Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Banks. Show all posts
Russian-Ukraine War
Airports Banks Cyber Attacks Cybersecurity Intesa Sanpaolo Italy Milan Pro-Russian Hackers Russian-Ukraine War

Pro-Russia Hackers Target Italian Banks and Airports Amid Rising Tensions

 

Around 20 Italian websites, including those of major banks and airports, were targeted by alleged pro-Russian hackers, according to Italy’s cybersecurity agency on Monday. The attack is believed to be linked to escalating diplomatic tensions between Rome and Moscow.

Earlier this month, Italian President Sergio Mattarella likened Russia’s invasion of Ukraine to Nazi Germany’s pre-World War II expansionism. The statement sparked strong reactions from Moscow but was defended by Italian Prime Minister Giorgia Meloni.

The cyberattacks, reportedly carried out by the pro-Russian hacker group Noname057(16), impacted the websites of Intesa Sanpaolo, Banca Monte dei Paschi, Iccrea Banca, and Milan’s Linate and Malpensa airports, among others. However, the cybersecurity agency confirmed that the attacks did not cause significant disruptions.

Intesa Sanpaolo and SEA, the operator of Milan’s airports, declined to comment on the incident. A spokesperson for Iccrea Banca stated that its services remained unaffected, while Banca Monte dei Paschi has yet to respond to requests for comment.

According to Italy’s cybersecurity agency, the hacker group cited Mattarella’s remarks as the motivation behind the attack. In December, Noname057(16) had claimed responsibility for another cyber assault on Italy, targeting approximately 10 institutional websites.

SEO Keywords: Cyberattack, Italy, Pro-Russian Hackers, Banks, Airports, Cybersecurity, Noname057(16), Russian-Ukraine War, Milan, Intesa Sanpaolo, Banca Monte dei Paschi, Iccrea Banca, Linate Airport, Malpensa Airport.
Read more »
Sensitive data
Banks CrowdStrike outage Cyber Security Financial Institutions Security Sensitive data

Lessons for Banks from the Recent CrowdStrike Outage

 


The recent disruption caused by CrowdStrike has been a wake-up call for financial institutions, highlighting that no cybersecurity system is entirely foolproof. However, this realisation doesn’t lessen the need for rigorous preparation against potential cyber threats.

What Happened with CrowdStrike?

CrowdStrike, a well-known cybersecurity company based in Austin, Texas, recently faced a major issue that caused extensive system crashes. The problem originated from a software update to their Falcon Sensor, which led to a "logic error." This error caused systems to crash, showing the infamous "Blue Screen of Death" (BSOD). The company later revealed that a pre-deployment test, meant to catch such errors, failed, leading to widespread issues.

This incident impacted various organisations, including big names like ICE Mortgage Technology, Fifth Third Bank (with $214 billion in assets), TD Bank, and Canandaigua National Bank in New York, which holds $5 billion in assets.

The Need for Better Planning

Dave Martin, founder of the advisory firm BankMechanics, emphasised that while such events are often discussed in theoretical terms when planning for worst-case scenarios, they can quickly become real, underscoring the ardent need for being well-prepared.

According to Martin, this event has likely prompted bank leaders around the world to focus even more on their contingency plans and backup strategies. The fact that this outage affected so many organisations shows just how unpredictable such crises can be.

As cybersecurity threats become more common, financial institutions are increasingly focused on their defences. The risks of not being adequately prepared are growing. For example, after a cyberattack in June, Patelco Credit Union in California, which manages $9.6 billion in assets, is now facing multiple lawsuits. These lawsuits claim that the credit union did not properly secure sensitive data, such as Social Security numbers and addresses.

Andrew Retrum, a managing director at Protiviti, a consulting firm specialising in technology risk and resilience, pointed out that while organisations face numerous potential threats, they should focus on creating strong response and recovery strategies for the most likely negative outcomes, like technology failures or site unavailability.

Preparing for Future Cyber Incidents

Experts agree on the importance of having detailed action plans in place to restore operations quickly after a cyber incident. Kim Phan, a partner at Troutman Pepper who specialises in privacy and data security, advises financial institutions to be ready to switch to alternative systems or service providers if necessary. In some cases, this might even mean going back to manual processes to ensure that operations continue smoothly.

Phan also suggests that financial institutions should manage customer expectations, reminding them that the convenience of instant online services is not something that can always be guaranteed.

