Online Banking Security, CS177, 2011

Real-life Example: Security Testing of an Online Banking Service
- We will refer to the bank as Bank X
- At the time of the experiments Bank X had:
  - ~30 million accounts
  - > 400,000 online accounts

Starting Point
- Black-box testing: no privileged information
- Had access to one online account
- Had Internet access
- Had a letter from the bank verifying that we were working for them

Authentication
- User ID and PIN code
  - User ID: branch number + account number + control digit
  - PIN code: 4 digits
- Randomly generated personal information request (e.g., SSN, mother's maiden name)
  - Personal accounts: 2 out of 4 items
  - Business accounts: always the EIN
- Used SSL for communication and a Java program with an undisclosed encryption protocol

Experiments Attempted to Find Out
- What accounts existed
- What the PIN for each account was
- Who owned each account (personal or business)
- Personal data on the owner/business

Client Applet
- 3 Java classes
- Classes were obfuscated
- Broke the obfuscation:
  - constant strings were declared to be larger than they really were
  - parameters containing a line feed were inflated to line feed plus carriage return without increasing the declared string size of the parameter

Client-side Java Classes
- Reverse engineered the Java classes
  - built a pre-decompiler to clean up the bytecode
  - used the Jasmine decompiler
- Studied the applet classes to better understand the protocols used:
  - user interface
  - crypto algorithm
  - interface to the crypto algorithm

...
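The obfuscation tricks the slides describe (string constants whose declared length does not match their contents, and parameters with stray CR/LF bytes) live in the class file's constant pool, which is what a "pre-decompiler" has to walk before any decompiler can be run. The following is an added example, not the lecture's tool or the bank's applet: a Python reader for the constant pool as laid out in JVM spec section 4.4 that checks every CONSTANT_Utf8 entry really carries the bytes it declares and flags string constants containing control bytes. The class file it reads is constructed inline (header plus constant pool only, with hypothetical contents), so it runs offline.

```python
"""Walk the constant pool of a Java class file and audit its string constants.

Added example (not from the lecture or the applet under test).  Reads the
constant pool per JVM spec 4.4, verifies declared Utf8 lengths, and flags
string constants that contain control bytes such as CR or LF.  The sample
class files are constructed below; their strings are hypothetical.
"""
import struct

CP_UTF8, CP_LONG, CP_DOUBLE, CP_CLASS, CP_STRING = 1, 5, 6, 7, 8

# Payload size in bytes for every fixed-size constant-pool tag (JVM spec 4.4).
FIXED_SIZE = {
    3: 4, 4: 4,                 # Integer, Float
    CP_LONG: 8, CP_DOUBLE: 8,   # Long, Double (each occupies two pool slots)
    CP_CLASS: 2, CP_STRING: 2,  # Class, String (index into a Utf8 entry)
    9: 4, 10: 4, 11: 4,         # Fieldref, Methodref, InterfaceMethodref
    12: 4,                      # NameAndType
    15: 3,                      # MethodHandle
    16: 2,                      # MethodType
    17: 4, 18: 4,               # Dynamic, InvokeDynamic
    19: 2, 20: 2,               # Module, Package
}


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, payload_bytes)} for the class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, off, idx = {}, 10, 1
    while idx < count:                       # entries are numbered 1 .. count-1
        tag = data[off]
        off += 1
        if tag == CP_UTF8:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            payload = data[off:off + length]
            if len(payload) != length:       # declared length exceeds bytes present
                raise ValueError(
                    f"Utf8 entry #{idx} declares {length} bytes, only {len(payload)} present")
            off += length
        elif tag in FIXED_SIZE:
            payload = data[off:off + FIXED_SIZE[tag]]
            off += FIXED_SIZE[tag]
        else:
            # An over-declared Utf8 length in a full class file desynchronizes the
            # walk, and the next "tag" read is garbage; this is where it surfaces.
            raise ValueError(f"unknown constant-pool tag {tag} at entry #{idx}")
        pool[idx] = (tag, payload)
        idx += 2 if tag in (CP_LONG, CP_DOUBLE) else 1   # 8-byte constants take two slots
    return pool


def string_constants(pool: dict) -> list:
    """Resolve each CONSTANT_String to text; flag any containing control bytes."""
    out = []
    for idx in sorted(pool):
        tag, payload = pool[idx]
        if tag != CP_STRING:
            continue
        (utf8_idx,) = struct.unpack(">H", payload)
        raw = pool[utf8_idx][1]
        # Java stores "modified UTF-8"; plain UTF-8 decoding is exact for ASCII text.
        text = raw.decode("utf-8", errors="replace")
        suspicious = any(b < 0x20 for b in raw)   # CR, LF, TAB, NUL ...
        out.append((idx, text, suspicious))
    return out


def _utf8(s: bytes) -> bytes:
    return bytes([CP_UTF8]) + struct.pack(">H", len(s)) + s


def _ref(tag: int, target: int) -> bytes:
    return bytes([tag]) + struct.pack(">H", target)


def build_sample_class() -> bytes:
    """Constructed class-file prefix: header plus an 11-entry constant pool."""
    entries = [
        _utf8(b"BankApplet"),        # 1
        _ref(CP_CLASS, 1),           # 2  Class  -> #1
        _utf8(b"LOGIN\n"),           # 3  hypothetical parameter ending in a bare LF
        _ref(CP_STRING, 3),          # 4  String -> #3
        _utf8(b"PIN=\r\n"),          # 5  same idea, CR LF variant
        _ref(CP_STRING, 5),          # 6  String -> #5
        _utf8(b"OK"),                # 7
        _ref(CP_STRING, 7),          # 8  String -> #7
        bytes([CP_LONG]) + struct.pack(">q", 20110101),  # 9 (and 10): Long
        _utf8(b"salt"),              # 11
        _ref(CP_STRING, 11),         # 12 String -> #11
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 13)   # count = last index + 1
    return header + b"".join(entries)


def build_overdeclared_class() -> bytes:
    """Constructed prefix whose single Utf8 entry claims 40 bytes but carries 5."""
    bogus = bytes([CP_UTF8]) + struct.pack(">H", 40) + b"LOGIN"
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 2) + bogus


if __name__ == "__main__":
    for idx, text, flagged in string_constants(parse_constant_pool(build_sample_class())):
        print(f"#{idx:<3} {'CONTROL' if flagged else 'ok     '} {text!r}")
    try:
        parse_constant_pool(build_overdeclared_class())
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script on the constructed sample lists the four string constants, marks the two carrying LF and CR LF, and rejects the over-declared class with a length mismatch; pointing `parse_constant_pool` at real `.class` bytes is the first step of the bytecode clean-up the slides describe, before handing the result to a decompiler.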
This note was uploaded on 12/27/2011 for the course CMPSC 117 taught by Professor Kemm during the Fall '09 term at UCSB.