[Global_industry_committee] SIG:An Assessment of the 24 Top Financial Institutions

Eoin eoin.keary at owasp.org
Tue Feb 16 15:34:24 EST 2010


The ATM PIN usage over online apps is not so common in Europe.
I am involved in an e-crime working group for a global bank and such a
solution would be at the lower scale of things in the European space.
In terms of retail banking it's still 2 factor but moving to token based. The
most common business banking solution in Europe is token and OTP (one time
password).

ek



On 11 February 2010 16:43, Marco M. Morana <marco.m.morana at gmail.com> wrote:

>  List
>
>
>
> Wanted to share the reference to this study, U.S. Online Channel Security:
> An Assessment of the 24 Top Financial Institutions, that was shared with me
> today. A sample report can be downloaded here:
> http://www.javelinstrategy.com/brochure-162
>
>
>
> The study has interesting data on how banks deal with authentication and
> customer validation for on-line banking applications, as well as
> transactions such as registration and password/username change and reset.
>
>
>
> Interesting to notice that most US banks still use ATM PINs (52% of all banks
> in the survey) to validate customers, such as during registration of an
> online account, and as a form of validation of customer secrets in other
> transactions.
>
>
>
> We (OWASP) probably need to educate FIs (Financial Institutions) on the
> concept of reducing attack surface, such as limiting the use of authentication
> credentials to the channel they are designed for (e.g. an ATM PIN should only
> be used over the ATM channel), as well as other things such as not using PII
> such as SSN as an element of authentication.
>
>
>
> In my opinion this is an architecture legacy problem and the tip of the
> iceberg of how on-line financial applications have been developed in the
> past, as a form of front end on top of legacy systems such as mainframes that
> still use their own form of authentication.
>
>
>
> Some of these systems require ATM PINs to validate the customers in on-line
> transactions instead of relying on trusted authentication among servers,
> federation and mutual authentication. Also, not requiring authentication
> credentials such as PINs to be passed over other channels means they need not
> be stored and encrypted there, which should be avoided at all costs.
>
>
>
> Fabio
>
>
>
> Maybe we can put the feedback to this study as part of the agenda of one of
> the next SIG WG? Just a suggestion
>
>
>
> Thanks
>
>
>
> Marco M.
>
>
>
>
>
> From: global_industry_committee-bounces at lists.owasp.org On Behalf Of
> fabio.e.cerullo at aib.ie
> Sent: Tuesday, February 09, 2010 12:31 PM
> To: Jerry Kickenson
> Cc: eoinkeary at gmail.com; Jim Routh; Global_industry_committee;
> dave.wichers at owasp.org; jeff.williams at owasp.org
> Subject: Re: [Global_industry_committee] OWASP Financial Services SIG
>
>
>
>
> Jerry,
>
> I will organize a conf call for this friday... could you please get me the
> email addresses for the people below?
>
> thanks!
>
> Fabio Cerullo
> Divisional Information Security
> Bankcentre D1,
> Ballsbridge,
> Dublin 4,
> Ireland.
>
> Tel: +353 1 772 6309
> Email: fabio.e.cerullo at aib.ie
>
>
>    *Jerry Kickenson <jerry.kickenson at verizon.net>*
>
> 09/02/2010 17:13
>
>
>         To:        fabio.e.cerullo at aib.ie
>         cc:        Eoin <eoin.keary at owasp.org>, Joe Bernik <
> bernik at gmail.com>, eoinkeary at gmail.com, Global_industry_committee <
> Global_industry_committee at lists.owasp.org>, Jim Routh <routh3742 at gmail.com>,
> dave.wichers at owasp.org, tomb at owasp.org, jeff.williams at owasp.org
>         Subject:        Re: OWASP Financial Services SIG
>
>
>
>
>
> Fabio,
>
> A couple of questions:
>
> 1.   Shall I approach my CISO (SWIFT) about participating?  More
> generally, how do you want to coordinate who is asked to participate?
>
> 2.   There are several folks on LinkedIn, members of the OWASP group,
> who have expressed interest in getting involved.  How, if at all, would
> we want to get them involved?  They are:
>
>    James McGovern, Enterprise Architect, The Hartford
>    Gaurav Chaturvedi, System Admin, Directi
>    Don Turnblade, Security Architect, Terra Verde Services
>    Mike Lemire, Head of Information Security, RiskMetrics Group
>    Rommel Garcia, Sr. Software Engineer, Internap
>    Mike Morris, Lead Technical Architect, USAA
>    David Zendzian, Sr. Security Engineer, Digital Resources Group
>
>
>
> Best regards,
> Jerry
>
> fabio.e.cerullo at aib.ie wrote:
> >
> > hi guys,
> >
> > yesterday we met with Joe Bernik to start the discussion about this
> > OWASP Financial Services SIG.
> >
> > unfortunately I forgot to send a reminder to everyone and Joe was the
