[Global_industry_committee] SIG: An Assessment of the 24 Top Financial Institutions

Marco M. Morana marco.m.morana at gmail.com
Thu Feb 11 19:43:00 EST 2010


List

 

I wanted to share the reference to this study, "U.S. Online Channel Security: An Assessment of the 24 Top Financial Institutions", which was shared with me today. A sample report can be downloaded here: http://www.javelinstrategy.com/brochure-162

 

The study has interesting data on how banks deal with authentication and customer validation for online banking applications, as well as transactions such as registration and password/username change and reset.

 

It is interesting to notice that most US banks (52% of all banks in the survey) still use ATM PINs to validate customers, such as during registration of an online account, and as a form of validation of customer secrets in other transactions.

 

We (OWASP) probably need to educate FIs (Financial Institutions) on the concept of reducing the attack surface, such as limiting the use of authentication credentials to the channel they are designed for (e.g. an ATM PIN should only be used over the ATM channel), as well as other things such as not using PII such as the SSN as an element of authentication.

 

In my opinion this is a legacy architecture problem and the tip of the iceberg of how online financial applications have been developed in the past, as a front end on top of legacy systems such as mainframes that still use their own form of authentication.

 

Some of these systems require ATM PINs to validate customers in online transactions instead of relying on trusted authentication among servers, federation and mutual authentication. Also, not requiring authentication credentials such as the PIN to be passed over other channels means they do not have to be stored and encrypted there, which should be avoided at all costs.

 

Fabio

 

Maybe we can put the feedback on this study on the agenda of one of the next SIG WG meetings? Just a suggestion.

 

Thanks

 

Marco M.

 

 

From: global_industry_committee-bounces at lists.owasp.org [mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of fabio.e.cerullo at aib.ie
Sent: Tuesday, February 09, 2010 12:31 PM
To: Jerry Kickenson
Cc: eoinkeary at gmail.com; Jim Routh; Global_industry_committee; dave.wichers at owasp.org; jeff.williams at owasp.org
Subject: Re: [Global_industry_committee] OWASP Financial Services SIG

 


Jerry, 

I will organize a conf call for this friday... could you please get me the email addresses for the people below? 

thanks! 

Fabio Cerullo
Divisional Information Security 
Bankcentre D1, 
Ballsbridge,
Dublin 4,
Ireland.

Tel: +353 1 772 6309
Email: fabio.e.cerullo at aib.ie




	
Jerry Kickenson <jerry.kickenson at verizon.net> 

09/02/2010 17:13 

        
        To:        fabio.e.cerullo at aib.ie 
        cc:        Eoin <eoin.keary at owasp.org>, Joe Bernik <bernik at gmail.com>, eoinkeary at gmail.com, Global_industry_committee <Global_industry_committee at lists.owasp.org>, Jim Routh <routh3742 at gmail.com>, dave.wichers at owasp.org, tomb at owasp.org, jeff.williams at owasp.org 
        Subject:        Re: OWASP Financial Services SIG 





Fabio,

A couple of questions:

1.   Shall I approach my CISO (SWIFT) about participating?  More 
generally, how do you want to coordinate who is asked to participate?

2.   There are several folks on LinkedIn, members of the OWASP group, 
who have expressed interest in getting involved.  How, if at all, would 
we want to get them involved?  They are:

   James McGovern, Enterprise Architect, The Hartford
   Gaurav Chaturvedi, System Admin, Directi
   Don Turnblade, Security Architect, Terra Verde Services
   Mike Lemire, Head of Information Security, RiskMetrics Group
   Rommel Garcia, Sr. Software Engineer, Internap
   Mike Morris, Lead Technical Architect, USAA
   David Zendzian, Sr. Security Engineer, Digital Resources Group



