Cyber security in FinTech is a growing concern, with no markets more directly impacted by its rise than banks, payments and Blockchain. Data from banks and other financial organisations is a premium target for hackers, offering clear incentives for their malicious attacks.
With this in mind, we launched the FinTech Hackfest – an event that saw white hat hackers from Entersoft, PwC and others make Hong Kong FinTech products secure within 24 hours.
From the hackers’ standpoint, the Hackfest was divided into three phases:
Phase – 1: Hacking
Phase – 2: Fixing
Phase – 3: Retesting
The hackers arrived in Hong Kong with a pre-configured machine (a Kali Linux box with their own customised scripts for identifying High/Critical bugs) containing the essential tools for the Hackfest.
FinTech startups solving some “real world problems” signed up for the lengthy exercise, which required them to actively participate throughout the 24-hour period to understand context and execution. Participating FinTechs:
- Gini is the first personal financial management app powered by bank-level security in Hong Kong. Gini links together bank accounts to give users the full view of their financial situation, complete with insightful analysis while curating offers from various sources to let them maximize the utility of their spending.
- Wesurance is an InsurTech startup and a registered insurance agency. They are working with Allied World Assurance to rethink, redesign and re-engineer the entire insurance experience from the ground up. The app is innovative and fresh, but the insurance model is proven and trusted. Wesurance will exceed the performance of traditional insurance by using full digital channels around both claims handling and customer support.
- Peoplewave is Asia’s leading HR software company. It is revolutionising people management with data-driven, transparent feedback and verified performance data. Peoplewave offers 3 key products: the “First 100 Days”, a new hire onboarding tool; “Performance Wave”, continuous 360-degree performance appraisals; and the “HR Command Centre” analytics suite, which unlocks employee data and insights.
- Emotics is a Hong Kong-based RegTech company that analyzes engagement with online content. They combine browser analytics with facial recognition and micro-expression analysis to provide previously unavailable levels of insight into employee behavior, with use cases ranging from compliance training, to financial research automation, to conduct risk mitigation.
- Kristal is an AI-enabled digital asset management platform which gives investors access to curated portfolios from the world’s top portfolio managers. Their proprietary Advisory Algorithm helps users choose the best investment strategies to meet their financial goals.
- Kalepso is a Canada-based startup which has built the first end-to-end Encrypted Database System, for both on-prem and the cloud. KalepsoDB boosts compliance with privacy regulations, including GDPR, and is the only one to protect enterprises against any database attack. It easily integrates with existing applications, without any changes.
- Finchat offers the full spectrum of compliance monitoring & archiving tools for messaging in regulated industries, for instance financial institutions. This allows employees to engage clients through the clients’ favourite messaging apps (WhatsApp™, WeChat™, LINE™, FB Messenger™, Skype™ and more) while staying audit-compliant, secure and mobile.
- Diro offers comprehensive, technology-enabled solutions to streamline and enhance business processes. Their expertise in business development and technology can help reduce costs, increase market penetration, help with marketing and even help to build a product from an idea.
In order for the hackers to understand what each application does and what is at stake in it, each company took 10 minutes to explain their products and the ideas behind them. The hackers were provided with staging URLs and sample credentials, in addition to a product overview and the business logic.
The hackers took note of all critical business pressure points/loopholes/soft targets with respect to each product. While educating them about basic social engineering tactics employed by attackers, the white hats gathered information around each company and profiled the individuals. Most business heads present also had a dev background, which helped the hackers build a rapport with them.
The HackFest marathon started exactly at 11:00 PM HKT.
The first two hours went to scanners and other reconnaissance tools used to gather sensitive information – this helped, but by design the scanners produced numerous false positives, and sifting through those is always tedious for white hats. A little insight here – if not for repetitive tasks like these, Red Bull wouldn’t be a hacker favourite.
After cracking their knuckles and sanitising the raw reports, the hackers then shifted their focus to a more manual approach – which takes time with all the heuristics and trial & error methods involved.
This went on until 7:00 AM, when all the bugs were consolidated and arranged according to their respective priorities on a custom portal created by the hackers for all the FinTech dev teams. This marked the end of Phase – 1.
A total of 52 vulnerabilities were uncovered.
- Phishing – SPF, DKIM, DMARC, DNSSEC not configured
- Cross Site Request Forgery
- Cross Site Request Forgery
- Stored XSS
- DoS in WordPress < 4.9.4
- Clear Text Submission of Password
- CORS Misconfiguration
- Usage of jwt after logout
- Broken access control
- OTP Bypass at registration
- Insecure Data Logging
- TLS Stripping
- Apache Version Multiple Vulnerabilities
- PHP Version Multiple Vulnerabilities
- Session Token in URL
- HTTP Strict Transport Policy Not Implemented
- Exception in NSAppTransportSecurity
- Logout in GET instead of POST
- Internal Path Disclosure
- Missing Secure Response Headers
- Cookie Without Secure Flag
- Version Disclosure
- Internal path disclosure
- Server version disclosure
- Application Server Version Disclosure
- Web Server Version Disclosure
- Improper Logout Implementation
- Weak Password Policy
- Reflected XSS
- Server Version Disclosure
- Android allowBackup flag is true
- SSL cookie without Secure flag set
- Publicly accessible .git allows cloning of website files
- Directory Listing / Sensitive Info Disclosure
- Directory Listing
- IDOR – A user can delete another user favourites
- Internal Link found
- Misconfigured CORS
- Sensitive information
- Insecure Direct Object Reference
- Reflected Cross-site Scripting (authenticated)
- Stored Cross-site Scripting via WhatsApp
- Improper logout functionality
- Other Vulnerability
- Secure response headers missing
- Directory listing
- SSH Server CBC Mode Ciphers Enabled
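Several of the findings above (HSTS not implemented, missing secure response headers, cookie without Secure flag, server/application version disclosure, session token in URL) are configuration-level issues that a Phase – 3 retest can verify mechanically. The checker below is an added example, not code from the Hackfest or any participating company; the response, cookie name and URL are constructed samples, and the header list is the author's assumed baseline rather than the hackers' own checklist.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample (not a real Hackfest response): a staging app before fixes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.33\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_URL = "https://staging.example/dashboard?sessionid=abc123"

# Assumed baseline: headers whose absence maps to findings in the list above.
REQUIRED_HEADERS = {
    "strict-transport-security": "HTTP Strict Transport Security not implemented",
    "x-content-type-options": "Missing secure response header: X-Content-Type-Options",
    "x-frame-options": "Missing secure response header: X-Frame-Options",
    "content-security-policy": "Missing secure response header: Content-Security-Policy",
}

def parse_headers(raw_response):
    """Return [(lower-case name, value)] from a raw HTTP/1.1 response."""
    head = raw_response.partition("\r\n\r\n")[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw_response, url):
    """Flag the configuration-level findings a retest would look for."""
    headers = parse_headers(raw_response)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        # Any digit in Server / X-Powered-By means a version is being disclosed.
        if name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            findings.append(f"Version disclosure in {name}: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"Cookie without Secure flag: {cookie}")
    # Session identifiers belong in cookies or headers, never in the query string.
    for key in parse_qs(urlsplit(url).query):
        if any(tok in key.lower() for tok in ("session", "token", "sid")):
            findings.append(f"Session token in URL: {key}")
    return findings
```

Run `audit()` once against the pre-fix response to record the findings, then again after the dev team's changes; an empty list is the pass condition for this class of issues.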
After completion of Phase – 1, the hackers explained what had been identified so far and helped the FinTech dev teams and business heads understand how to fix the issues. All identified bugs were fixed by the end of Phase – 2.
Phase – 3 consisted of back-to-back retesting to check whether the fixes had been implemented properly – an iterative process that went on for a long time.
By 2:30 PM HKT the next day, the objective was achieved – the FinTechs left with secured apps, the hackers left with their bounties.
But the real heroes here were our partners – the Australian Trade and Investment Commission (Austrade), Campfire Collaborative Spaces, PwC and AustCyber – whom we can’t thank enough; without their constant support and valuable inputs, this would not have been possible.