Web 2.0 Threats and Risks for Financial Services
An anonymous reader writes "Companies are tuning into Web 2.0 but are simultaneously exposing their systems to next-generation threats such as Cross-Site Scripting, Cross-Site Request Forgery and application interconnection issues due to SOA. With regard to security, two dimensions are very critical for financial systems — identity and data privacy. Adopting the Web 2.0 framework may involve risks and threats against these two dimensions along with other security concerns. Ajax, Flash (RIA) and Web Services deployment are critical for Web 2.0 applications. Financial services are putting these technologies in place, most without adequate threat assessment exercises."
honestly... (Score:4, Insightful)
Keep it simple. For such ordinary tasks there don't have to be great interaction schemes or whatever comes to your mind. It just has to freaking work. And it's even more secure the simple way? Well, then don't tamper with it.
The real problem (Score:5, Insightful)
Web 2.0 not necessary for banks (Score:2, Insightful)
Why is this even being considered?
Re:honestly... (Score:3, Insightful)
Likewise the web presence. Whenever I see data change without a page load it creeps me out. It may be sexy looking, but for every piece of flashy 2.0 Ajax, there is a cost in terms of security.
Sad to say though, there are people out there who are so conditioned to the "new is better" mentality that applies to consumer goods, that they think the same applies to computer code. They view a flashy "new" site as being more secure, rather than less secure, because newer is better, right?
Re:honestly... (Score:3, Insightful)
Now could someone please explain to me what cross-site scripting is and why it is so hard to stamp it out?
please buy my security solution .. (Score:4, Insightful)
Re:The real problem (Score:5, Insightful)
The real problem with TFA becomes apparent at the start of the second page:
That sentence alone confirmed what I'd been beginning to suspect by the end of the first paragraph: TFA is a mishmash of ill-informed technobabble penned for the purpose of allowing underqualified CTOs to give the impression that they are fully buzzword-compliant.
Re:please buy my security solution .. (Score:5, Insightful)
I was there when a certain bank that had better remain anonymous (not because of being innocent, but because they've got more & better lawyers than me) jumped on the train for online business. All the managers saw how much work could be put onto the customers and how much we could save by not having people come in and actually talk to the teller or drop transfer orders in our boxes. They'd do it all themselves! And we can charge them for that! Good God, we need that! No matter the cost! Security? Aw heck, ignore that, who'd dare to attack a bank here (seriously, that was actually the attitude towards it)? And even so, what could go wrong? We've got https, we've got security certificates, our servers are kept tight by the best people money can buy...
The average annual damage from actual physical bank robberies is by now a tiny fraction of what online fraud causes. Especially since you catch about 90-95% of the guys who come to your bank with a gun, while 90-95% of those coming online slip past you.
And now everyone's all over security and everyone wants it secure, damn it, right now or else.... But you can't secure something that is inherently insecure. It was designed insecurely, it was created insecurely, it's run insecurely. Yes, the key attack point is the customer, not the bank, but all in all, the damage rests on the banks. Either they pay the damage, or they don't and word gets out, and everyone will stop using online banking. THAT damage, though, would be even higher!
So take my word for it, nobody will give a rat's rear about security until it's too late. Why should it be different this time?