Most existing "security assessments of a bank's business" are really assessments of the business system, not of the business itself. Green Alliance Technology's 2014 Internet finance security report likewise noted that "defects in business design carry the highest risk". The Lvmeng technology blog and the Lvmeng technology journal are therefore jointly publishing a series of articles on mobile banking business security assessment. This article introduces a simple business security assessment method, using a real mobile banking assessment as the example. It covers sorting out the business process, two methods of business risk analysis, and a comparison of the two.
Business security in the narrow and broad sense
This article discusses only business security in the narrow sense.
First, the scope of business security. In the narrow sense, "business" refers only to the business itself: a series of operations and processes designed to achieve a business goal, which a user follows to reach that goal. Take the familiar business of "withdrawing cash from a bank"; different business scenarios involve different operations:
- The Shanxi draft banks (piaohao), the forerunners of the modern bank, used silver notes as vouchers for exchanging large sums of silver. The note holder presented the note at the draft bank's counter; the bank checked the note's authenticity, signature, secret marks and so on, and if everything was in order handed the holder the corresponding amount of silver.
- A passbook customer interacts with the teller at the bank counter and withdraws cash with the passbook and the withdrawal password.
- A bank card holder operates an ATM unaided and withdraws cash with the debit card and the withdrawal password.
In every scenario, withdrawing cash requires some object and some piece of information that together prove who you are and that you legitimately own the money; only then is the transaction completed. "Proving identity", "proving ownership" and "requesting and receiving cash" are the business function design, while the silver note, signature, secret marks, passbook, bank card, withdrawal password, bank teller, ATM and so on are the necessary conditions for implementing the business logic. Both are part of business security in the narrow sense.
Narrow business security and broad business security
For mobile banking, this article takes these business operations and processes, together with the necessary conditions for implementing the business logic (the application software), as the object of assessment. The underlying environment the mobile banking system runs on, including web servers, middleware and databases, hosts, networks and the physical machine room, certainly affects business security too, but that belongs to business security in the broad sense and is not discussed here.
At present, banks and security vendors concentrate on the security of the application software of mobile banking, as one form of Internet-based finance, rather than on whether its business functions and processes are soundly designed for security. To this day many banks still classify security design as "non-functional design". In fact, security functions should be part of the business, working closely with the business functions, if business security is to be effectively assured.
This article introduces a simple security assessment method for mobile banking business.
Sorting out the business process
First, decompose the business processes of the mobile banking application according to the business requirements specification, and list each step for analysis.
Note that the real business process often differs from the one in the original requirements specification. Most bank projects have short development cycles, code is written before many requirements have been fully discussed, and new functions are added during testing, so the implemented business diverges from the design document. For a system that is already live, the content of the design document should therefore be verified by actually operating the business, so that the process analysis table matches the real business process.
Business process example: mobile banking login
Each step of the mobile banking login is broken down into the user's operation, the input, the server-side processing and so on. The four login steps in the table above involve the following elements:
- Interacting parties: the mobile phone and the server, representing the user and the banking system respectively.
- Operations (processing): the user's input, selection, confirmation and other actions; the server processing the instructions the user sends and reading database records.
- Information flows: the transmission of information between the interacting parties, carrying information of varying sensitivity.
- Data storage: data saved on the phone and on the server, including user information, cookies, logs and so on.
Every element of the business process above faces threats and risks. The next step is to analyse and identify those risks so that corresponding security measures can be designed.
Business process risk analysis method I: the STRIDE method
STRIDE threat and business element correspondence table
Borrowing from the SDL theory of application development security, business behaviour faces the following threats:
- Spoofing: an attacker impersonates an interacting party, the mobile phone user or the server, and forges a business operation.
- Tampering: altering the content of an information flow, stored data, an operation instruction and so on.
- Repudiation: maliciously denying that an operation was performed, for example a user denying having made a transfer.
- Information disclosure: sensitive information such as user names, passwords, ID card numbers and bank card numbers leaking during information flow, data storage or processing.
- Denial of service (DoS): preventing a business function from working normally.
- Elevation of privilege (EoP): operating beyond one's authority in the business, for example illegitimately viewing another customer's transaction records.
These threats act on the four kinds of business element, forming a risk matrix. As with the application-security analysis in the SDL, risk analysis can be carried out element by element to identify the risks of each business process and each link within it.
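The matrix described above can be generated mechanically once the process has been decomposed; what remains is the analyst's judgement for each cell. The following is an added example, not code from the original article or from Lvmeng. The four-step login decomposition in it is constructed, and the threat-to-element mapping is an assumption taken from the usual SDL element table (external entity: S, R; process: S, T, R, I, D, E; data flow: T, I, D; data store: T, R, I, D) applied to the article's four business elements; the article's own correspondence table is not reproduced here.

```python
"""STRIDE-by-element risk matrix for a decomposed business process.

Added example; not code from the original article or from Lvmeng/NSFOCUS.
Assumptions: the four-step login decomposition below is constructed, and
the threat-to-element mapping follows the usual SDL table (external entity:
S, R; process: S, T, R, I, D, E; data flow: T, I, D; data store: T, R, I, D)
applied to the article's four business elements.
"""
from __future__ import annotations

from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed mapping: which STRIDE threats are considered for each element kind.
APPLICABLE = {
    "party": "SR",          # interacting party (phone user / bank server)
    "operation": "STRIDE",  # processing on either side
    "flow": "TID",          # information flow between the parties
    "store": "TRID",        # data stored on the phone or the server
}


@dataclass
class Step:
    no: int
    name: str
    parties: list[str]
    operations: list[str]
    flows: list[str]
    stores: list[str]

    def elements(self):
        """Yield (kind, name) for every business element in this step."""
        for kind, names in (("party", self.parties), ("operation", self.operations),
                            ("flow", self.flows), ("store", self.stores)):
            for name in names:
                yield kind, name


# Constructed decomposition of the login flow (the article's table is not reproduced here).
LOGIN = [
    Step(1, "User enters account number",
         ["phone user"], ["enter account number"], ["account number -> server"], []),
    Step(2, "Server returns captcha",
         ["server"], ["generate captcha"], ["captcha image -> phone"], ["captcha value (server)"]),
    Step(3, "User enters password and captcha",
         ["phone user"], ["enter password", "enter captcha"], ["password + captcha -> server"], []),
    Step(4, "Server verifies and opens session",
         ["server"], ["look up user record", "verify password"], ["session token -> phone"],
         ["user table", "login log", "session cookie (phone)"]),
]


def risk_matrix(steps: list[Step]) -> list[dict]:
    """One row per (step, element, applicable threat): the cells the analyst must fill."""
    rows = []
    for step in steps:
        for kind, name in step.elements():
            for code in APPLICABLE[kind]:
                threat = STRIDE[code]
                rows.append({
                    "step": step.no,
                    "element": f"{kind}: {name}",
                    "threat": threat,
                    "question": f"Step {step.no}: can an attacker achieve "
                                f"{threat.lower()} against '{name}'?",
                })
    return rows


def count_by_threat(rows: list[dict]) -> dict[str, int]:
    """How many cells each threat category contributes (a rough effort estimate)."""
    counts: dict[str, int] = {}
    for row in rows:
        counts[row["threat"]] = counts.get(row["threat"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = risk_matrix(LOGIN)
    print(f"{len(rows)} cells to analyse for a four-step login")
    for row in rows:
        print(f"[{row['step']}] {row['element']:<35} {row['threat']}")
```

Even this small constructed login flow yields 72 cells, each of which needs an analyst's answer and, where the answer is yes, a countermeasure; that is the cost the comparison later in the article refers to when it calls the STRIDE method thorough but time-consuming.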
Business process risk analysis method II: the known-risk checklist method
This method requires thorough preparation in advance:
- Collect and sort past business risk events, chiefly mobile banking attacks and disclosed vulnerabilities.
- Analyse these events, identify the business elements that were vulnerable in each attack, and describe them clearly. For example, in step two of the mobile banking login, our penetration tests found that many bank servers returned not only the captcha image but also the captcha text, embedded in the page file sent back to the mobile app so that the client could verify it locally. The app does not display the text, but anyone interested can read it straight out of the page file with a viewer tool and bypass the captcha mechanism. The "send captcha image" step is therefore prone to the problem "captcha text sent along with it", which makes password-guessing attacks easier.
- Consolidate these descriptions into a list of risk descriptions. Once the event sources are sufficient, every business process that has had problems is in the list, together with the ways each was attacked or threatened, and preparation is complete.
The decomposed processes of the mobile banking application under assessment can then be compared against the prepared list, the possible risks of each process identified directly, and the "possible risks" column filled in.
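The captcha entry in the checklist above is concrete enough to show in code. The following is an added example, not code from the original article or from any bank: it models login step two, "server sends the captcha image", first in the weak form the checklist describes (the page file carries the answer) and then in a hardened form. The response dictionaries stand in for the page file sent to the app, the captcha "image" is a constructed placeholder byte string rather than a rendered picture, and the CaptchaStore class with its 120-second lifetime and single-use rule is an illustrative server-side design, not a description of any real system.

```python
"""Login step 2, 'server sends the captcha image', in the weak form found in
the pentests described above and in a hardened form.

Added example; not code from the original article or from any bank.
Assumptions: the response dictionaries stand in for the page file sent to the
app, the captcha 'image' is a constructed placeholder byte string rather than
a rendered picture, and CaptchaStore with its 120-second lifetime is an
illustrative server-side design, not a description of any real system.
"""
from __future__ import annotations

import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I confusion


def new_captcha_text(length: int = 4) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_captcha_image(text: str) -> bytes:
    # Placeholder: a real server would rasterise the text into a PNG here.
    return b"PNG-placeholder-" + str(len(text)).encode()


# --- Weak design: the page file carries the answer so the client can check it locally.

def weak_captcha_response() -> dict:
    text = new_captcha_text()
    return {"captcha_image": render_captcha_image(text), "captcha_code": text}


def weak_verify(response: dict, user_input: str) -> bool:
    # Client-side check against a value the server already handed over.
    return user_input.upper() == response["captcha_code"]


def attacker_solves_weak_captcha(response: dict) -> str:
    # No OCR needed: read the answer straight out of the page file.
    return response["captcha_code"]


# --- Hardened design: the answer never leaves the server and is bound to an opaque id.

class CaptchaStore:
    TTL_SECONDS = 120  # assumed policy: a challenge is valid for two minutes

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, tuple[str, float]] = {}  # captcha_id -> (text, expires_at)

    def issue(self) -> dict:
        text = new_captcha_text()
        captcha_id = secrets.token_urlsafe(16)
        self._pending[captcha_id] = (text, self._clock() + self.TTL_SECONDS)
        # Only the image and an opaque id go to the phone.
        return {"captcha_id": captcha_id, "captcha_image": render_captcha_image(text)}

    def verify(self, captcha_id: str, user_input: str) -> bool:
        # Single use: the challenge is consumed whether the answer is right or wrong,
        # so each password guess costs the attacker a freshly solved captcha.
        entry = self._pending.pop(captcha_id, None)
        if entry is None:
            return False
        text, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(text.encode(), user_input.strip().upper().encode())


def guesses_per_captcha(weak: bool, attempts: int = 1000) -> int:
    """Password guesses an attacker gets out of one solved captcha.

    Weak design: every response leaks its own answer, so the captcha never
    blocks a guess. Hardened design: every guess consumes the challenge.
    """
    if weak:
        return attempts
    store = CaptchaStore()
    challenge = store.issue()
    text = store._pending[challenge["captcha_id"]][0]  # the attacker solved it once
    passed = 0
    for _ in range(attempts):
        if store.verify(challenge["captcha_id"], text):
            passed += 1
    return passed


if __name__ == "__main__":
    weak = weak_captcha_response()
    print("weak response keys:", sorted(weak))
    print("attacker passes weak captcha:", weak_verify(weak, attacker_solves_weak_captcha(weak)))
    print("hardened response keys:", sorted(CaptchaStore().issue()))
    print("guesses per solved captcha, weak vs hardened:",
          guesses_per_captcha(True), guesses_per_captcha(False))
```

The check a reviewer applies to the hardened version is the one the checklist entry implies: inspect the actual bytes the server sends in step two and confirm the answer is absent, and then confirm that a consumed or expired challenge is rejected, since a captcha that can be replayed does nothing against password guessing either.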
Comparison of the two analysis methods
Comparison of two business risk analysis methods
Both methods have advantages and disadvantages. Because the STRIDE method analyses each element of the decomposed business process separately, in theory it covers every risk the process faces, leaves nothing out, and finds business risks effectively. But the analysis is complex and time-consuming, and suits the traditional waterfall development model. Waterfall development is a typical predictive method: it strictly follows the planned sequence of requirements, analysis, design, coding and testing, and measures progress by the deliverables of each stage, such as requirements specifications, design documents, test plans and code reviews. A mobile banking application developed this way can take three or four months or longer, which clearly cannot keep up with the pace of Internet finance.
Today many mobile banking features go from decision to launch in only two months, usually under agile or iterative development. A full STRIDE analysis is not feasible in that time. With sufficient preparation in advance (a well-maintained list of known problems), however, the known-risk checklist method can quickly derive the corresponding risks and countermeasures from the business functions, and fits the rhythm of agile or iterative development much better.
A better approach combines the two: use the known-risk checklist for mature business functions and processes, and the STRIDE method for new ones. Since most mobile banking functions are much the same from bank to bank, in practice the known-risk method becomes the main method, with STRIDE analysis as the supplement.