Transaction Authorization Cheat Sheet

From OWASP
Revision as of 18:13, 6 July 2015 by Jmanico (talk | contribs) (getting started)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cheatsheets-header.jpg

Last revision (mm/dd/yy): 07/6/2015

DRAFT DOCUMENT - WORK IN PROGRESS

Introduction

Some applications use second factor to check whether sensitive operations are being performed by an authorized user. Common example is wire transfer authorization, typically used in internet or mobile banking applications. For the purpose of this document we will call such process: “transaction authorization”. However, usage scenarios are not only limited to financial systems. For example: an e mail with a secret code or a link with some kind of token to unlock user account is also a special case of transaction authorization. User authorizes operation of account unlocking by using second factor (a unique code sent to his email address).

Transaction authorization is currently performed by various methods. The following are common examples:

  • cards with transaction authentication numbers (TAN),
  • time based OTP tokens, such as SecureID,
  • OTP sent by SMS, provided by phone or sent to email address,
  • digital signature using a smart card,
  • challenge-response tokens (including “disconnected card readers” or solutions which scan transaction data from computer screen).

Some of these can be implemented on a physical device or in a mobile application.

Transaction authorization is implemented in modern financial systems in order to protect against unauthorized wire transfers as a result of attacks using malware, phishing, password or session hijacking, CSRF, XSS and other. Unfortunately, as with any piece of code, such protection can be improperly implemented and as a result it might be possible to bypass this safeguard. Purpose of this cheat sheet is to provide guidelines on how to properly implement transaction authorization to protect it from bypassing.

Authors and Primary Editors

Eoin Keary eoinkeary[at]owasp.org

Other Cheatsheets