A security evaluation method for mobile banking

Posted by tetley at 2020-02-26


Most existing "security assessments of a bank's business" are in fact security assessments of the business system, not of the business itself. The 2014 Lvmeng (Green Alliance) Technology Internet Finance Security Report also notes that "business design defects carry the highest risk". The Lvmeng Technology blog, together with the Lvmeng Technology journal, is therefore launching a series of articles on mobile banking business security assessment. This article introduces a simple business security assessment method, using a real mobile banking assessment as the example. It covers sorting out the business process, two business risk analysis methods, and a comparison of the two.

Business security in the narrow and broad sense

This article discusses only business security in the narrow sense.

First, the scope of business security needs to be defined. In the narrow sense, "business" refers only to the business itself: the series of operations and processes designed to achieve a business goal. By following the process and performing these operations, a user reaches that goal. Take the familiar business of "withdrawing cash from a bank"; different business scenarios involve different business operations:

The goal is the same, withdrawing cash, but whatever the scenario, the customer must rely on some object and some piece of information to prove their identity and to prove that they legally own the money before the transaction can be completed. "Proving identity", "proving ownership" and "requesting and receiving the cash" are the business function design, while banknotes, signatures, secret codes, passbooks, bank cards, withdrawal passwords, bank tellers, ATMs and so on are the necessary conditions for implementing the business logic, and are part of business security in the narrow sense.

Narrow business security and broad business security

For mobile banking, this article takes these business operations and processes, together with the necessary conditions for implementing the business logic (the application software), as the evaluation object. The basic environment needed to run the mobile banking system, including web servers, middleware and databases, hosts, networks and the physical machine room, also affects the security of the mobile banking business, but it belongs to business security in the broad sense and is not discussed here.

At present, banks and security vendors focus on the security of the application software behind mobile banking, an Internet-based financial business, rather than on whether the business functions and processes are securely designed. To this day, many banks still classify security design as "non-functional design". In fact, security functions should be part of the business and work closely with the business functions; only then can business security be effectively guaranteed.

The rest of this article introduces a simple security evaluation method for mobile banking.

Sorting out the business process

First, decompose the mobile banking business processes according to the business requirements specification and sort each step into a list for analysis.

Note that the real mobile banking business process may differ from the one in the original business requirements specification. Most bank projects have short development cycles, so many requirements are coded before they have been fully discussed, or new functions are added during testing, and the implemented business then diverges from the design specification. For a system that is already online, the content of the design document should therefore be verified by operating the business, so that the process analysis form matches the actual business process.

Business process example: mobile banking login

Each step of the mobile banking login is broken down to describe the user operation, the input, the server-side processing, and so on. In the table above, the four steps of the mobile banking login contain the following elements:

Every element in the business process above is exposed to threats and risks. The next step is risk analysis and identification, from which the corresponding security protection measures can be designed.

Business process risk analysis method 1: STRIDE analysis

STRIDE threat and business element correspondence table

Borrowing from the SDL approach to application development security, business behaviour faces the same six STRIDE threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.

These threats act on the four types of business elements, forming a risk matrix. In the same way that SDL analyses application development security, we can analyse the risks of each business element and so identify the risks of every business process and every link in it.

Business process risk analysis method 2: known risk comparison

This method requires thorough preparation in advance, including:

The decomposed mobile banking business processes are then compared against the prepared list, so that the possible risks of each business process can be identified directly and entered in the "possible risks" column.

Comparison of the two analysis methods

Comparison of the two business risk analysis methods

Both methods have advantages and disadvantages. Because the STRIDE method analyses each element of the decomposed business process separately, it theoretically covers every risk the process faces; nothing is omitted, and it finds business risks effectively. However, the analysis is complex and time-consuming, which suits the traditional waterfall development model. Waterfall development is a typical predictive method: it strictly follows the planned sequence of requirements, analysis, design, coding and testing, and measures progress by the deliverables of each stage, such as requirements specifications, design documents, test plans and code reviews. A mobile banking application developed in this way may take three or four months or even longer, which clearly can no longer keep up with the pace of Internet finance.

Today, many mobile banking businesses go from decision to launch in only two months and usually use agile or iterative development. A full STRIDE analysis is not feasible under these conditions. With sufficient preparation, however (a complete list of known problems), the known risk comparison method can quickly derive the corresponding risks and countermeasures from the business functions, and fits the rhythm of agile or iterative development much better.

A better approach is to combine the two: use the known risk comparison method for mature business functions and processes, and the STRIDE method for new ones. Since most mobile banking business functions are the same across banks, in practice the known risk method becomes the main method and STRIDE analysis the supplement.
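The combination described above, as an added example that is not from the original article or its authors: a decomposed login process is run through a prepared known-risk list first, and any element the list does not cover falls back to the full STRIDE cross-product, so the fast method leads without leaving gaps. The step names, element values and checklist entries are constructed samples, not the table from the article.

```python
"""Added example: combining the two business-risk analysis methods on a
decomposed process. Step names, elements and checklist entries are constructed
samples, not the table from the original article."""
from itertools import product

# The six STRIDE threat categories applied to each business element.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Prepared known-risk list: (element type, element) -> risks seen in past assessments.
KNOWN_RISKS = {
    ("input", "password"): ["weak password policy", "brute force", "plaintext transport"],
    ("input", "SMS code"): ["code interception", "unlimited retries", "code reuse"],
    ("processing", "session issue"): ["predictable session token", "no device binding"],
}

# Constructed four-step login process: (step name, {element type: element}).
LOGIN = [
    ("1 enter account", {"operation": "enter account number", "input": "account number"}),
    ("2 enter password", {"input": "password", "processing": "password check"}),
    ("3 enter SMS code", {"input": "SMS code", "processing": "OTP check"}),
    ("4 open session", {"processing": "session issue", "output": "session token"}),
]

def stride_matrix(step):
    """Method 1: every element crossed with every threat; exhaustive but slow."""
    name, elements = step
    return [(name, etype, elem, threat)
            for (etype, elem), threat in product(elements.items(), STRIDE)]

def known_risk_lookup(step):
    """Method 2: fill the 'possible risks' column from the prepared list.
    Returns the filled rows and the elements the list does not cover."""
    name, elements = step
    filled, uncovered = [], []
    for etype, elem in elements.items():
        if (etype, elem) in KNOWN_RISKS:
            filled.append((name, etype, elem, KNOWN_RISKS[(etype, elem)]))
        else:
            uncovered.append((etype, elem))
    return filled, uncovered

def combined_analysis(steps):
    """Known-risk rows for mature elements, full STRIDE rows for the rest,
    so the fast method leads and nothing goes unanalysed."""
    rows = []
    for step in steps:
        filled, uncovered = known_risk_lookup(step)
        rows.extend(filled)
        for etype, elem in uncovered:
            rows.extend((step[0], etype, elem, threat) for threat in STRIDE)
    return rows
```

On the constructed login, the full STRIDE matrix has 48 rows (8 elements times 6 threats) while the combined analysis needs 33, three of them filled straight from the checklist.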