The CrowdStrike outage is a recurring reminder of how unpredictable cyber threats can be and how crucial it is to be prepared. Financial institutions must learn from this incident, regularly updating their security measures and contingency plans. While technology is essential in protecting against cyber threats, having a solid, human-driven response plan is equally important for maintaining security and stability.

By looking at past cyber incidents in the banking sector, we can draw valuable lessons that will help strengthen the industry's overall defences against future attacks.


Read more »
Rasomware Attack
Banks Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Rasomware Attack

Major Ransomware Attack Targets Evolve Bank, Impacting Millions

 


An Arkansas-based financial services organization confirmed the incident on July 1 shortly after the ransomware gang published data it claimed had been stolen during the attack and published it on its website. According to the company, there was no payment made to the ransom demand, so the stolen data was leaked online due to the failure to pay the ransom. 

Additionally, the bank also reported that the attackers had exfiltrated personal information from some of the bank's customers, including their names, Social Security numbers, and the bank account numbers associated with their accounts, along with their contact information. One of the nation's largest financial institutions, Evolve Bank & Trust, has shared the news of a data breach posing a massive threat to all 7.64 million individuals impacted by the data breach. 

After a period of system outages started occurring at the Arkansas-based bank in late May, officials initially thought that a "hardware failure" had caused the outages, but an investigation revealed that the outages were caused by a cyberattack. It was confirmed by Evolve that hackers infiltrated the company's network as early as February. This could have had a significant impact on sensitive customer data. 

Understandably, the official notification letter filed with the Maine Attorney General avoids specific details. Still, it is worth noting that the bank has acknowledged that it has lost names, social security numbers, bank account numbers, and contact information. The Maine Attorney General's Office was informed by one of the financial institutions on Monday that the personal information about 7,640,112 individuals was compromised in the attack and that it would provide them with 24 months of credit monitoring and identity protection due to the breach. 

Also on Monday, Evolve Bank started sending out written notifications to the impacted individuals, explaining that the ransomware attack occurred on May 29 and that the attackers had access to its network since at least February. Evolve did not specify what types of data had been compromised in the filing, but it previously said in a statement on its website that attackers accessed the names, Social Security numbers, bank account numbers, and contact information belonging to its personal banking customers, the personal data of Evolve employees and information belonging to customers of its financial technology partners. 

There are several partners in this list, including Affirm, which recently made a statement assuring customers that the Evolve breach "may have compromised some personal information and data" of its customers." Evolve's partner Mercury, which offers fintech solutions to businesses, made a statement on X in regards to the data breach that affected "some account numbers, deposit balances, and business owner names as well as emails" that were exposed. 

The money transfer company Wise (formerly TransferWise) confirmed last week that there may have been an issue with the confidentiality of some of its customers' personal information. A statement by Evolve confirmed this week that the intrusion was the result of a ransomware attack that was instigated by the Russia-linked LockBit group. LockBit's administrator, who was disrupted earlier this year by a multigovernmental operation, is still at large. 

When the bank discovered the hacker had accessed its systems in May, it was able to identify the intrusion as an attack by hackers. It's no secret that LockBit made a deal with hackers to release the compromised data on its dark web leak site, which has since been revived after Evolve refused to pay the ransom demand.  This letter, sent to customers, expresses Evolve's concern over the hacking of its customer database and a file-sharing system during February and May 2024, during which data about customers was accessed and downloaded. 

RaaS groups, like this one, often deploy misinformation or disinformation campaigns alongside cyberattacks as part of their tactics to cause confusion and add maximum impact to their operations. As a result of the breach at Evolve, financial institutions can be reminded of the critical need for them to take robust cybersecurity measures to prevent data breaches in the future. 

A growing number of open banking platforms are on the rise and several RaaS attacks are ever-present, as well as a growing warning about data security threats. Institutions need to prioritize data security and implement strong access controls, encryption, and incident response protocols to ensure that their data is secure.
Read more »
Privacy
Banks Cyberattacks CyberCrime Cyberhackers CyberThreat Digital Token OTP Passwords Privacy

Singapore Banks Phasing Out OTPs in Favor of Digital Tokens

 


It has been around two decades since Singapore started issuing one-time passwords (OTPs) to users to aid them in logging into bank accounts. However, the city-state is planning to ditch this method of authentication shortly. Over the next three months, major retail banks in Singapore are expected to phase out the use of one-time passwords (OTP) for account log-in by digital token users as part of their transition away from one-time passwords. 

