Web Application Security

Protecting Financial Applications at Scale

Brendon Macaraeg

Brendon Macaraeg is Director of Product Marketing at Signal Sciences. Previously with CrowdStrike and Symantec, he focused on evangelizing and marketing security offerings. Outside of work, Brendon keeps busy with his wife and kids enjoying outdoor activities.

Picture this: you’ve found the perfect home, but need financing. You select a lender online and begin the mortgage application process by uploading all the requested documents in digital format through a secure web portal with login credentials supplied to you by the lender. The lender verifies the information you provide, asks for clarification on a few items through email, and a few days later, provides you the final mortgage closing paperwork for your digital signature.

A few decades ago, obtaining a home mortgage like this was the stuff of science fiction. The emergence of digital commerce opened up a world of possibilities that enable us to purchase products and services anywhere with an internet-connected device.

However, there’s a flip side to this convenience: imagine sitting down to close escrow on your new home only to be told the funds to cover your down payment and closing costs never went through. The reason you’re given: an attacker brute-forced their way into your account and exfiltrated the information needed to divert the funds.

This is just one example of how financial services companies must be vigilant against attackers who want to pry into their systems, manipulate their applications and the business logic behind them, and exfiltrate valuable customer data for their own gain. With over 450 billion non-cash transactions annually traversing the global markets, and new means to conduct commerce (think: Bitcoin and new digital currencies, NFC-enabled mobile devices that store credit card accounts, etc.), the attack surface is ever widening. Clearly, protecting customer data and transactions will be an ongoing battle for financial companies.

At Signal Sciences, we know the responsibility that security and development teams have to secure customer data at the web application layer and stop attackers. In this blog we’ll look at a few examples of how we’ve helped our customers do just that.

Preventing Wire Fraud in the Mortgage Industry with Signal Sciences

Snapdocs offers a suite of business management tools that enables mortgage providers to deliver an efficient, secure signing experience to consumers while enabling transaction participants such as lenders, title and escrow entities, and notaries to streamline their operations while being compliant.

Sensitive documents must be transferred securely between parties in a transaction, so security must be an integral part of the Snapdocs platform. Snapdocs needed technology that could provide the real-time visibility necessary to prevent account takeovers and upgrade their overall security posture.

To prevent fraud, Snapdocs sought to identify malicious actors’ requests and other attack event patterns that lead to account takeovers. Additionally, they wanted faster visibility into attackers’ web requests in order to trigger alerts and stop them.


Snapdocs provides a loan closing platform for lenders and title and escrow companies.

“Aside from defending against OWASP Top 10 attacks, Signal Sciences gives us enhanced visibility,” says Evan Arnold, Snapdocs’ CTO. “We can now easily set up Power Rules to monitor and block activity that we couldn’t before.”

Read the Snapdocs Web Application Security Case Study

Auto-scaling Betterment’s Application Security

Betterment is an online financial advisor with more than $14 billion in assets under management. Betterment required visibility to understand and track malicious activity against its customer-facing applications. Their Engineering and Security teams needed a web application security solution that could automatically scale and accurately block attacks without increasing support call volume or creating more work for Engineering or Security.


Betterment offers customers recommended investing plans and a personalized portfolio.

In addition to Signal Sciences' turn-key detections that auto-block malicious traffic, Betterment uses Power Rules to help prevent attacks against their unique application logic to keep financial data safe. For example, they’re able to define, monitor, and block abuse against their APIs by restricting access based on point of origin. To prevent user account compromise, they leverage Account takeover (ATO) protection and Power Rules that are configurable with easy-to-use drop-down menus in the dashboard.

“After deploying Signal Sciences there have been zero false positives,” says Anson Gomes, Lead Security Engineer at Betterment. “This has reduced the workload on our Security team while also providing a very friendly user experience. It also allows the team to configure and modify rules addressing new attack vectors and payloads in an ever-evolving threat landscape, to help mitigate business risk.”

Read the Betterment Web Application Security Case Study


Microservices and API Security for OFX’s International Wire Transfer Business

OFX is an international financial transfer platform based in Sydney, Australia, that processes over $22 billion annually through its web application. Having recently completed a total migration to the cloud over a period of three years, OFX wanted to get visibility and protection against Open Web Application Security Project (OWASP) attacks and authentication abuse in its cloud-first microservices infrastructure. Partners interact with the OFX platform via APIs that talk to microservices internal to the OFX network.

The OFX wire transfer platform includes a mobile app so customers can confirm exchange rates.

Tasked with building the security program and team, Head of Digital Security Richard Lane wanted to ensure their microservices weren’t implicitly trusting others and sought a product that would provide visibility. He wanted a solution that would prove easy to install, use, and effectively block malicious traffic automatically — including logins — without hand holding or causing production incidents.

Deploying Signal Sciences in their mid-tier environment with an agent on their web servers allowed OFX to “get into the guts of the application,” as Lane explains. “Signal Sciences has provided a whole ton of visibility where we didn’t have it before.”

With Signal Sciences’ automated application security capabilities, OFX realizes engineering benefits without tradeoffs, protects its authentication sessions with Power Rules, and validates its application security with visibility into penetration testing activity.

Read the OFX Application Security Case Study


Protect Financial Services Applications with Signal Sciences

Digital financial transactions are part of daily life for millions around the globe. But as these customer stories show, visibility and actionable information are critical to protecting those transactions. Signal Sciences’ automated web application security offering enables financial organizations to monitor, detect, and stop layer 7 web application attacks. We invite you to learn more about our offering’s full capabilities or see our solution in action for yourself.