OFX: The Next Battleground

Sep 12, 2017 7:10:00 PM

OFX (Open Financial Exchange) is an XML-based protocol which essentially behaves like an API and enables the exchange of financial information between interested parties. This API has been around since 1997 and is usually used to pull financial information by "aggregators" or by client-side software. Common examples include Quickbooks, GnuCash, and Microsoft Money. The API sits on top of HTTP, and the communications are always encrypted using TLS.

In order to exchange financial information, the API has to support an authentication mechanism. The current mechanism is based on a username and password pair. In certain implementations, a ClientUID token is also sent, which acts as an MFA token. The credentials are submitted directly by the OFX application, using a custom OFX command, to an endpoint URL exposed by the bank. Once authentication succeeds, financial information can be exchanged.

A draft of OFX 2.2, published in late 2016, proposes an OAuth-based authentication system. However, it is not yet widely deployed.

Attacking over OFX

OFX, in addition to web and mobile, adds another channel for legitimate entities to authenticate and pull financial data. However, nothing prevents an attacker from abusing the channel in the same way they currently abuse the web and mobile channels.

Open source libraries which allow OFX applications to be written in Python and JavaScript are readily available. Hence, it is not hard to create a “credential checker tool” that uses these libraries to authenticate a consumer account against a particular financial institution over OFX. Next, the criminal can follow the credential exploitation attack flow, launching a distributed attack using proxies and leaked credentials.

Why Attack Using OFX

For attackers, OFX is an attractive target. There is no client browser to which you can serve JavaScript code, so it is not possible to collect the end user’s browser fingerprint or user behavior. The lack of client-side code execution also rules out traditional defenses like CAPTCHA. Unlike the mobile channel, there is no client-side SDK which can be embedded into an app to collect user information. Finally, typical statistics-based solutions won’t work either, as many of the legitimate applications querying the OFX API are automated programs.

Additionally, in the case of the web/mobile flow, an attacker has to recon the target’s login flow and modify the attack tool accordingly. The OFX API defines a standard authentication flow and standard successful/failed authentication markers, making it easier for the attacker to reuse the same tool across the thousands of financial institutions that support this standard.
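To make the signon exchange described earlier, and the standard success/failure markers just mentioned, concrete from the bank's side, here is an added example (not code from the original post): it parses a constructed OFX 1.x signon request the way an OFX endpoint would before logging it (never emitting the password), reads the status code out of a signon response, and then runs a simple credential-stuffing heuristic over a constructed signon log. The element names (SONRQ, USERID, USERPASS, CLIENTUID, APPID, SONRS/STATUS/CODE) and the status codes 0 (success) and 15500 (signon invalid) are from the OFX specification; the IP addresses, user IDs, CLIENTUID values, thresholds and the helper names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed OFX 1.x (SGML-style) signon request as a bank's OFX endpoint would
# receive it. Element names come from the OFX specification; every value is made up.
SAMPLE_SIGNON_REQUEST = """OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE

<OFX>
<SIGNONMSGSRQV1>
<SONRQ>
<DTCLIENT>20170912190000
<USERID>alice
<USERPASS>not-a-real-password
<LANGUAGE>ENG
<FI>
<ORG>EXAMPLEBANK
<FID>00000
</FI>
<APPID>QWIN
<APPVER>2500
<CLIENTUID>11111111-2222-3333-4444-555555555555
</SONRQ>
</SIGNONMSGSRQV1>
</OFX>
"""

# Constructed signon response for a rejected attempt: CODE 0 is success, 15500 is "signon invalid".
SAMPLE_SIGNON_RESPONSE_FAIL = """<OFX>
<SIGNONMSGSRSV1>
<SONRS>
<STATUS>
<CODE>15500
<SEVERITY>ERROR
</STATUS>
</SONRS>
</SIGNONMSGSRSV1>
</OFX>
"""

SIGNON_OK = 0
SIGNON_INVALID = 15500

# OFX 1.x leaf elements have no closing tag, so "<TAG>value" is the unit to match.
_LEAF = re.compile(r"<([A-Z0-9.]+)>([^<\r\n]*)")


def parse_signon_request(body):
    """Signon fields worth logging server-side; the password itself is never returned."""
    m = re.search(r"<SONRQ>(.*?)</SONRQ>", body, re.S)
    if m is None:
        raise ValueError("no SONRQ block in request")
    fields = {tag: val.strip() for tag, val in _LEAF.findall(m.group(1))}
    return {
        "userid": fields.get("USERID"),
        "has_password": "USERPASS" in fields,
        "appid": fields.get("APPID"),
        "clientuid": fields.get("CLIENTUID"),  # None when no MFA token was sent
    }


def signon_status_code(body):
    """Numeric <STATUS><CODE> of a signon response (SONRS)."""
    m = re.search(r"<SONRS>.*?<STATUS>.*?<CODE>(\d+)", body, re.S)
    if m is None:
        raise ValueError("no signon STATUS/CODE in response")
    return int(m.group(1))


def flag_credential_stuffing(attempts, min_attempts=10, min_distinct_users=5,
                             max_success_ratio=0.2):
    """attempts: (source_ip, userid, clientuid, status_code) tuples. A source
    trying many distinct user IDs with mostly-rejected signons looks like a
    credential-stuffing run, not an aggregator re-syncing its own users."""
    per_ip = defaultdict(lambda: {"total": 0, "ok": 0, "users": set()})
    for ip, userid, _clientuid, code in attempts:
        s = per_ip[ip]
        s["total"] += 1
        s["users"].add(userid)
        if code == SIGNON_OK:
            s["ok"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["ok"] / s["total"]
        if (s["total"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = (s["total"], len(s["users"]), ratio)  # attempts, distinct users, success ratio
    return flagged


# Constructed signon log: one aggregator re-syncing two customers, plus one source
# walking a leaked credential list (39 rejected signons, then one accepted).
SAMPLE_ATTEMPTS = (
    [("203.0.113.5", "alice", "11111111-2222-3333-4444-555555555555", SIGNON_OK)] * 6
    + [("203.0.113.5", "bob", "66666666-7777-8888-9999-000000000000", SIGNON_OK)] * 6
    + [("198.51.100.9", "user%04d" % i, None, SIGNON_INVALID) for i in range(39)]
    + [("198.51.100.9", "user0039", None, SIGNON_OK)]
)
```

The per-source thresholds are deliberately loose, because a legitimate aggregator does sign on many users from a few addresses; the distinguishing signal is a high share of rejected signons spread across many distinct user IDs. An attacker spreading the run over proxies will keep each address below these thresholds, so the same counters should also be tracked globally and per APPID/APPVER and compared against the institution's normal signon-failure baseline, and a sudden rise in signons that omit CLIENTUID is worth alerting on where the implementation expects it.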

While we are aware of only a few instances of these attacks, we predict a tremendous rise in OFX-based automated attacks!

Written by Mayank Dhiman

(Former) Principal Security Researcher at Stealth Security