With an activated digital token on their mobile device, customers will need to either use the token to sign in to their bank account through a browser or the mobile banking app on their mobile device. In a joint statement on Tuesday (Jul 9), the Monetary Authority of Singapore (MAS) and The Association of Banks (ABS) said that, while the digital token is designed to authenticate customers' logins, there will not be an OTP needed to prove identity, which scammers can steal or trick victims into disclosing. 

There is also a strong recommendation to activate digital tokens by those who haven't already done so, as this will greatly reduce the chance of having one's credentials stolen by unauthorized personnel. According to The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS), within the next three months, major retail banks in Singapore will gradually phase out the use of One-Time Passwords (OTPs) to log into bank accounts by customers who are using digital tokens. 

By doing this, the banks hope to better protect their customers against phishing attacks - at the very least against scams in which scammers get their customers to divulge their OTPs. To secure bank accounts, MAS and ABS encourage the use of digital tokens - apps that run on smartphones and provide OTPs - as a source of second-factor authentication, as opposed to software programs that are installed on computers. 

There will be better protection for them against phishing scams since they have been among the top five scam types over the past year, with at least SGD 14.2 million being lost to these scams, as outlined in the Singapore Police Force Annual Scams and Cybercrime Brief 2023, which was released in January of this year. When customers activate their digital tokens on their mobile devices, they will have to use these tokens when logging in to their bank accounts through the browser or by using the mobile banking app on their mobile devices. 

With the help of the token, scammers will be unable to steal your OTP, which customers may be tricked into revealing, or steal non-public information about themselves that they will be asked to provide. To lower the chances of having identity credentials phished, MAS and ABS have urged customers who haven't activated their digital token to do so, so that they don't become a victim of identity theft. The use of One Time Passwords (OTPs) has been used since early 2000 as a multi-factor authentication option to strengthen the security of online transactions. 

Nevertheless, technological advancements and more sophisticated social engineering tactics have since made it possible for scammers to manipulate phishing requests for customers' OTPs with more ease, such as setting up fake bank websites that closely resemble real banks' websites and asking for the OTP from them. As a result of this latest step, the authentication process will be strengthened, and it will be harder for scammers to trick customers out of money and funds by fraudulently accessing their accounts using their mobile devices without explicit authorization. 

During the 2000s, one-time passwords were implemented as a means to enhance the security of online transactions to strengthen multi-factor authentication. MAS and ABS have both warned consumers to be cautious about phishing for their OTP as a result of technological improvements and increasingly sophisticated social engineering techniques. There have been several phishing scams in Singapore over the past year, with at least $14.2 million lost to these scams, according to records released by the Singapore Police Force earlier this month. 

It is expected that this latest measure will enhance authentication and will ensure that scammers will not be able to fraudulently access a customer's accounts and funds without the explicit permission of the customer using their mobile devices," they commented. According to ABS Director Ong-Ang Ai Boon, this measure may cause some inconveniences for some consumers, but it is essential to help prevent unscrupulous suppliers and protect customers in the long run. 

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced a collaborative effort to strengthen protections against digital banking scams. This initiative involves the gradual phasing out of One-Time Passwords (OTPs) for bank logins by customers utilizing digital tokens on their mobile devices. This rollout is anticipated to occur over the next three months. MAS, represented by Loo Siew Yee, Assistant Managing Director (Policy, Payments & Financial Crime), emphasized their ongoing commitment to safeguarding consumers through decisive action against fraudulent digital banking activities. 

The elimination of OTPs aims to bolster customer security by mitigating the risks associated with phishing attacks. Phishing scams have evolved alongside advancements in technology, enabling fraudsters to more effectively target customer OTPs. They often achieve this by creating deceptive websites that closely mimic legitimate banking platforms. ABS, represented by Director Ong-Ang Ai Boon, acknowledged that this measure might cause minor inconveniences. 

However, they firmly believe such steps are essential to prevent scams and ensure customer protection. MAS, through Ms. Loo, reaffirmed the significance of maintaining good cyber hygiene practices in conjunction with this latest initiative. Customers are urged to remain vigilant and safeguard their banking credentials at all times. MAS and ABS jointly urge customers who haven't activated their digital tokens to do so promptly. 

