Penetration Testing for Fintech companies: what are the main challenges?

Fintech companies are generally more exposed to risks and more mature than the average in terms of cybersecurity. The nature of their activities implies the need to take into account the risks of fraud and cyberattacks right from the design of a new product.

The pentest then confronts the security choices and protections in place with the real threat. Depending on the nature of the product (payment solution, credit platform, banking management, private equity, etc.), the business stakes will be different. However, here are a few details on the main risks and the most frequent pentest priorities according to our experience with fintech companies.

When a good time pentest

Performing a pentest can be part of your objectives, without it being the priority of the moment. This for various reasons: developments are in progress, a migration is planned, a budget has not yet been allocated, etc. Given the different constraints and priorities that need to be respected, when is the right time to perform a pentest?

We will present various situations in which the question arises and give you some keys to identify the right time to perform a penetration test.

Security and HTTPS certificate validity

Currently, since March 2018, SSL/TLS certificates (more commonly called HTTPS certificate) can have a maximum lifetime of 825 days. 
But in March 2020, Apple announced that they only will allow SSL/TLS certificates on Safari that have a maximum validity of 398 days (13 months). And Google will follow this path (announced by the chair emeritus of CA/B Forum on Twitter in June 2020).

In July, Mozilla has confirmed it will reduce certificate lifespans too.

IT Security Audit

There are several types of IT security audits: organizational audits, technical audits and penetration testing.
All these variants are complementary and enable to analyze optimally an organization’s level of security. In this article, we will voluntarily leave aside the organizational audits in order to focus on the technical aspects of security audits.

Storing passwords database

Storing passwords securely is a recurring concern.
But what are the main methods, how do they work, and what are they worth against current password cracking techniques?
In this article we explain the main principles of secure storage (hash, salt, pepper, iteration) and highlight their importance for resisting password recovery methods. Finally, we will talk about a reliable hash function for secure storage.

Cybersecurity Issues for Businesses in 2020

Penetration Testing: Approach, Methodology, Types of Tests and Rates

The current trend is to strengthen the security requirements for customers, partners and investors. Security audits have been democratised to small and medium-sized companies, for whom they represent a prerequisite to be able to collaborate on IT issues with large companies. In fact, large accounts almost systematically integrate requests for security audit reports into their purchasing processes. The introduction of the GDPR 2 years ago also enabled companies to become aware of data security issues in business sectors where risk awareness was previously low. Security certifications (ISO 27001, HDS, PCI-DSS, SOC2, etc.) are increasingly popular among small and medium-sized companies, as a way of differentiating themselves and making security a quality issue.

Doing a Pentest for Less Than €1,500

Conducting a security audit has a cost. When companies are asked about the budget they devoted it, we often hear “between €10k and €20k”, sometimes a little more, sometimes a little less. However, there isn’t really a standard price for this type of service: it all depends on what is done, how, and by whom. If the main objective is to be able to show that a pentest has been done less than 6 months ago, it is possible to make concessions to respect an extremely limited budget.

Abraham Lincoln (repeating a woodsman) would have answered the question: what would you do if you had just six hours to chop down a tree? I would spend the first four hours sharpening my axe.

Knowing its attack surface

What does it tell us? That preparation is key. 
You cannot protect what you don’t know, therefore knowing your attack surface is the first essential step to protect it efficiently. 

Introduction to Public Key Certificate

A digital certificate is a data file that allow, on the one hand, the non-repudiation and the integrity of data, and on the other hand, to identify and to authenticate a person or an organization and also to encode communications.

A digital certificate includes several information, as:

  • A public key
  • Authentication information
  • A validity time
  • An issuer that signs the certificate

This last point is crucial to verify the trustworthiness of a certificate. For this, when a certificate is received, a chain of trust is built to a certificate authority.

To explain the working of the chain of trust, let’s present some notions:

The Metasploit framework is an open source tool, allowing searching, analysing and exploiting vulnerabilities. It has many modules and tools that can be very useful during intrusion tests, whether on Web applications or on a company’s information system.
Although often used relatively basically, for example to launch a simple exploitation module on a target, this framework has options and tools that make it a key ally for a pentest. We will therefore see here how to use the Metasploit framework in an optimized way.