Transaction Authorization Cheat Sheet
Guidelines for implementation of transaction authorization.
Update 23/12/2015 Version 2.0
Transaction authorization is implemented in modern financial systems to protect against unauthorized wire transfers resulting from attacks that use malware, phishing, password or session hijacking, CSRF, XSS, and similar techniques. Common methods include TAN lists, SMS codes, OTP tokens, CAP readers, and the like. Unfortunately, as with any piece of code, such protection can be implemented improperly, and as a result it may be possible to bypass this safeguard. The purpose of this cheat sheet is to provide guidelines on how to implement transaction authorization correctly so that it cannot be bypassed.
An updated PDF version will be available on the SecuRing web page.
See also our presentation from AppSec EU 2015 in Amsterdam: “Internet banking transaction authorization – possible vulnerabilities, security verification and best practices for implementation”.