SPECIAL FEATURE
The day prior to our meeting, Knight had presented the results of her findings in more detail. After her opening gambit, “are you guys all sitting down? I don’t think any of you are doing anything correctly”, she proceeded to explain that, contrary to what many may have expected, the research was not focused on community banks or small credit unions. Rather, she took the 100 largest banks from a Wikipedia list and set about her work. The one that survived was an (unnamed) German bank; the rest were large US and European financial institutions.
“There’s some really bad hygiene out there,” she explained to us. “There are so many vulnerabilities that have just kept reappearing over the last 20 years.” Over the next 20 minutes or so of her presentation, Knight blasted through some of her key findings, including the hard-coding of both bank and third-party payment processor keys; gaining access to credentials for the likes of Amazon Web Services and Amazon S3 buckets; banks publishing their API documentation so any hacker worth their salt can jump straight in; developers leaving access to merged production and private keys with no password; hard-coded credentials (“when I found it, it was an ‘oh my god, it’s amazing’ moment”) and more. In short, everyone, everywhere, is falling short on security in their development.
And while she conceded that “the research took on a life of its own and became more about API security than the other vulnerabilities,” she added that “there were dozens of other vulnerability categories that were problematic across all the apps.”
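Several of the findings described above (hard-coded cloud credentials, third-party payment processor keys, private keys bundled in the app with no password) are the kind of thing a reviewer can triage with a first-pass secrets scan over an unpacked or decompiled app. The scanner below is an added example for this page, not the researcher's tooling or any bank's code: the file names, regexes, entropy threshold and sample file contents are constructed here, and the AWS values are the placeholder credentials from AWS's own documentation, not live keys.

```python
"""Added example: first-pass secrets scan over unpacked app sources.

Not the researcher's tooling. Patterns, thresholds and sample files are
constructed for illustration and need tuning before use on a real package.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass
from pathlib import Path

# Specific patterns for the classes of finding the article mentions. The AWS
# key-ID prefixes (AKIA/ASIA) are documented; the rest are heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_key": re.compile(r"(?i)(?:aws)?.{0,20}secret.{0,20}['\"]([A-Za-z0-9/+=]{40})['\"]"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "encrypted_private_key": re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED"),
}
# Generic "name = 'value'" assignment for api keys, passwords and tokens.
GENERIC = re.compile(r"(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]")
# Values below this Shannon entropy (bits/char) are treated as placeholders
# such as "changeme"; this is a tunable trade-off, not a hard rule.
MIN_ENTROPY = 3.0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int   # 0 means a file-level finding
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets are high, placeholders are low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    kinds_in_file: set[str] = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, kind, lineno, value))
                kinds_in_file.add(kind)
                hit = True
        if hit:
            continue  # a specific pattern already explains this line
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) < MIN_ENTROPY:
                continue
            findings.append(Finding(path, "credential_assignment", lineno, value))
    # A PEM private key with no encryption header is the "private key with
    # no password" case: anyone holding the package holds the key.
    if "private_key_block" in kinds_in_file and "encrypted_private_key" not in kinds_in_file:
        findings.append(Finding(path, "unencrypted_private_key", 0, ""))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def scan_directory(root: str) -> list[Finding]:
    """Walk an unpacked app directory (e.g. apktool/jadx output)."""
    base = Path(root)
    files = {str(p.relative_to(base)): p.read_text(errors="replace")
             for p in base.rglob("*") if p.is_file()}
    return scan_files(files)


# Constructed sample: what a decompiled banking app might contain.
SAMPLE_FILES = {
    "com/example/bank/Config.java": (
        "public final class Config {\n"
        '    static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
        '    static final String PSP_API_KEY = "psp_live_9f3kQx7LmZ2pVt8wRb4n";\n'
        '    static final String DEBUG_PASSWORD = "changeme";\n'
        "}\n"
    ),
    "assets/merchant.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0000\n-----END RSA PRIVATE KEY-----\n",
    "assets/encrypted.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBO0000\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.value}")
```

Running it on the constructed sample reports the AWS key pair and the payment processor key in `Config.java`, the unencrypted `merchant.pem`, and nothing for `changeme` (filtered as low entropy) or for the encrypted PEM; point `scan_directory` at a real apktool or jadx output tree to use it on an actual package.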
DECEMBER 2019