43% of UK Fintechs are leaving themselves exposed to cyberattack by revealing software details on their web servers, new research has found

More than four in 10 UK fintech firms are putting themselves at risk of cyberattack by leaving details of their software in plain sight on their web servers, a major new study has found.
Researchers from the ethical hacking platform Ethiack analysed the digital presence of 788 UK-based fintechs, mapping potential cyber risks for more than 56,000 publicly accessible digital assets including webpages, servers and cloud-based services.
341 (43%) of the fintechs studied were found to be inadvertently revealing their server’s software type and version in the HTTP response banners returned by their web servers.
Jorge Monteiro, chief executive officer and co-founder of Ethiack, commented: “This information gives hackers a powerful headstart. While revealing the type and version of the software your server runs doesn’t give cyberthieves the key to your house, it is tantamount to telling them the make and model of your lock.”
In addition, a fifth (19.5%) of the fintech platforms analysed were found to be using expired or invalid SSL certificates. Customers can spot this oversight because the browser shows a security warning that must be acknowledged before the fintech’s website loads; it also exposes users to the risk of eavesdropping or interception while logged on.
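The two misconfigurations described above (software type and version leaking in HTTP response banners, and expired or invalid certificates) are the kind of thing an operator can check on their own estate before anyone else does. The following is an added example, not Ethiack’s tooling or anything from the study: it parses constructed sample HTTP response heads, flags headers that disclose the technology stack (with a higher severity when a version number is present), and classifies a certificate’s validity window against a fixed reference date. The header names, the sample responses and the certificate dates are all constructed for illustration.

```python
"""Self-check for two findings from the article: technology details leaked in
HTTP response headers, and expired or invalid TLS certificates.
Added example with constructed sample data; not the study's own code."""
import re
from datetime import datetime, timezone

# Response headers that commonly disclose the technology stack (constructed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# A dotted number such as 1.18.0 or 7.4 is treated as a version disclosure.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")
# Fixed reference time so certificate checks are reproducible.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample response heads: one leaking versions, one with tokens suppressed.
SAMPLE_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
)


def parse_headers(raw):
    """Parse a raw HTTP response head (status line plus headers) into a
    dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw):
    """Return (header, value, severity) for each disclosing header.
    severity is 'version' when a version number leaks, else 'product'."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            severity = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, severity))
    return findings


def cert_status(not_before, not_after, now=None):
    """Classify a certificate's validity window. Dates are ISO-8601 strings
    (UTC, as they would be read from a parsed certificate)."""
    now = now or datetime.now(timezone.utc)
    nb = datetime.fromisoformat(not_before).replace(tzinfo=timezone.utc)
    na = datetime.fromisoformat(not_after).replace(tzinfo=timezone.utc)
    if now < nb:
        return "not-yet-valid"
    if now > na:
        return "expired"
    if (na - now).days <= 14:
        return "expiring-soon"
    return "valid"


if __name__ == "__main__":
    for label, raw in (("leaky", SAMPLE_LEAKY), ("hardened", SAMPLE_HARDENED)):
        print(label, banner_findings(raw))
    # Constructed certificate windows checked against FIXED_NOW.
    print(cert_status("2023-01-01T00:00:00", "2024-01-01T00:00:00", FIXED_NOW))
    print(cert_status("2024-01-01T00:00:00", "2025-01-01T00:00:00", FIXED_NOW))
```

The hardened sample still reports the product name, which is what Nginx sends with `server_tokens off;` (Apache’s equivalent is `ServerTokens Prod`); removing the header entirely usually needs a reverse proxy or a module in front of the server. For a live check, the same functions apply to the head returned by an HTTPS request to your own host and to the dates in its leaf certificate.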
The research also revealed a heavy reliance on just three brands of server technology. More than half (51.6%) of fintechs’ digital infrastructure is built on servers provided by Cloudflare, Nginx or Apache. Were a vulnerability to emerge among any of these providers, hundreds of fintechs – and thousands of customers – could be placed at risk.
Jorge added: “The UK’s thriving fintech sector is a high-value target for cybercriminals. We carried out passive reconnaissance of more than 56,000 digital assets belonging to UK and Irish fintechs to produce a snapshot of their public-facing security posture.
“While we found average levels of cybersecurity in fintech to be broadly on par with other industries, we did identify several indicators suggesting potential areas of risk.
“Oversights like expired SSL certificates or exposed technology stack details might seem minor, but they can give attackers valuable intelligence. Leaving the details of your server’s software type and version open to view just makes life easy for today’s increasingly sophisticated cybercriminals.
“While these aren’t vulnerabilities per se, seemingly small misconfigurations can increase the likelihood of more serious issues if left unaddressed.
“Last week Ian Stuart, the chief executive officer of HSBC UK, told MPs that cyber threats keep him ‘awake at night’ and that the bank is under constant attack from hackers. Cybersecurity is no less vital for fintechs who handle sensitive financial data that thieves seek to exploit. Fintechs large and small face similar risks and must remain vigilant.
“The security issues we identified were observed solely through publicly available data. Comprehensive vulnerability discovery requires active testing with proper authorisation. However, our findings highlight the importance of moving from reactive to proactive security – in which continuous ethical hacking solutions like Ethiack’s help detect and mitigate weaknesses before adversaries do.
“Combining the scale and speed of AI agents with the intelligence of human ethical hackers allows us to test systems deeply at scale – always with the goal of helping organisations stay one step ahead of cyber threats.”
Image: Desola Lanre-Ologun on Unsplash