Even fintech startups battling to meet cyber security challenges

A study shows that most fintech startups, like most banks, are failing to address vulnerabilities in their web and mobile applications, underlining the scale of the challenge.

Some 98% of the world’s top 100 financial technology (fintech) startups are vulnerable to web and mobile application attacks, despite being well-funded, research reveals.

In addition, 100% have security, privacy and compliance issues relating to abandoned or forgotten web applications, application program interfaces (APIs) and subdomains, according to non-intrusive checks by web security company ImmuniWeb.

The security firm has revealed a similar level of vulnerability among banks, with an earlier study showing that 97 out of the 100 largest banks are vulnerable to web and mobile attacks enabling hackers to steal sensitive data.


The research into fintechs shows that eight main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of a medium or high risk, compared with seven in the banking sector.

The most common website vulnerabilities are cross-site scripting (XSS), sensitive data exposure, and security misconfiguration, despite all of them featuring in the Owasp top 10 application vulnerabilities, which are well-known and have well-established mitigation methods.

All of the mobile applications tested contained at least one security vulnerability of a medium risk, while 97% have at least two medium or high-risk vulnerabilities.

The tests show that 56% of mobile app backends have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.

The report reveals that 62% of the fintechs’ main websites failed a Payment Card Industry Data Security Standard (PCI DSS) compliance test. The major cause of compliance failure was outdated open-source and commercial software and its components.

At the same time, 64% of the fintechs’ main websites likewise failed General Data Protection Regulation (GDPR) compliance. Vulnerable web software was the biggest compliance issue, followed by missing cookie disclaimers or unset security flags on cookies that transfer tracking, personally identifiable information (PII) or other sensitive information, and missing or inaccessible privacy policies.

Ilia Kolochenko, CEO and founder of ImmuniWeb, said the research emphasises “spiralling cyber security challenges” faced both by dynamic fintech companies and well-established financial institutions.

“At first glance, the fintech industry is doing comparatively better. However, if we correlate the quantity and complexity of managed IT systems per organisation, the conclusion may unequivocally differ in favour of the banks.

“Nonetheless, the numbers from the research positively emphasise a decent level of cyber security amid the fintech companies, evidencing commitment and care,” he said.

The research likewise highlights that lack of visibility is one of the “most widespread, detrimental and sometimes almost insurmountable obstacles to coherent and holistic information security,” said Kolochenko.

“Given the mounting proliferation of cloud and container technologies, outsourcing of business-critical processes and data sharing with numerous third parties, incomplete visibility will likely remain information security’s Achilles heel,” he said.

ImmuniWeb recommends that organisations:

  • Maintain a comprehensive and up-to-date inventory of assets located in their external attack surface, identify all software and components used there, and run actionable security scoring on it to enable threat-aware and risk-based remediation.
  • Implement continuous security monitoring of their external attack surface, test new code before and after deployment to production, and start implementing a DevSecOps approach to application security.
  • Consider using machine learning and artificial intelligence capacities to handle time-consuming and routine processes to free up security teams for more important tasks.
