bank - Real-life Example Security Testing of an Online...

Online Banking Security, CS177 2011

Real-life Example: Security Testing of an Online Banking Service
• We will refer to the bank as Bank X
• At the time of the experiments Bank X had
  – ~30 million accounts
  – > 400,000 online accounts

Starting Point
• Blackbox testing
  – No privileged information
  – Had access to one online account
  – Had Internet access
  – Had letter from the bank verifying that we were working for them

Authentication
• User ID and Pin Code
  – User ID: Branch Number + Account Number + Control digit
  – Pin code: 4 digits
• Randomly generated personal information request (e.g., SSN, mother’s maiden name)
  – 2 out of 4 for personal
  – always EIN for business
• Used SSL for communication and a Java program with undisclosed encryption protocol

Experiments
• Attempted to Find Out
  – What accounts existed
  – What the pin number for each account was
  – Who owned the account
    – personal
    – business
  – Personal data on the owner/business

Client Applet
• 3 Java classes
• Classes were obfuscated
• Broke the obfuscation
  – constant strings were declared to be larger than they really were
  – parameters containing line feed were inflated to line feed plus carriage return without increasing the string size of the parameter

Client-side Java Classes
• Reverse engineered the Java classes
  – built pre-decompiler to clean up bytecode
  – Used the Jasmine decompiler