Securing XML Web services at VISA

VISA International is rolling out Web services to member banks to improve the cardholder dispute process, which until now has been handled on paper.

Visa has announced that it secures its inter-enterprise Web services transactions using Secure FTP sessions over SSL. Is that it? Secure FTP? When securing Web services, SSL is definitely not enough, and I would expect Visa to address a number of other key software security assessment issues.

It is reasonable to assume that Visa does a few other things in its software security assessment besides Secure FTP of XML files. SSL encryption does provide point-to-point data privacy between service requestors and service providers, but what happens after a SOAP message reaches a member bank system, SSL is terminated and the message is decrypted back to clear text? How does Visa address the threat of messages being forwarded to other destinations? Does it encrypt sensitive cardholder information in the payload?

  • Malicious Attack
    One of the key conveniences of XML Web Services is that traffic flows through ports 80 and 443. Firewalls do a good job of port monitoring and of recognizing brute-force attacks, but they cannot inspect message content in order to detect and prevent more sophisticated compromises: to most firewalls, SOAP is simply well-formed HTTP traffic. Web Services interfaces are much more complex than Web site interfaces, which exchange HTML pages and forms. SOAP interfaces are like software APIs and expose database functionality. In addition, an attacker has more information available: the XML message is often self-describing and clearly shows the data elements. XML Web Services traffic therefore needs real-time auditing and monitoring in order to keep up with hackers and insider threats.
  • Replay Attack
    Like a Denial of Service attack, a replay attack involves copying valid messages and repeatedly sending them to a service, so similar detection and handling techniques apply. In some ways, replay attacks are easier to detect with Web Services because payload information is more readily available. With the right tools, patterns can be detected even when the same or a similar payload is sent across multiple transports such as HTTP, HTTPS and SMTP.
  • Buffer Overflow
    An attacker can send a parameter that is longer than the program can handle, causing the service to crash or the system to execute undesired code supplied by the attacker. A typical method is to send an overly long request, for instance a password with many more characters than expected. Closely related to buffer overflows, malformed content often produces a similar effect: strings containing quotes, open parentheses and wildcards can confuse a Web Service interface.
  • Dictionary Attack
    Dictionary attacks are common: an attacker manually or programmatically guesses passwords to gain entry into the system. Administrators should ensure that passwords are difficult to guess and are changed often.
  • Intrusion Detection
    Proactively securing against every possible misuse of Web Services is almost impossible. Security policies and strict access control management should reduce the occurrence of intrusion; an intrusion detection system (IDS) is then needed to flag the anomalous behavior that slips past those controls.
  • Internal Threats (Extrusion Prevention)
    Attackers are usually thought of as being outside the organization. However, most security breaches originate from within. With Web Services, more functionality is available to more people. Access to confidential information and embezzlement of funds are just some of the internal breaches that can be carried out by employees or former employees, and because employees are the most familiar with internal systems, detection can be extremely difficult. Unintentional compromises are also possible: if an interface is unsecured, an employee may accidentally access information they are not intended to view. Since firewalls are insufficient for extrusion prevention, an EPS (extrusion prevention system) such as Fidelis DataSafe, Vericept, Reconnex or Vontu is required.
  • Threat containment
    Once a security breach is detected, being able to shut down systems and reject traffic from specific sources is important for handling the compromise. An EPS provides real-time audit, logging and the ability to drop traffic from specific source IP addresses in order to properly mitigate the threat.
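As an added example (not Visa's or this article's code), a message-level inspector of the kind the buffer-overflow and replay items above call for: it bounds parameter lengths and character sets before a request reaches the service, and flags re-sent requests both by MessageID and by a transport-independent digest of the payload. The `<DisputeRequest>` layout, the field limits and the five-minute window are assumptions made for illustration, not Visa's schema.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed per-field limits (max length, allowed characters) for the
# hypothetical <DisputeRequest> element; values outside them are rejected.
FIELD_RULES = {"CaseID": (20, re.compile(r"^[A-Z0-9-]+$")),
               "Reason": (200, re.compile(r"^[A-Za-z0-9 .,]+$"))}
REPLAY_WINDOW = timedelta(minutes=5)
# Constructed sample request; the element names are hypothetical, not Visa's schema.
SAMPLE = ("<DisputeRequest><MessageID>m-1</MessageID><Timestamp>2005-06-01T10:00:00"
          "</Timestamp><CaseID>CASE-0001</CaseID><Reason>Duplicate charge</Reason></DisputeRequest>")

def validate_fields(root):
    """Reject over-long or oddly punctuated parameters before they reach the service."""
    errors = []
    for name, (max_len, pattern) in FIELD_RULES.items():
        value = root.findtext(name)
        if value is None:
            errors.append(f"{name}: missing")
        elif len(value) > max_len:
            errors.append(f"{name}: length {len(value)} exceeds {max_len}")
        elif not pattern.match(value):
            errors.append(f"{name}: disallowed characters")
    return errors

def check_replay(root, seen, now):
    """Flag a re-sent message by MessageID or by a transport-independent payload digest."""
    ts = datetime.fromisoformat(root.findtext("Timestamp"))
    if abs(now - ts) > REPLAY_WINDOW:
        return "timestamp outside replay window"
    for key in [k for k, t in seen.items() if now - t > REPLAY_WINDOW]:
        del seen[key]  # evict entries older than the window so the cache stays bounded
    msg_id = "id:" + root.findtext("MessageID", "")
    payload = "|".join(root.findtext(f, "") for f in FIELD_RULES)
    digest = "sha256:" + hashlib.sha256(payload.encode()).hexdigest()
    if msg_id in seen:
        return "duplicate MessageID"
    if digest in seen:
        return "duplicate payload under a new MessageID"
    seen[msg_id] = seen[digest] = now
    return None

def inspect(xml_text, seen, now):
    """Apply both checks; returns the reasons to reject the message (empty = accept)."""
    root = ET.fromstring(xml_text)
    reasons = validate_fields(root)
    replay = check_replay(root, seen, now)
    return reasons + ([replay] if replay else [])
```

The payload digest deliberately excludes MessageID and Timestamp, so a copied request that is re-sent over a different transport with a fresh identifier is still recognised.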

More about the Visa Web service for member bank dispute resolution...

Visa already uses Web services in its dispute management system, Resolve OnLine. The project involved 150 developers working for nine months with J2EE, Mercury and Rational tools, and the IBM WebSphere Integrated Application Suite.

By using Web services, Visa and member banks have eliminated most manual processes involved in dispute management. Back-end systems at Visa and member banks now can communicate directly regarding requests for transaction research, dispute case search and retrieval, and requests for copies of original paper receipts.

Since implementing Resolve OnLine, not only has dispute transaction length been reduced but the number of disputes has also diminished. "The inquiry capabilities have lessened the number of issues that come to dispute, and we have seen resolution time cut roughly by one-third," according to Sara Garrison, senior vice president of network and open systems development at Visa, in Foster City, Calif. In 2004, Resolve OnLine saved issuers $52 million in operating costs, while member savings from the reduction in volume of exception items exceeded $300 million during the year.

Software Associates - Business security specialists for hi-tech firms