PenTest: Fintech Security

Description

Dear PenTest Readers,

This month we would like to take a closer look at one of the pillars of the economy - finance, and how to secure the technology which this sector functions in. We don’t think we need to point out the fact that the companies responsible for storing and transferring customers’ money are obliged to treat the security of technologies that they use as the absolute priority. Recent and ongoing outburst of various companies offering services for financial transactions and assets provokes a reflection on the technical dimension of its safety, as well as the aspect of compliance to the required standards. 

As usual, our authors provided the content related to the main theme of the issue . You can find really interesting articles on social engineering in fintech era, OSINT tools helpful in KYC/AML context, security of the FIX protocol, Amazon Web Services, and PCI DSS standard. Furthermore, there are other articles related to various fields of cybersecurity, among which the ‘Relation From Western Regional Collegiate Cyber Defense Competition in United States’ is highly recommended!

We would like to express our gratitude to every author and reviewer who helped create this issue.  

Without further ado,  

Enjoy the content!

PenTest Magazine’s Editorial Team.

---

Table of Contents

---

Social Engineering in the Age of Fintech

by Jeremy Walker and Sean Butler

Even as Fintech systems become increasingly automated, Social Engineering continues to be a major attack vector. According to the Cyber Security Firm KnowBe4, ninety-seven percent (97%) of malware is targeting users, rather than technical vulnerabilities. This article explores an example of both a remote and an on-prem social engineering method being combined with low sophistication attacks to obtain data associated with Fintech systems.

---

Security of the FIX Protocol: How to Intercept, Modify and Crash FIX Server with Mal-formatted message

by napoleon182

The only confirmation of the counterparty identity during the FIX communication is the check of field SenderCompID (field id: 49). It is possible that by accident the SenderCompID will be revealed (for example, sent to another firm via email), which should be treated as a security breach as knowing the SenderCompID will allow the attacker to steal the identity of the holder and use it in the attack (see chapter on different attack methods and approach). All things considered, firms should practice due diligence and treat SenderCompID as sensitive information.

---

Overview of OSINT use for KYC/AML and Crime Investigations

by Oussama Louhaïdia

Regulatory compliance requires financial service institutions, law and accounting firms and similar organisations to conduct due diligence checks and compliance screening on all prospective clients. These regulatory requirements include Know Your Customer (KYC), Anti Money Laundering (AML), Politically Exposed Persons (PEP) and Countering the Financing of Terrorism (CFT).

---

Powerful Pillar of Fintech: Amazon Web Services

by Dinesh Sharma

AWS pentesting is just like Ext Infra and web app pentests in most cases, but in some cases, we need to perform some tasks that might be specially defined for the AWS environment only. Here we will be discussing some of the techniques that are different from the traditional Infra and web pentest.

---

A Report From Western Regional Collegiate Cyber Defense Competition [February 28, 2019]

by Eric Crutchlow

As the end of day 2 approaches, it’s time to nuke all the Blue Team systems. The goal before was to create just enough havoc in a way that a Blue Team should be able to identify and remediate. This is one of the key areas that Blue Teams can make points, identify and remediate a hack and then report it (aka document the incident). But at one hour before the end of the competition, the Red Team is given the OK to use the nuclear option; take down all systems through any means possible (except DDoS).

---

PCI Requirements And Security For FinTech

by Anandharaj Velu

Payment card skimming devices are placed over top of POS in self-checkout at merchant’s shops. Overlay skimmers are equipped with Bluetooth technology that allow hackers to hack swiped card details and PINs wirelessly using a mobile phone. A Bluetooth signal has a range of 100 meters, so hackers can place skimmer over top of a POS and can access it from outside the storefront and hack the card data wirelessly in real-time.

---

Secure Cloud As Code

by Jonathan Armas

One of the most underestimated vulnerabilities I have encountered is logical access. This means access to a server through an SSH port, access to an Amazon Relational Database Service (RDS) through the port 3306 or 1433, or having the administration server open to the world using port 443. An open port is a window to your infrastructure incrementing the attack surface that we as pentesters can exploit, so why open it to the world? Most of the time, IaC developers set the network access to the services using a 0.0.0.0 wildcard because “all” of the services should have access, but if an attacker has access to a set of credentials for the database, SSH or administration service, either by brute-forcing it or reading it in clear text (we talked about this a lot), he can wreak havoc in your systems.

---

PCI DSS - Is It Enough Nowadays?

by Ahmed Mostafa

PCI DSS can be fair enough to face most threats nowadays but it won’t be the perfect answer if you don’t care about how you implement your compliance as you will need to make sure that an expert team will be able to supervise all operations to make sure that you will achieve the best result that make your business worthy to invest in.

---

Blue and Red Make Purple, but Green Means Go

by David Evenden

The truth of the matter is that some people have uneducated answers because they have only worked in certain positions and have very limited experience. If you work as an organization cyber security engineer, it only makes sense to operate as a Purple Team. However, analysts on MSSP teams don’t have visibility into target organizational infrastructure, therefore operating as a Blue Team simply isn’t an option. Others view the answer to Pentesting as only a portion of Red Teaming because they’ve never been hired to operate on a limited scope during an Assessment.

---

The Penetration Testing Execution Standard, An Overview

by Brandon S. Keath

Based on the client or the scope of the engagement there may be additional things to consider based on the industry of the organization. A health care organization will likely have different requirements and expectations from an organization that does banking and will likely have different metrics they are looking to achieve at the very beginning of the engagement. The last thing to discuss during the pre-engagement is establishing realistic timelines and expectations for when a penetration test will take place, often penetration tests will take place during off hours in order to avoid unwanted disruption. Once all requirements have been gathered, we move to the Intelligence Gathering Phase of PTES.

---