Security Innovation Uncovers Cyber Threat Impacting up to 80 percent of North American banks using OFX Direct Connect
Company creates free assessment tool as “digital side-door” threat eludes other vulnerability scanning solutions
WILMINGTON, Mass., Nov. 15, 2018 (GLOBE NEWSWIRE) -- Security Innovation, a pioneer in software security, discovered a “digital side-door” security threat in the Open Financial Exchange (OFX) Direct Connect protocol utilized by a many North American banks to automate financial transactions. The cyber threat is estimated to impact up to 80 percent of US and Canadian banks using OFX Direct Connect. Unfortunately, most of the automated vulnerability scanning tools on the market cannot detect this threat. In response, Security Innovation has released a free digital side door OFX scanning tool that will quickly identify if a bank is affected and provide remediation instructions so financial services companies utilizing OFX can quickly assess and mitigate this security gap.
The threat mainly impacts financial institutions using older versions of OFX Direct Connect that provide weak or no multi-factor authentication. While two-factor authentication is required when directly accessing online banking, it is not required when accessing an account through third parties, such as leading personal financial management software programs that use the OFX Direct Connect protocol. In additional to architectural issues with the older protocol versions, numerous security issues with the implementation and deployment of live OFX servers were also found at many financial institutions. Since OFX is an established and complex protocol, Security Innovation’s team launched an investigation as part of its commitment to ongoing cybersecurity research and development.
The team developed a tool to scan publicly available URLs for OFX Direct Connect versions in an effort to identify the scope and severity of the potential threat. During the course of the investigation, the lead researcher, Steven Danneman discovered the digital side-door as well as a number of other privacy and security problems associated with the OFX Direct Connect protocol.
“The difficulty with the OFX Direct Connect side-door vulnerability is that even strong security solutions can miss this type of gap since it is buried in an underlying protocol,” stated Ed Adams, president and CEO of Security Innovation. “It’s impossible to review 100 percent of a company’s product code base with automated tools, which is why I am a strong proponent of regular penetration testing that goes beyond automation to include manual analysis and threat hunting by cybersecurity experts – it will uncover these types of issues.” Adams continued, “We made it easy for financial institutions to uncover this issue by leveraging our free scanning tool and mitigation directions to immediately close this security gap.”
Security Innovation has a deep understanding of the OFX Direct Connect protocol and implementations. The company offers in-depth risk assessments using an OFX scan by security experts and specialized penetration testing to identify vulnerabilities. For more information on the OFX Direct Connect digital side-door vulnerability, learn more at https://web.securityinnovation.com/digitalsidedoor or sign up for our upcoming webinar here: https://www.brighttalk.com/webcast/16345/339060
ABOUT SECURITY INNOVATION
Security Innovation is a pioneer in software security and trusted advisor to its clients. Since 2002, organizations have relied on our assessment and training solutions to make the use of software systems safer in the most challenging environments – whether in Web applications, IoT devices, or the cloud. The company’s flagship product, CMD+CTRL Cyber Range, is the industry’s only authentic environment to build the skills teams need to protect the enterprise where it is most vulnerable – at the software layer. Security Innovation is privately held and headquartered in Wilmington, MA USA. For more information, visit www.securityinnovation.com or connect with us on LinkedIn or Twitter.
Joshua Milne PR@SecurityInnovation.com 617-501-1620