Security Innovation's recent research uncovers how a widely used but little-known technology (OFX) creates a vulnerable "side door," potentially open to attack, into thousands of financial institutions in North America.
"Why does my bank require multi-factor authentication (MFA), but Quicken does not?"
This led to an exploration of the twenty-year-old Open Financial Exchange (OFX) protocol and the 3000+ North American banks that support it.
The conclusion: 80% of banks using OFX have weak or no MFA support, putting consumers at risk by exposing login credentials.
The issue impacts financial institutions using older versions of OFX Direct Connect that provide weak or no multi-factor authentication. While two-factor authentication is required when directly accessing online banking, it is not required when accessing an account through third parties, such as leading personal financial management software programs that use the OFX Direct Connect protocol.
Security Innovation has released a free digital side door OFX Scanning Tool that will quickly identify if a bank is affected and provide remediation instructions so financial services companies utilizing OFX can quickly assess and mitigate this security gap.
During the course of this investigative research, the lead researcher, Steven Danneman, discovered the digital side door as well as a number of other privacy and security problems associated with the OFX Direct Connect protocol.
In addition to the scanning tool, we have compiled some additional, helpful resources below.
“The difficulty with the OFX Direct Connect side-door vulnerability is that even strong security solutions can miss this type of gap since it is buried in an underlying protocol. Our team made it easy for financial institutions to uncover this issue by leveraging our free scanning tool and mitigation directions to immediately close this security gap.”
Join this on-demand session with Security Innovation CEO Ed Adams as he dives into Security Innovation's Digital Side Door research and provides practical tips on how your organization can mitigate risk around this widely used OFX Direct Connect technology.
ARE THE OFX SECURITY PROBLEMS WIDESPREAD?
• Over 3,000 North American banks support it today
• Over 30 different implementations in the wild today