In this paper, we look at N26, a pan-European banking startup and the poster child for young FinTechs, to see how security is treated by startups that provide disruptive technologies in the financial sector. We find that, in an area that has been committed to security, FinTechs make modern design and outstanding user experience their main priority. Even though this strategy is rewarded by a rapidly increasing number of customers, it reveals a flawed understanding of security. We analyzed all aspects of security, including the frontend, backend, protocols, human factors and underlying design concepts, and found issues in all of them. We succeeded in leaking customer data, manipulating transactions, and even taking over foreign accounts entirely, ultimately issuing arbitrary transactions. We reported these findings to N26 and did not disclose them before they had been fixed. By publishing this case study now, we hope to raise awareness of security considerations in the critical banking sector among other FinTech startups as well.
Vincent Haupert is a research fellow and PhD candidate with the Security Research Group at Friedrich-Alexander University Erlangen-Nürnberg. His main interests are authentication, system security and software protection of mobile devices. In particular, the security of online and mobile payment solutions is one of his major research subjects.