98 of 100 most prominent and well-funded fintech startups are vulnerable to phishing, web and mobile application security attacks.
CB Insights has recently compiled a report entitled “The Fintech 250: The Top Fintech Startups Of 2018”. According to the report, the 250 companies have raised approximately $53 billion in aggregate funding across 947 deals. The report includes companies at different investment stages of development, from early-stage (seed/Series A) to well-funded unicorns.
Today, we’re observing a digital transformation and an increasing impact of emerging fintech companies on traditional banking models. Everyone has likely heard of Revolut, a prominent example of a game-changing unicorn. Rapid proliferation of uberization, blockchain and AI technologies contribute into the overall disruption and trembles global financial industry.
Given a positive feedback we have received about our research “State of Application Security at S&P Global World’s 100 Largest Banks”, we decided to run similar research covering the top 100 fintech startups from the abovementioned CB Insights report.
This research aims to shed some light on the overall state of web and application security of the fintech companies and compare it with the results of traditional banks.
- 100% of the companies have security, privacy and compliance issues related to abandoned or forgotten web applications, APIs and subdomains.
- 8 main websites and 64 subdomains of the companies have at least one publicly disclosed and exploitable security vulnerability of a medium or high-risk.
- The most popular website vulnerabilities were XSS (Cross-Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).
- The oldest unpatched security vulnerability is CVE-2012–6708 impacting jQuery 1.7.2 being publicly known since 2012.
- 100% of the mobile applications contain at least 1 security vulnerability of a medium risk, 97% have at least 2 medium or high-risk vulnerabilities.
- 56% of mobile app backends (REST/SOAP APIs) have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.
- 62% of the companies failed PCI DSS compliance test even for their main website.
- 64% of the companies likewise failed GDPR compliance test for their main website.
Methodology and Data Sources
We leveraged an enhanced methodology from our previous banking research that covered web and mobile application security of world’s 100 largest banks by S&P Global ratings.
Using OSINT discovery and non-intrusive testing techniques, we carefully studied external web applications, APIs and mobile apps of the companies from the above-mentioned CB Insights report that encompasses companies from 6 regions and 17 countries:
The following external assets and applications of the companies were tested during the research:
We conducted various non-intrusive security, privacy and compliance checks. All of the testing tools are available online and can be freely used to reproduce the results of the research as well as to validate improvements after remediation of the described security flaws:
- SSL Security Test [scoring methodology and list of checks]
- Website Security Test [scoring methodology and list of checks]
- Mobile App Security Test [list of checks]
- Phishing Test [list of checks]
PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version 3.2.1 of the standard (assuming the websites fall within the Cardholder Data Environment).
GDPR compliances testing covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation (assuming websites handle and/or store PII of the EU residents).
Non-intrusive Software Composition Analysis (SCA) of Open Source and proprietary web software verified fingerprinted software versions for publicly disclosed vulnerabilities from the OWASP Top 10 list.
Additionally, Content Security Policy (CSP) and others security and privacy-related HTTP headers were audited.
Domain security and malicious squatting are as well covered in this research.
Only 2 main websites had the highest “A+” grades both for (1) SSL encryption and (2) website security fully meeting applicable PCI DSS and GDRP compliance requirements:
On the remaining main websites we identified 64 security issues related to outdated web software or its components. One website had as many as 17 outdated JS libraries and other external software components.
On average, each website contained at least one third-party component, such as JS library, web framework or other third-party code. Below are security grades for the main websites:
Given the importance of the main website, as many as six failing “F” grades are an alarmingly important number.
The situation is, however, considerably worse with the subdomains. In total, we have identified over 2,474 outdated software components across the tested subdomains. Brief numbers related to subdomain insecurity are provided below:
- 1,074 of the subdomains had at least one outdated software component
- 64 subdomains had at least one outdated software component with exploitable vulnerabilities
- The oldest vulnerable CMS is WordPress 4.7.1 with 26 publicly known security issues so far
Below are website security grades for the subdomains:
SSL/TLS Encryption Security
Implementation and configuration of the HTTPS SSL/TLS encryption is remarkably well done. Only one main website scored with a “B” grade, while all others received laudable “A” or even the highest possible “A+” grades:
Similarly to the website security issues described above, the situation with HTTPS encryption on the subdomains is alarming. As many as 93 subdomains had the failing “F” grade, 537 had an untrusted or expired SSL certificate:
PCI DSS and GDPR Website Compliance
Below are PCI DSS compliance tests for the main websites:
As many as 62 websites failed the applicable requirements of the PCI DSS compliance test. The major cause was outdated open-source and commercial software and its components (Requirement 6.2).