Best regards,
Jerry

fabio.e.cerullo at aib.ie wrote:
>
> hi guys,
>
> yesterday we met with Joe Bernik to start the discussion about this 
> OWASP Financial Services SIG.
>
> unfortunately I forgot to send a reminder to everyone and Joe was the 
> only one to remember my previous mail :-P
>
> here I'm sending you the outcome from the meeting... the idea is to 
> organize maybe a bi-weekly conf call to progress some of the items below:
>
> - Gather a tentative list of security professionals at CISO/Management 
> level that would like to be part of a discussion panel during AppSec 
> EU/US 2010.
> - Define a topic... an idea might be "What should financial 
> institutions do around application security?"
> - Define a set of questions to ask these participants in order to kick 
> off the discussion.
> - Discuss the challenges about using open source/free 
> applications/tools in financial environments... actually this could be 
> another topic.
> - Discuss the topics that are on top of the agenda for CISO/Security 
> Managers (eg. cybercrime, targeted attacks, app security)
> - Show examples on how OWASP can help financial institutions to 
> increase the security of web applications.
>
> any questions/ideas are more than welcome.
>
> thank you,
>
> Fabio Cerullo
> Divisional Information Security
> Bankcentre D1,
> Ballsbridge,
> Dublin 4,
> Ireland.
>
> Tel: +353 1 772 6309
> Email: fabio.e.cerullo at aib.ie
>
>
>
>
>                  Eoin <eoin.keary at owasp.org>
> Sent by: eoinkeary at gmail.com
>
> 27/01/2010 15:22
>
>         To:        fabio.e.cerullo at aib.ie
>         cc:        Joe Bernik <bernik at gmail.com>, Jerry Kickenson <jerry.kickenson at verizon.net>, Jim Routh <routh3742 at gmail.com>, Global_industry_committee <Global_industry_committee at lists.owasp.org>
>         Subject:        Re: [Global_industry_committee] OWASP Financial Services SIG
>
>
>
>
>
> I'd like to attend if this ok?
>
> 2010/1/27 <fabio.e.cerullo at aib.ie>
>
> I could make it 8AM EST which is 1PM GMT.... anyone else would like to 
> join? thanks!
>
> Fabio Cerullo
> Divisional Information Security
> Bankcentre D1,
> Ballsbridge,
> Dublin 4,
> Ireland.
>
> Tel: +353 1 772 6309
> Email: fabio.e.cerullo at aib.ie
>
>
>
>                  Joe Bernik <bernik at gmail.com>
>
> 27/01/2010 14:06
>
>         To:        fabio.e.cerullo at aib.ie
>         cc:        Global_industry_committee <Global_industry_committee at lists.owasp.org>, Jerry Kickenson <jerry.kickenson at verizon.net>, Jim Routh <routh3742 at gmail.com>
>         Subject:        Re: OWASP Financial Services SIG
>
>
>
>
>
> Fabio,
>
> Sounds good, I am available next February 4th from 8-10 am EST.
>
> Joe
>
>
>
>
> On Wed, Jan 27, 2010 at 4:43 AM, <fabio.e.cerullo at aib.ie> wrote:
>
> This is great! I really like to see this working... so let's have a 
> meeting (probably next week)?
>
> I'm in GMT zone so please let me know your location and I will 
> coordinate the conf call bridge.
>
> thanks!
>
> Fabio Cerullo
> Divisional Information Security
> Bankcentre D1,
> Ballsbridge,
> Dublin 4,
> Ireland.
>
> Tel: +353 1 772 6309
> Email: fabio.e.cerullo at aib.ie
>
>
>                  "Joe Bernik" <bernik at gmail.com>
>
> 27/01/2010 01:21
>
>         To:        "'Jerry Kickenson'" <jerry.kickenson at verizon.net>, "'Jim Routh'" <routh3742 at gmail.com>, <fabio.e.cerullo at aib.ie>
>         cc:        "Global_industry_committee" <Global_industry_committee at lists.owasp.org>
>         Subject:        RE: OWASP Financial Services SIG
>
>
>
>
>
>
> Jim and Fabio,
>  
> I could  use your guidance and collaboration on this effort.
>  
> Perhaps we can have a quick call to formalize our approach and 
> potential topics. Ultimately it would be great to coordinate with the 
> Summit in Sweden in June
>  
> I would love to have all the CISO’s discuss emerging trends in the 
> AppSec space and then take questions from the attendees in Sweeden.
>  
> Just some thoughts.
>  
> Joe
>
> From: Jerry Kickenson [mailto:jerry.kickenson at verizon.net]
> Sent: Tuesday, January 26, 2010 10:47 AM
> To: Jim Routh
> Cc: Joe Bernik
> Subject: Re: OWASP Financial Services SIG
>  
> Jim,
>
> Your text look great.  
>
> However, there seems to be a potentially parallel effort going on in 
> the Global Industry committee.  I don't know if you get the GIC notes? 
>  There seems to be an initiative to create a CISO level group from the 
