There is one error I cannot find. Otherwise it is fine.wise it seems fine. #1402
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jmanico
reviewed
May 11, 2024
Comment on lines
+13
to
14
| Generally, mobile and online applications will require users a second factor to check whether they are authorized to perform a sensitive operation (such as wire transfer authorization). In this document, we say that this action is called *transaction authorization*. | ||
|
|
There was a problem hiding this comment.
This sentence is missing something. "Will require users to use.." perhaps?
|
|
||
| For the purpose of this document we will call that process: *transaction authorization*. | ||
| Transaction authorization is typically used in financial systems, but the need for secure transactions has driven its adoption across the internet. For example, an email that allows users to unlock a user account by providing them with a secret code or a link that has a token contains a transaction authorization. A transaction authorization can be implemented with methods such as: |
There was a problem hiding this comment.
The "for example" sentence looks run-on. Can you review?
Comment on lines
+19
to
+21
| - A OTP sent by SMS or provided by phone | ||
| - A digital signature provided by a smart card or a smartphone, | ||
| - A challenge-response token, including unconnected card readers or solutions which scan transaction data from the user's computer screen. |
There was a problem hiding this comment.
Some of these end with a comma, some do not
| Some of these can be implemented on a physical device or in a mobile application. | ||
|
|
||
| Transaction authorization is implemented in order to protect for unauthorized wire transfers as a result of attacks using malware, phishing, password or session hijacking, CSRF, XSS, etc.. Unfortunately, as with any piece of code, this protection can be improperly implemented and as a result it might be possible to bypass this safeguard. | ||
| Most often, transaction authorizations are used to prevent for unauthorized wire transfers, but unfortunately, this protection can be improperly implemented and at might be possible to bypass this safeguard. |
There was a problem hiding this comment.
"For unauthorized wire" looks off.
| For example when an SMS message is used to send significant transaction data, it is possible to send the target account, amount and type of transfer. However, for an unconnected [CAP reader](https://en.wikipedia.org/wiki/Chip_Authentication_Program) it is perceived to be inconvenient for a user to enter these data. In such cases, entering only the most significant transaction data (e.g. partial target account number and amount) can be considered sufficient. | ||
|
|
||
| In general, significant transaction data should always be presented as an inherent part of the transaction authorization process. Whereas the user experience should be designed to encourage users to verify the transaction data. | ||
| For example, if an SMS message is used to confirm significant transaction data, the developer could respond by returning the target account, amount and type of transfer to the user. However, for an unconnected [CAP reader](https://en.wikipedia.org/wiki/Chip_Authentication_Program) it is inconvenient for a user to enter these data. In such cases, the developer should probably returm the minimium amount of significant transaction data (e.g. partial target account number and amount) for confirmation. |
|
I see a lot of small errors, can you give you edits a review one more time? |
|
Sure. I’ll go back and take a look.
…On Sat, May 11, 2024 at 6:50 PM Jim Manico ***@***.***> wrote:
I see a lot of small errors, can you give you edits a review one more time?
—
Reply to this email directly, view it on GitHub
<#1402 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/BDMXOUKMOJOMRHB2NRNPD2LZB2OCVAVCNFSM6AAAAABHSG2PQSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMBWGA2TAMBXGA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I’ll be more careful in the future.
On Sat, May 11, 2024 at 6:50 PM Robert Thornton ***@***.***>
wrote:
… Sure. I’ll go back and take a look.
On Sat, May 11, 2024 at 6:50 PM Jim Manico ***@***.***>
wrote:
> I see a lot of small errors, can you give you edits a review one more
> time?
>
> —
> Reply to this email directly, view it on GitHub
> <#1402 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/BDMXOUKMOJOMRHB2NRNPD2LZB2OCVAVCNFSM6AAAAABHSG2PQSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMBWGA2TAMBXGA>
> .
> You are receiving this because you authored the thread.Message ID:
> ***@***.***>
>
|
szh
reviewed
May 13, 2024
| @@ -2,111 +2,107 @@ | |||
|
|
|||
| ## Purpose and audience | |||
|
|
|||
| The Purpose of this cheat sheet is to provide guidelines on how to securely implement transaction authorization to protect it from being bypassed. These guidelines can be used by: | |||
| This cheat sheet discusses how developers can secure transaction authorizations and prevent them from being bypassed These guidelines are for: | |||
There was a problem hiding this comment.
Missing period:
Suggested change
| This cheat sheet discusses how developers can secure transaction authorizations and prevent them from being bypassed These guidelines are for: | |
| This cheat sheet discusses how developers can secure transaction authorizations and prevent them from being bypassed. These guidelines are for: |
jmanico
previously approved these changes
May 13, 2024
|
Can I assume we can delete this branch I assume the other change we committed is the live one and this is legacy? |
|
Yes, it is. Thanks. My git journey is still alive. :)
…On Mon, May 13, 2024 at 2:19 PM Jim Manico ***@***.***> wrote:
Can I assume we can delete this branch I assume the other change we
committed is the live one and this is legacy?
—
Reply to this email directly, view it on GitHub
<#1402 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/BDMXOUI5A4QQV26RYNBYXGDZCD7ZPAVCNFSM6AAAAABHSG2PQSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMBYGUYTIMRYHA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
So it is ok to delete it? :) Just double checking before I do. |
|
Yes.Sent from my iPhoneOn May 13, 2024, at 2:22 PM, Jim Manico ***@***.***> wrote:
So it is ok to delete it? :) Just double checking before I do.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
@jmanico - Usually after you do a merge, GitHub itself will tell you / ask
you, if you want to delete the branch. It only does that when it thinks
it's safe to do so.
…On Mon, May 13, 2024 at 2:23 PM Jim Manico ***@***.***> wrote:
So it is ok to delete it? :) Just double checking before I do.
—
Reply to this email directly, view it on GitHub
<#1402 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PGZNX6BYCC6KC3L2RGDZCEAIVAVCNFSM6AAAAABHSG2PQSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMBYGUZDCNRQHA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
Blog: https://off-the-wall-security.blogspot.com/ | GitHub: @kwwall |
OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.
Please make sure that for your contribution:
[TEXT](URL)If your PR is related to an issue, please finish your PR text with the following line:
This PR covers issue #.
Thank you again for your contribution 😃