Cyber security in FinTech is a growing concern, with no markets more directly impacted by its rise than banks, payments and Blockchain. Data from banks and other financial organisations is a premium target for hackers, offering clear incentives for their malicious attacks.
With this in mind, we launched the FinTech Hackfest – an event that saw white hat hackers from Entersoft, PwC and others make Hong Kong FinTech products secure within 24 hours.
Dropped in to Campfire Hong Kong to catch up with the team at @officialeis before their weekend #Cybersecurity hackfest. Well done to all the #FinTech companies rising to the challenge to have their products tested by the White Hat hack community! pic.twitter.com/QTMj8ShEa1
— Danielle Szetho (@mdm_z)
From the hackers’ standpoint, the Hackfest was divided into three phases:
Phase – 1: Hacking
Phase – 2: Fixing
Phase – 3: Retesting
Mohan Gandhi, CEO, Entersoft gives a brief about the rules and arrangements
The hackers arrived in Hong Kong with pre-configured machines (Kali Linux installations carrying their own customised scripts for identifying High/Critical bugs) containing the essential tools for the Hackfest.
The Entersoft White Hat Team – (From left); Sri, Jos, Charan.
PwC Cybersecurity and Privacy Team
FinTech startups solving some “real world problems” signed up for the lengthy exercise, which required them to actively participate throughout the 24-hour period to understand context and execution.
Gini is the first personal financial management app powered by bank-level security in Hong Kong. Gini links together bank accounts to give users a full view of their financial situation, complete with insightful analysis, while curating offers from various sources to let them maximise the utility of their spending.
To help the hackers understand each application and what was at stake, each company took 10 minutes to explain its product and the ideas behind it. In addition to the product overview and business logic, the hackers were provided with staging URLs and sample credentials.
“Gentlemen, this is a war room.”
The hackers took note of all critical business pressure points, loopholes and soft targets for each product. While educating the teams about the basic social engineering tactics employed by attackers, the white hats gathered information about each company and profiled the individuals. Most business heads present also had a dev background, which helped the hackers build a rapport with them.
They’re off and hacking at the @officialeis @PwC @AustradeHK & @Campfire_Spaces FinTech #hackfest in Hong Kong. Check back in 24 hours to see how many bugs were found and fixed! #GameOn pic.twitter.com/3ogXpH0iLl
— AustCyber (@AustCyber)
The HackFest marathon started exactly at 11:00 PM HKT.
The first two hours went to scanners and other reconnaissance tools used to gather sensitive information. This helped, but by design the scanners produced numerous false positives, and sifting through them is always tedious for white hats. A little insight here – if not for repetitive tasks like these, Red Bull wouldn’t be a hacker favourite.
After cracking their knuckles and sanitising the raw reports, the hackers shifted their focus to a more manual approach – one that takes time, given all the heuristics and trial-and-error involved.
This went on till 7:00 AM, when all the bugs were consolidated and arranged by priority on a custom portal the hackers had created for the FinTech dev teams. This marked the end of Phase – 1.
A total of 52 vulnerabilities were uncovered.
After Phase – 1 was complete, the hackers walked the FinTech dev teams and business heads through what had been identified so far and how to fix each issue. All identified bugs were fixed by the end of Phase – 2.
The team shares a light moment.
Phase – 3 consisted of back-to-back retesting to check whether each fix had been implemented properly – an iterative process that went on for a long time.
#Hackfest is complete! An amazing experience for all FinTech and epic work by #whitehat hackers @officialeis @PwC_China @AustCyber @Campfire_Spaces pic.twitter.com/hYXuMQLGVx
— Austrade Hong Kong (@AustradeHK)
By 2:30 PM HKT the next day, the objective was achieved – the FinTechs left with secured apps, the hackers left with their bounties.
But the real heroes here were our partners – the Australian Trade and Investment Commission (Austrade), Campfire Collaborative Spaces, PwC and AustCyber – whom we can’t thank enough. Without their constant support and valuable input, this would not have been possible.