Web security company, ImmuniWeb, has conducted research into the state of application security at the most prominent and well-funded global fintech startups, as identified by CB Insights, and found that 98 of the top 100 are vulnerable to phishing, web and mobile application security attacks.
Key Findings: Security
ImmuniWeb conducted various non-intrusive security, privacy and compliance checks to identify potential security flaws on the main websites and subdomains of the 100 fintech startups:
[REITs]Q2 hedge fund letters, conference, scoops etc
100% have security, privacy and compliance issues related to abandoned or forgotten web applications, APIs and subdomains.
- 8 main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of a medium or high-risk.
- The most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).
- The oldest unpatched security vulnerability is CVE-2012-6708 impacting jQuery 1.7.2.
- 100% of the mobile applications contain at least 1 security vulnerability of a medium risk, 97% have at least 2 medium or high-risk vulnerabilities.
- 56% of mobile app backends (REST/SOAP APIs) have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.
Key Findings: Compliance
- 62% of the companies’ main websites failed PCI DSS compliance test. The major cause was outdated open-source and commercial software and its components (Requirement 6.2).
- 64% of the companies’ main websites likewise failed GDPR compliance. After vulnerable web software, the second most frequent reason is a missing cookie disclaimer or unset security flags on cookies that transfer tracking, PII or otherwise sensitive information. The third top cause is missing or inaccessible privacy policy.
Ilia Kolochenko, CEO and Founder of ImmuniWeb, commented: “The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions. At first glance, the fintech industry is doing comparatively better, however, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in a favor of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.
“The research likewise highlights that lack of visibility is one of the most widespread, detrimental and sometimes almost insurmountable obstacles in the way of coherent and holistic information security. Given the mounting proliferation of cloud and containers technologies, outsourcing of business-critical processes and data sharing with numerous third-parties, incomplete visibility will likely remain information security’s Achilles’ Heel.”
Full research and infographics at: https://www.immuniweb.com/blog/fintech-application-security.html
