Around two months ago a fintech was hacked in Mexico. This company is focused on credit card payments through different kinds of devices, and it had a database leak.
In this leak the database exposed personal information about the customers, but no credit card information.
For example, there were names, addresses, the last digits of the cards, what the customer bought, city, etc.
For anyone working in security this is very worrying: with all this information you can attempt vishing, phishing, and other -ishings… but the most important thing for me is that this database included the things bought by the customer, so you can learn a lot about their habits.
With this information you can attempt these attacks with a lot of effectiveness. For example, if you detect that someone has a Centurion card and most of his shopping is related to traveling, it could be very easy to attempt a vishing using a golf promo, or if you see a lot of beer, you can offer beers by mailbox, etc.
When I talked with the CSO of this company, he told me «Scarlett, this is not serious, because neither the credit card nor the customer's validation data was leaked».
Hmm… maybe, but I don't need to commit fraud to cause harm; on the other hand, in Mexico there is a law named «Ley Federal de Protección de Datos Personales en Posesión de los Particulares» that protects the customer's information.
I tried to explain to him the risk of the leak, and I presented a proposal to assess and protect the API used by the devices to process the payments. It was very expensive for the CSO.
On average, no, it wasn't expensive, but ok, that is not the point; the justification given by the CSO was scary: «we are a fintech, we don't have to invest those sums like traditional banking does; they do because they are big, we are not, we operate with technology».
Hmm… if tomorrow a traditional bank is hacked, maybe a lot of people will be outside the bank screaming for their money. But the bank is still operating. What happens if a fintech is hacked? Where will the customers be? How much will it lose? What about its reputation?
I think this guy doesn't understand his business.
Well, this week I received a job offer from another fintech. It is strange, because in other countries this would be a bank; in Mexico they are just a fintech, but a very successful one.
I just talked with him to learn about the company and the position. But it was so scary, almost as much as the hacked fintech.
Yup… basically this CSO told me that his bank has the most advanced technology, and because of that they are not doing any kind of security testing; actually they are not doing any kind of QA. He thinks it is not possible to apply any methodology or framework, because its technology is so new. They don't have any development methodology, because they are cool.
I didn't want to discuss anything. But after hanging up, I was just thinking… «How did they get the MasterCard license for the credit card? I'm very sure they aren't in compliance with PCI, or at least with the CNBV».
The funny thing is that I applied to get a credit card from there, just because there are places where AMEX is not accepted, but fortunately I didn't finish the process.