> financial industry, which Joe has indicated he would assist with.  The 
> notes I have on this follow.
>
> If Joe and others are putting together a CISO panel, should we perhaps 
> support that effort, and not put together another group?  Or would 
> another group (perhaps more technical, or a different level) add any 
> value?
>
> Let us know what you think.  Hopefully Joe can fill us in, as well. 
>  We can then close the circle with Tom and Colin Watson.
>
> You can reach me at this email (jerry.kickenson at verizon.net, or at jerry.kickenson at swift.com).
>
> Best regards,
> Jerry
>
> Message: 1
> Date: Sun, 24 Jan 2010 10:44:40 +0000
> From: Colin Watson <colin.watson at owasp.org>
> Subject: Re: [Global_industry_committee] Global Industry committee
>         meeting
> To: Joe Bernik <bernik at gmail.com>, Global_industry_committee
>         <Global_industry_committee at lists.owasp.org>
> Message-ID:
>         <b46e4cdd1001240244o327f63cdoedab2fd3959eb899 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>  
> Hi Joe
>  
> That sounds of interest.  Is it worth writing up some notes proposing
> its scope, objectives and the resources required?  It's often down to
> us as individuals to do the legwork.
>  
> Colin
>  
> 2010/1/19 Joe Bernik <bernik at gmail.com>:
>  
> > Gents,
> >
> > I listened to the recording of the committee call over the weekend.
> >
> > I would be happy to assist in coordinating a CISO panel if the 
> committee
> > would like.
> >
> > I believe I can get a handful of CISOs from the FS sector to attend.
> >
> > Joe
> >
> >
> >
>    
> ------------------------------
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>
>
> End of Global_industry_committee Digest, Vol 13, Issue 11
> *********************************************************
>  
>
>
>
>
>
> Jim Routh wrote:
>
> LinkedIn
>
> Jim Routh has sent you a message.
>
> Date: 1/25/2010
>
> Subject: RE: OWASP Financial Services SIG
>
> I sent this on December 3rd but it must have been bounced... Jerry,
>
> Here this is what I prepared. Feel free to cc Joe and me on your 
> message to Tom.
>
> PURPOSE:
>
> The purpose of the OWASP Financial Services Sub Group is to define and 
> rank requirements from the industry for OWASP to address and consider 
> as projects to support the maturation of software security practices 
> for the industry.
>
> APPROACH:
>
> The Financial Services SIG will reach out to selected leaders in 
> software security programs and facilitate a consensus based process 
> for defining requirements and priorities for potential OWASP project 
> work that will directly benefit financial service firms. The initial 
> deliverable from this SIG will be a list of potential project 
> requirements in rank order with descriptive information available for 
> each one.
>
> ASSUMPTION:
>
> OWASP has been a vital and essential part of the promotion of best 
> practices in software security and growing the awareness of the need 
> for mature software security practices among the development 
> community. This effort will produce a list of potential project 
> requirements that reflect the financial service industry's needs to 
> improve awareness and capabilities leveraged by software developers 
> through OWASP projects and engagement.
>
>
> Regards,
> Jim
>
> Please give me your email address.
>
> On 01/19/10 2:59 PM, Jerry. Kickenson wrote:
> --------------------
> Jim,
>
> Hope you had a great holiday.
>
> Do you think you'll have time to draft a mission/purpose statement for 
> the OWASP financial services SIG we can pass by Tom? I can probably 
> make some time over the next week or so if you are too busy.
>
> Let me know what you think.
>
> Best regards,
> Jerry
>
>
>
>  
> ******************************************************
> This document is strictly confidential and is intended for use by the 
> addressee unless otherwise indicated.
>
> This email has been scanned by an external email security system.
>
> Allied Irish Banks
>
> AIB and AIB Group are registered business names of Allied Irish Banks 
> p.l.c. Allied Irish Banks, p.l.c. is regulated by the Financial 
> Regulator.  Registered Office: Bankcentre, Ballsbridge, Dublin 4. Tel: 
> + 353 1 6600311; Registered in Ireland: Registered No. 24173
>
> Please consider the environment before printing this e-mail.
> ******************************************************
>
>
>
>
>
>
>
>
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>   

 