> > only one to remember my previous mail :-P
> >
> > here I'm sending you the outcome from the meeting... the idea is to
> > organize maybe a bi-weekly conf call to progress some of the items below:
> >
> > - Gather a tentative list of security professionals at CISO/Management
> > level that would like to be part of a discussion panel during AppSec
> > EU/US 2010.
> > - Define a topic... an idea might be "What should financial
> > institutions do around application security?"
> > - Define a set of questions to ask these participants in order to kick
> > off the discussion.
> > - Discuss the challenges about using open source/free
> > applications/tools in financial environments... actually this could be
> > another topic.
> > - Discuss the topics that are on top of the agenda for CISO/Security
> > Managers (eg. cybercrime, targeted attacks, app security)
> > - Show examples on how OWASP can help financial institutions to
> > increase the security of web applications.
> >
> > any questions/ideas are more than welcome.
> >
> > thank you,
> >
> > Fabio Cerullo
> > Divisional Information Security
> > Bankcentre D1,
> > Ballsbridge,
> > Dublin 4,
> > Ireland.
> >
> > Tel: +353 1 772 6309
> > Email: fabio.e.cerullo at aib.ie
> >
> >
> >
> >
> >                  *Eoin <eoin.keary at owasp.org>*
> > Sent by: eoinkeary at gmail.com
> >
> > 27/01/2010 15:22
> >
> >
> >         To:        fabio.e.cerullo at aib.ie
> >         cc:        Joe Bernik <bernik at gmail.com>, Jerry Kickenson
> > <jerry.kickenson at verizon.net>, Jim Routh <routh3742 at gmail.com>,
> > Global_industry_committee <Global_industry_committee at lists.owasp.org>
> >         Subject:        Re: [Global_industry_committee] OWASP
> > Financial Services SIG
> >
> >
> >
> >
> >
> > I'd like to attend if this ok?
> >
> > 2010/1/27 <fabio.e.cerullo at aib.ie>
> >
> > I could make it 8AM EST which is 1PM GMT.... anyone else would like to
> > join? thanks!
> >
> > Fabio Cerullo
> > Divisional Information Security
> > Bankcentre D1,
> > Ballsbridge,
> > Dublin 4,
> > Ireland.
> >
> > Tel: +353 1 772 6309
> > Email: fabio.e.cerullo at aib.ie
> >
> >
> >
> >                  Joe Bernik <bernik at gmail.com>
> >
> > 27/01/2010 14:06
> >
> >
> >         To:        fabio.e.cerullo at aib.ie
> >         cc:        Global_industry_committee
> > <Global_industry_committee at lists.owasp.org>, Jerry Kickenson
> > <jerry.kickenson at verizon.net>, Jim Routh <routh3742 at gmail.com>
> >         Subject:        Re: OWASP Financial Services SIG
>
> >
> >
> >
> >
> >
> > Fabio,
> >
> > Sounds good, I am available next February 4th from 8-10 am EST.
> >
> > Joe
> >
> >
> >
> >
> > On Wed, Jan 27, 2010 at 4:43 AM, <fabio.e.cerullo at aib.ie> wrote:
> >
> > This is great! I'd really like to see this working... so let's have a
> > meeting (probably next week)?
> >
> > I'm in GMT zone so please let me know your location and I will
> > coordinate the conf call bridge.
> >
> > thanks!
> >
> > Fabio Cerullo
> > Divisional Information Security
> > Bankcentre D1,
> > Ballsbridge,
> > Dublin 4,
> > Ireland.
> >
> > Tel: +353 1 772 6309
> > Email: fabio.e.cerullo at aib.ie
> >
> >
> >                  "Joe Bernik" <bernik at gmail.com>
> >
> > 27/01/2010 01:21
> >
> >
> >         To:        "'Jerry Kickenson'" <jerry.kickenson at verizon.net>,
> > "'Jim Routh'" <routh3742 at gmail.com>, <fabio.e.cerullo at aib.ie>
> >         cc:        "Global_industry_committee"
> > <Global_industry_committee at lists.owasp.org>
> >         Subject:        RE: OWASP Financial Services SIG
>
> >
> >
> >
> >
> >
> >
> > Jim and Fabio,
> >
> > I could use your guidance and collaboration on this effort.
> >
> > Perhaps we can have a quick call to formalize our approach and
> > potential topics. Ultimately it would be great to coordinate with the
> > Summit in Sweden in June.
> >
> > I would love to have all the CISOs discuss emerging trends in the
> > AppSec space and then take questions from the attendees in Sweden.
> >
> > Just some thoughts.
> >
> > Joe
> >
> > From: Jerry Kickenson <jerry.kickenson at verizon.net>
> > Sent: Tuesday, January 26, 2010 10:47 AM
> > To: Jim Routh
> > Cc: Joe Bernik
> > Subject: Re: OWASP Financial Services SIG
> >
> > Jim,
> >
> > Your text looks great.
> >
> > However, there seems to be a potentially parallel effort going on in
> > the Global Industry committee.  I don't know if you get the GIC notes?
> >  There seems to be an initiative to create a CISO level group from the
> > financial industry, which Joe has indicated he would assist with.  The
> > notes I have on this follow.
> >
> > If Joe and others are putting together a CISO panel, should we perhaps
> > support that effort, and not put together another group?  Or would
