4

The company I work for has to send monthly payments to 20 to 50 users at a time. These users can change from month to month. Generally, each user will receive money from us for 2-3 months.

The users complete a form in which they enter their details.

We want to be able to store their bank account number and sort code into our database, at least for the period in which they are paid. We are using HTTPS, but I want to know if we should take any more security measures.

I've searched all over trying to find an answer, but did not come across anything relevant to this use case. We are based in the UK and only send payments to UK accounts.

Anders
Daniel San
  • The user completes a form, then you send them money? Sounds great, can I be a user? Seriously though, there must be some process you authorise users, the security of that will be key. – paj28 Jul 08 '17 at 22:04

1 Answer

4

HTTPS is mandatory, of course. But there are a lot more security options. I can provide you with some basics:

  • Server technologies

You should implement HSTS (HTTP Strict Transport Security) to force clients to use your HTTPS connection.

You didn't specify what your back-end technology is (Java, PHP, etc.). You should update your server to the latest versions to avoid known exploits. For example, in the case of PHP, old versions have a lot of possible exploits.

You should configure your perimeter firewalls to avoid DoS (Denial of Service) attacks, as we'll see later, but you can avoid some very basic and well-known DoS attacks, for example Slowloris, just by hardening your server configuration.

Disable banners and server signatures as much as possible in order to make it harder to identify your software and versions (OS, web server technology, etc.).

  • Code

Is your backend injection-proof? You must be pretty sure about filtering and sanitizing "dangerous" characters to avoid XSS, SQL injection and other possible attacks. This is one of the most important points.

CSRF attacks must be avoided. You should perform correct session handling with some kind of mechanism (usually session hashes, tokens or similar) to prevent this.

  • Perimeter Security

A WAF (Web Application Firewall) is a good option to try to filter a lot of attacks against your site. Anyway, this must be a complement to secure coding. Security must never depend only on this element.

IDS/IPS (Intrusion Detection System/Intrusion Prevention System) are mandatory (in my opinion) if you are managing sensitive information like bank account data. You must be able to detect/prevent attacks.

There are more... but as a start this is enough, I think. :)

OscarAkaElvis
    The suggested basics are good starting points, but since the question mentions MongoDB I would add reviewing the [MongoDB Security Checklist](https://docs.mongodb.com/manual/administration/security-checklist/) as a requirement and change the "SQL injection" reference to [NoSQL injection](https://www.owasp.org/index.php/Testing_for_NoSQL_injection). – Stennie Jul 08 '17 at 23:51
  • Good point. Upvoting! – OscarAkaElvis Jul 09 '17 at 09:30
  • Thank you for pointing out all the basic security measures I can take. Our backend is in Node JS and Express and the db is Mongo with Mongoose. I'm also thinking about using mongoose-encrypt only for the sensitive information and store the key in an environment variable. How does that sound to you? – Daniel San Jul 10 '17 at 15:52
  • I'd suggest hiring professional pen testers to audit your system. Under the incoming GDPR rules your organisation could be fined huge amounts of money for data breaches involving such sensitive data. – iainpb Oct 12 '17 at 11:12