There is one error I cannot find. Otherwise it is fine.wise it seems fine. #1402
Generally, mobile and online applications will require users a second factor to check whether they are authorized to perform a sensitive operation (such as wire transfer authorization). In this document, we say that this action is called *transaction authorization*. | ||
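Review bot: "will require users a second factor to check whether they are authorized to perform a sensitive operation" is ungrammatical, and it also blurs what the second factor is for: a transaction authorization does not re-check whether the session is authorized, it confirms that this user approves this specific operation. Suggest: "will require users to provide a second factor to confirm that they intend to perform a sensitive operation (such as authorizing a wire transfer)".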
This sentence is missing something. "Will require users to use.." perhaps?
For the purpose of this document we will call that process: *transaction authorization*. | ||
Transaction authorization is typically used in financial systems, but the need for secure transactions has driven its adoption across the internet. For example, an email that allows users to unlock a user account by providing them with a secret code or a link that has a token contains a transaction authorization. A transaction authorization can be implemented with methods such as: |
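Review bot: the example sentence in the added line is hard to parse ("an email that allows users to unlock a user account by providing them with a secret code or a link that has a token contains a transaction authorization"); the subject and the verb are a dozen words apart. Suggest splitting it and naming the subject: "For example, an account-unlock email that gives the user a secret code, or a link carrying a one-time token, is a form of transaction authorization." The phrase "the need for secure transactions has driven its adoption across the internet" could also say what is adopted, e.g. "has driven its adoption by other web and mobile applications".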
The "for example" sentence looks run-on. Can you review?
- A OTP sent by SMS or provided by phone | ||
- A digital signature provided by a smart card or a smartphone, | ||
- A challenge-response token, including unconnected card readers or solutions which scan transaction data from the user's computer screen. |
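Review bot: the list punctuation is inconsistent: the first item has no end punctuation, the second ends with a comma and the third with a period; also "A OTP" should be "An OTP". Suggest ending every item the same way, e.g. "- An OTP sent by SMS or provided by phone," and "- A digital signature provided by a smart card or a smartphone," with the period only on the last item.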
Some of these end with a comma, some do not
Some of these can be implemented on a physical device or in a mobile application. | ||
Transaction authorization is implemented in order to protect for unauthorized wire transfers as a result of attacks using malware, phishing, password or session hijacking, CSRF, XSS, etc.. Unfortunately, as with any piece of code, this protection can be improperly implemented and as a result it might be possible to bypass this safeguard. | ||
Most often, transaction authorizations are used to prevent for unauthorized wire transfers, but unfortunately, this protection can be improperly implemented and at might be possible to bypass this safeguard. |
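Review bot: the replacement line drops the list of attacks the removed line named (malware, phishing, password or session hijacking, CSRF, XSS); that list tells the reader which threats transaction authorization is meant to counter and is worth keeping. Besides that, "prevent for unauthorized wire transfers" should be "prevent unauthorized wire transfers" and "at might be possible" should be "it might be possible". Suggest: "Most often, transaction authorization is used to prevent unauthorized wire transfers resulting from attacks such as malware, phishing, password or session hijacking, CSRF and XSS. Unfortunately, as with any piece of code, this protection can be improperly implemented, and it might then be possible to bypass this safeguard."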
"For unauthorized wire" looks off.
For example when an SMS message is used to send significant transaction data, it is possible to send the target account, amount and type of transfer. However, for an unconnected [CAP reader](https://en.wikipedia.org/wiki/Chip_Authentication_Program) it is perceived to be inconvenient for a user to enter these data. In such cases, entering only the most significant transaction data (e.g. partial target account number and amount) can be considered sufficient. | ||
In general, significant transaction data should always be presented as an inherent part of the transaction authorization process. Whereas the user experience should be designed to encourage users to verify the transaction data. | ||
For example, if an SMS message is used to confirm significant transaction data, the developer could respond by returning the target account, amount and type of transfer to the user. However, for an unconnected [CAP reader](https://en.wikipedia.org/wiki/Chip_Authentication_Program) it is inconvenient for a user to enter these data. In such cases, the developer should probably returm the minimium amount of significant transaction data (e.g. partial target account number and amount) for confirmation. |
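Review bot: "returm" and "minimium" are typos, and "should probably return the minimum amount of significant transaction data" weakens the guidance in the unchanged line above ("significant transaction data should always be presented as an inherent part of the transaction authorization process"). The rewrite also changes the point of the removed line: there, the SMS case is where the full target account, amount and transfer type can be shown to the user, and the CAP-reader case is where the user has to key the data in, which is why only the most significant data (partial account number and amount) are entered. Suggest keeping that contrast: "For example, an SMS message can carry the target account, amount and type of transfer so the user can verify them. For an unconnected CAP reader, where the user must key the data in, entering only the most significant transaction data (e.g. partial target account number and amount) can be considered sufficient."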
Returm...
I see a lot of small errors, can you give your edits a review one more time?
Sure. I’ll go back and take a look.
I’ll be more careful in the future.
@@ -2,111 +2,107 @@ | |||
## Purpose and audience | |||
The Purpose of this cheat sheet is to provide guidelines on how to securely implement transaction authorization to protect it from being bypassed. These guidelines can be used by: | |||
This cheat sheet discusses how developers can secure transaction authorizations and prevent them from being bypassed These guidelines are for: |
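Review bot: the replacement line is missing the period after "bypassed" ("prevent them from being bypassed These guidelines are for:"). It also switches to the plural "transaction authorizations" while the definition earlier in the document introduces the singular term; suggest "how developers can secure transaction authorization and prevent it from being bypassed. These guidelines are for:".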
Missing period:
This cheat sheet discusses how developers can secure transaction authorizations and prevent them from being bypassed These guidelines are for: | |
This cheat sheet discusses how developers can secure transaction authorizations and prevent them from being bypassed. These guidelines are for: |
Can I assume we can delete this branch? I assume the other change we committed is the live one and this is legacy?
Yes, it is. Thanks. My git journey is still alive. :)
So it is ok to delete it? :) Just double checking before I do.
Yes.
@jmanico - Usually after you do a merge, GitHub itself will tell you / ask you if you want to delete the branch. It only does that when it thinks it's safe to do so.
--
Blog: https://off-the-wall-security.blogspot.com/ | GitHub: @kwwall
OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.
Please make sure that for your contribution:
[TEXT](URL)
If your PR is related to an issue, please finish your PR text with the following line:
This PR covers issue #.
Thank you again for your contribution 😃