Trusting Social placed its trust in the CyStack experts to protect the safety and reliability of the EVO payment system with Penetration Testing.
Our client
Trusting Social is a fintech company that utilizes artificial intelligence to provide a comprehensive credit score evaluation system through the use of big data technology, social data, and data analysis from businesses. Their solutions assist financial service providers in emerging markets to reach billions of consumers, particularly those who are not covered by mainstream credit agencies.
EVO represents Trusting Social's unique financial technology ecosystem, which enables customers to quickly and securely connect with the bank's financial products. Through EVO, customers can conveniently access credit products by simply providing basic information and undergoing identity verification on their mobile phones, eliminating the need to visit a bank branch and wait in line.
Trusting Social and TPBank have expanded their collaboration to introduce the TPBank EVO Credit Card, an innovative card product that combines TPBank's offerings with the EVO financial technology platform.
As a custodian of significant financial data, Trusting Social prioritizes data security. The EVO credit card uses 256-bit Secure Sockets Layer (SSL) encryption to protect customer information while it is transmitted over the internet. Additionally, both TPBank and Trusting Social servers are safeguarded by a firewall and an intrusion detection and prevention system (IDS/IPS) that administrators monitor regularly to block unauthorized and suspicious access. Moreover, customer passwords are stored using one-way encryption, so even server administrators cannot read them.
The infrastructure for TPBank EVO Credit Card deployment is built on the cloud platform, utilizing Google Cloud Platform in conjunction with Cloudflare, Flutter, and Go technologies.
Solution
To strictly comply with the payment card industry's specific requirements and regulations, Trusting Social proactively chose a penetration testing solution and sought a third party to evaluate its security. After researching options, Trusting Social decided to work with CyStack, one of the leading cybersecurity companies in Vietnam.
Test scope: the customer listed the functional groups and URLs to be tested on the insurance product information page.
In addition, CyStack recommended and performed testing of the admin page of this information site, using test accounts provided by the customer.
Deployment time:
- Phase 1 (May 24, 2023 - June 3, 2023)
During this period, CyStack worked onsite at the Trusting Social office for one week. Given the positive results, Trusting Social continued to engage CyStack to test the phase 2 release.
- Phase 2 (July 25, 2023 - August 4, 2023)
Our client chose a black-box testing approach, in which the testers start with no prior information about the target system. Experts approach the target environment as a real attacker would, looking for vulnerabilities within the system and assessing its ability to resist external attacks. This helps businesses determine their level of risk and develop a security plan to prevent attacks before they occur.
Penetration testing is a suitable solution for ensuring the safety and security of products in the payment card industry:
- Comprehensiveness: Allows testing of the entire credit card system from multiple perspectives, including applications, databases, networks, and related services, so that security vulnerabilities are detected from many different angles.
- Depth: Conducted by security experts with extensive knowledge of attack methods and prevention measures, who can find vulnerabilities that automated or less specialized solutions might miss.
- Realistic attack simulation: Allows simulation of realistic attack scenarios that hackers could use to break into credit card systems, so that security vulnerabilities are identified and fixed before they are exploited.
- Continuous updates: Typically performed periodically or after each system update, which helps ensure that credit card products stay protected against the latest threats.
- Compliance with regulations and standards: Helps businesses ensure that credit card products comply with security regulations and standards, especially PCI DSS (Payment Card Industry Data Security Standard).
Our working process with Trusting Social includes the following steps:
- Planning and reconnaissance: In the first step, CyStack defines the scope and goals of the test, including applications, databases, and network infrastructure; identifies potential risks related to information security, personal data protection, and potential vulnerabilities in the credit card system; and collects information about the target environment to better understand how it operates and where vulnerabilities may exist in Trusting Social's testing environment.
- Vulnerability analysis: During this phase, CyStack experts identify potential vulnerabilities in Trusting Social's testing environment using in-depth techniques such as vulnerability scanning, network scanning, and configuration review for common weaknesses such as 1-day flaws and known CVEs.
- Exploitation: This is the actual attack step, where CyStack experts perform techniques to gain unauthorized access to the system to exploit security vulnerabilities in the credit card system.
- Post-exploitation: CyStack experts continue to maintain access to EVO's system and escalate privileges (if possible) to search for additional security vulnerabilities that may still exist.
- Report: Upon completion of the project, CyStack prepares a complete report that includes a summary of the testing process, details of the discovered security vulnerabilities, and recommendations for measures to improve the security of Trusting Social's products.
Result
After conducting two phases of testing, the results were as follows:
Phase 1:
- Total of 5 vulnerabilities, including 1 medium, 2 low, and 2 info.
- How we fixed: