Professional Documents
Culture Documents
Abstract
Security is the principal requirement for online financial applications.
Data privacy, customer trust, and long-term growth all depend
on how secure a financial application is. As these applications are
accessed from various devices and through numerous channels,
financial organizations strive hard to implement a foolproof
security system. In this white paper, we will discuss the core
security measures that can be considered while building financial
applications. We will start with core design concepts for financial
applications, move on to the different security techniques and best
practices, and finally, provide a basic security design for financial
applications. The financial applications referred in this white paper
include web applications, financial portals, and other finance
domain-related online applications.
Financial applications
Finance applications include applications applications face a host of threats such as the required information aggregation as
performing financial transactions such as identity theft, session hijacking, password well. They are integrated with core banking
online banking portals, online insurance hacking etc. which has long term impact systems or finance enterprise applications,
applications and such for which security is on revenue and user trust. to provide domain-specific features.
a prime concern. Most of the e-commerce Additionally, they also offer a wide range of
Online financial applications provide a
and retail applications invariably deal personalization and customization features
variety of features, such as dashboard
with payment transactions and hence that enable finance organizations to launch
views, reports, personalized customer
security would be an important feature of personalized campaigns and features for
pages, and for particular financial domains,
these applications as well. Online finance targeted segments.
Support,
Management Client
Information, Application Content
Presentation Widgets Widgets
Governance,
Common & Layer Server
Security Presentation Publishing
Content
Services Services
Users & Roles
REST
Authorization
Configuration
Caching
User Store
Database
Data File System Services Services 1 Services 2 Services 3
Sources
A typical, n-tier MVC architecture here. Presentation layer consists of financial be used for service mediation and to
for finance applications has various widgets, portlet, reports, and handle handle concerns such as routing, protocol
components, with MVC architecture other presentation concerns. Business transformation, validation etc. Business
providing separation of concerns for the layer processes business logic, rules and layer exposes various business services and
various layers. Service-oriented integration business processes. Typically a message integration layer integrates with necessary
is the de-facto standard for integration oriented middleware such as ESB would enterprise interfaces.
Password policy
Let us go with an encryption algorithm to encrypted value. Thus, it is easy to maintain What is the solution now?
encrypt and store the password. SHA, MD5 a lookup table of all possible combination
Salted Password Hashing
are some of the encryption algorithms of passwords. In some cases, if not most,
that generate an encrypted password of the user’s password will be one of a Salted password hashing algorithms– these
the user and store them in the database. dictionary word. Hackers can thus create a algorithms, such as the BCrypt Password
We all agree that it will never be possible lookup table for each dictionary word with Encoder, generate different encryption
to decrypt the encrypted password from a mapping encrypted password. If they values for the same password input. How
these secure encryption algorithms, but gain access to the encrypted password, is it possible? For every password, the
hackers will not try the obvious. Would they can easily crack the password using algorithm generates a random ‘salt’ that is
they? They would try to identify any this lookup table. inserted to the original password before
loopholes in these secure encryption it is encrypted. Thus, different encryption
Although this vulnerability can be limited
algorithms and exploit them instead. The values are generated for the same
to a certain extent, by introducing stronger
authentication mechanism should thus password input, and lookup tables can
password policies that restrict the use of
be foolproof against brute force attacks. If never be created for such algorithms. The
direct dictionary words. Hackers have gone
you wonder what brute force attack is, it salt is embedded along with the encrypted
a step further already– they have begun to
is a trial-and-error method used by hacker value, and only the algorithms themselves
suffix, prefix, or insert the possible special
application programs to decode encrypted can gain access to the salt, and validate the
characters, numeric values, as well as the
data such as passwords. supplied password. And these can never be
appropriate casing around it. They are thus
decrypted.
