On occasion, IT examiners and audit professionals may claim that allowing “concurrent sessions” on It’s Me 247 Online Banking presents a security risk. While it is true that It’s Me 247 allows concurrent sessions, the security risk is minimal, and preventing concurrent sessions would create disruption for your members.
 
The primary benefit of concurrent sessions is that they allow the owners of an account to be logged in at the same time on different devices. Without concurrent sessions, a husband at home would not be able to log in if the wife is at work and logged in. Preventing concurrent sessions is not a required practice, and concurrent sessions are common for data-sensitive applications.
 
If an IT examiner or auditor continues to insist that allowing concurrent sessions presents a security risk, we recommend the following responses:
  1. If a user is logging on to a shared public PC, an auditor may raise concerns that another user may gain access to the member’s session. In the first place, using a public PC for online banking is a practice that should be discouraged for other reasons, namely that the public PC may have malware that can hijack the person’s credentials. Disabling concurrent sessions would have little effect on reducing this risk. Furthermore, sessions automatically time out after fifteen minutes based on the browser used on that PC. For disabling concurrent sessions to mitigate the risk, the member would have to log in on another device within fifteen minutes to invalidate the original session.
  2. Another argument that may be raised is that disabling concurrent sessions reduces the risk of session hijacking attacks, or improves the ability to determine whether unauthorized activity has taken place from a hijacked session. First, It’s Me 247 tracks all logins and the member will be able to see those logins from the history. Second, if an attacker is able to steal a session token, disabling concurrent sessions would only take effect when the legitimate user logs back in. Therefore, this mitigation is extremely limited.
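
The two responses above can be checked against a small model of a session table. This is an added example, not CU*Answers code: the class and function names, the member ID, the five-minute replay interval and the server-side handling of the time-out are assumptions; the fifteen-minute idle time-out is the figure stated above.

```python
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60  # seconds; the fifteen-minute time-out stated above

@dataclass
class SessionStore:
    """Hypothetical session table, modelled server-side for simplicity."""
    allow_concurrent: bool
    sessions: dict = field(default_factory=dict)  # token -> [member, last_seen]

    def login(self, member, now):
        if not self.allow_concurrent:
            # Single-session policy: a new login revokes the member's older tokens.
            self.sessions = {t: s for t, s in self.sessions.items() if s[0] != member}
        token = secrets.token_hex(16)
        self.sessions[token] = [member, now]
        return token

    def request(self, token, now):
        """Return True if the token is still accepted at time `now` (seconds)."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s[1] > IDLE_TIMEOUT:
            del self.sessions[token]  # idle too long: expire the session
            return False
        s[1] = now  # activity resets the idle timer
        return True

def abandoned_public_pc(allow_concurrent):
    """Response 1: member leaves a shared PC logged in and never logs in elsewhere."""
    store = SessionStore(allow_concurrent)
    t = store.login("member-1", now=0)
    last_use = 5 * 60
    return store.request(t, last_use), store.request(t, last_use + IDLE_TIMEOUT + 1)

def copied_token(allow_concurrent, relogin_at=None):
    """Response 2: a token issued at t=0 is reused every 5 minutes for an hour.
    Returns the time of the first rejection, or None if it was never rejected."""
    store = SessionStore(allow_concurrent)
    t = store.login("member-1", now=0)
    for now in range(300, 3601, 300):
        if now == relogin_at:
            store.login("member-1", now)  # legitimate member logs in again
        if not store.request(t, now):
            return now
    return None
```

In this model the abandoned session expires on idle time-out under either policy, and a token kept in continuous use is rejected under the single-session policy only at the moment the legitimate member logs in again.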

CU*Answers always looks to balance security with functionality. Adding security often comes at a cost to user functionality. We provide regular updates to features and functionality on our Kitchen page and encourage you to offer suggestions on new functionality by submitting an Idea Form.