Security Innovation's Steven Danneman to Address Banks' Digital Side Door Attack Surfaces at DEF CON 26


Wilmington, MA – August 8, 2018 – Security Innovation, a pioneer in software security assessment and training, today announced that on Friday, August 10th at 5:00 p.m. PDT, Security Engineer Steven Danneman will be a featured speaker at DEF CON 26, the world’s longest running and largest underground hacking conference. Security Innovation’s CMD+CTRL cyber range will also be highlighted at the conference as part of DEF CON’s Contest Floor activities.

Danneman’s presentation, “Your Bank’s Digital Side Door,” will show how personal financial software gathers information and how it communicates with banks, and will discuss the broad attack surface presented by these banks’ digital side doors.

Session Highlights:

After exploring the 20-year-old Open Financial Exchange (OFX) protocol and the more than 3,000 North American banks that support it, Danneman will discuss how it led him to more than 30 different implementations that create a broad and inviting attack surface for hackers.

  • The presentation will guide attendees through how Quicken, QuickBooks, Mint.com, and even GnuCash applications gather checking account transactions, credit card purchases, stock portfolios, and tax documents. Attendees will watch this data flow over the wire, learn about the jumble of software that banking IT departments deploy to support this activity, and discuss how secure these systems are.
  • The session will include sending simple packets at several banks and revealing the security surprises that occur during the process.
  • Danneman will also demo and release a tool that fingerprints an OFX service, describes its capabilities, and assesses its security.

CMD+CTRL Contest:

Security Innovation will also run a CMD+CTRL Contest on the Contest Floor at DEF CON on Friday, August 10 and Saturday, August 11 between 10 a.m. and 6 p.m. CMD+CTRL is the only cyber range focused exclusively on Web application security. The CTF activity will include two new vulnerable web sites where participants will gain a deeper understanding of how cyber-attackers find and exploit vulnerabilities in insecure software applications.

People interested in learning more about CMD+CTRL can email pr@securityinnovation.com.

About Security Innovation

Since 2002, organizations have relied on Security Innovation for our unique software security expertise to help secure and protect sensitive data in the most challenging environments – desktops, web applications, mobile devices and the cloud. A best-in-class security training, assessment and consulting provider, Security Innovation has been named to the Gartner Magic Quadrant for Security Awareness Training for four consecutive years. Security Innovation is privately held and headquartered in Wilmington, MA, USA. For more information, visit www.securityinnovation.com or connect with us on LinkedIn or Twitter.

Security Innovation Media Contact:
Joshua Milne
pr@securityinnovation.com, +1-617-501-1620