PCI DSS compliance tests for the subdomains are, however, comparable to the main websites:
Below are GDPR compliance tests for the main websites:
Perhaps unsurprisingly, most subdomains failed the GDPR compliance test for similar reasons:
Usage of Web Application Firewalls
A Web Application Firewall (WAF) was used on 95% of the main websites, a remarkably high number.
As for the subdomains a lesser but still large proportion of 65% was protected with WAF that is a comparatively high result if juxtaposed to other industries:
Mobile Applications and Backend APIs
We discovered and audited 61 mobile applications handling personal, financial or otherwise sensitive data. All of the mobile apps were tested for Mobile OWASP Top 10 security and privacy issues. Given the sensitive nature of financial and other data handled by these applications, we find below-mentioned statistics quite frustrating:
- 100% of the mobile applications contained at least 1 medium-risk security vulnerability
- 97% of the mobile applications had 2 or more medium-risk vulnerabilities
- 3% of the mobile applications contained at least 1 high-risk security vulnerability
Three most common OWASP Mobile Top 10 security issues were:
- M1: Improper Platform Usage (299 issues)
- M2: Insecure Data Storage (210 issues)
- M7: Client Code Quality (153 issues)
Supplementary, we tested web security and SSL/TLS encryption for the mobile backend APIs where users’ data is being sent to or is received from. The most popular grade was almost-failing “C”, highlighting a widespread and insufficient prioritization of mobile backend security:
SSL/TLS encryption of the data sent and received via the APIs is considerably better, though 9 backend APIs contained exploitable vulnerabilities or used clear text HTTP protocol instead of secure HTTPS:
Trademark Infringement and Brand Abuse
We detected that 90 out of 100 companies are victims of cybersquatting, having at least one domain taken over by competitors or unscrupulous third parties to steal web traffic.
We also identified that 86 companies have at least 1 typosquatted domain forwarding inattentive users to spam gateways, adult-oriented shops or even websites infected with malware and ransomware:
Benchmark with S&P Global World’s 100 Largest Banks
Below is a visual comparison of the FinTech companies from this research with the largest banking institutions from our previous research:
Such an alarming discrepancy probably stems out from the following factors:
- Incomparably larger, complicated and long-existing IT infrastructure of the banks is much harder, longer and expensive to inventory, maintain and protect
- Business-critical legacy applications and omnipresent in the banking industry, while startups usually build their technology from scratch avoiding many challenges of compatibility
- Decision-making processes, exacerbated by a growing number of regulatory frameworks and compliances, is much longer in the banking industry
- Not that infrequent, FinTech startups have comparatively larger and virtually uncontrolled funds to invest into cybersecurity and talent acquisition after raising money from generous investors
Recommendations and Conclusion
Ilia Kolochenko, CEO and Founder of ImmuniWeb, says:
The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions.
At first glance, the fintech industry is doing comparatively better, however, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in a favor of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.
The research likewise highlights that lack of visibility is one of the most widespread, detrimental and sometimes almost insurmountable obstacles in the way of coherent and holistic information security. Given the mounting proliferation of cloud and containers technologies, outsourcing of business-critical processes and data sharing with numerous third-parties, incomplete visibility will likely remain information security’s Achilles’ Heel.
At ImmuniWeb, we are firmly committed to tackle and disperse these grey areas with ImmuniWeb Discovery. It is tailored to illuminate external attack surfaces, provide measurable risks and actionable security ratings, and enable a well-informed and data-driven decision-making process.
ImmuniWeb suggests the following recommendations to avoid most of the security issues detailed in the report:
- Consider implementing Gartner’s CARTA strategy to enhance your cybersecurity.
- Maintain a holistic and up2date inventory of assets located in your external attack surface, identify all software and its components used there, run actionable security scoring on it to enable threat-aware and risk-based remediation.
- Implement continuous security monitoring of your external attack surface, test your new code before and after deployment to production, start implementing DevSecOps approach to your application security.
- Consider leveraging Machine Learning and AI capacities to handle time-consuming and routine processes, freeing up your security personnel for more important tasks, suggested reading: “4 Practical Questions to Ask Before Investing in AI”.