A Billion-Dollar Save: How a FinTech Security Audit Prevented a Financial Catastrophe

A large FinTech company approached Red Sentry to conduct a security audit as part of its SOC 2 compliance process for a newly acquired web application. What started as a standard FinTech security audit quickly uncovered an impending crisis. Red Sentry’s team discovered a massive vulnerability that exposed complete financial records—including credit card numbers, Social Security numbers, and other sensitive personal information—to potential attackers.

The Challenge: Ensuring a Comprehensive Security Audit for FinTech Applications

A major FinTech company had recently completed an acquisition and needed to ensure its expanded digital infrastructure met security requirements. 

While the company maintained strong security practices in its core business, it hadn't conducted regular penetration testing across its infrastructure. However, in preparation for SOC 2 certification, it wanted a thorough security audit of the web application it had recently acquired. 

The application handled sensitive financial data, including credit card information, Social Security numbers, and other Personally Identifiable Information (PII). The company sought to identify and mitigate any potential vulnerabilities that could compromise this data. Given the sensitive nature of the newly acquired application’s data, security testing and due diligence were extremely important.

The company entrusted Red Sentry with the task because of Red Sentry's application security and FinTech penetration testing expertise.

Running a FinTech Security Audit to Identify Vulnerabilities

Red Sentry conducted a comprehensive web application penetration test, including the application’s APIs. The assessment started with a vanilla test: the team was given a standard username and password, the same access any regular user would have.

The team simulated a real-world attack scenario by using a mix of manual testing techniques and specialized tools like Burp Suite to analyze the application's behavior and identify potential security vulnerabilities. 

Red Sentry's internal standards for tracking and evaluating penetration tester skills ensured the project was staffed with the most relevant, qualified, and experienced professionals, resulting in a thorough security audit and actionable insights on how to prevent financial data breaches. 

How Did We Uncover Critical Vulnerabilities? 

The Red Sentry team approached the application test from the perspective of a hacker rather than a developer, simulating a real-world attack. 

Red Sentry's proactive pen-testing process revealed a critical security flaw that could have compromised sensitive data. Here are the steps the team took to find these weak points.

Step 1: Examining API Calls

Using Burp Suite, Red Sentry captured and analyzed POST requests, the data being sent to the backend when users performed actions within the app. This helped identify potential areas where security checks were missing and the application could be vulnerable to an attack.

Step 2: Testing Broken Access Control

Red Sentry then examined how the web app validated user privileges when making API calls. 

The team discovered that some backend server calls failed to verify whether a user actually had the necessary privileges to access specific data.

  • The system assumed that if a user was logged in, they were authorized to access certain features.
  • Red Sentry found they could completely bypass the application's security by modifying API requests—even while logged out.
  • The system mistakenly recognized the request as legitimate and returned confidential financial data. This process could be repeated to gain unauthorized access to the entire financial database.

Step 3: Extracting Financial Data

Red Sentry demonstrated the severity of the vulnerability by manipulating API calls.

Here is what they were able to request and retrieve:

  • Credit card numbers.
  • Social Security numbers.
  • CVV codes.
  • Personally identifiable information (PII).

By modifying customer ID values in the API requests (an Insecure Direct Object Reference, or IDOR, attack), the team accessed unauthorized financial records for three real users as a proof of concept, demonstrating the importance of web application pentesting for FinTech.

Here’s What We Found Out

Red Sentry's FinTech security audit findings demonstrated the worst-case scenario: a vulnerability that could expose the financial data of thousands of its users to attackers. Here were the main problems:

  • Critical Broken Access Control: The system failed to validate user permissions for API requests, allowing unauthorized data retrieval. This critical flaw made it possible for attackers to access confidential financial records without appropriate authorization.
  • IDOR Exploit: Attackers could easily modify a request to access financial information belonging to other users. This type of security vulnerability in FinTech allows for the unauthorized extraction of sensitive data.
  • Massive Breach Potential: With sufficient time, a malicious actor could have extracted sensitive financial data for every customer. Given the nature of the vulnerability, this breach could have resulted in major financial loss and legal consequences for the company.

The Rundown of Our Rapid Response & Resolution

Red Sentry provided the FinTech company with detailed documentation of the issue, recommendations, and resources to address the identified vulnerabilities.

Red Sentry provided technical guidance on:

  • Enhanced API Security Validation: Implementing mandatory security checks for every API call, verifying user authorization, and adding multiple layers of authentication.
  • Rotating Privilege Verification System: Introducing a dynamic authorization system where security checks change with each API call, ensuring fresh authentication for every request.

These updates were made so that only authorized users could access sensitive financial data, preventing attackers from exploiting any vulnerabilities—even if they intercepted a successful request.
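As an added illustration (not code from the engagement or from Red Sentry), here is the pattern behind the Step 2 and Step 3 findings next to the per-call authorization check recommended above, written as framework-free Python handlers: the "before" version trusts the client-supplied customer ID and never consults the session, while the "after" version re-checks authentication and record ownership on every request. The customer store, the `Request` model and all names and values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample store: customer ID -> record (all values are fake placeholders).
CUSTOMERS = {
    1001: {"owner": "alice", "card_last4": "4242", "ssn_last4": "1234"},
    1002: {"owner": "bob", "card_last4": "0005", "ssn_last4": "9876"},
}

@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption, not a real API)."""
    customer_id: int                      # value the client puts in the URL or POST body
    session_user: Optional[str] = None    # None = no valid session (logged out)

class Unauthenticated(Exception):
    pass

class Forbidden(Exception):
    pass

def vulnerable_get_customer(req: Request) -> dict:
    """Before: the handler trusts the client-supplied ID outright. It never looks at
    the session or at who owns the record, so changing the ID (IDOR) returns another
    customer's data, and a logged-out caller gets the same answer as a logged-in one."""
    return CUSTOMERS[req.customer_id]

def secure_get_customer(req: Request) -> dict:
    """After: authentication and object-level authorization are re-evaluated on this
    call, against server-side data, never against anything the client sent."""
    if req.session_user is None:
        raise Unauthenticated("login required")
    record = CUSTOMERS.get(req.customer_id)
    # Ownership is checked against the stored record, not a client-provided field.
    # Missing and foreign records get the same response so IDs cannot be enumerated.
    if record is None or record["owner"] != req.session_user:
        raise Forbidden("not authorized for this customer")
    return record

def outcome(handler: Callable[[Request], dict], req: Request) -> str:
    """Classify a call as 'ok', 'unauthenticated' or 'forbidden' for side-by-side comparison."""
    try:
        handler(req)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"
```

Calling `outcome(vulnerable_get_customer, Request(1002, "alice"))` returns "ok" (Alice receives Bob's record), while the hardened handler returns "forbidden" for the same request and "unauthenticated" when no session is present.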

The FinTech Company’s Security Protocol Moving Forward

The FinTech company swiftly implemented the recommended changes to its API, and Red Sentry verified the effectiveness of the changes through retesting.

Here is the long-term impact of the engagement:

  • Shielding the company from billions in potential fraud-related losses
  • Safeguarding against massive regulatory fines and legal liabilities
  • Preserving the company’s reputation and maintaining customer trust
  • Strengthening security measures across the company’s infrastructure
  • Ensuring the company moves closer to achieving SOC 2 certification
  • Fostering a culture of security awareness and best practices within the development teams

A New Partnership For A More Secure Financial Future

Red Sentry’s proactive approach and extensive expertise helped the FinTech company avoid a potentially devastating financial data breach. By identifying and resolving a critical security gap, Red Sentry saved the company billions in potential losses and protected the sensitive financial data of countless customers. These are just a few of the reasons why security audits are crucial for all companies.

The FinTech company now has a trusted, long-term cybersecurity partner in Red Sentry. And your business could benefit from the same level of protection.

When you’re ready to talk about your company's security, drop us a line. We’re here to assist with all your FinTech security audit needs.
