Paying The Price For Disruption: A FinTech Allowed Account Takeover, presented at DeepSec 2017

by Tilo Muller, Dominik Maier, Vincent Haupert

Summary: In this paper, we look at N26, a pan-European banking startup and the poster child for young FinTechs, to see how security is treated by startups that provide disruptive technologies in the financial sector. We find that, in a sector traditionally committed to security, FinTechs treat modern design and outstanding user experience as their main priority. Even though this strategy is rewarded by a rapidly growing number of customers, it reveals a flawed understanding of security. We analyzed all aspects of N26's security, including the frontend, backend, protocols, human factors and underlying design concepts, and found issues in all of them. We succeeded in leaking customer data, manipulating transactions, and even entirely taking over foreign accounts, ultimately issuing arbitrary transactions. We reported these findings to N26 and did not disclose them before they had been fixed. By publishing this case study now, we hope to raise awareness of security considerations in the critical banking sector among other FinTech startups as well.