Philippines Fintech: 18 Critical Vulnerabilities Found Before Payment Launch
A Manila-based payment processing fintech preparing for BSP (Bangko Sentral ng Pilipinas) regulated launch engaged EIC's CREST-accredited penetration testing team. The assessment identified 18 critical vulnerabilities — including authentication bypasses and payment API flaws — all remediated before the platform went live.
BSP Launch Gate — Zero Tolerance for Critical Findings
BSP (Bangko Sentral ng Pilipinas) requires a security assessment before payment license approval. For a Manila-based fintech preparing to process card-not-present transactions, mobile wallet top-ups, and merchant settlements, this regulatory gate was the final obstacle before launch — and BSP examiners had made clear that "self-assessed" security would not pass regulatory scrutiny.
The platform was built on a microservices architecture with 23 API endpoints exposed to partners. The engineering team had invested heavily in functionality and speed-to-market, but the security posture had not received the same level of attention. A previous internal scan using automated tools had returned only 2 medium-severity findings, leading management to believe the platform was secure and launch-ready.
A BSP examiner had informally flagged during a pre-examination consultation that self-assessed security — particularly automated-only testing — would not satisfy the regulator's expectations for a payment platform handling real-time financial transactions. The examiner's feedback was clear: an independent, accredited security assessment was expected.
The fintech had a 6-week window before BSP's scheduled examination. Within that window, they needed to complete an independent penetration test, remediate any findings, obtain a clean re-test report, and submit the documentation package to BSP. Any critical findings remaining at examination time would delay the payment license — and with it, the revenue timeline the fintech had committed to its Series B investors.
- BSP (Bangko Sentral ng Pilipinas) requires security assessment before payment license approval
- Platform handles card-not-present transactions, mobile wallet top-ups, and merchant settlements
- Built on microservices architecture with 23 API endpoints exposed to partners
- Previous internal scan only found 2 medium findings — management believed platform was secure
- BSP examiner had informally flagged that "self-assessed" security would not pass regulatory scrutiny
- 6-week window before BSP scheduled examination
CREST Methodology: Beyond Automated Scanning
EIC deployed a comprehensive CREST-accredited penetration testing engagement designed to uncover vulnerabilities that automated tools miss — particularly business logic flaws in payment processing workflows that require human expertise to identify and exploit.
Reconnaissance & Scoping
Mapped 23 API endpoints, 3 web interfaces, mobile app backend. Defined test scenarios for BSP-specific payment flows.
Manual Penetration Testing
CREST-accredited testers performed manual testing beyond automated tools. Identified authentication bypass in merchant onboarding API, payment amount manipulation in settlement API, IDOR vulnerabilities in transaction history endpoints.
Reporting & Risk Scoring
Detailed findings report with CVSS scoring, proof-of-concept demonstrations, and BSP-aligned risk classifications. Board-ready executive summary.
Remediation Support
EIC provided remediation guidance for all 18 critical findings. Re-tested each fix. Final clean report issued for BSP submission.
What the Automated Scans Missed
The fintech's previous automated scan — using industry-standard tools like Nessus and OWASP ZAP — had returned only 2 medium-severity findings. Management had interpreted this result as confirmation that the platform was secure. The reality was fundamentally different.
EIC's manual CREST testing found 18 critical, 12 high, and 34 medium-severity findings. The gap between the automated and manual results was not a failure of the automated tools — it was a limitation of what automated testing can detect. Automated scanners excel at identifying known vulnerability signatures, missing patches, and configuration weaknesses. They cannot reason about business logic.
The 3 authentication bypass vulnerabilities were the most severe findings. These flaws would have allowed any authenticated merchant to access other merchants' settlement data — including transaction volumes, settlement amounts, and bank account details. The bypass exploited a flaw in the merchant onboarding API where the authorization check validated that a user was authenticated but did not verify that the authenticated user had permission to access the requested merchant's data.
The payment amount manipulation flaw was equally critical. The settlement API accepted transaction amount parameters from the client side without server-side re-validation against the original authorized amount. An attacker could modify the settlement amount post-authorization — a vulnerability that could have resulted in direct financial loss for merchants and the platform itself.
These findings are invisible to automated tools because they require business logic understanding. A scanner cannot know that Merchant A should not see Merchant B's data, or that a settlement amount should match the original authorization. Only manual testing by experienced penetration testers — who understand payment processing workflows — can identify these classes of vulnerability.
Measurable Outcomes
Our internal scans said we were secure. EIC's CREST team found 18 critical vulnerabilities in the first week — including authentication bypasses that automated tools simply cannot detect. Without this assessment, we would have launched a payment platform with exploitable flaws.