A recent analysis by ethical hacking platform Ethiack examined 788 UK fintech firms and over 56,000 public digital assets—webpages, servers, and cloud services—to assess common security oversights. The findings reveal that 341 companies (43%) inadvertently disclose their server software type and version in HTTP response headers, potentially giving attackers critical reconnaissance information.
Expired SSL Certificates Increase Risk
The study also found that 19.5% of the analysed platforms present expired or otherwise invalid TLS (SSL) certificates. A browser warns before loading such a site, and a customer who clicks through that warning gives up the one thing the certificate was meant to guarantee: that the other end of the connection really is the fintech. The session is still encrypted, but it can no longer be distinguished from one that an attacker has intercepted, which is the heightened eavesdropping and data-interception risk the report describes. Expired certificates also teach customers to ignore warnings, which makes later man-in-the-middle and phishing attempts easier.
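The two findings above (version strings in response headers, and expired certificates) are both things a passive check can score without touching anything but the public edge of a site. The following is an added example, written for this page rather than taken from Ethiack's tooling or the report, that runs both checks over constructed sample data: the hostnames, response heads, certificate dates and the fixed clock are all invented here, and the "product" classification follows only what the Server header claims.

```python
"""Added example (not Ethiack's tooling): passive checks for version-disclosing
headers and for expired or soon-to-expire TLS certificates, over constructed data."""
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample HTTP response heads; hostnames and values are invented.
SAMPLE_RESPONSES = {
    "bank-a.example": ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                       "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n"),
    "bank-b.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "bank-c.example": "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-LHR\r\n\r\n",
}
# Constructed validity windows, in the shape ssl.SSLSocket.getpeercert() returns them.
SAMPLE_CERTS = {
    "bank-a.example": {"notBefore": "Jan 10 00:00:00 2025 GMT", "notAfter": "Mar 31 23:59:59 2025 GMT"},
    "bank-b.example": {"notBefore": "Jan 10 00:00:00 2025 GMT", "notAfter": "Jun 15 23:59:59 2025 GMT"},
    "bank-c.example": {"notBefore": "Jan 10 00:00:00 2025 GMT", "notAfter": "Jan 10 00:00:00 2026 GMT"},
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Headers that commonly carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Matches "Apache/2.4.41", "PHP/7.4.3" or a bare "4.0.30319"; a product name alone ("nginx") does not match.
VERSION_RE = re.compile(r"\b(?:([A-Za-z][\w.-]*)/)?(\d+(?:\.\d+)+)")


def parse_headers(raw: str) -> dict:
    """Parse an HTTP/1.x response head into a {lower-cased name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(headers: dict) -> list:
    """Return (header, product, version) for every header value that leaks a version."""
    found = []
    for name in DISCLOSING_HEADERS:
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            found.append((name, product, version))
    return found


def server_product(headers: dict) -> str:
    """Product named by the Server header with the version stripped ('apache', 'nginx', 'cloudflare')."""
    value = headers.get("server", "")
    return value.split("/", 1)[0].split(" ", 1)[0].lower() or "unknown"


def certificate_status(cert: dict, now: datetime, warn_days: int = 30) -> str:
    """Classify a certificate's validity window against `now` (timezone-aware UTC)."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring_soon"
    return "valid"


def survey(responses: dict, certs: dict, now: datetime) -> dict:
    """Aggregate per-host findings into the kind of counts the study reports."""
    report = {"hosts": len(responses), "version_disclosed": 0, "expired": 0,
              "by_product": {}, "details": {}}
    for host, raw in responses.items():
        headers = parse_headers(raw)
        leaks = version_disclosures(headers)
        product = server_product(headers)
        status = certificate_status(certs[host], now)
        report["version_disclosed"] += bool(leaks)
        report["expired"] += status == "expired"
        report["by_product"][product] = report["by_product"].get(product, 0) + 1
        report["details"][host] = {"product": product, "leaks": leaks, "certificate": status}
    return report


if __name__ == "__main__":
    result = survey(SAMPLE_RESPONSES, SAMPLE_CERTS, NOW)
    for host, detail in result["details"].items():
        print(host, detail)
    print("disclosing:", result["version_disclosed"], "of", result["hosts"],
          "| expired:", result["expired"], "| by product:", result["by_product"])
```

Two practical notes. First, the remediation for the header finding is a one-line server setting: `server_tokens off;` on nginx, and `ServerTokens Prod` plus `ServerSignature Off` on Apache httpd, after which the header names the product but not the version (a Cloudflare-fronted origin already shows only `Server: cloudflare` to the outside world, but the origin should still be configured the same way). Second, when these checks are run against a live host rather than constructed data, an expired certificate never reaches `getpeercert()` with a default `ssl.create_default_context()`: the handshake itself fails with `ssl.SSLCertVerificationError`, so catching that error is the expiry check, and the date-window classification above is what you apply to certificates that do verify, to catch the ones about to expire.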
Reliance on Three Server Platforms
More than half (51.6%) of UK fintechs serve their public assets through Cloudflare, a reverse proxy and CDN that sits in front of the origin server, or run them on Nginx or Apache web servers, judging by the Server header those assets return. That concentration is a shared-risk problem: a single vulnerability in any one of these widely adopted platforms could expose hundreds of fintechs, and their customers, to coordinated cyberattacks.
Minor Misconfigurations, Major Consequences
“This information gives hackers a powerful headstart. While revealing the type and version of the software your server runs doesn’t give cyberthieves the key to your house, it is tantamount to telling them the make and model of your lock.”
— Jorge Monteiro, CEO and Co-founder of Ethiack
Monteiro emphasises that although these issues are not direct vulnerabilities, they serve as intelligence for sophisticated attackers. He warns that proactive measures are essential:
“Leaving the details of your server’s software type and version open to view just makes life easy for today’s increasingly sophisticated cybercriminals… Oversights like expired SSL certificates or exposed technology stack details might seem minor, but they can give attackers valuable intelligence” – added Monteiro.
Moving from Reactive to Proactive Security
Ethiack’s passive reconnaissance highlights the need for continuous ethical hacking and security testing. Combining AI-driven scans with expert human analysis helps organisations identify and remediate small misconfigurations before they escalate into critical breaches.
For more on the full methodology and recommendations, visit Ethiack’s website.