State of Application Security at Top 100 Global Fintech Startups


98 of the 100 most prominent and well-funded fintech startups are vulnerable to phishing, web and mobile application security attacks.

CB Insights has recently compiled a report entitled “The Fintech 250: The Top Fintech Startups Of 2018”. According to the report, the 250 companies have raised approximately $53 billion in aggregate funding across 947 deals. The report includes companies at different stages of investment, from early-stage (seed/Series A) to well-funded unicorns.

Today we are witnessing a digital transformation and a growing impact of emerging fintech companies on traditional banking models. Almost everyone has heard of Revolut, a prominent example of a game-changing unicorn. The rapid proliferation of uberization, blockchain and AI technologies contributes to the overall disruption and is shaking up the global financial industry.

Given the positive feedback we received on our research “State of Application Security at S&P Global World's 100 Largest Banks”, we decided to run similar research covering the top 100 fintech startups from the above-mentioned CB Insights report.

This research aims to shed light on the overall state of web and mobile application security at the fintech companies and to compare it with the results for traditional banks.

Key Findings

Security

100% of the companies have security, privacy or compliance issues related to abandoned or forgotten web applications, APIs and subdomains.

8 main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of medium or high risk.

The most common website vulnerabilities were XSS (Cross-Site Scripting, OWASP Top 10 2017 A7), Sensitive Data Exposure (A3) and Security Misconfiguration (A6).

The oldest unpatched security vulnerability is CVE-2012-6708, an XSS flaw in jQuery 1.7.2 (fixed upstream in jQuery 1.9.0) that has been publicly known since 2012.

100% of the mobile applications contain at least one medium-risk security vulnerability, and 97% have at least two medium- or high-risk vulnerabilities.

56% of mobile app backends (REST/SOAP APIs) have serious misconfigurations or privacy issues related to their SSL/TLS configuration and insufficient web server hardening.

Compliance

62% of the companies failed the PCI DSS compliance test even for their main website.

64% of the companies likewise failed the GDPR compliance test for their main website.


Methodology and Data Sources

We used an enhanced version of the methodology from our previous banking research, which covered the web and mobile application security of the world's 100 largest banks by S&P Global ratings.

Using OSINT discovery and non-intrusive testing techniques, we carefully examined the external web applications, APIs and mobile apps of the companies from the above-mentioned CB Insights report, which covers companies from 6 regions and 17 countries:

Diagram 1: Number of Fintech Companies by Region

The following external assets and applications of the companies were tested during the research:

Tested assets                                   Quantity
Main websites (the “www.” domain)               100
Subdomains (e.g. “subdomain.example.com”)       3580
Mobile applications                             61
Backend APIs of the mobile applications         1444

We ran a range of non-intrusive security, privacy and compliance checks. All of the testing tools are available online and can be used free of charge to reproduce the results of the research and to validate improvements after remediation of the flaws described here:

PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of version 3.2.1 of the standard, the most recent version at the time of the research (assuming the websites fall within the Cardholder Data Environment).

GDPR compliance testing covered Article 5(1), Article 5(2), Article 6(1), Article 6(4)(e), Article 7, Article 25(1), Article 32(1)(a), (b) and (d) and Article 35(7)(f) of the regulation (assuming the websites handle and/or store PII of EU residents).

Non-intrusive Software Composition Analysis (SCA) of open-source and proprietary web software fingerprinted the software versions in use and checked them against publicly disclosed vulnerabilities in the OWASP Top 10 categories.

Additionally, Content Security Policy (CSP) and other security- and privacy-related HTTP headers were audited.

Domain security and malicious squatting are also covered in this research.
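The SCA step of the methodology above, as an added example that is not ImmuniWeb's scanner: a passive fingerprinter that pulls library and CMS versions out of a constructed HTML response and compares them against a small hand-picked table of public advisories, including the CVE-2012-6708 (jQuery) and WordPress 4.7.1 cases this report names. The regexes, the advisory subset, the first-fixed versions and the sample page are the example's own assumptions.

```python
"""Passive software composition analysis (SCA) from an HTML response.

Added example, not ImmuniWeb's scanner. The advisory table is a small
hand-picked subset of public CVEs and the sample page is constructed.
Caveat: version matching cannot see distro-backported fixes, so treat a
hit as "needs confirmation", not as a confirmed vulnerability.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    product: str
    version: str
    cve: str
    fixed_in: str
    note: str


# product -> (CVE, first fixed release, summary). Hand-picked subset.
ADVISORIES = {
    "jquery": [
        ("CVE-2012-6708", "1.9.0", "XSS: jQuery(str) treats any string containing '<' as HTML"),
        ("CVE-2019-11358", "3.4.0", "prototype pollution in jQuery.extend()"),
        ("CVE-2020-11022", "3.5.0", "XSS via htmlPrefilter on untrusted HTML"),
        ("CVE-2020-11023", "3.5.0", "XSS via <option> elements in untrusted HTML"),
    ],
    "wordpress": [
        ("CVE-2017-1001000", "4.7.2", "unauthenticated content injection via REST API"),
    ],
}

# Fingerprint patterns: versioned file names, WordPress ?ver= query strings,
# the banner comment of an inlined jQuery build, and the WP generator tag.
PATTERNS = [
    ("jquery", re.compile(r"jquery[-.](\d+(?:\.\d+){1,2})(?:\.min|\.slim)*\.js", re.I)),
    ("jquery", re.compile(r"jquery(?:\.min)?\.js\?ver=(\d+(?:\.\d+){1,2})", re.I)),
    ("jquery", re.compile(r"/\*!\s*jQuery v(\d+(?:\.\d+){1,2})", re.I)),
    ("wordpress", re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+(\d+(?:\.\d+){1,2})"', re.I)),
]


def parse_version(text):
    """'1.7.2' -> (1, 7, 2); pads to three parts so '3.4' compares as 3.4.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fingerprint(html):
    """Return sorted, de-duplicated (product, version) pairs found in the page."""
    hits = set()
    for product, pattern in PATTERNS:
        for m in pattern.finditer(html):
            hits.add((product, m.group(1)))
    return sorted(hits)


def match_advisories(components):
    """Flag every component older than an advisory's first fixed release."""
    findings = []
    for product, version in components:
        for cve, fixed_in, note in ADVISORIES.get(product, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(product, version, cve, fixed_in, note))
    return findings


def audit(html):
    return match_advisories(fingerprint(html))


# Constructed sample: a WordPress 4.7.1 site loading three different jQuery builds.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="generator" content="WordPress 4.7.1">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://cdn.example.com/js/jquery-1.7.2.min.js"></script>
<script src="https://cdn.example.com/js/jquery-3.5.1.min.js"></script>
</head><body>constructed sample page</body></html>"""


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f"{f.product} {f.version}: {f.cve} (fixed in {f.fixed_in}) - {f.note}")
```

Each jQuery build on the page is reported separately, which is how a single site ends up with many outdated components: the 1.7.2 copy matches all four advisories, the 1.12.4 copy matches the three newer ones, and the 3.5.1 copy matches none. In practice, feed the pattern list from a maintained source such as retire.js rather than a hand-typed table, and confirm hits before grading them as exploitable.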

Website Security

Only 2 main websites received the highest “A+” grade for both (1) SSL/TLS encryption and (2) website security, fully meeting the applicable PCI DSS and GDPR compliance requirements:

Brex Inc (www.brex.com) A+

N26 GmbH (N26 Inc) (www.n26.com) A+

On the remaining main websites we identified 64 security issues related to outdated web software or its components. One website had as many as 17 outdated JS libraries and other external software components.

Each website contained, on average, at least one third-party component, such as a JS library, web framework or other external code. Below are the security grades for the main websites:

Diagram 2: Website Security Test for Main Websites

Grade   Quantity   Brief explanation (see above for detailed methodology)
A+      9          No single issue or misconfiguration found
A       37         Minuscule issues found or slightly insufficient security hardening
B       15         Several minor issues or insufficient security hardening
C       33         Security vulnerabilities or several serious misconfigurations found
F       6          Exploitable and publicly known security vulnerabilities found

Given the importance of the main website, six failing “F” grades is an alarming number.

The situation is considerably worse for the subdomains. In total, we identified 2,474 outdated software components across the tested subdomains. Key figures on subdomain insecurity:

1,074 subdomains had at least one outdated software component

64 subdomains had at least one outdated software component with exploitable vulnerabilities

The oldest vulnerable CMS found was WordPress 4.7.1, with 26 publicly known security issues to date

Below are the website security grades for the subdomains:

Diagram 3: Website Security Tests for Subdomains

Grade   Quantity   Brief explanation (see above for detailed methodology)
A+      277        No single issue or misconfiguration found
A       1134       Minuscule issues found or slightly insufficient security hardening
B       554        Several minor issues or insufficient security hardening
C       1551       Security vulnerabilities or several serious misconfigurations found
F       64         Exploitable and publicly known security vulnerabilities found

SSL/TLS Encryption Security

Implementation and configuration of HTTPS (SSL/TLS) encryption is remarkably well done. Only one main website scored a “B” grade, while all others received laudable “A” or even the highest possible “A+” grades:

Diagram 4: SSL Security Tests for Main Websites

Grade   Quantity   Brief explanation (see above for detailed methodology)
A+      38         No single issue or misconfiguration found
A       61         Minuscule issues found or slightly insufficient encryption hardening
B       1          Several minor issues or insufficient encryption hardening

As with the website security issues described above, the state of HTTPS encryption on the subdomains is alarming. As many as 93 subdomains received the failing “F” grade, and 537 had an untrusted or expired SSL certificate:

Diagram 5: SSL Security Tests for Subdomains

Grade   Quantity   Brief explanation (see above for detailed methodology)
A+      517        No single issue or misconfiguration found
A       1060       Minuscule issues found or slightly insufficient encryption hardening
B       150        Several minor issues or insufficient encryption hardening
C       26         Security vulnerabilities or several serious misconfigurations found
F       93         No encryption, SSLv3 or exploitable security vulnerabilities found

PCI DSS and GDPR Website Compliance

Below are PCI DSS compliance tests for the main websites:

Diagram 6: PCI DSS Compliance Tests for Main Websites

As many as 62 main websites failed the applicable requirements of the PCI DSS compliance test. The main cause was outdated open-source and commercial software and its components (Requirement 6.2).

PCI DSS compliance results for the subdomains are comparable to those of the main websites:

Diagram 7: PCI DSS Compliance for Subdomains

Below are GDPR compliance tests for the main websites:

Diagram 8: GDPR Compliance Tests for Main Websites

64 main websites failed the GDPR compliance test. After vulnerable web software, the second most frequent reason is a missing cookie disclaimer or missing security flags on cookies that carry tracking, PII or otherwise sensitive information. The third most frequent cause is a missing or inaccessible privacy policy.
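The cookie-flag check mentioned above, together with the CSP and HTTP security header audit from the methodology section, as an added example that is not ImmuniWeb's tooling: it parses a constructed raw HTTP response and reports a missing HSTS header, weak CSP script sources, missing nosniff, clickjacking and referrer protections, version banners, and cookies lacking Secure, HttpOnly or SameSite. A hardened response for the same site is included for comparison. The severity labels, the one-year HSTS threshold and the session-cookie name heuristic are the example's own choices.

```python
"""Audit security headers and Set-Cookie flags of a raw HTTP response.

Added example, not ImmuniWeb's tooling. Severities, the one-year HSTS
threshold and the session-cookie name heuristic are this example's own
choices; both sample responses are constructed.
"""
import re

SESSION_LIKE = re.compile(r"sess|sid|token|auth|login", re.I)
ONE_YEAR = 31536000


def parse_response(raw):
    """(status line, [(lower-cased name, value)...], body); repeated headers kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def get(headers, name):
    return [v for n, v in headers if n == name]


def parse_csp(value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_cookie(set_cookie):
    """Report Secure / HttpOnly / SameSite attributes missing from one cookie."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(("medium", f"cookie {name} lacks Secure (also sent over plain HTTP)"))
    if "httponly" not in attrs:  # worse when the cookie looks like a session token
        sev = "medium" if SESSION_LIKE.search(name) else "low"
        findings.append((sev, f"cookie {name} lacks HttpOnly (readable by injected script)"))
    if "samesite" not in attrs:
        findings.append(("low", f"cookie {name} lacks SameSite"))
    return findings


def audit_response(raw):
    """Return a list of (severity, message) for the weaknesses found."""
    _, headers, _ = parse_response(raw)
    findings = []
    hsts = get(headers, "strict-transport-security")
    if not hsts:
        findings.append(("medium", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("low", "HSTS max-age below one year"))
    csp_values = get(headers, "content-security-policy")
    csp = parse_csp(csp_values[0]) if csp_values else None
    if csp is None:
        findings.append(("medium", "Content-Security-Policy missing"))
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if bad in scripts:
                findings.append(("medium", f"CSP allows {bad} for scripts"))
    if "nosniff" not in " ".join(get(headers, "x-content-type-options")).lower():
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    if not get(headers, "x-frame-options") and not (csp and "frame-ancestors" in csp):
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or frame-ancestors)"))
    if not get(headers, "referrer-policy"):
        findings.append(("low", "Referrer-Policy missing"))
    for banner in get(headers, "server") + get(headers, "x-powered-by"):
        if re.search(r"\d+\.\d+", banner):
            findings.append(("low", f"version disclosure in banner: {banner}"))
    for cookie in get(headers, "set-cookie"):
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed weak response, typical of the subdomains graded "C" in the report.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com\r\n"
    "Set-Cookie: sessionid=9f3c1a; Path=/; HttpOnly\r\n"
    "Set-Cookie: _tracking=GA1.2.77; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT\r\n"
    "\r\n<!doctype html><html><body>constructed sample</body></html>"
)

# Constructed hardened response: what the same site should send instead.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: sessionid=9f3c1a; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<!doctype html><html><body>constructed sample</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit_response(raw))} finding(s)")
        for sev, msg in audit_response(raw):
            print(f"  [{sev}] {msg}")
```

The weak response yields ten findings, four of them medium; the hardened one yields none. Note that the tracking cookie without Secure is exactly the GDPR-relevant case described above: it is transmitted over plain HTTP as well as HTTPS, so the identifier it carries can be read on the path.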

Perhaps unsurprisingly, most subdomains failed the GDPR compliance test for similar reasons:

Diagram 9: GDPR Compliance Tests for Subdomains

Usage of Web Application Firewalls

A Web Application Firewall (WAF) was in use on 95% of the main websites, a remarkably high number.

A smaller but still large proportion of the subdomains, 65%, was protected by a WAF, which is a comparatively high result when set against other industries:

Diagram 10: Usage of Web Application Firewalls

Mobile Applications and Backend APIs

We discovered and audited 61 mobile applications handling personal, financial or otherwise sensitive data. All of the mobile apps were tested for OWASP Mobile Top 10 security and privacy issues. Given the sensitive nature of the financial and other data handled by these applications, the statistics below are troubling:

100% of the mobile applications contained at least 1 medium-risk security vulnerability

97% of the mobile applications had 2 or more medium-risk vulnerabilities

3% of the mobile applications contained at least 1 high-risk security vulnerability

The three most common OWASP Mobile Top 10 issues were:

M1: Improper Platform Usage (299 issues)

M2: Insecure Data Storage (210 issues)

M7: Client Code Quality (153 issues)

In addition, we tested the web security and SSL/TLS encryption of the mobile backend APIs to which users' data is sent and from which it is received. The most common grade was the almost-failing “C”, highlighting widespread and insufficient prioritization of mobile backend security:

Diagram 11: Web Security Tests for Mobile Apps Backends

Grade   Quantity   Brief explanation (see above for detailed methodology)
A+      64         No single issue or misconfiguration found
A       327        Minuscule issues found or slightly insufficient security hardening
B       232        Several minor issues or insufficient security hardening
C       812        Security vulnerabilities or several serious misconfigurations found
F       9          Exploitable and publicly known security vulnerabilities found

SSL/TLS encryption of the data sent and received via the APIs is considerably better, though 9 backend APIs had exploitable vulnerabilities or used cleartext HTTP instead of HTTPS:

Diagram 12: SSL Security Tests for Mobile Apps Backends

Grade   Quantity   Brief explanation (see above for detailed methodology)
A+      128        No single issue or misconfiguration found
A       292        Minuscule issues found or slightly insufficient encryption hardening
B       34         Several minor issues or insufficient encryption hardening
C       12         Security vulnerabilities or several serious misconfigurations found
F       9          No encryption, SSLv3 or exploitable security vulnerabilities found

Trademark Infringement and Brand Abuse

We found that 90 of the 100 companies are victims of cybersquatting, with at least one brand-related domain registered by competitors or unscrupulous third parties to divert web traffic.

We also found that 86 companies have at least one typosquatted domain forwarding inattentive users to spam gateways, adult-oriented shops or even websites serving malware and ransomware:

Diagram 13: Trademark Infringement and Brand Abuse
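Typosquat and cybersquat candidate generation, as an added example that is not ImmuniWeb's Discovery product: it builds the look-alike domains an attacker would plausibly register for a fictitious brand domain examplebank.com and tags each with the technique that produced it, so the list can be resolved against DNS (and then WHOIS) to find which ones are already taken. The QWERTY layout approximation, the homoglyph table, and the TLD and keyword lists are the example's own assumptions.

```python
"""Generate typosquat / cybersquat candidates for a brand domain.

Added example, not ImmuniWeb's tooling. The keyboard layout, homoglyph
table, TLD list and keyword list are constructed; examplebank.com is a
fictitious brand domain.
"""
import socket

ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]   # QWERTY; rows offset by about half a key
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv", "cl": "d", "d": "cl"}
TLDS = ["com", "net", "org", "co", "io", "app"]
KEYWORDS = ["login", "secure", "app", "support", "wallet"]


def neighbours(ch):
    """Keys physically adjacent to ch: same row, plus the rows above and below."""
    out = set()
    for r, row in enumerate(ROWS):
        if ch not in row:
            continue
        i = row.index(ch)
        out.update(row[max(i - 1, 0):i] + row[i + 1:i + 2])
        for rr in (r - 1, r + 1):
            if 0 <= rr < len(ROWS):
                out.update(ROWS[rr][max(i - 1, 0):i + 1])
    return out


def generate(domain, tlds=TLDS, keywords=KEYWORDS):
    """Return {candidate_fqdn: technique}. The first technique to produce a
    candidate wins, so the order below doubles as reporting priority."""
    name, _, tld = domain.lower().partition(".")
    out = {}

    def add(technique, label, suffix=None):
        fqdn = f"{label}.{suffix or tld}"
        if label and fqdn != domain and fqdn not in out:
            out[fqdn] = technique

    for i in range(len(name)):                       # dropped character
        add("omission", name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # swapped neighbours
        add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                       # doubled character
        add("repetition", name[:i] + name[i] + name[i:])
    for i, ch in enumerate(name):                    # fat-finger replacement
        for n in sorted(neighbours(ch)):
            add("replacement", name[:i] + n + name[i + 1:])
    for src, dst in HOMOGLYPHS.items():              # look-alike glyphs
        start = name.find(src)
        while start != -1:
            add("homoglyph", name[:start] + dst + name[start + len(src):])
            start = name.find(src, start + 1)
    for i in range(1, len(name)):                    # inserted hyphen
        add("hyphenation", name[:i] + "-" + name[i:])
    for t in tlds:                                   # same name, other TLD
        if t != tld:
            add("tld", name, t)
    for kw in keywords:                              # brand + lure keyword
        add("keyword", f"{name}-{kw}")
        add("keyword", f"{kw}-{name}")
    return out


def registered(candidates):
    """Resolve each candidate; any DNS answer means someone already holds it.
    Needs network access and is not exercised by the tests."""
    taken = {}
    for fqdn in candidates:
        try:
            taken[fqdn] = socket.gethostbyname(fqdn)
        except socket.gaierror:
            pass
    return taken


if __name__ == "__main__":
    cands = generate("examplebank.com")
    print(f"{len(cands)} candidates for examplebank.com")
    for fqdn, technique in sorted(cands.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{technique:14} {fqdn}")
```

Resolving the candidates tells you which are taken, not who took them or why; the page's distinction between a competitor diverting traffic and a phishing lure needs a follow-up visit to each live host (and WHOIS on the registrant), which is the part to automate with care, since some of those hosts serve malware.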

Benchmark with S&P Global World's 100 Largest Banks

Below is a comparison of the fintech companies from this research with the largest banking institutions from our previous research:

Benchmark                                                Fintech   Banks
Main websites with the highest “A+” grades               9%        4%
Main websites with the failing “F” grades                6%        5%
Subdomains with “A+” grades                              7.7%      2.5%
Subdomains with “F” grades                               1.7%      11%
SSL encryption of the main websites with “A+” grades     38%       25%
SSL encryption of main websites with “F” grades          0%        13%
SSL encryption of subdomains with “A+” grades            28%       15%
SSL encryption of subdomains with “F” grades             5%        15%
PCI DSS compliant main websites                          38%       62%
PCI DSS compliant subdomains                             40%       37%
GDPR compliant main websites                             36%       39%
GDPR compliant subdomains                                13%       12%
Main websites protected with a WAF                       95%       92%
Subdomains protected with a WAF                          65%       53%
Mobile apps with high-risk vulnerabilities               3%        20%
Mobile backend API encryption with “A+” grade            27%       15%
Mobile backend API encryption with “F” grade             1.9%      6%

Such a discrepancy probably stems from the following factors:

The incomparably larger, more complicated and long-established IT infrastructure of the banks is harder, slower and more expensive to inventory, maintain and protect

Business-critical legacy applications are omnipresent in the banking industry, while startups usually build their technology from scratch, avoiding many compatibility challenges

Decision-making processes, exacerbated by a growing number of regulatory frameworks and compliance regimes, are much longer in the banking industry

Not infrequently, fintech startups have comparatively large and virtually unrestricted funds to invest in cybersecurity and talent acquisition after raising money from generous investors

Recommendations and Conclusion

Ilia Kolochenko, CEO and Founder of ImmuniWeb, says: “The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions.

“At first glance, the fintech industry is doing comparatively better, however, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in favor of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.

“The research likewise highlights that lack of visibility is one of the most widespread, detrimental and sometimes almost insurmountable obstacles in the way of coherent and holistic information security. Given the mounting proliferation of cloud and containers technologies, outsourcing of business-critical processes and data sharing with numerous third-parties, incomplete visibility will likely remain information security’s Achilles’ Heel.

“At ImmuniWeb, we are firmly committed to tackling and dispersing these grey areas with ImmuniWeb Discovery. It is tailored to illuminate external attack surfaces, provide measurable risks and actionable security ratings, and enable a well-informed and data-driven decision-making process.”

ImmuniWeb suggests the following recommendations to avoid most of the security issues detailed in the report:

1. Consider implementing Gartner’s CARTA strategy to enhance your cybersecurity.

2. Maintain a holistic and up-to-date inventory of the assets in your external attack surface, identify all software and its components used there, and run actionable security scoring on it to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of your external attack surface, test your new code before and after deployment to production, and start applying a DevSecOps approach to your application security.

4. Consider leveraging Machine Learning and AI capabilities to handle time-consuming and routine processes, freeing up your security personnel for more important tasks; suggested reading: “4 Practical Questions to Ask Before Investing in AI”.
