Data Threat

by msecadm4921

According to Corsaire (www.corsaire.com), an IT consultancy, computer ‘hackers’ will go to extraordinary lengths to compromise a financial application. The spoils are just too tempting.

As a result, these applications should have higher requirements for data confidentiality, transaction integrity, and service availability than many other applications, the company claims in a new report.

However, despite calls for added diligence in this area, many of the numeric calculations conducted within modern financial applications are still handled inappropriately. Some computer programmers are simply unaware of the intrinsic programmatic risks associated with numerical processing, whilst others are focused on more easily identifiable issues associated with IT applications in general.

The routine discovery of such flaws by Corsaire’s consultants suggests that there is still a lack of awareness of these issues, and that they remain misunderstood and overlooked both from development and security assessment perspectives. Unfortunately, serious brand damage, loss of client and corporate data, fraudulent transactions, and loss of revenue are just some of the direct local impacts associated with a security breach of a financial application.

What they say

"Accurately processing numeric data is of paramount importance to organisations that depend on the accurate management of financial data," says Martin O’Neal, Managing Director at Corsaire. "Financial applications must be designed and implemented with accuracy and correctness in mind in order to avoid direct financial loss, and also to comply with relevant regulatory requirements. Without a doubt, a compromise of the integrity of financial data can have severe repercussions."

Fines and sanctions

Aside from the direct impact from deliberate fraud, organisations can also find themselves subject to fines and sanctions issued by bodies such as the UK’s Financial Services Authority (FSA), the Gambling Commission, or the Australian Prudential Regulation Authority (APRA), as well as the threat of potential prison sentences associated with breaches of Sarbanes-Oxley.

Although banking, trading, e-commerce and electronic gaming applications are likely to be some of the most affected by such flaws, these same issues are applicable to any application where critical numeric calculations are made and relied upon, Corsaire claims. The risk posed by these vulnerabilities can be managed, however, by understanding how to identify these issues, and how to use the applicable programming APIs correctly.

Corsaire adds that its research on this subject, outlined in a new white paper series called Breaking the Bank, focuses mainly on the technical issues associated with common programming languages and APIs, and on how to mitigate the associated risks. It shows how flaws in the processing of numeric data can allow attackers to manipulate the outcome of transactions, and/or otherwise interfere with the accuracy of calculations.

The paper concedes that this area remains a challenge, however, due to the way common programming languages deal with numeric data, especially floating point values. This is of particular concern during the validation stage, where the application determines whether numeric data is valid or not.

The complete research paper, which is available free of charge from the Corsaire web site (http://research.corsaire.com/), also considers a number of other common security threats facing financial applications, including areas such as authentication, data validation, and accountability.


© 2024 Professional Security Magazine. All rights reserved.