Overview

Union Bank of Nigeria (UBN) is one of the oldest and largest commercial banks in Nigeria. The bank was founded in 1917 and has since grown to become a major player in the Nigerian banking industry. UBN provides a wide range of banking and financial services, including corporate banking, retail banking, and investment banking. The bank has a strong presence in Nigeria, with over 300 branches and ATMs nationwide. Union Bank also operates in other African countries like Ghana, Sierra Leone, The Gambia and Liberia. The bank has also built a notable reputation for its Corporate Social Responsibility initiatives and its support of the Nigerian economy.

Client:
Union Bank of Nigeria (UBN)
Industry:
Banking And Finance
Services:
Web Application Security Testing
Company:
Union Bank of Nigeria
Development Company:
CEVA Ltd., Nigeria

Challenge

Union Bank of Nigeria is a large banking organisation having complex functionalities with a diverse range of systems and networks. As it has a large user base processes , stores and uses user’s financial data, it should be safe from all kind of threats. Union Bank of Nigeria is subject to various laws and regulations that govern the banking sector. While testing we need to keep in mind about the laws as well. Except that the error percentage during the test should be zero, our major focus towards the unauthorised data leaks and financial losses that can harm the organisation

Solution

As this is a sensitive project dealing finance and banking services, we have followed our own security checklist specially designed for banking sectors along with other popular security frameworks like OWASP , SANS25, PCI DSS security Guidlines . At first we have gone through the workflow of that application to understand it better before doing any security testing there. Each and every test was done under a host hosted on the staging server. We have started the audit With a team of highly experienced penetration testers, we divide each memebr with separate modules for completing the project before the deadline. As per procedures we initiated an automation scan( using paid enterprise tools) against the target and found several low hanging bugs. During the time of manual testing , our team first engaged themselves with black box testing and found several bugs , but worth mentioning here, the application is vulnerable for dBlind Xss During one signup which was executing directly on the banking administrator portal , this leads to the total account takeover of the admin portal. Then during white box test, we found one malicious user can have access to all other user’s personal financial Information. In total we found several bugs from the portal.

The team now has all the required evidences , root causes and preventions for the bugs we have found. We made a detailed security report v1.0 and coordinated continuously with the team of developers for fixing out all the raised security issues. After few days we confirmed the raised issues to be addressed by the dev team and provided them the final 2.0 version.

Results

Threatsys have completed the security testing on time successfully and the application code was updated with the fixed code in the live server . Now the portal is running securely and providing financial services to thousands of users flawlessly.

That means Threatsys is protecting the banking users of Nigeria and making the whole UBN secure enough.