This action minimizes the vulnerability of their credentials to phishing attempts. By implementing this multifaceted approach, MAS and ABS aim to create a more secure digital banking environment for customers in Singapore.
Read more »
irda
Banks bfsi CIO CISO Cyber Security insurance irda

Enhancing Cybersecurity: Automated Vulnerability Detection and Red Team Exercises with Validation Scans



In today's digital age, cybersecurity has become a top priority for organizations of all sizes. The ever-evolving landscape of cyber threats necessitates robust and comprehensive approaches to identifying and mitigating vulnerabilities.

Two effective methods in this domain are automated vulnerability detection and red team exercises. This article explores how these methods work together, the process of recording identified vulnerabilities, and the crucial role of human analysts in prioritizing them.

Automated Vulnerability Detection:

Automated vulnerability detection tools are designed to scan systems, networks, and applications for known vulnerabilities. These tools leverage databases of known threats and employ various scanning techniques to identify potential security weaknesses. The benefits of automated detection include:

1. Speed and Efficiency: Automated tools can quickly scan large volumes of data, significantly reducing the time needed to identify vulnerabilities.

2. Consistency: Automated processes eliminate the risk of human error, ensuring that every scan is thorough and consistent.

3. Continuous Monitoring: Many automated tools offer continuous monitoring capabilities, allowing organizations to detect vulnerabilities in real time.

However, automated tools are not without their limitations. They may not detect new or complex threats, and false positives can lead to wasted resources and effort.


Red Team Exercises:


Red team exercises involve ethical hackers, known as red teams, who simulate real-world cyber attacks on an organization's systems. These exercises aim to uncover vulnerabilities that automated tools might miss and provide a realistic assessment of the organization's security posture. The advantages of red team exercises include:

1. Real-World Scenarios: Red teams use the same tactics, techniques, and procedures as malicious hackers, providing a realistic assessment of the organization's defenses.

2. Human Ingenuity: Human testers can think creatively and adapt to different situations, identifying complex and hidden vulnerabilities.

3. Comprehensive Assessment: Red team exercises often reveal vulnerabilities in processes, people, and technologies that automated tools might overlook.

Recording and Prioritizing Vulnerabilities:

Once vulnerabilities are identified through automated tools or red team exercises, they need to be meticulously recorded and managed. This is typically done using a bugtrack Excel sheet, which includes details such as the vulnerability description, severity, affected systems, and potential impact.

The recorded vulnerabilities are then reviewed by human analysts who prioritize them based on their severity and potential impact on the organization.

This prioritization is crucial for effective vulnerability management, as it ensures that the most critical issues are addressed first. The analysts categorize vulnerabilities into three main levels:

1. High: These vulnerabilities pose a significant risk and require immediate attention. They could lead to severe data breaches or system compromises if exploited.

2. Medium: These vulnerabilities are less critical but still pose a risk that should be addressed promptly.

3. Low: These vulnerabilities are minor and can be addressed as resources allow.

Machine-Readable Vulnerability Reports and Automated Validation:

Once the vulnerabilities are prioritised and added to the bugtrack, it is essential to provide customers with the information in a machine-readable format. This enables seamless integration with their existing systems and allows for automated processing. The steps involved are:

1. Machine-Readable Format: The bugtrack data is converted into formats such as JSON or XML which can be easily read and processed by machines.

2. Customer Integration: Customers can integrate these machine-readable reports into their security information and event management (SIEM) systems or other security tools to streamline vulnerability management and remediation workflows.

3. Automated Remediation and Validation: After addressing the vulnerabilities, customers can use automated methods to validate the fixes. This involves re-scanning the systems with automated tools to ensure that the vulnerabilities have been effectively mitigated. This is done using YAML scripts specifically added to the vulnerability scanning tool to scan. Output is analyzed to see if a vulnerability is fixed.

Network and Application Vulnerability Revalidation:

For network level vulnerabilities, revalidation can be done using the Security Content Automation Protocol (SCAP) or by automating the process using YAML/Nuclei vulnerability scanners.

These tools can efficiently verify that the identified network vulnerabilities have been patched and no longer pose a risk.

For application level vulnerabilities, SCAP is not suitable. Instead, the bugtrack system should have a feature to revalidate vulnerabilities using YAML/Nuclei scanners or validation scripts via tools like Burp Suite Replicator plugin. These methods are more effective for confirming that application vulnerabilities have been properly addressed.

