Your Bank's Digital Side Door

A widely used but little-known technology has created a vulnerable "side door" into thousands of financial institutions in North America. This discovery started with a simple question: why does my bank require multi-factor authentication (MFA), but Quicken does not? That question led to an exploration of the twenty-year-old Open Financial Exchange (OFX) protocol and the 3000+ North American banks that support it. The conclusion: 80% of banks using OFX have weak or no MFA support, putting consumers at risk by exposing login credentials.

Security Innovation has assembled several resources to help organizations better understand the inherent risks of OFX Direct Connect and devise techniques to mitigate them.

Resources


OFX Postern tool

OFX Postern is a command line interface (CLI) vulnerability scanner that fingerprints an OFX service, describes its capabilities, and checks for common web service vulnerabilities and OFX-specific issues. It provides a quick understanding of low-hanging issues that should be investigated further as part of a deeper penetration test.

https://github.com/securityinnovation/ofxpostern


How SI Can Help

Security Innovation's deep understanding of the OFX protocol and its full spectrum of implementations ensures we can accurately assess risk and recommend steps to mitigate it. We can run a high-level scan of your OFX implementation, or conduct a specialized penetration test to pinpoint risky and vulnerable areas.

OFX Direct Connect Penetration Test

While Direct Connect is similar to other web services, the protocols and functions it uses are uncommon and not supported by commercial scanning products. We leverage our purpose-built OFX scan to quickly enumerate the plethora of service functionality, then augment it with traditional and OFX-specific attacks.

After testing is complete, the lead engineer will deliver a final report that includes:

  • Summary of the Attack Surface Analysis and all tests conducted
  • Detailed vulnerability information including impact, adjusted risk rating, and remediation recommendations for each area
  • Executive summary with key observations, risks, mitigations, and next steps

"We do quarterly internal pen tests and semi-annual external pen tests of our web application. We've never done a scan of the OFX server in its entire 12 year history. Thank you." (Fortune 1000 Bank)


Interested in Software Security Assessment?