Template:Netherlands January 31, 2013

= January 31, 2013 = Broken Online Strong Authentication and OWASP update
 * This chaptermeeting will be about broken online strong authentication with banking web applications and OWASP updates.

Programme:

 * 18:30 - 19:00 Registration
 * 19:00 - 19:45 The Truth about the e.dentifier2 - Erik Poll
 * 19:45 - 20:00 Break
 * 20:00 - 20:45 OWASP Update - Martin Knobloch
 * 20:45 - 21:30 Networking

The Truth about the e.dentifier2
We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.

OWASP Update
News and updates on OWASP BeneLux 2013, OWASP Dutch Chapter meetings, AppSec EU 2013, OWASP Connector, the OWASP Newsletter and new OWASP initiatives.

Erik Poll
Erik works in the Digital Security group of the Radboud University on a range of topics in security, including smartcards, security protocols, software security, and critical infrastructures (esp. the smart grid).

Martin Knobloch
Martin Knobloch is member of the Dutch chapter board and chair of the Global Education Committee. Next to this he contributes to several projects as the OWASP Education Project and the OWASP Academy Portal. Martin is an independent security consultant and owner of PervaSec. His main working area is (software) security in general, from awareness to implementation. In his daily work, Martin is responsible for education in application security matters, advise and implementation of application security measures.