Your Bank's Digital Side Door

Conference:  Defcon 26



The speaker discusses the neglected security of OFX, the protocol banks expose for programmatic access to customer data, and calls for investment in its security and development.
  • OFX was published in 1997 as an open specification for programmatic access to customer account data
  • Its security is rarely invested in, even though it is the only standard API for accessing bank data
  • Financial institutions should care about a consumer-facing OFX API
  • The speaker calls for investment in OFX security and development
The speaker highlights the neglect by pointing out that the protocol was created in 1997 as an open spec for programmatic access to customer data but has since been forgotten and left without investment. Since there is no other standard API for accessing bank data, investing in OFX security and development is the path to a hopeful future of apps that help with personal finances.


Why does my bank's website require my MFA token but Quicken sync does not? How is using Quicken or any personal financial software different from using my bank's website? How are they communicating with my bank? These questions ran through my head when balancing the family checkbook every month. Answering these questions led me to deeply explore the 20-year-old Open Financial Exchange (OFX) protocol and the over 3,000 North American banks that support it. They led me to the over 30 different implementations running in the wild and to a broad and inviting attack surface presented by these banks' digital side doors. Now I'd like to guide you through how your Quicken, QuickBooks, Mint.com, or even GnuCash applications are gathering your checking account transactions, credit card purchases, stock portfolio, and tax documents. We'll watch them flow over the wire and learn about the jumble of software your bank's IT department deploys to provide them. We'll discuss how secure these systems that keep track of your money are, and we'll send a few simple packets at several banks and count the number of security WTFs along the way. Lastly, I'll demo and release a tool that fingerprints an OFX service, describes its capabilities, and assesses its security.
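As an added example that is not part of the talk or the speaker's tool, the Python script below shows the first exchange any OFX client makes: an anonymous profile request (OFX 1.x PROFRQ, which needs no customer credentials), a parser for the SGML-style OFX 1.x response (leaf tags carry a value and no close tag), and a fingerprint of what the response advertises. The bank name, FID, URLs and the response itself are constructed, not captured, and the weak-setting checks are this example's own, not the speaker's list of WTFs.

```python
"""Added example (not the speaker's tool): build the OFX 1.x anonymous profile
request, parse the SGML-style reply and report what the endpoint advertises.
The bank, URLs and the sample response below are constructed, not captured."""
import re
from datetime import datetime, timezone

# OFX 1.x anonymous signon for profile requests: "anonymous" zero-padded to 32 chars.
ANON_USER = "anonymous" + "0" * 23
OFX_HEADER = "\r\n".join(["OFXHEADER:100", "DATA:OFXSGML", "VERSION:102",
    "SECURITY:NONE", "ENCODING:USASCII", "CHARSET:1252", "COMPRESSION:NONE",
    "OLDFILEUID:NONE", "NEWFILEUID:NONE", "", ""])
TOKEN = re.compile(r"<(/?)([A-Z0-9.]+)>([^<]*)")


def build_profile_request(org, fid, trnuid="1001", appid="QWIN", appver="2700"):
    """SONRQ with the anonymous credentials plus a PROFRQ. DTPROFUP at the epoch
    asks for the full profile; APPID/APPVER are whatever client you want to look
    like (the defaults mimic a Quicken for Windows build)."""
    dt = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    return OFX_HEADER + (
        "<OFX><SIGNONMSGSRQV1><SONRQ>"
        f"<DTCLIENT>{dt}<USERID>{ANON_USER}<USERPASS>{ANON_USER}<LANGUAGE>ENG"
        f"<FI><ORG>{org}<FID>{fid}</FI><APPID>{appid}<APPVER>{appver}"
        "</SONRQ></SIGNONMSGSRQV1><PROFMSGSRQV1><PROFTRNRQ>"
        f"<TRNUID>{trnuid}<PROFRQ><CLIENTROUTING>NONE<DTPROFUP>19700101000000"
        "</PROFRQ></PROFTRNRQ></PROFMSGSRQV1></OFX>")


def parse_ofx_sgml(text):
    """OFX 1.x body -> nested dicts. Leaf elements carry a value and no close tag
    (<CODE>0); aggregates have no value and a close tag; repeats become lists."""
    root = {}
    stack = [root]
    for closing, name, value in TOKEN.findall(text[max(text.find("<OFX>"), 0):]):
        value = value.strip()
        if closing:
            if len(stack) > 1:            # ignore a stray close tag at the root
                stack.pop()
        elif value:                       # leaf element
            stack[-1][name] = value
        else:                             # aggregate: open a new level
            parent, child = stack[-1], {}
            if name in parent:            # repeated aggregate -> list
                parent[name] = _as_list(parent[name]) + [child]
            else:
                parent[name] = child
            stack.append(child)
    return root


def _as_list(x):
    return x if isinstance(x, list) else [x]


def fingerprint(response_text):
    """Summarise what a profile response advertises and flag weak settings. The
    checks are this example's own, not the talk's list of findings."""
    header = dict(l.split(":", 1) for l in
                  response_text.split("<OFX>", 1)[0].splitlines() if ":" in l)
    prs = parse_ofx_sgml(response_text)["OFX"]["PROFMSGSRSV1"]["PROFTRNRS"]["PROFRS"]
    rep = {"version": header.get("VERSION"), "fi_name": prs.get("FINAME"),
           "msgsets": {}, "signon": {}, "findings": []}
    for setname, body in prs["MSGSETLIST"].items():
        for ver in _as_list(body):        # e.g. {"BANKMSGSETV1": {"MSGSETCORE": ...}}
            core = next(v["MSGSETCORE"] for v in ver.values()
                        if isinstance(v, dict) and "MSGSETCORE" in v)
            url, transp = core.get("URL", ""), core.get("TRANSPSEC")
            rep["msgsets"][setname] = {"url": url, "ofxsec": core.get("OFXSEC"),
                                       "transpsec": transp}
            if url.lower().startswith("http://"):
                rep["findings"].append(f"{setname}: plaintext endpoint {url}")
            if transp != "Y":
                rep["findings"].append(f"{setname}: TRANSPSEC={transp}, transport security not required")
    for info in _as_list(prs["SIGNONINFOLIST"]["SIGNONINFO"]):
        realm = info.get("SIGNONREALM", "?")
        rep["signon"][realm] = {k: info.get(k) for k in
                                ("MIN", "MAX", "CHARTYPE", "CASESEN", "MFACHALLENGESUPT")}
        if info.get("MFACHALLENGESUPT", "N") != "Y":
            rep["findings"].append(f"realm {realm}: no MFA challenge support advertised")
        if int(info.get("MAX", "0")) < 8:
            rep["findings"].append(f"realm {realm}: maximum password length {info.get('MAX')}")
        if info.get("CASESEN") == "N":
            rep["findings"].append(f"realm {realm}: passwords not case-sensitive")
    return rep


# Constructed profile response for a fictitious bank (not a capture).
SAMPLE_RESPONSE = OFX_HEADER + """<OFX><SIGNONMSGSRSV1><SONRS><STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20180810120000<LANGUAGE>ENG<FI><ORG>Example Bank<FID>9999</FI></SONRS></SIGNONMSGSRSV1>
<PROFMSGSRSV1><PROFTRNRS><TRNUID>1001<STATUS><CODE>0<SEVERITY>INFO</STATUS><PROFRS><MSGSETLIST>
<SIGNONMSGSET><SIGNONMSGSETV1><MSGSETCORE><VER>1<URL>https://ofx.example.test/ofx
<OFXSEC>NONE<TRANSPSEC>Y<SIGNONREALM>DEFAULT<LANGUAGE>ENG<SYNCMODE>FULL<RESPFILEER>N
</MSGSETCORE></SIGNONMSGSETV1></SIGNONMSGSET>
<BANKMSGSET><BANKMSGSETV1><MSGSETCORE><VER>1<URL>http://ofx.example.test/ofx
<OFXSEC>NONE<TRANSPSEC>N<SIGNONREALM>DEFAULT<LANGUAGE>ENG<SYNCMODE>FULL<RESPFILEER>N
</MSGSETCORE><CLOSINGAVAIL>Y</BANKMSGSETV1></BANKMSGSET></MSGSETLIST>
<SIGNONINFOLIST><SIGNONINFO><SIGNONREALM>DEFAULT<MIN>4<MAX>12<CHARTYPE>ALPHAORNUMERIC
<CASESEN>N<SPECIAL>N<SPACES>N<PINCH>N<CHGPINFIRST>N<MFACHALLENGESUPT>N</SIGNONINFO>
</SIGNONINFOLIST><DTPROFUP>20180101000000<FINAME>Example Bank
</PROFRS></PROFTRNRS></PROFMSGSRSV1></OFX>
"""
```

Desktop clients send the request as an HTTP POST with Content-Type application/x-ofx to the institution's OFX URL, and the profile response is exactly the kind of self-description a fingerprinting tool mines: the advertised message sets and their URLs, OFXSEC and TRANSPSEC values, and the signon realm's password policy and MFA flags. The parser has one inherent ambiguity, since OFX 1.x gives no way to tell an empty leaf from an aggregate open; it treats any tag with no value before the next tag as an aggregate, which matches the spec's rule that leaf elements always carry a value.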


