Fintech startups struggle to battle cyber attacks

22/Aug/2019

New research suggests that the vast majority (98%) of the world’s top 100 financial technology (fintech) startups are vulnerable to web and mobile application attacks. And this is despite being well-funded.

Web security firm ImmuniWeb also found that all of these companies have security, privacy and compliance issues relating to abandoned or forgotten web applications, application program interfaces (APIs) and subdomains, according to non-intrusive checks.

The company’s research has revealed a similar level of vulnerability among banks, with an earlier study showing that 97 out of 100 of the largest banks are vulnerable to web and mobile attacks, enabling hackers to steal sensitive data.

The research into fintechs shows that eight main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of a medium or high risk, compared with seven in the banking sector.

The most common website vulnerabilities are cross-site scripting (XSS), sensitive data exposure and security misconfiguration, even though all three feature in the OWASP Top 10 application vulnerabilities, are well known and have established mitigation methods.

All of the mobile applications tested contained at least one security vulnerability of a medium risk, while 97% have at least two medium or high-risk vulnerabilities.

The tests show that 56% of mobile app backends have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.

The report reveals that 62% of the fintechs’ main websites failed the Payment Card Industry Data Security Standard (PCI DSS) compliance test. The major cause of compliance failure was outdated open-source and commercial software and its components.

At the same time, 64% of the fintechs’ main websites likewise failed General Data Protection Regulation (GDPR) compliance. Vulnerable web software was the biggest compliance issue, followed by missing cookie disclaimers or unset security flags on cookies that transfer tracking, personally identifiable information (PII) or other sensitive information, and missing or inaccessible privacy policies.
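The cookie finding above (security flags left unset on cookies carrying tracking or PII data) is the kind of thing that can be checked directly from HTTP response headers. The following is an added example, not part of the ImmuniWeb research or the original article: it parses Set-Cookie headers and reports cookies missing the Secure, HttpOnly or SameSite attributes. The sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing security attributes."""
from typing import Dict, List

# Constructed sample Set-Cookie headers (not taken from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking_id=xyz789; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "pii_profile=opaque-token; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into the cookie name plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, **attrs}


def audit_cookie(header: str) -> List[str]:
    """Return findings for one cookie: missing Secure (cleartext transport allowed),
    missing HttpOnly (readable by script, so exposed to XSS) or a SameSite value
    that does not restrict cross-site requests."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie:
        findings.append("missing Secure")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly")
    if cookie.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; cookies with no findings are omitted."""
    report = {}
    for header in headers:
        findings = audit_cookie(header)
        if findings:
            report[parse_set_cookie(header)["name"]] = findings
    return report


if __name__ == "__main__":
    for name, issues in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {', '.join(issues)}")
```

In practice the headers would come from the responses of the sites and subdomains in the asset inventory, so the same check doubles as a way to spot forgotten applications that still set cookies.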

Off the back of their findings, ImmuniWeb recommends that organisations:
• Maintain a comprehensive and up-to-date inventory of assets located in their external attack surface, identify all software and components used there, and run actionable security scoring on it to enable threat-aware and risk-based remediation.
• Implement continuous security monitoring of their external attack surface, test new code before and after deployment to production, and start implementing a DevSecOps approach to application security.
• Consider using machine learning and artificial intelligence capacities to handle time-consuming and routine processes to free up security teams for more important tasks.

Find out more via the link to ComputerWeekly.com.
