Transaction Authorization Cheat Sheet

Update 23/12/2015, Version 2.0

Transaction authorization is implemented in modern financial systems to protect against unauthorized wire transfers resulting from attacks using malware, phishing, password or session hijacking, CSRF, XSS, etc. Common methods are TAN lists, SMS codes, OTP tokens, CAP readers, etc. Unfortunately, as with any piece of code, such protection can be improperly implemented, and as a result it might be possible to bypass this safeguard. The purpose of this cheat sheet is to provide guidelines on how to implement transaction authorization properly so that it cannot be bypassed.
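The bypass the paragraph warns about most often comes down to an authorization code that is checked against the session rather than against the transaction it was issued for. The following is an added, constructed example (not code from the cheat sheet, SecuRing or OWASP) that puts such a weak, session-level check next to a transaction-bound one: the hardened variant fixes a canonical serialization of the approved fields when the challenge is issued, recomputes the code over the transaction the server is about to execute, and treats each challenge as single-use with an expiry. The class and function names, the 8-digit HMAC-derived code format, and the account identifiers are all assumptions made for illustration.

```python
"""Constructed example: a session-level authorization code that is not bound to
the transaction it approves, beside a transaction-bound variant. Not taken from
the cheat sheet; all names, the code format and the sample values are assumed."""
import hashlib
import hmac
import secrets
import time


def canonical(tx: dict) -> bytes:
    """Fixed-order, unambiguous serialization of the fields the user approves.
    Amount is kept in integer minor units so '10.0' and '10' cannot diverge."""
    return f"{tx['recipient']}|{tx['amount_cents']}|{tx['currency']}".encode()


def device_code(secret: bytes, tx: dict, nonce: str) -> str:
    """What the user's token/reader computes over the details it displays.
    Simulated here as HMAC-SHA256 truncated to 8 digits (assumed format)."""
    mac = hmac.new(secret, canonical(tx) + b"|" + nonce.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class WeakAuthorizer:
    """Weak: the code only proves possession of the delivery channel. It is stored
    per session and checked without reference to the transaction, so a code
    obtained for one transfer is accepted for another submitted in the same step."""

    def __init__(self):
        self.pending = {}  # session_id -> code

    def start(self, session_id: str, tx: dict) -> str:
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[session_id] = code
        return code  # would be delivered out of band, e.g. by SMS

    def finish(self, session_id: str, tx: dict, code: str) -> bool:
        expected = self.pending.pop(session_id, None)
        return expected is not None and hmac.compare_digest(expected, code)


class TransactionBoundAuthorizer:
    """Hardened: the pending record fixes the transaction hash, the code is
    recomputed over the transaction actually being executed, each challenge
    is single-use (popped on first use) and expires after TTL_SECONDS."""

    TTL_SECONDS = 120

    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret
        self.pending = {}  # session_id -> (tx_hash, nonce, issued_at)

    def start(self, session_id: str, tx: dict) -> str:
        nonce = secrets.token_hex(8)
        tx_hash = hashlib.sha256(canonical(tx)).hexdigest()
        self.pending[session_id] = (tx_hash, nonce, time.monotonic())
        return nonce  # challenge shown together with the transaction details

    def finish(self, session_id: str, tx: dict, code: str) -> bool:
        record = self.pending.pop(session_id, None)  # pop: a challenge is single-use
        if record is None:
            return False
        tx_hash, nonce, issued_at = record
        if time.monotonic() - issued_at > self.TTL_SECONDS:
            return False
        # Bind to the data the server will execute, never to what the client claims.
        if hashlib.sha256(canonical(tx)).hexdigest() != tx_hash:
            return False
        expected = device_code(self.device_secret, tx, nonce)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenario: the user approves `genuine`; a modified transfer
    `tampered` reaches the final step carrying the code issued for `genuine`."""
    genuine = {"recipient": "ACCT-USER-CHOSEN", "amount_cents": 10_000, "currency": "PLN"}
    tampered = {"recipient": "ACCT-TAMPERED", "amount_cents": 950_000, "currency": "PLN"}
    secret = secrets.token_bytes(32)  # shared between the bank and the user's device

    weak = WeakAuthorizer()
    weak_code = weak.start("sess-1", genuine)
    weak_tampered = weak.finish("sess-1", tampered, weak_code)

    bound = TransactionBoundAuthorizer(secret)
    nonce = bound.start("sess-2", genuine)
    code = device_code(secret, genuine, nonce)  # computed over what the user saw
    bound_tampered = bound.finish("sess-2", tampered, code)

    nonce = bound.start("sess-3", genuine)
    code = device_code(secret, genuine, nonce)
    bound_genuine = bound.finish("sess-3", genuine, code)
    bound_replay = bound.finish("sess-3", genuine, code)  # same challenge reused

    return {
        "weak_accepts_tampered": weak_tampered,
        "bound_rejects_tampered": bound_tampered,
        "bound_accepts_genuine": bound_genuine,
        "bound_rejects_replay": bound_replay,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The weak authorizer accepts the tampered transfer because the only thing it verifies is that the session's code was echoed back; the bound variant rejects it on the transaction hash before even reaching the MAC comparison, and a second use of the same challenge fails because the pending record was consumed on first use.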

This document was originally created by the SecuRing team and donated to the OWASP Cheat Sheet Series Project. The current version is maintained on the OWASP wiki page.

Wojciech Dworakowski, Managing Partner at SecuRing