Financial technology startups like to boast that they are more nimble than their counterparts in the traditional banking world.
But if a test of their websites and mobile apps by a cybersecurity vendor is accurate, the startups aren’t necessarily better at protecting their applications.
The study released this week by ImmuniWeb is a follow-up to an identical one released last month that tested the websites and mobile apps of the world’s biggest financial institutions against the free version of the vendor’s tools.
The tests scored the external web applications, APIs and mobile apps of 100 fintech startups around the world for SSL security, website security, mobile app security and phishing. Each server started with a score of 100, and points were then deducted for problems, for example for not complying with PCI, HIPAA or NIST guidelines.
Other experts and vendors might have scored or measured sites and applications differently, resulting in different rankings.
Among the ImmuniWeb findings:
- All of the companies had security, privacy and compliance issues related to abandoned or forgotten web applications, APIs and subdomains
- Eight main websites and 64 subdomains of the companies had at least one publicly disclosed and exploitable security vulnerability of medium or high risk
- The most popular website vulnerabilities were XSS (Cross-Site Scripting, as described by the Open Web Application Security Project (OWASP) A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6)
- The oldest unpatched security vulnerability was CVE-2012-6708, affecting jQuery 1.7.2 and publicly known since 2012
- All of the mobile applications tested contained at least one security vulnerability of medium risk, and 97 per cent had at least two medium or high-risk vulnerabilities
- 56 per cent of mobile app backends (REST/SOAP APIs) had serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening
In addition, 62 per cent of the companies failed the Payment Card Industry DSS compliance test even for their main website, while 64 per cent of the companies failed ImmuniWeb’s test for compliance with rules for the European Union General Data Protection Regulation (GDPR) on their main website.
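The oldest unpatched finding above, a jQuery 1.7.2 still carrying CVE-2012-6708, is the kind of thing a site owner can check for in their own pages. The following is an added example, not ImmuniWeb's tooling or code from the study: it pulls jQuery versions out of a page's script tags and flags any that predate 1.9.0, the release that fixed CVE-2012-6708. The HTML snippet and file naming patterns are constructed for the example; sites that name the script differently would need extra patterns.

```python
import re
from html.parser import HTMLParser

# First jQuery release carrying the fix for CVE-2012-6708 (jQuery(str) treating selector input as HTML)
CVE_2012_6708_FIXED = (1, 9, 0)

# Common ways a version shows up in a script URL: jquery-1.7.2.min.js, /libs/jquery/3.5.1/jquery.js
_VERSION_PATTERNS = [
    re.compile(r"jquery[-.]?(\d+\.\d+(?:\.\d+)?)", re.I),
    re.compile(r"/jquery/(\d+\.\d+(?:\.\d+)?)/", re.I),
]

class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def parse_version(text):
    """'1.9' -> (1, 9, 0) so two-part versions compare correctly against the fix release."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def jquery_versions(html):
    """Return the jQuery versions referenced by <script src> tags, in document order."""
    collector = _ScriptCollector()
    collector.feed(html)
    found = []
    for src in collector.srcs:
        for pattern in _VERSION_PATTERNS:
            match = pattern.search(src)
            if match:
                found.append(match.group(1))
                break
    return found

def audit_jquery(html):
    """Map each referenced jQuery version to True when it predates the CVE-2012-6708 fix."""
    return {v: parse_version(v) < CVE_2012_6708_FIXED for v in jquery_versions(html)}

# Constructed sample page: one outdated copy alongside a current one, plus an unrelated script.
SAMPLE_PAGE = """<html><head>
<script src="/static/js/jquery-1.7.2.min.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit_jquery(SAMPLE_PAGE))  # {'1.7.2': True, '3.6.0': False}
```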
By ImmuniWeb’s scoring, banks were better than fintechs in only three out of 17 categories. However, that may not be saying much. For example, only nine per cent of the main websites of fintechs had the highest “A+” grades, compared to four per cent of banks tested.
“At first glance, the fintech industry is doing comparatively better,” noted ImmuniWeb CEO Ilya Kolochenko. “However, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in favour of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.
“The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions.”