For the same password input, these able to create the lookup table regardless.
encryption algorithms generate the same
Request identification
Banking applications need to go that one- request is allowed, and another Request ID • Sophisticated attacks like CSRF (Cross
step extra – they should also authenticate is generated and sent to the portal client, Site Request Forgery) can also be
each request and authenticate the request which also stores the new unique identifier prevented using Request IDs
even after post-login. This will prevent any in server cache or persistence storage.
session hijack. Now how is this achieved? This process repeats for every request, • Once again, browser refresh is not
possible, and a user cannot resubmit
enhancing the security measures at each
Immediately after validating user the same request, as the valid unique
step.
credentials, a unique identifier (let us call identifier cannot be supplied to the
it a Request ID) can be generated and • Session hijacking is not possible as server for validating the request
mapped to the customer ID in the server every request needs to have the
cache or persistence storage. The same Request ID,which the server expects • Simultaneous sessions can be
prevented in the same way, as the new
value would be returned to the portal from the portal client
session cannot provide the Request
client, which would be appended to this
Request ID for the subsequent requests. • The refresh, back, and forward ID the server expects – thus, no new
navigation within the history is not session can be established. If security
The request filter would then validate
possible on browsers as the session is highly critical, both simultaneous
the Request ID sent by client, against the
is destroyed when a valid unique session can be destroyed, prompting
unique identifier stored in the server cache
identifier cannot be supplied to the users to authenticate themselves again
or persistence storage. If they match the
server for validating the request
Validate the
password against Generate Secure
Yes Random UUID. Store the UID in
Login the encoded server cache
bcryptpassword in (If exists, re-generate)
database
No
Deny Access
Append uuid as request param
Regenerate another
TRUE UUID and store in
Validation
the server cache.
Append uuid as request param
Authorization
Authorization implements fine-grained request to access the application is • Access privileges to internal resources
access control by providing role-based allowed only if the user has privileges within the application can be
access to resources (such as functions, maintained within the application
pages, and widgets). • Identity Governance Administration
database itself
can be used to govern the degree of
• Access manager acts as a centralized access each identity (user) has to each
control center to enforce all aspect / module of the application
authorization policies and rules
• The application can be integrated with
• Once the authorization policies are the access manager to check for user
defined in the access manager, the privileges
No
Access Manager
Generate SSO
Token and store in
browser cookie
Deny Access
Two-factor authentication is needed to calls the OTP server through an ESB that have already been setup by the
step up the primary authentication along service call .The OTP server then user. Once the security answers are
with a supplementary authentication for connects with the SMS gateway validated, the transaction is allowed to
financially critical operations. In some to send the generated OTP to the proceed.
cases, the regulatory body makes two- customer’s device. Once the customer
factor authentication mandatory for enters the OTP, it is validated again by • Hard tokens – When the transaction
is initiated, the application prompts
transactions such as fund transfers. the application through a service call
for a token number generated on
to the OTP server via the ESB. Once the
Two-factor authentication can be the hard token held by the user. The
OTP is authenticated, the transaction is
implemented with any fool-proof token is authenticated and then the
allowed to proceed.
mechanism, such as - user is allowed to proceed with the
Shailesh Kumar Shivakumar has over 14 years of industry experience. He currently works as a Senior Technology
Architect at Digital Practice in Infosys Technologies. His areas of expertise includeEnterprise Java technologies, portal
technologies, web technologies, and performance engineering. He has published two books related to enterprise
web architecture,enterprise portals, and UXP and has four patent applications. He has published several papers
and presented talks in IEEE conferences in the areas of web technologies and performance engineering. He has
successfully lead several large-scale enterprise engagements for Fortune 500 clients.
Babu Krishnamurthy
Infosys
Babu Krishnamurthy has over 11 years of industry experience. He currently works as a Technology Architect at
Digital Practice in Infosys Technologies. His domain expertise includesbanking, ecommerce, and networking.
His areas of expertise in technology include Enterprise Java technologies, portal technologies, eCommerce
technologies, and web technologies.
© 2018 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys
acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this
documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the
prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.