Conclusion:

Combining automated vulnerability detection with red team exercises provides a comprehensive approach to identifying and mitigating security threats.  Automated tools offer speed and consistency, while red teams bring creativity and real-world testing scenarios. Recording identified vulnerabilities in a bugtrack Excel sheet, providing machine-readable reports, and validating fixes through automated methods ensure that resources are effectively allocated to address the most pressing security issues.

By leveraging these methods, organizations can enhance their cybersecurity posture, protect sensitive data, and mitigate the risk of cyber attacks. As the threat landscape continues to evolve, staying proactive and vigilant in vulnerability management will remain essential for safeguarding digital assets.

The entire vulnerability monitoring with the automated machine-readable format for validating has been implemented in DARWIS VM module.

-----------
Suriya Prakash & Sabari Selvan
CySecurity Corp 
www.cysecuritycorp.com
Read more »
Security
Antiphish Banks bfsi CISO phishing Phishing and Spam Security

Case Study: Implementing an Anti-Phishing Product and Take-Down Strategy


Introduction:

Phishing attacks have become one of the most prevalent cybersecurity  threats, targeting individuals and organizations to steal sensitive information such as login credentials, financial data, and personal information. To combat this growing threat, a comprehensive approach involving the deployment of an anti-phishing product and an efficient take-down strategy is essential.

This case study outlines a generic framework for implementing such measures, with a focus on regulatory requirements mandating the use of locally sourced solutions and ensuring proper validation before take-down actions.


Challenge:

Organizations across various sectors, including finance, healthcare, and e-commerce, face persistent phishing threats that compromise data security and lead to financial losses. The primary challenge is to develop and implement a solution that can detect, prevent, and mitigate phishing attacks effectively while complying with regulatory requirements to use locally sourced cybersecurity products and ensuring that take-down actions are only executed when the orginization is phished/imitated.


Objectives:

1. Develop an advanced anti-phishing product with real-time detection and response capabilities.

2. Establish a rapid and effective take-down process for phishing websites.

3. Ensure the anti-phishing product is sourced from a local provider to meet regulatory requirements.

4. Implement a policy where take-down actions are only taken when the orginization is phished.


Solution:

A multi-faceted approach combining technology, processes, and education was adopted to address the phishing threat comprehensively.


1. Anti-Phishing Product Development

An advanced anti-phishing product from a local cybersecurity provider was developed with the following key features:

Real-time Monitoring and Detection:

Utilizing AI and machine learning algorithms to monitor email traffic, websites, and network activity for phishing indicators.

- Threat Intelligence Integration:

  Incorporating global threat intelligence feeds to stay updated on new phishing tactics and campaigns.

- Automated Detection of Brand Violations: Implementing capabilities to automatically detect the use of logos, brand names, and other identifiers indicative of phishing activities.

- Automated Response Mechanisms:

Implementing automated systems to block phishing emails and malicious websites at the network level, while flagging suspicious sites for further review.

- User Alerts and Guidance: Providing immediate alerts to users when suspicious activities are detected, along with guidance on how to respond.


2. Phishing Website Take-Down Strategy

We developed a proactive approach to swiftly take down phishing websites, ensuring a balance between automation and human oversight, and validating the phishing activity before take-down:

- Rapid Detection Systems: Leveraging real-time monitoring tools to quickly identify phishing websites, especially those violating brand identities.

- Collaboration with ISPs and Hosting Providers:

Establishing partnerships with internet service providers and hosting companies to expedite the take-down process.

- Human Review Process and Validation of Phishing Activity:

Ensuring that no site is taken down without a human review to verify the phishing activity, preventing erroneous takedowns/rejections.

- Legal Measures:

Employing legal actions such as cease-and-desist letters to combat persistent phishing sites.

- Dedicated Incident Response Team:

Forming a specialized team to handle take-down requests and ensure timely removal of malicious sites, following human verification.


Results:

1. Reduction in Phishing Incidents: Organizations reported a significant decrease in successful phishing attempts due to the enhanced detection and response capabilities of the locally sourced anti-phishing product.

2. Efficient Phishing Site Take-Downs:

The majority of reported phishing websites were taken down within 24 hours, following human review and validation of phishing activity, minimizing the potential impact of phishing attacks.


