
Security through obscurity

Software security is always a topic of concern. The concept of security through obscurity has been criticized for a long time. It assumes that a system is secure as long as its vulnerabilities remain hidden and unknown to attackers.

This approach gives a false sense of safety when, in reality, the underlying systems are susceptible to attack. You never know when a vulnerability will be exposed, and by then there is no time left to fix the problem.

Software security, especially in the banking industry, is critical. Banks should follow a proactive approach rather than reacting to problems once they are exposed.

White hat hacking is the cool name for hiring hackers to find vulnerabilities in a system before attackers do.

This reminds me of an incident that happened while I was working on a large banking product. We were developing the product, and one of its security features was the encryption of URL parameters.

Encryption prevented the data from being logged or tracked by middlemen or network teams. According to the development team, this requirement was complete and ready for testing. All the URLs had some random-looking string in them, e.g.

We hired some white hat hackers to test our product and proactively find problems in our system.
One of the problems raised by the team was that our encryption logic was not correct. Their concern was that a specific set of characters was repeated in every URL, and hence the logic encrypting the URL parameters could not be right.

I spent a few days trying to reproduce and simulate the issue in our encryption engine. I was not even able to reproduce the issue, let alone fix it.

Then I discussed it with the tester to understand the problem in more detail. He told me that a specific set of characters was repeating in every URL. After looking at the repeating characters, I did a full-text search for them on a whim.

And yes, I found it. The root cause of the problem: a lazy developer who did not want to use the encryption engine, in order to save some performance. So he gave the variable a name made of random characters (and did the same with the values he intended to send) instead of going through the encryption engine.
He preferred to "encrypt" his parameters by obscurity. Nobody apart from himself was aware of his mischief. He believed that nobody would ever find out that the URL parameters were not being encrypted.
Technical people will recognise the structure of the URL: &fsh2ohg=fh@
It is easy to fool humans, but automated tools bring out such vulnerabilities and help fix the issues.
That was a moment of a hearty laugh.
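The signal the white hat team noticed, a query-string pair that is byte-identical in every URL, is easy to check for mechanically. The following is an added example, not code from the post or from the banking product it describes; the sample URLs are constructed (the host bank.example and the parameter name enc are assumptions), and only the pair fsh2ohg=fh@ is taken from the post. A value that never changes across requests cannot be the output of encryption that uses a fresh IV or nonce per request, so a constant pair is either plaintext or a fixed token pretending to be ciphertext.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a handful of URLs as a proxy log or browser history
# would show them. The "enc" parameter (assumed name) changes on every
# request, while the pair fsh2ohg=fh@ (quoted in the post) never changes.
SAMPLE_URLS = [
    "https://bank.example/app/account?enc=k3Jd9Qm2&fsh2ohg=fh@",
    "https://bank.example/app/account?enc=Zp01xLw7&fsh2ohg=fh@",
    "https://bank.example/app/transfer?enc=8hT2nBv5&fsh2ohg=fh@",
    "https://bank.example/app/transfer?enc=Qq9zLm3r&fsh2ohg=fh@",
]


def query_pairs(url):
    """Parse the query string of one URL into a set of (name, value) pairs.
    A set, so a pair repeated twice inside one URL is counted once."""
    return set(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def repeated_parameters(urls, min_share=1.0):
    """Return the (name, value) pairs that appear unchanged in at least
    min_share (default: all) of the URLs. Parameter names are expected to
    repeat; it is the name *and* value repeating that is suspicious."""
    if not urls:
        return []
    counts = Counter()
    for url in urls:
        counts.update(query_pairs(url))
    threshold = min_share * len(urls)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def values_per_name(urls):
    """Map each parameter name to the distinct values seen for it, so a
    reviewer can tell a varying (plausibly encrypted) parameter from one
    that is stuck at a single value."""
    seen = defaultdict(set)
    for url in urls:
        for name, value in query_pairs(url):
            seen[name].add(value)
    return dict(seen)


def report(urls):
    """Human-readable findings for a batch of URLs."""
    lines = []
    for name, value in repeated_parameters(urls):
        lines.append(f"constant pair in every URL: {name}={value}")
    for name, values in sorted(values_per_name(urls).items()):
        lines.append(f"{name}: {len(values)} distinct value(s) in {len(urls)} URLs")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_URLS)))
```

Run over the sample, the report flags fsh2ohg=fh@ as constant in every URL while enc shows four distinct values in four URLs. The check says nothing about whether enc is encrypted well; it only catches the case from the post, where a parameter that should have been freshly encrypted on each request was a hard-coded string.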

From software islands to connected systems


Digitization of processes is no longer optional today. Even small businesses depend on the computational power of devices to run and manage their operations.

Large enterprises have different departments of operations, and each department has its own budget. Each department needs software to smooth out its processes, and the cost of that software comes out of its budget. This disconnection between departments often results in various problems, including disconnected systems and redundant software islands.

All departments have many similar needs, e.g., task management, content sharing, knowledge management, authentication, etc., which can be served by the same enterprise-level software systems instead of procuring separate software for each department. Organizations can reuse software systems across departments to reduce costs and management effort.

I am writing this article to bring forth a more significant problem that arises from software islands. In recent history, India has seen some banking frauds. In one such case, the bank had different systems that each worked correctly in their own area but were disconnected from each other.

The Letter-of-Undertaking system was disconnected from the core banking system. Both systems kept running without alerting anyone about the mismatch in their data.

The manual process of entering the output of one system into another could easily have been automated. Humans can make mistakes. Humans can miss a step of a prescribed process. And humans can intentionally skip a step in a series of procedures for some benefit. Computers cannot. Machines are designed to follow instructions. If an operation can be defined logically, computers can be programmed to enforce it; there is no escape from it (unless instructed otherwise).

If the bank had designed its systems to communicate with each other automatically, this problem could have been avoided.

The banking industry (or any other highly regulated sector) has a real need for connected systems. A software system that orchestrates information between different systems not only reduces manual effort but also makes sure that all the steps in the defined process are followed.

Such a system should also check the different systems at regular intervals to validate the data between them.
Each enterprise has its own backbone of processes. Hence it is worth investing in custom software built specifically for the organization.
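The periodic cross-check described in this post is a reconciliation: take the records each system holds, match them by a shared reference, and report anything present in one system only or present in both with different details. The following is an added example, not the bank's or any product's code; the record fields (ref, amount, beneficiary) and the sample data are constructed for illustration, with the Letter-of-Undertaking side containing one entry that never reached core banking and the core side containing one re-keyed amount and one entry with no LoU behind it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    ref: str          # reference id shared by both systems (assumed field)
    amount: float     # assumed field
    beneficiary: str  # assumed field


# Constructed sample data. LOU_RECORDS stands in for the
# Letter-of-Undertaking system, CORE_RECORDS for the core banking system.
LOU_RECORDS = [
    Record("LOU-1001", 250000.0, "ACME Metals"),
    Record("LOU-1002", 120000.0, "Globex Traders"),
    Record("LOU-1003", 980000.0, "Initech Exports"),   # never entered in core
    Record("LOU-1004", 45000.0, "Hooli Imports"),
]
CORE_RECORDS = [
    Record("LOU-1001", 250000.0, "ACME Metals"),
    Record("LOU-1002", 12000.0, "Globex Traders"),     # a zero lost in manual re-entry
    Record("LOU-1004", 45000.0, "Hooli Imports"),
    Record("LOU-1005", 70000.0, "Umbrella Supplies"),  # no LoU exists for this
]


def index_by_ref(records: List[Record]) -> Tuple[Dict[str, Record], List[str]]:
    """Index records by reference id; a reference seen twice in the same
    system is itself a finding, so it is returned separately."""
    by_ref: Dict[str, Record] = {}
    duplicates: List[str] = []
    for r in records:
        if r.ref in by_ref:
            duplicates.append(r.ref)
        by_ref[r.ref] = r
    return by_ref, duplicates


def reconcile(lou: List[Record], core: List[Record]) -> Dict[str, List[str]]:
    """Compare the two systems by reference id and return findings grouped
    by kind. Every LoU should have exactly one core entry with the same
    amount and beneficiary, and every core entry should have an LoU."""
    lou_by_ref, dup_lou = index_by_ref(lou)
    core_by_ref, dup_core = index_by_ref(core)
    findings: Dict[str, List[str]] = {
        "missing_in_core": [],
        "missing_in_lou": [],
        "mismatch": [],
        "duplicate_ref": dup_lou + dup_core,
    }
    for ref, r in lou_by_ref.items():
        c = core_by_ref.get(ref)
        if c is None:
            findings["missing_in_core"].append(ref)
        elif (r.amount, r.beneficiary) != (c.amount, c.beneficiary):
            findings["mismatch"].append(ref)
    for ref in core_by_ref:
        if ref not in lou_by_ref:
            findings["missing_in_lou"].append(ref)
    for kind in findings:
        findings[kind].sort()
    return findings


def is_clean(findings: Dict[str, List[str]]) -> bool:
    """True only when no finding of any kind was raised."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(LOU_RECORDS, CORE_RECORDS)
    for kind, refs in result.items():
        print(f"{kind}: {', '.join(refs) or '-'}")
    print("clean" if is_clean(result) else "ALERT: systems disagree")
```

In practice this would run on a schedule against exports from both systems, and any non-empty finding would page someone rather than sit silently in a log; the point of the post is that neither system alerted anyone because nothing ever compared them.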

Object-Oriented Programming

Any real-world object has some properties (which may or may not change over time) and some behavior (which may or may not vary depending on other conditions).

E.g., a pencil is a real-world object which has the following properties:

  • It has some color (e.g., red), which will not change with time
  • It has some length (e.g., 10 cm), which may change when it is sharpened

And it has the following behaviors:

  • It leaves a mark when used appropriately.
  • The mark may vary depending on the pressure applied (depends on an external factor).
  • Its length is reduced when it is sharpened (constant behavior).

Just as in this example, real-world objects have many more features, but in programming we model only the required ones.

Object-oriented programming is a programming paradigm in which we model real-world objects as objects in the program.

Programming in OOP has its advantages. E.g., it is easier for programmers to relate an object to the real world and develop code as per expectations. Programmed objects are beneficial as the application scales up: adding further features and properties is more natural. It also helps in distributing responsibilities within the object world, enabling focused thinking.

Another important feature associated with OOP (Object-Oriented Programming) is the classification of objects. Since the world (real or virtual) is full of objects, it is difficult to manage them as individual objects. We need a way to classify them that helps us relate different objects and their features. E.g., a black-colored pencil is the same kind of thing as the one in the previous example but is a separate object. Since both are pencils, they belong to the same class "Pencil", whereas a pen, which is very similar to a pencil, belongs to a different class, although both Pen and Pencil are "Writing Instruments".

This is a series of blogs that will help you understand the basics of Object-Oriented Programming. We are going to use Java as a base, but I will try to explain it in a generic way so that the same concepts apply in other languages as well.
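The pencil from this post, written out as code, as an added example that is not part of the series (the series uses Java; this illustration is in Python, which carries the same concepts). It models the fixed property (color), the changing property (length), the behavior that depends on an external factor (pressure), the constant behavior (sharpening), and the classification: Pencil and Pen are separate classes under a shared WritingInstrument class. The ink-units field on Pen and the specific mark strings are assumptions made for the example.

```python
from abc import ABC, abstractmethod
from typing import List


class WritingInstrument(ABC):
    """Classification shared by pens and pencils (the post's
    "Writing Instruments"). Color is fixed at creation and never changes."""

    def __init__(self, color: str):
        self._color = color  # property that does not change over time

    @property
    def color(self) -> str:
        return self._color

    @abstractmethod
    def mark(self, pressure: float) -> str:
        """Behavior: leave a mark. Each class decides what the mark looks like."""


class Pencil(WritingInstrument):
    def __init__(self, color: str, length_cm: float):
        super().__init__(color)
        if length_cm <= 0:
            raise ValueError("a pencil must have a positive length")
        self.length_cm = length_cm  # property that changes when sharpened

    def mark(self, pressure: float) -> str:
        # The mark varies with an external factor: heavier pressure, darker line.
        if pressure <= 0:
            return ""
        shade = "dark" if pressure >= 0.5 else "light"
        return f"{shade} {self.color} line"

    def sharpen(self, shaved_cm: float = 0.5) -> float:
        """Constant behavior: sharpening always reduces the length.
        A pencil cannot shrink below a usable stub, so clamp at 1 cm (assumed)."""
        self.length_cm = max(1.0, self.length_cm - shaved_cm)
        return self.length_cm


class Pen(WritingInstrument):
    """Very similar to a pencil but a different class: it holds ink
    instead of having a length that shrinks, and it cannot be sharpened."""

    def __init__(self, color: str, ink_units: int):
        super().__init__(color)
        self.ink_units = ink_units  # assumed: one unit of ink per mark

    def mark(self, pressure: float) -> str:
        # Pressure does not change a pen's line; running out of ink does.
        if pressure <= 0 or self.ink_units <= 0:
            return ""
        self.ink_units -= 1
        return f"{self.color} ink line"


def make_marks(instruments: List[WritingInstrument], pressure: float) -> List[str]:
    """Use every instrument the same way; each class supplies its own behavior."""
    return [instrument.mark(pressure) for instrument in instruments]


if __name__ == "__main__":
    red = Pencil("red", 10.0)
    blue = Pen("blue", 2)
    print(make_marks([red, blue], 0.9))
    print("after sharpening:", red.sharpen(), "cm")
```

The black pencil from the post would simply be Pencil("black", 10.0): a second object of the same class, sharing all behavior but holding its own color and length. make_marks never asks which class it is holding, which is the distribution of responsibility the post describes.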

Getting closer to the customers – the omnichannel way

The traditional banking system is changing fast in India. Indian banks are not the same as they were ten years ago. If I think about the banks of the past decade, the picture that comes to mind is a small room full of people lined up for tasks like updating passbooks or depositing and withdrawing money.

The same banks today are using the power of technology not only to reach out to customers but also to help them invest or spend their money intelligently.

Due to increasing competition, it is essential for banks to reach out to customers rather than asking customers to come to the bank. Banking is a crucial part of everyone's life, and in today's world no one wants to stand in a queue for simple but critical tasks like checking an account balance or transferring money. Customers now want to access their accounts at a place and pace of their own choosing. It is their hard-earned money, after all!

With the wide range of customers that banks have, there is no "one size fits all" choice of medium or channel for reaching them. Banks today must cater to customers via multiple channels.

Moreover, all those channels should coordinate with each other seamlessly.

Reaching customers via multiple channels

An omnichannel environment allows banks to stay connected at all times and serve the needs of their customers.

A customer wants complete control over his money even though it is stored safely in a bank account. He would like to access it at any time of day, including holidays and odd night hours. Giving this feeling to the account holder is very important.

Imagine you are waiting for a cab to go to the office, and in those few minutes you need to apply for a loan or check your eligibility. You were doing the calculations on your home desktop and had half-filled the loan application form when the cab arrived and you had to leave the house. It would be a delight if you could continue completing the form from your mobile app on the way. It would save so much time and effort.

The feature mentioned above is something Gmail does very nicely with emails: a user may resume writing an email from a different channel (mobile or web). However, this facility is not prevalent in the financial sector, despite the long forms that spread across multiple pages.

Disconnected channels in banks may delay the rollout of updates (e.g., a change in government policy or an exciting new offer), as these updates need to be applied to each disconnected channel individually.

The solution for connecting channels is to invest in an omnichannel platform. This platform is a software application deployed on the client-facing end of a bank's existing software architecture. It orchestrates the requests from different channels onto a common pathway, which can then be controlled and modified in one place.