Penetration Testing for Fintech companies: what are the main challenges?

Fintech companies are generally more exposed to risks and more mature than the average in terms of cybersecurity. The nature of their activities implies the need to take into account the risks of fraud and cyberattacks right from the design of a new product.

The pentest then confronts the security choices and protections in place with the real threat. Depending on the nature of the product (payment solution, credit platform, banking management, private equity, etc.), the business stakes differ. Here are a few details on the main risks and the most frequent pentest priorities, based on our experience with fintech companies.

Payment solution security

Payment is the most “obvious” risk at first glance. Because of the stakes involved, it is a very sensitive area and one that concentrates a large share of security efforts.

In-house payment solutions

Some fintech companies are specialized in the development of payment solutions.

The security of electronic payments is regulated by the PCI DSS, which was set up to meet a dual objective: to improve the security of all banking transactions and to strengthen the security of user data.

To meet compliance obligations, fintech companies developing payment solutions must comply with a set of security requirements. These requirements include the obligation to carry out penetration tests in order to assess the systems involved in processing banking data (core systems and technically linked applications, such as an administration back-office).

It is very rare for fintech companies whose core business lies elsewhere to develop home-made payment solutions. Most of them rely on recognized and certified third-party solutions.

Third-Party Solutions

The main issue when using a third-party solution lies in the choice and above all the integration of the payment solution.

It is strongly recommended to choose a payment service provider who is well-known in the field and who provides sufficiently detailed documentation to facilitate technical integration.

The pentest then verifies the attack possibilities, not by testing the infrastructure and applications made available by the service provider, but by focusing on the calls to the payment system and the exchanges between the two systems, which may be a source of vulnerabilities (for instance, non-compliance with the technical integration process, or exposure of endpoints that allow a payment to be marked as validated without it actually having been validated).
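The integration weakness described above, an order confirmed on the strength of a flag the client sends back after the payment redirect, is shown below beside a hardened version that only accepts the provider's signed server-to-server notification and reconciles it with the merchant's own record. This is an added example, not code from the original article and not any real provider's SDK: the notification format, the signature scheme (hex HMAC-SHA256 over the raw body, carried in a header), the header handling and the secret are all assumptions, and a real integration follows the provider's documented scheme.

```python
"""Confirming an order only from a verified payment-provider notification.

Added example, not code from the original article and not any real
provider's SDK. The notification format, the signature scheme (hex
HMAC-SHA256 over the raw body, sent in a header) and the secret are
assumptions; a real integration follows the provider's documented scheme.
"""
import hashlib
import hmac
import json

# Constructed shared secret; in practice it comes from the provider and is
# stored in a secrets manager, never in source.
WEBHOOK_SECRET = b"constructed-webhook-secret"


def make_orders() -> dict:
    """Constructed server-side order store: what we expect to be paid."""
    return {"ord-1001": {"amount_cents": 4999, "currency": "EUR", "status": "pending"}}


def weak_confirm(orders: dict, order_id: str, client_says_paid: bool) -> str:
    """Weak integration: trusts a 'paid' flag carried in the browser redirect.
    Nothing ties this flag to a real payment, so the payment step can be skipped."""
    if client_says_paid:
        orders[order_id]["status"] = "paid"
    return orders[order_id]["status"]


def build_event(order_id: str, status: str, amount_cents: int, currency: str) -> bytes:
    """Build the raw JSON body a (hypothetical) provider would POST to us."""
    return json.dumps({"order_id": order_id, "status": status,
                       "amount_cents": amount_cents, "currency": currency}).encode()


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hypothetical provider signature: hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_and_confirm(orders: dict, raw_body: bytes, signature_header: str) -> str:
    """Hardened integration: accept only the provider's signed server-to-server
    notification and reconcile it with our own record before marking paid."""
    # 1. Authenticate the message; compare_digest avoids timing leaks.
    if not hmac.compare_digest(sign(raw_body), signature_header):
        return "rejected: bad signature"
    event = json.loads(raw_body)
    order = orders.get(event.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    # 2. Only a successful payment may advance the order.
    if event.get("status") != "succeeded":
        return "rejected: payment not successful"
    # 3. A valid signature proves origin, not correctness: a genuine event for
    #    a 1-cent payment must not settle a 49.99 order.
    expected = (order["amount_cents"], order["currency"])
    if (event.get("amount_cents"), event.get("currency")) != expected:
        return "rejected: amount mismatch"
    # 4. Providers retry deliveries; a replayed event must not double-process.
    if order["status"] == "paid":
        return "ignored: already paid"
    order["status"] = "paid"
    return "paid"


if __name__ == "__main__":
    orders = make_orders()
    body = build_event("ord-1001", "succeeded", 4999, "EUR")
    print(verify_and_confirm(orders, body, sign(body)))  # paid
```

The point a pentest checks here is not the provider but the four decisions on the merchant side: is the message authenticated, is the payment actually successful, do amount and currency match the order, and is a redelivered event handled idempotently.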

Workflows security

The study of the business logic is crucial in order to identify the controls in place as well as possible bypasses.

Fraud and circumvention of business logic

Business-logic vulnerabilities exist when the natural user journey of an application, or a step in the intended process, can be bypassed. The examples are almost endless: validating an order without paying, changing the shipping address of an order, applying for a credit while bypassing controls, etc.

By its nature, this type of vulnerability is hard for automated scanning tools to identify. The most effective approach is to study the business logic thoroughly, following a comprehensive methodology, in order to determine the constraints and controls that are supposed to be in place. This makes it possible to build custom test scenarios that target specific bypass possibilities.
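One reason scanners miss this class of issue is that nothing is malformed: each request is valid on its own, only its position in the workflow is wrong. The block below is an added example, not code from the original article, of enforcing the intended process server-side with an explicit transition table and guards, and of the bypass attempts a business-logic test replays against it (skipping payment, self-declaring an order as paid, a customer triggering a staff-only step, changing the address after dispatch). The order lifecycle, the roles and the guard rules are assumptions.

```python
"""Server-side enforcement of an intended workflow, so no step can be skipped.

Added example, not code from the original article. The order lifecycle, the
transition table, the roles and the guard rules are assumptions chosen to
cover the article's cases: confirming an order without paying and changing
the shipping address outside the intended window.
"""
from dataclasses import dataclass, field

# Every state lists the only states reachable from it. Anything not listed
# (e.g. created -> shipped) is rejected regardless of what the client asks.
TRANSITIONS = {
    "created": {"paid", "cancelled"},
    "paid": {"shipped", "refunded"},
    "shipped": {"delivered"},
    "delivered": set(),
    "cancelled": set(),
    "refunded": set(),
}

# Transitions that only back-office staff may trigger (assumed roles).
STAFF_ONLY = {"shipped", "refunded"}


@dataclass
class Order:
    status: str = "created"
    address: str = "1 rue Exemple"  # constructed sample value
    history: list = field(default_factory=list)


def transition(order: Order, new_status: str, actor_role: str,
               payment_confirmed: bool = False) -> str:
    """Apply a transition if the table allows it and its guards hold.
    Returns "ok" or "denied: <reason>"; the order changes only on "ok"."""
    if new_status not in TRANSITIONS.get(order.status, set()):
        return f"denied: {order.status} -> {new_status} is not a valid step"
    if new_status == "paid" and not payment_confirmed:
        # This flag must come from a server-side payment check, never from the client.
        return "denied: payment not confirmed server-side"
    if new_status in STAFF_ONLY and actor_role != "staff":
        return f"denied: {new_status} requires staff role"
    order.history.append((order.status, new_status))
    order.status = new_status
    return "ok"


def change_address(order: Order, new_address: str) -> str:
    """Address changes are only meaningful before dispatch; after that a
    change would redirect goods that were already paid for."""
    if order.status not in {"created", "paid"}:
        return f"denied: address locked once {order.status}"
    order.address = new_address
    return "ok"


def run_scenario() -> list:
    """Replay, in order, the bypass attempts a business-logic test would try,
    and return each outcome followed by the final status and address."""
    order = Order()
    results = [
        transition(order, "shipped", actor_role="customer"),   # skip payment entirely
        transition(order, "paid", actor_role="customer"),      # self-declare as paid
        transition(order, "paid", actor_role="customer", payment_confirmed=True),
        transition(order, "shipped", actor_role="customer"),   # customer triggers staff step
        transition(order, "shipped", actor_role="staff"),
        change_address(order, "2 rue Autre"),                  # change after dispatch
        transition(order, "paid", actor_role="customer", payment_confirmed=True),  # replay
    ]
    return results + [order.status, order.address]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The test scenarios a pentester writes map one-to-one onto the table: every state pair not listed, every guard, and every role restriction is a case to exercise, which is exactly the "constraints and controls that are supposed to be in place" the methodology asks for.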

Identity control

Identity verification is one of the central issues in the workflow of many fintech companies. Requiring users to prove their identity by providing various documents (ID card or passport, tax certificates, etc.) strongly limits fraud attempts and cyberattacks.

The pentest assesses whether these controls can be bypassed or avoided by providing fabricated information. Identity verification also implies constraints on the security of users’ personal data.

Data security

Data security is crucial for companies that process sensitive data: personal data, banking data (e.g. related to the aggregation of accounts), usage data (e.g. related to the amount of a credit application), but also company “business” data (e.g. billing data, or a company’s payroll).

In the case of SaaS platforms, checking that data is properly partitioned between customers is a key issue. The pentest tests access rights “horizontally” (between a client A and a client B) and the possibilities of “vertical” privilege escalation (from a “standard” user to an “admin”).

There are numerous potential vulnerabilities that give access to data of any kind. They may be technical vulnerabilities in the infrastructure hosting the systems or in the applications present, or logical vulnerabilities in which access control fails. Some concrete examples: injection flaws (in databases, in code), hijacking other users’ sessions, access to a management back-office, poorly controlled access to other users’ resources, etc.
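The horizontal and vertical checks described in the two paragraphs above come down to a small number of authorization decisions that every read, list and privileged endpoint must make consistently. The block below is an added example, not code from the original article, of those decisions on a multi-tenant document store, with the insecure direct object reference ("poorly controlled access to other users' resources") beside the scoped version. The user model, the two roles ("user" and "admin"), the sample documents and the rules are assumptions.

```python
"""Horizontal and vertical access control on a multi-tenant SaaS resource.

Added example, not code from the original article. The user model, the two
roles ("user", "admin"), the document store and the authorization rules are
assumptions chosen to illustrate the horizontal (client A vs client B, user
vs user) and vertical (user vs admin) checks a pentest exercises.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str  # assumed values: "user" or "admin"


def make_store() -> dict:
    """Constructed documents: each belongs to one tenant and one owner."""
    return {
        "doc-1": {"tenant_id": "tenant-A", "owner_id": "alice", "title": "A payroll"},
        "doc-2": {"tenant_id": "tenant-B", "owner_id": "bob", "title": "B invoices"},
        "doc-3": {"tenant_id": "tenant-A", "owner_id": "carol", "title": "A contract"},
    }


def fetch_unsafe(store: dict, doc_id: str):
    """Insecure direct object reference: authentication only, no ownership
    check, so any logged-in user reads any document whose id they know."""
    return store.get(doc_id)


def can_read(user: User, doc: dict) -> bool:
    """Tenant first (horizontal, client vs client), then owner-or-admin
    (horizontal within a tenant; the admin branch is the vertical case)."""
    if doc["tenant_id"] != user.tenant_id:
        return False
    return user.role == "admin" or doc["owner_id"] == user.user_id


def fetch(store: dict, user: User, doc_id: str):
    """Return the document or None. 'Not yours' and 'does not exist' give the
    same answer so ids cannot be enumerated across tenants."""
    doc = store.get(doc_id)
    if doc is None or not can_read(user, doc):
        return None
    return doc


def list_titles(store: dict, user: User) -> list:
    """Listing endpoints must apply the same filter as single-object reads;
    a common finding is a list that leaks what the detail view protects."""
    return sorted(d["title"] for d in store.values() if can_read(user, d))


def delete(store: dict, user: User, doc_id: str) -> bool:
    """Privileged action: admin role AND same tenant. A standard user reaching
    this is a vertical escalation; an admin of tenant B deleting tenant A's
    data is a horizontal one. Both are refused by the same two conditions."""
    doc = store.get(doc_id)
    if doc is None or doc["tenant_id"] != user.tenant_id or user.role != "admin":
        return False
    del store[doc_id]
    return True


if __name__ == "__main__":
    store = make_store()
    alice = User("alice", "tenant-A", "user")
    print(fetch(store, alice, "doc-1"))   # alice's own document
    print(fetch(store, alice, "doc-2"))   # None: another tenant
    print(list_titles(store, alice))      # ['A payroll']
```

Centralising the decision in one predicate (can_read) and reusing it from every endpoint is what makes the partitioning testable: the pentest then only has to find an endpoint that forgot to call it.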

Perform a pentest?

A pentest covers all the aspects listed above in search of potential vulnerabilities. It confronts the technical and functional choices made by the R&D team with the viewpoint of an external attacker (the pentester). And it is of course possible to deepen the tests on certain aspects, according to the specific security priorities of a product.

To discuss this subject and the approach best adapted to your needs, do not hesitate to contact us directly.