Hi, I am Mayank Dhiman, Principal Security Researcher here at Stealth Security. In this post I will talk about OFX, a financial exchange protocol, which is ripe for credential exploitation attacks.
OFX (Open Financial Exchange) is an XML based protocol which essentially behaves like an API and enables the exchange of financial information between interested parties. This API has been around since 1997 and is usually used to pull financial information by "aggregators" or client-side software. Common examples include Quickbooks, GnuCash, and Microsoft Money. This API sits on top of HTTP and the communications are always encrypted using TLS.
In order to exchange financial information, there has to be an authentication mechanism supported by this API. The current authentication mechanism is based on the username and password pair. In certain implementations, a ClientUID token is also sent which acts as an MFA token. The credentials are directly submitted by the OFX application using a custom OFX command to an endpoint URL exposed by the bank. Once authentication is successful, the financial information can be exchanged.
A draft for OFX 2.2 was published in late 2016 proposes an OAuth based authentication system. However, currently, this is not widely deployed.
Attacking over OFX
OFX, in addition to web and mobile, adds another channel for legitimate entities to authenticate and pull financial data. However, nothing prevents an attacker from abusing the channel in the same way they currently abuse the web and mobile channels.
Why Attack Using OFX
Additionally, in case of the web/mobile flow, an attacker has to recon the target’s login flow and modify the attack tool accordingly. The OFX API defines standard authentication flow and successful/failed authentication markers, making it easier for the attacker to reuse the same tool across the thousands of financial institutions that support this standard.
While we are aware of only a few instances of these attacks, we predict a tremendous rise in OFX-based automated attacks!