Conclusion:

The implementation of an advanced, locally sourced anti-phishing product, combined with a robust take-down strategy and comprehensive educational initiatives, significantly enhances the cybersecurity posture of organizations. By adopting a multi-faceted approach that leverages technology, collaborative efforts, and user education, while ensuring compliance with regulatory requirements to use local solutions and validating phishing activity before take-down actions, organizations can effectively mitigate the risks posed by phishing attacks. This case study underscores the importance of an integrated strategy, ensuring automated systems are complemented by human oversight, in protecting against the ever-evolving threat of phishing.


By

Suriya Prakash & Sabari Selvan

CySecurity Corp

Read more »
RBI
Banks CISO Corporate Cyber Security Opensource RBI

Enhancing API Security: CSPF's Contribution to Wallarm's Open-Source Project

 

In the ever-evolving landscape of digital security, the Cyber Security & Privacy Foundation (CSPF) remains a beacon of innovation and support. Our mission extends beyond mere advocacy for cybersecurity; we actively enhance the tools that fortify our digital world. A testament to this commitment is our recent focus on Wallarm's API Firewall, a robust tool designed to protect APIs from emerging cyber threats. 
 
Our journey with Wallarm's API Firewall began with a simple yet powerful intention: to make this tool not just effective but also adaptable to the stringent requirements of B2B and high-security environments. In doing so, we embarked on a path that not only led us to add new functionalities but also to discover and rectify hidden vulnerabilities. 
 
Introducing the AllowedIPList Feature and Addressing the Denylist Bug 
 
The new feature we introduced, the AllowedIPList, is a game-changer for API security. It restricts API access to specific, pre-approved IP addresses, an essential requirement for secure, business-to-business communications and high-security domains. This addition ensures that only authorized machines can interact with the API, thereby enhancing the security manifold. 
 
In our journey of innovation, we encountered a critical bug in the existing Denylist feature. The Denylist, designed to block requests using certain compromised keys, cookies, or tokens, had a significant flaw. The bug stemmed from a cache implementation error, leading to the failure of adding entries to the Denylist if the list was shorter than 53 characters. This vulnerability was particularly concerning for shorter tokens, commonly used in HTTP basic authentication and cookies.  
 
Our team promptly addressed this issue, ensuring that the Denylist functioned as intended, regardless of the character count. The resolution of this bug, alongside the implementation of the AllowedIPList, marked a significant enhancement in the API Firewall's security capabilities. 
 
The Broader Impact of Open-Source Contributions 
 
This initiative underscores the importance of not just using open-source software but actively contributing to it. While the immediate financial returns might be non-evident, such contributions lead to a more secure and robust digital ecosystem. It is through diverse collaboration and multiple perspectives that we can uncover and rectify latent vulnerabilities. 

Link - 

https://github.com/CSPF-Founder/api-firewall/tree/main
 
Founder & TechCore Team
Cyber Security and Privacy Foundation
https://github.com/CSPF-Founder/
Read more »
RBI
App Developers Banks CISO Developers RBI

Security Issue in Banking Applications?

Recently, we tested a mobile application of a BFSI platform, which allowed the organization's employees to view and interact with new customer leads. 

The mobile app had a password-based authentication system, with the username being the mobile number of the user. We identified a major weakness in this mobile app. The app allows a user to reset the password if they can prove themselves via an OTP. When the 'forgot password' button is pressed, the user is sent to a page where they are prompted to enter an OTP. The OTP is sent to the phone number, and if the wrong OTP is entered, the server responds with `{"OTP":"Failure"}`. While this seems to have been implemented properly, we tried to change the server response by conducting an MITM. We changed the response from the server to `{"OTP":"Success"}`. This redirection led us to the password change screen, where we were prompted to enter a new password. 

Initially, we believed this was only a visual bug and that the password reset would fail. However, we soon discovered that the password reset page itself does not check the OTP, and there is no session to track the successful OTP. This means any attacker can take the password change request, replace the phone number, and change the password of any other user (phone number). In simple terms, the OTP verification and the password reset page are not connected. The password reset API call did not have any verification or authentication to ensure only the correct user can change the password. 

This reveals how BFSI developers, when asked to build an app, often create the requested features without considering any security architecture. These apps are usually rushed, and only the positive/happy paths are checked. Security testing and architecture are often considered only as an afterthought. Unless BFSI incorporates security architecture into the development stage itself, such vulnerabilities will continue to emerge.  

By
Suriya Prakash
Head DARWIS 
CySecurity Corp

Read more »
Subscribe to: Posts (Atom)