Your Bank's Digital Side Door

and the potential vulnerabilities it opens you up to.

WHAT WE UNCOVERED

Security Innovation's recent research uncovers that a widely used but little-known technology, the Open Financial Exchange (OFX) protocol, creates a vulnerable "side door," potentially open to attack, into thousands of financial institutions in North America.

This discovery started with a simple question:

"Why does my bank require multi-factor authentication (MFA), but Quicken does not?"

This led to an exploration of the twenty-year-old Open Financial Exchange (OFX) protocol and the 3000+ North American banks that support it.

The conclusion:
80% of banks using OFX have weak or no MFA support, putting consumers at risk by exposing login credentials.


THE THREAT...

Impacts financial institutions using older versions of OFX Direct Connect that provide weak or no multi-factor authentication. While two-factor authentication is required when directly accessing online banking, it is not required when accessing an account through third parties, such as leading personal financial management software programs that use the OFX Direct Connect protocol.

In Response...

Security Innovation has released a free Digital Side Door OFX Scanning Tool that quickly identifies whether a bank is affected and provides remediation instructions, so financial services companies using OFX can quickly assess and mitigate this security gap.

During the course of this investigative research, the lead researcher, Steven Danneman, discovered the digital side door as well as a number of other privacy and security problems associated with the OFX Direct Connect protocol.

In addition to the scanning tool, we have compiled some additional, helpful resources below.

“The difficulty with the OFX Direct Connect side-door vulnerability is that even strong security solutions can miss this type of gap since it is buried in an underlying protocol. Our team made it easy for financial institutions to uncover this issue by leveraging our free scanning tool and mitigation directions to immediately close this security gap.”


Ed Adams

CEO, Security Innovation

RESOURCES

We have assembled several resources below to help organizations better understand the inherent risks of OFX Direct Connect and how to devise techniques to mitigate them.

Webinar

On-Demand Webinar

Join this on-demand session with Security Innovation CEO Ed Adams as he dives into Security Innovation's Digital Side Door research and provides practical tips on how your organization can mitigate risk around the widely used OFX Direct Connect technology.

Watch On-Demand

Blog

Blog by Steven Danneman

Like many people, I have various financial accounts, e.g., checking, savings, brokerage, retirement, and mortgage. And like most people, these accounts are in different places. There are plenty of PFM options but Quicken is the 800-pound gorilla and the one I chose...

Read the Blog

Executive Summary

Executive Summary

ARE THE OFX SECURITY PROBLEMS WIDESPREAD?

• Over 3,000 North American banks support OFX today
• Over 30 different OFX implementations are in the wild today

Get the Summary


Video

Side Door @ DEFCON

"This investigation took me 20+ years into the past and landed me on stage at DEFCON a few months ago to enlighten consumers and the financial industry as a whole, on the risks associated with this side door."

Watch the Video