I have to do a presentation on developing an authentication plan for a financial services application used to manage an investment portfolio. I have to develop use scenarios for the 2 functions (depositing money to a fund and withdrawing from it). How would the use scenarios differ?
If you deposit funds, is it withdrawn from an account? Or introduced externally? (credit card, for example) – ndrix May 13 '14 at 07:13
Both. If you use an account you would be transferring from another fund. – Jay May 13 '14 at 07:26
3 Answers
Authentication, like most security actions, should correspond to the risk.
Consider the deposit - what is the risk presented by an erroneous (potentially fraudulent) deposit? From a strictly financial viewpoint, the impact is limited to refund of the deposit (there are legal situations where it might be larger).
Consider the withdrawal - what is the risk presented by an erroneous withdrawal? It is at least double the amount - you have a good faith obligation to reimburse the account holder for the money entrusted to you, plus you lose the amount withdrawn. There are secondary risks to your reputation with the account holder, with the beneficiary of the error, and with the public/other account holders. There are also likely to be legal/regulatory consequences.
How would the authentications differ? Obviously the deposit authentication is at a lower level of assurance. The withdrawal transaction should probably require higher assurance authentication & authorization, should probably be limited to a small set of pre-agreed destinations, and should have a more stringent audit trail.
How do you increase the level of assurance for the transaction? Fortunately there are many resources that will help with that.
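The answer above argues for tiering the controls by risk: a deposit can ride on the ordinary login, while a withdrawal needs a higher level of assurance, a pre-agreed destination and a stronger audit trail. The following is an added example (not code from the question or any answer) of what that policy looks like once written down as an authorization check. The assurance levels, the `trusted_destinations` list on the session, the hash-chained audit log and all account numbers are assumptions made for the illustration.

```python
"""Risk-tiered transaction authorization (added example, not from the page).

Deposits: worst case is a refund, so the login session is enough.
Withdrawals: money leaves, so require a second factor, a pre-agreed
destination, and a tamper-evident audit record of the decision.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from enum import Enum


class Assurance(Enum):
    PASSWORD = 1            # something the user knows
    PASSWORD_PLUS_OTP = 2   # plus something the user has (step-up)


@dataclass
class Session:
    user: str
    assurance: Assurance
    # Assumed: payout destinations the customer registered out of band,
    # e.g. through a separate flow with a cooling-off period.
    trusted_destinations: frozenset


@dataclass
class Transaction:
    kind: str            # "deposit" or "withdrawal"
    amount: Decimal
    destination: str     # fund id for a deposit, bank account for a withdrawal


@dataclass
class Decision:
    allowed: bool
    reason: str


# In-memory, hash-chained audit trail (constructed for the example; a real
# deployment would write to append-only storage).
AUDIT_LOG: list = []
GENESIS = "0" * 64


def required_assurance(tx: Transaction) -> Assurance:
    """Map the transaction's risk to the assurance level it needs."""
    if tx.kind == "deposit":
        return Assurance.PASSWORD
    return Assurance.PASSWORD_PLUS_OTP


def audit(session: Session, tx: Transaction, decision: Decision) -> None:
    """Append a record whose hash covers the previous record's hash, so a
    later edit or deletion breaks the chain."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else GENESIS
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "assurance": session.assurance.name,
        "kind": tx.kind,
        "amount": str(tx.amount),
        "destination": tx.destination,
        "allowed": decision.allowed,
        "reason": decision.reason,
        "prev": prev,
    }
    record["hash"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(record)


def verify_audit_chain(log: list) -> bool:
    """Recompute every hash and check each record points at its predecessor."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def authorize(session: Session, tx: Transaction) -> Decision:
    """Decide, then record the decision whether or not it was allowed."""
    if tx.kind not in ("deposit", "withdrawal"):
        decision = Decision(False, "unknown transaction kind")
    elif tx.amount <= 0:
        decision = Decision(False, "amount must be positive")
    elif session.assurance.value < required_assurance(tx).value:
        decision = Decision(False, "step-up authentication required")
    elif tx.kind == "withdrawal" and tx.destination not in session.trusted_destinations:
        decision = Decision(False, "destination not pre-agreed")
    else:
        decision = Decision(True, "ok")
    audit(session, tx, decision)
    return decision


if __name__ == "__main__":
    dests = frozenset({"NL00BANK0123456789"})   # constructed sample account
    weak = Session("jay", Assurance.PASSWORD, dests)
    strong = Session("jay", Assurance.PASSWORD_PLUS_OTP, dests)
    print(authorize(weak, Transaction("deposit", Decimal("100"), "FUND-A")))
    print(authorize(weak, Transaction("withdrawal", Decimal("100"), "NL00BANK0123456789")))
    print(authorize(strong, Transaction("withdrawal", Decimal("100"), "NL99MULE0000000000")))
    print(authorize(strong, Transaction("withdrawal", Decimal("100"), "NL00BANK0123456789")))
    print("audit chain intact:", verify_audit_chain(AUDIT_LOG))
```

The point of the layout is that the deposit and withdrawal paths share one decision function and one audit trail; the difference between them is entirely in the policy data (required assurance, destination allow-list), which is what the presentation's two use scenarios should spell out. Denied attempts are logged too, since a burst of "step-up required" or "destination not pre-agreed" failures against one account is itself a detection signal.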
Personally - I think both scenarios differ. Think of it as an ordinary piggy bank; it's easy to put money into the piggy bank, it's more difficult to take it out.
Assuming an attacker wishes to "steal money", you'd be more concerned when a withdrawal is made. When money is deposited, I would assume that the security would lie in the authentication/authorization on the other end. If, as you mentioned in your comment, money is withdrawn from an account, you may want to put extra checks there (the "attack" being that a malicious user could "block" someone's funds by investing it in a long-term plan, affecting your customer's liquidity.)
Generally, a check to ensure that the intended user wanted to perform a transaction is good. Many banks use a hardware token that verifies a PIN code and the amount of the transaction.
Depositing money to a fund would mean taking money out of your bank, or a fund from another investment method, and putting it in the fund. Withdrawing from your fund would mean taking money out of your fund, and putting it in your bank. Based on this, can you provide a more technical answer on the difference between the authentication process of the 2 actions? – Jay May 13 '14 at 11:39
I'm guessing the difference lies more on which authentication server the application communicates with. What do you think? – Jay May 13 '14 at 11:49
The scenarios would only differ with the action of withdrawing and depositing, but I don't understand your question altogether. I THINK you mean: do you need different authentication for both?
Well, try to use a bit of what banks use (at least, over here in the Netherlands): you need to authenticate yourself to log in to the web environment, and then use a 2-step authentication method for every action you make (deposit, send money etc.).
When doing a project, looking at others helps. Try that idea, of authentication for login, and authentication for action :3
I'm looking for an answer that states the difference between the actions (in authentication) the application would take based on whether the user wishes to deposit or withdraw from the fund. – Jay May 13 '14 at 11:47
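Two of the answers make the same design point: the second answer's hardware token that "verifies a PIN code and the amount of the transaction", and the third answer's "authentication for login, and authentication for action". The example below (added here, not from the thread or any bank) shows both steps for the withdrawal scenario. Step 1 is an ordinary password login that yields a session, which is all a deposit needs. Step 2 is a per-transaction code that the customer's device computes over the amount and destination it displayed, so a code approved for one payee cannot be reused for another, nor replayed. The token protocol is a deliberately simplified HMAC construction with an RFC 4226 style truncation, an assumption for illustration only; the `Bank`, `HardwareToken`, PIN, account numbers and user names are constructed sample data.

```python
"""Login authentication plus transaction-bound second factor (added example).

The per-action code is an HMAC over (counter, amount, destination), so it is
only valid for the exact transaction the customer approved on the device.
This is a simplified illustration, not a real bank's token scheme.
"""
import hashlib
import hmac
import os
import secrets
import struct

DIGITS = 8       # length of the code the customer types back
LOOKAHEAD = 5    # how far past the last seen counter the server will search


def truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation, applied to an HMAC over transaction data."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def transaction_code(secret: bytes, counter: int, amount_cents: int, destination: str) -> str:
    """Code the device shows. Everything the customer approves is inside the
    MAC, so a changed amount or destination produces a different code."""
    msg = struct.pack(">QQ", counter, amount_cents) + destination.encode("utf-8")
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class HardwareToken:
    """Simulated customer device: PIN-locked, shares a secret with the bank."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self.counter = secret, pin, 0

    def sign(self, pin: str, amount_cents: int, destination: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self.counter += 1          # fresh counter per approval, so codes are single-use
        return transaction_code(self._secret, self.counter, amount_cents, destination)


class Bank:
    def __init__(self):
        self._users = {}
        self._sessions = {}

    def enrol(self, user: str, password: str, pin: str = "1234") -> HardwareToken:
        """Store a salted password hash and hand the customer a token
        provisioned with a fresh shared secret."""
        salt, token_secret = os.urandom(16), os.urandom(32)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._users[user] = {"salt": salt, "pw": pw_hash, "secret": token_secret, "counter": 0}
        return HardwareToken(token_secret, pin)

    def login(self, user: str, password: str):
        """Step 1: authenticate the person. Sufficient for a deposit."""
        u = self._users.get(user)
        if u is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 200_000)
        if not hmac.compare_digest(candidate, u["pw"]):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def withdraw(self, sid: str, amount_cents: int, destination: str, code: str) -> bool:
        """Step 2: the session alone is not enough; the code must match this
        exact amount and destination and must not have been used before."""
        user = self._sessions.get(sid)
        if user is None:
            return False
        u = self._users[user]
        for counter in range(u["counter"] + 1, u["counter"] + 1 + LOOKAHEAD):
            expected = transaction_code(u["secret"], counter, amount_cents, destination)
            if hmac.compare_digest(expected, code):
                u["counter"] = counter   # consume the counter: no replay
                return True
        return False


if __name__ == "__main__":
    bank = Bank()
    token = bank.enrol("jay", "correct horse battery staple")
    sid = bank.login("jay", "correct horse battery staple")
    code = token.sign("1234", 50_000, "NL00BANK0123456789")
    print("genuine withdrawal:", bank.withdraw(sid, 50_000, "NL00BANK0123456789", code))
    print("replayed code:     ", bank.withdraw(sid, 50_000, "NL00BANK0123456789", code))
    code = token.sign("1234", 50_000, "NL00BANK0123456789")
    print("swapped payee:     ", bank.withdraw(sid, 50_000, "NL99MULE0000000000", code))
```

The property worth taking into the presentation is in the last line: the customer approved 500.00 to NL00BANK... on the device, so if malware in the browser rewrites the destination before the request reaches the bank, the code no longer verifies. A login-only design, or a second factor that signs nothing but "yes, it's me", would let that request through. For the deposit scenario the same server simply stops after `login`.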