What are the best practices for implementing temporary transaction password feature for website?

For example, in banking/finance scenarios like:

  • While transferring funds from one account to another, a transaction password is required.
  • While committing a trade, a transaction password is required.
  • etc.

The password should be temporary and time-based, i.e. this password should not work after x minutes have elapsed.

What algorithm would you recommend? Do you suggest keeping track of used passwords i.e. store used password in some store?

Some websites use a one-time-password device. Apart from this, please feel free to highlight any other strategy you think may be appropriate.

Any other thoughts/suggestions/algorithm welcome.

Edit: Based on question from 'lassevk'

  1. The password would be communicated by email/phone/sms.
  2. There is no third site involved.

I require this as an additional level of security for critical points in the application. This may also be called an "AuthenticationCode".

A: 

Edit after updated question:

Well, one way would be to simply store it in the session variable; that would make it forcibly go away whenever the service is restarted.

Additionally, you would need to have a timer on it: basically you store expiration time + password somewhere, and whenever you check the password, if the expiration time is in the past, you don't have a password and just clear it.

If you encapsulate this away in some base code that not only checks if the right password is given, then it would need to be able to answer yes, no, and "no password stored", so that you can give the appropriate message to the user.

A couple of questions:

  • How would you communicate the temporary password to the user? SMS?
  • Is the password for the same site, or is it created for another, linked, site? (i.e. your bank's main site generates or gets hold of the password, and you use that to log on or authorize the transaction on another, related, site?)

If the answers are:

  • Via the website
  • No, same site

Then what's the point? What are you hoping to gain from this? What are the specific criteria or goals for implementing this feature?

Lasse V. Karlsen
Updated the question in answer to your comments.
rajesh pillai
A: 

Well, it really differs from institution to institution.

Creating a Financial PIN on the basis of sessions would be a more secure strategy than creating an FPIN that works for a particular time period.

If you have the resources to SMS the FPIN, then the best practice would be to generate an FPIN before every transaction and SMS it to the user; that would be something like 2FA.

Regards Azeem.

azimyasin
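The two answers above describe the same mechanism from different angles: a code parked in the session with an expiry and a three-state check (Lasse), generated fresh per transaction and sent out of band (Azeem). The following is an added example, not code from either answerer; it assumes a dict-like server-side session, a 5-minute TTL for the "x minutes" in the question, and adds an attempt limit, since a 6-digit code that survives for minutes must not be guessable by retrying.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300   # the "x minutes" from the question; assumed value
MAX_ATTEMPTS = 3         # a short numeric code must not be guessable within its window


@dataclass
class PendingCode:
    code: str
    transaction_id: str   # bind the code to the exact transaction it authorizes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def generate_transaction_code(session: dict, transaction_id: str, now: Optional[float] = None) -> str:
    """Create a fresh 6-digit code for one transaction and park it in the session.

    The returned code is what you deliver out of band (SMS/email); any earlier
    pending code in the session is replaced, so at most one is ever valid."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
    session["txn_code"] = PendingCode(code, transaction_id, now + CODE_TTL_SECONDS)
    return code


def verify_transaction_code(session: dict, transaction_id: str, supplied: str,
                            now: Optional[float] = None) -> str:
    """Three-state check: 'ok', 'wrong', or 'none' (nothing pending, or expired)."""
    now = time.time() if now is None else now
    pending = session.get("txn_code")
    if pending is None:
        return "none"
    if now >= pending.expires_at:
        del session["txn_code"]          # expired: treat as if no code was stored
        return "none"
    # Constant-time comparison; the transaction id must match as well, so a code
    # issued for one transfer cannot authorize a different one.
    matches = hmac.compare_digest(pending.code.encode(), supplied.encode())
    if not matches or pending.transaction_id != transaction_id:
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del session["txn_code"]      # too many guesses: force a fresh code
            return "none"
        return "wrong"
    del session["txn_code"]              # single use: consumed on success
    return "ok"
```

Because the code lives only in the server-side session and is deleted on success, expiry, or exhausted attempts, nothing needs to be persisted in a "used passwords" store.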