GENEVA, Switzerland—Ninety-eight percent of the world’s top 100 financial technology startups are vulnerable to web and mobile application attacks, despite being well-funded, according to new research.
In addition, 100% have security, privacy and compliance issues relating to abandoned or forgotten web applications, application programming interfaces (APIs) and subdomains, according to non-intrusive checks by web security company ImmuniWeb.
The security firm has revealed a similar level of vulnerability among banks, with an earlier study showing that 97 of the 100 largest banks are vulnerable to web and mobile attacks enabling hackers to steal sensitive data, Computer Weekly noted.
The research into fintechs shows that eight main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of medium or high risk, compared with seven in the banking sector. The most common website vulnerabilities are cross-site scripting (XSS), sensitive data exposure and security misconfiguration, even though all of them feature in the OWASP Top 10 application vulnerabilities, which are well known and have well-established mitigation methods, Computer Weekly said.
All of the mobile applications tested contained at least one security vulnerability of a medium risk, while 97% have at least two medium or high-risk vulnerabilities. The tests show that 56% of mobile app backends have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.
The report reveals that 62% of the fintechs’ main websites failed the Payment Card Industry Data Security Standard (PCI DSS) compliance test. The major cause of compliance failure was outdated open-source and commercial software and its components.
At the same time, 64% of the fintechs’ main websites likewise failed General Data Protection Regulation (GDPR) compliance. Vulnerable web software was the biggest compliance issue, followed by missing cookie disclaimers or unset security flags on cookies that transfer tracking, personally identifiable information (PII) or other sensitive information, and missing or inaccessible privacy policies, Computer Weekly noted.
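Two of the findings above, unset security flags on cookies that carry tracking or PII data and weak SSL/TLS hardening on backends, are checks a defender can run against their own HTTP responses. The script below is an added illustration, not ImmuniWeb's tooling or methodology: it parses Set-Cookie headers for the Secure, HttpOnly and SameSite attributes and checks for a Strict-Transport-Security header, using constructed sample headers and an assumed one-year HSTS max-age threshold.

```python
"""Audit HTTP response headers for cookie security flags and HSTS hardening.

Added example (not ImmuniWeb's code). The sample headers at the bottom are
constructed for illustration; the one-year HSTS threshold is an assumption.
"""
from dataclasses import dataclass

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed threshold)


@dataclass
class CookieFinding:
    name: str
    missing: list  # security attributes absent from the Set-Cookie header


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure, HttpOnly
    return name, attrs


def audit_cookie(header_value):
    """Return a CookieFinding listing which of Secure/HttpOnly/SameSite are unset."""
    name, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")      # cookie may be sent over plaintext HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")    # cookie readable by script, e.g. via XSS
    if "samesite" not in attrs:
        missing.append("SameSite")    # no cross-site request restriction
    return CookieFinding(name, missing)


def audit_hsts(headers):
    """Return a list of issues with the Strict-Transport-Security header."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing"]
    issues = []
    directives = {}
    for part in values[0].split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_HSTS_MAX_AGE:
        issues.append("max-age below %d" % MIN_HSTS_MAX_AGE)
    if "includesubdomains" not in directives:
        issues.append("no includeSubDomains")
    return issues


def audit_response(headers):
    """Audit a list of (header, value) pairs; only problem cookies are reported."""
    cookies = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            finding = audit_cookie(value)
            if finding.missing:
                cookies[finding.name] = finding.missing
    return {"cookies": cookies, "hsts": audit_hsts(headers)}


# Constructed sample responses: one hardened, one with the report's typical issues.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"),
]
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "tracking_id=xyz; Path=/"),
    ("Set-Cookie", "sid=42; HttpOnly; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_response(hdrs))
```

Run the script directly to see the two sample audits; in practice the header list would come from a fetch of each main site and subdomain, which is how forgotten subdomains with stale cookie settings tend to surface.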