Your Bank's Digital Side Door
Conference: Defcon 26
2018-08-01
Summary
The speaker discusses the neglected security of OFX, a protocol used by banks for programmatic access to customer data, and calls for investment in its security and development.
- OFX is a protocol used by banks for programmatic access to customer data
- OFX security is often neglected and not invested in
- The speaker calls for investment in OFX security and development
- Financial institutions should care about a consumer-based API for OFX
Abstract
Why does my bank's website require my MFA token but Quicken sync does not? How is using Quicken or any personal financial software different from using my bank's website? How are they communicating with my bank? These questions ran through my head when balancing the family checkbook every month. Answering these questions led me to deeply explore the 20 year old Open Financial Exchange (OFX) protocol and the over 3000 North American banks that support it. They led me to the over 30 different implementations running in the wild and to a broad and inviting attack surface presented by these banks' digital side doors. Now I'd like to guide you through how your Quicken, QuickBooks, Mint.com, or even GnuCash applications are gathering your checking account transactions, credit card purchases, stock portfolio, and tax documents. We'll watch them flow over the wire and learn about the jumble of software your bank's IT department deploys to provide them. We'll discuss how secure these systems are, that keep track of your money, and we'll send a few simple packets at several banks and count the number of security WTFs along the way. Lastly, I'll demo and release a tool that fingerprints an OFX service, describes its capabilities, and assesses its security.
Materials:
Tags:
Post a comment
Related work
Conference: Defcon 31
Authors: Dan "AltF4" Petro Senior Security Engineer, Bishop Fox, David Vargas Senior Security Consultant, Bishop Fox
2023-08-01