The Hidden Risks in Finance

In a notable incident a few years ago, a Washington-based real estate developer found a basic web vulnerability on the site of First American, a financial services company. While reviewing a document link related to a transaction, he noticed that changing a single digit in the URL returned an entirely different customer's document. This is an insecure direct object reference: the document number in the URL was the only thing standing between a visitor and any record on the system, and the numbers were sequential, so walking through them was trivial. The exposure covered First American records dating back to 2003, some 885 million in total, many containing bank account details and other personally identifiable information.
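The pattern behind that incident, written out as a small added example (not code from First American or from the article's author): a document lookup that trusts the identifier in the URL, the enumeration that a digit change amounts to, and the same lookup with the ownership check that should have been there. The store, user names and document bodies are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    body: str


# Constructed sample store: two customers' closing documents filed under
# sequential IDs, the pattern that lets a URL digit change reach a stranger's file.
DOCS: Dict[str, Document] = {
    "1000000": Document("1000000", "alice", "wire instructions for alice"),
    "1000001": Document("1000001", "bob", "wire instructions for bob"),
}


class Forbidden(Exception):
    """Raised when the requester is not entitled to the document."""


def fetch_document_insecure(doc_id: str) -> Optional[str]:
    """Vulnerable handler: the ID from the URL is treated as proof of entitlement."""
    doc = DOCS.get(doc_id)
    return doc.body if doc else None


def enumerate_insecure(start: int, count: int) -> List[str]:
    """What a digit change does at scale: step through neighbouring IDs and keep hits."""
    hits: List[str] = []
    for n in range(start, start + count):
        body = fetch_document_insecure(str(n))
        if body is not None:
            hits.append(body)
    return hits


def can_read(doc_id: str, requesting_user: str) -> bool:
    """Server-side authorization: ownership is checked against the authenticated
    session identity, never against anything the client put in the URL."""
    doc = DOCS.get(doc_id)
    return doc is not None and doc.owner == requesting_user


def fetch_document_authorized(doc_id: str, requesting_user: str) -> str:
    if not can_read(doc_id, requesting_user):
        # Same error for "missing" and "not yours": the endpoint must not
        # confirm which IDs exist, or it still leaks the ID space.
        raise Forbidden("no such document")
    return DOCS[doc_id].body


def new_document_id() -> str:
    """Unguessable identifier (128 bits of randomness). This is defence in depth;
    it does not replace the ownership check above."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(enumerate_insecure(1000000, 2))          # both customers' documents
    print(fetch_document_authorized("1000000", "alice"))
    try:
        fetch_document_authorized("1000001", "alice")
    except Forbidden as exc:
        print("alice -> bob's document:", exc)
```

The fix is the authorization check, not the random identifier: a random ID only makes guessing slower, and any link that gets forwarded, logged or indexed still opens the document for whoever holds it.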

The ease with which this information could be accessed highlights serious weaknesses in the financial sector's cybersecurity measures. According to the latest Data Breach Investigations Report by Verizon, the finance industry is one of the most targeted sectors globally for basic web application attacks. Statista estimates that successful breaches cost these companies an average of six million dollars each. The International Monetary Fund (IMF) goes further, putting potential annual losses from cyberattacks in this industry at several hundred billion dollars, enough to threaten financial stability.

In response to rising threats, financial executives have been ramping up investments in advanced defense mechanisms, including Extended Detection and Response (XDR), Security Operations Centers (SOCs), and artificial intelligence tools. Yet vulnerabilities as basic as the one the developer found at First American continue to exist throughout the industry, and none of those tools is designed to catch them.

A particular type of oversight that rarely gains attention in boardroom discussions is the prevalence of hardcoded credentials in software codebases. Research conducted by a team from North Carolina State University, analyzing over two billion files from GitHub repositories, found nearly 600,000 API keys and cryptographic tokens committed to publicly accessible source code. Anything a research crawler can find at that scale, an attacker running the same pattern matching over the same public data can find just as easily.

Hardcoded credentials do not stay in the repository: they ship inside the built application, where anyone who can download it can extract them. A recent investigation by Symantec identified nearly 2,000 public mobile apps exposing sensitive secrets, including AWS tokens that could grant unauthorized access to private cloud services. Several banking apps were found to be using the same vulnerable third-party software development kit (SDK), so one embedded key exposed users' biometric data and personal information across all of them.
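The two studies above describe the same detection problem from different angles: secrets committed to public source (the GitHub study) and secrets embedded in shipped artifacts (the Symantec mobile app findings). The added example below, which is not code from either study or from the article's author, shows the core of such a scanner: a structured pattern for AWS access key IDs, a generic pattern for long quoted values assigned to suspicious names, and a Shannon-entropy filter that separates real secrets from placeholders. The sample source is constructed; the AWS values in it are the placeholder credentials from AWS's own documentation, not live keys.

```python
import math
import re
from typing import List, NamedTuple

# Constructed sample input, not real code from any bank or SDK. The AWS values
# are the documented AWS example credentials (never valid).
SAMPLE_SOURCE = """\
# settings.py (constructed example)
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_BASE = "https://api.example.test/v1"
API_KEY = "REPLACE_ME_REPLACE_ME_REPLACE_ME"
"""


class Finding(NamedTuple):
    line: int
    kind: str
    name: str   # assignment target, empty for structured matches
    value: str


# Structured pattern: long-lived (AKIA) and temporary (ASIA) AWS access key IDs.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Generic pattern: a quoted value of 16+ characters assigned to a name that
# suggests a credential. This alone is noisy, hence the entropy filter below.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b([a-z_]*(?:secret|token|key|password|passwd)[a-z_]*)\s*[=:]\s*['"]([^'"]{16,})['"]"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random secrets score high; placeholders and prose score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return one Finding per suspected secret, keyed by 1-based line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        key_ids = [m.group(1) for m in AWS_KEY_ID_RE.finditer(line)]
        for kid in key_ids:
            # Structured IDs are reported regardless of entropy; the format is the signal.
            findings.append(Finding(line_no, "aws_access_key_id", "", kid))
        m = ASSIGNMENT_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            # Skip values already reported as key IDs, and low-entropy placeholders.
            if value not in key_ids and shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_assignment", name, value))
    return findings


def redact(value: str) -> str:
    """Show enough to triage without re-leaking the secret in scanner output."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} {f.name} {redact(f.value)}")
```

Run against the sample, the scanner reports the access key ID on line 3 and the secret key on line 4, and stays silent on the `REPLACE_ME` placeholder on line 6 even though its name matches. The threshold of 3.5 bits per character is a starting point to tune against your own codebase; a finding is only the beginning, since a leaked key remains valid until it is rotated.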

The seriousness of such vulnerabilities is illustrated by high-profile breaches in the past, including Uber's infamous data loss incidents. Attackers often reach critical systems through seemingly innocuous means: in 2022, a 17-year-old hacker who had already obtained a foothold in Uber's internal network found privileged credentials hardcoded in a script on an internal share and used them to reach the company's core systems. These incidents show that the risk applies even to organizations with extensive resources dedicated to cybersecurity.

With the finance sector among the most heavily targeted by cybercriminals, it is crucial for organizations to strengthen their security controls. Both AWS and GitHub already watch for credential leaks in public code, but those efforts cover only what is published openly, and a leaked key stays valid until its owner rotates it. Businesses therefore need their own controls: monitoring their source code for hardcoded secrets, whether in-house or through cybersecurity vendors who specialize in it, and a rotation process that runs as soon as a leak is confirmed.

This analysis serves to remind business leaders of the importance of vigilance against such vulnerabilities within their infrastructures, illustrating that proactive engagement is often the key to thwarting would-be attackers.

Note – This article was authored by Thomas Segura, a technical content writer at GitGuardian, with extensive experience in cybersecurity as both an analyst and consultant.

This article is a contributed piece from one of our valued partners.