Total Tests:

98% of fintech start-ups exposed to cyber attacks

By Grace Barnott for Software Testing NEWS
Tuesday, August 20, 2019

A huge 98% of global fintech start-ups are vulnerable to phishing, web, and mobile application security attacks, research from web security company ImmuniWeb has exposed.

The investigation was conducted on the top 100 most prominent and well-funded fintech start-up companies according to machine intelligence firm, CB Insights. Its purpose was to look at the state of application security.

Key Security Findings

When carrying out various non-intrusive privacy, compliance and security checks, ImmuniWeb found a range of flaws and vulnerabilities. The firm was trying to identify security flaws and conducted the checks on the main websites and subdomains of the fintech start-ups as part of the research.

The web security company found that 8 main websites and 64 subdomains have at least one exploitable security vulnerability of a medium or high-risk.

Flaws that occurred the most often were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6). Whilst the oldest unpatched security vulnerability is CVE-2012-6708 impacting jQuery 1.7.2.

Every single site tested has security, privacy and compliance issues related to abandoned or forgotten APIs, subdomains and web applications.

Flaws on mobile applications

Another problem for all the companies was that 100% of the mobile applications contain at least 1 security liability of a medium risk with 97% having at least 2 medium or high-risk vulnerabilities.

It was also found that 56% of mobile app backends (REST/SOAP APIs) have privacy issues or serious misconfigurations related to SSL/TLS configuration and insufficient web server security hardening.


Due to outdated commercial software and open-source, 62% of the companies’ main websites failed PCI DSS compliance test. 64% of the companies’ main websites also didn’t pass GDPR compliance.

The main reason for these failures is thought to be because of vulnerable web software. The second cause is due to missing cookie disclaimer or unset security flags on cookies that transfer tracking, PII or otherwise sensitive information. The third biggest reason is missing or inaccessible privacy policy.

Ilia Kolochenko, CEO and Founder of ImmuniWeb, commented: “The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions. At first glance, the fintech industry is doing comparatively better, however, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in a favor of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.

“The research likewise highlights that lack of visibility is one of the most widespread, detrimental and sometimes almost insurmountable obstacles in the way of coherent and holistic information security. Given the mounting proliferation of cloud and containers technologies, outsourcing of business-critical processes and data sharing with numerous third-parties, incomplete visibility will likely remain information security’s Achilles’ Heel.” He continued. Read Full Article

Book a Call Ask a Question
Talk to ImmuniWeb Experts
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential