Web 2.0 Threats and Risks for Financial Services

An anonymous reader writes "Companies are tuning into Web 2.0 but are simultaneously exposing their systems to next generation threats such as Cross site Scripting, Cross Site Request Forgery and Application interconnection issues due to SOA. With regard to security, two dimensions are very critical for financial systems — Identity and Data privacy. Adopting the Web 2.0 framework may involve risks and threats against these two dimensions along with other security concerns. Ajax, Flash (RIA) and Web Services deployment is critical for Web 2.0 applications. Financial services are putting these technologies in place; most without adequate threat assessment exercises."

CSRF and XSS FAQ's

[mrkitty]

The Cross Site Request Forgery FAQ [cgisecurity.com]
The Cross Site Scripting FAQ [cgisecurity.com]

Re:The real problem

[dkf]

All this "Web 2.0" stuff adds one important attack vector, and that is scripts downloaded from a malicious website that manipulates the user's experience of the real site (e.g. to make extra transfers and yet hide the details of those from your view of the log). The proper solution to this is to only allow scripted control of a site (other than from scripts downloaded from the same site) if the controlled site specifically declares that it is OK for scripts from the other site to do so, a policy which would need to be enforced by everyone's browsers. (Yeah, I know. Good luck with getting IE to adopt a sensible default-deny policy on anything.) Of course, this measure completely stuffs most mashups, but is that such a bad thing? :-)

Re:honestly...

[mobby_6kl]

> Nothing makes me happier than an old atm with a limited feature set...You know it's not running windows in the background, you know it doesn't have code interpretation vulnerabilities...It's simple, clean, and elegant.

Depending on your exact meaning of "old", you might be very, very wrong. Many ATMs do, in fact, run Windows [google.com].