Top 100 Global Fintech Startups Have Exploitable Security Vulnerability

Web security company, ImmuniWeb, has conducted research into the state of application security at the most prominent and well-funded global fintech startups, as identified by CB Insights, and found that 98 of the top 100 are vulnerable to phishing, web and mobile application security attacks.

Fintech Startups

Key Findings: Security

ImmuniWeb conducted various non-intrusive security, privacy and compliance checks to identify potential security flaws on the main websites and subdomains of the 100 fintech startups:

[REITs]

Q2 hedge fund letters, conference, scoops etc

100% have security, privacy and compliance issues related to abandoned or forgotten web applications, APIs and subdomains.

  • 8 main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of a medium or high-risk.
  • The most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).
  • The oldest unpatched security vulnerability is CVE-2012-6708 impacting jQuery 1.7.2.
  • 100% of the mobile applications contain at least 1 security vulnerability of a medium risk, 97% have at least 2 medium or high-risk vulnerabilities.
  • 56% of mobile app backends (REST/SOAP APIs) have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.

Security Vulnerability

Security Vulnerability

Key Findings: Compliance

  • 62% of the companies’ main websites failed PCI DSS compliance test. The major cause was outdated open-source and commercial software and its components (Requirement 6.2).
  • 64% of the companies’ main websites likewise failed GDPR compliance. After vulnerable web software, the second most frequent reason is a missing cookie disclaimer or unset security flags on cookies that transfer tracking, PII or otherwise sensitive information. The third top cause is missing or inaccessible privacy policy.

Security Vulnerability

Security Vulnerability

Ilia Kolochenko, CEO and Founder of ImmuniWeb, commented: “The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions. At first glance, the fintech industry is doing comparatively better, however, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in a favor of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.

Security Vulnerability

Security Vulnerability

Security Vulnerability

The research likewise highlights that lack of visibility is one of the most widespread, detrimental and sometimes almost insurmountable obstacles in the way of coherent and holistic information security. Given the mounting proliferation of cloud and containers technologies, outsourcing of business-critical processes and data sharing with numerous third-parties, incomplete visibility will likely remain information security’s Achilles’ Heel.

Security Vulnerability

Security Vulnerability

Fintech

Security Vulnerability

Fintech

Fintech

Full research and infographics at: https://www.immuniweb.com/blog/fintech-application-security.html



About the Author

Jacob Wolinsky
Jacob Wolinsky is the founder of ValueWalk.com, a popular value investing and hedge fund focused investment website. Prior to ValueWalk, Jacob was VP of Business Development at SumZero. Prior to SumZero, Jacob worked as an equity analyst first at a micro-cap focused private equity firm, followed by a stint at a smid cap focused research shop. Jacob lives with his wife and four kids in Passaic NJ. - Email: jacob(at)valuewalk.com - Twitter username: JacobWolinsky - Full Disclosure: I do not purchase any equities anymore to avoid even the appearance of a conflict of interest and because at times I may receive grey areas of insider information. I have a few existing holdings from years ago, but I have sold off most of the equities and now only purchase mutual funds and some ETFs. I also own a few grams of Gold and Silver