> > another group (perhaps more technical, or a different level) add any
> > value?
> >
> > Let us know what you think.  Hopefully Joe can fill us in, as well.
> >  We can then close the circle with Tom and Colin Watson.
> >
> > You can reach me at this email (jerry.kickenson at verizon.net), or at
> > jerry.kickenson at swift.com.
> >
> > Best regards,
> > Jerry
> >
> > Message: 1
> > Date: Sun, 24 Jan 2010 10:44:40 +0000
> > From: Colin Watson <colin.watson at owasp.org>
> > Subject: Re: [Global_industry_committee] Global Industry committee
> >         meeting
> > To: Joe Bernik <bernik at gmail.com>, Global_industry_committee
> >         <Global_industry_committee at lists.owasp.org>
> > Message-ID: <b46e4cdd1001240244o327f63cdoedab2fd3959eb899 at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Hi Joe
> >
> > That sounds of interest.  Is it worth writing up some notes proposing
> > its scope, objectives and the resources required?  It's often down to
> > us as individuals to do the legwork.
> >
> > Colin
> >
> > 2010/1/19 Joe Bernik <bernik at gmail.com>:
> >
> > > Gents,
> > >
> > > I listened to the recording of the committee call over the weekend.
> > >
> > > I would be happy to assist in coordinating a CISO panel if the
> > committee
> > > would like.
> > >
> > > I believe I can get a handful of CISOs from the FS sector to attend.
> > >
> > > Joe
> > >
> > >
> > >
> >
> > ------------------------------
> > _______________________________________________
> > Global_industry_committee mailing list
> > Global_industry_committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global_industry_committee
> >
> >
> > End of Global_industry_committee Digest, Vol 13, Issue 11
> > *********************************************************
> >
> >
> >
> >
> >
> >
> > Jim Routh wrote:
> >
> > *LinkedIn*
> >
> > *Jim Routh* has sent you a message.
> >
> > *Date:* 1/25/2010
> >
> > *Subject:* RE: OWASP Financial Services SIG
> >
> > I sent this on December 3rd but it must have been bounced...Jerry,
> >
> > Here this is what I prepared. Feel free to cc Joe and me on your
> > message to Tom.
> >
> > PURPOSE:
> >
> > The purpose of the OWASP Financial Services Sub Group is to define and
> > rank requirements from the industry for OWASP to address and consider
> > as projects to support the maturation of software security practices
> > for the industry.
> >
> > APPROACH:
> >
> > The Financial Services SIG will reach out to selected leaders in
> > software security programs and facilitate a consensus based process
> > for defining requirements and priorities for potential OWASP project
> > work that will directly benefit financial service firms. The initial
> > deliverable from this SIG will be a list of potential project
> > requirements in rank order with descriptive information available for
> > each one.
> >
> > ASSUMPTION:
> >
> > OWASP has been a vital and essential part of the promotion of best
> > practices in software security and growing the awareness of the need
> > for mature software security practices among the development
> > community. This effort will produce a list of potential project
> > requirements that reflect the financial service industry's needs to
> > improve awareness and capabilities leveraged by software developers
> > through OWASP projects and engagement.
> >
> >
> > Regards,
> > Jim
> >
> > Please give me your email address.
> >
> > On 01/19/10 2:59 PM, Jerry. Kickenson wrote:
> > --------------------
> > Jim,
> >
> > Hope you had a great holiday.
> >
> > Do you think you'll have time to draft a mission/purpose statement for
> > the OWASP financial services SIG we can pass by Tom? I can probably
> > make some time over the next week or so if you are too busy.
> >
> > Let me know what you think.
> >
> > Best regards,
> > Jerry
> >
> >
> >
> >
> > ******************************************************
> > This document is strictly confidential and is intended for use by the
> > addressee unless otherwise indicated.
> >
> > This email has been scanned by an external email security system.
> >
> > Allied Irish Banks
> >
> > AIB and AIB Group are registered business names of Allied Irish Banks
> > p.l.c. Allied Irish Banks, p.l.c. is regulated by the Financial
> > Regulator.  Registered Office: Bankcentre, Ballsbridge, Dublin 4. Tel:
> > + 353 1 6600311; Registered in Ireland: Registered No. 24173
> >
> > Please consider the environment before printing this e-mail.
> > ******************************************************
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Eoin Keary
> > OWASP Global Board Member
> > OWASP Code Review Guide Lead Author
> >
> > http://asg.ie/
> > https://twitter.com/EoinKeary
> >
> >
>
>
>
>
>
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary

