Banking Security Audit Across Digital Channels

Client:

A major financial institution serving over 500,000 clients

Industry:

Finance

Focus:

Protection of personal, financial, and corporate data across mobile applications, web portals, and internal infrastructure

Main challenge:

Assessing the resilience of digital services against attacks, safeguarding sensitive data, and ensuring compliance with international security standards

Market:

Georgia

Services provided:

Security Code Review, Black-box and Gray-box Pen Testing

Key Takeaways

Strengthened security of web, mobile, and APIs

Prevented potential DoS and found 106 issues

Pentest and Code Review were conducted for digital services

A detailed report and practical recommendations were provided to enhance security and ensure compliance with PCI DSS and ISO/IEC 27001 standards.

48 hours

from detection to remediation

critical vulnerabilities identified

DoS attack anticipated and blocked

Banking Security Audit Across Digital Channels

Jan 31, 2025

14 min

How resilient are banking services to modern cyberattacks? To find out, a major financial institution turned to Datami for a comprehensive penetration test and code review. The result: 106 vulnerabilities identified and a potential DoS attack on the call center successfully blocked.

A major financial institution in Georgia serves over 500,000 clients through mobile applications, web portals, and APIs. The company handles sensitive data and operates in a regulated industry governed by PCI DSS and ISO/IEC 27001 standards.

Information security is critical to preventing data leaks, financial fraud, and unauthorized access, while regular security assessments help strengthen cyber resilience.

Objectives and challenges

The banking institution initiated a scheduled security assessment to evaluate the resilience of its digital services against attacks and ensure compliance with regulatory standards, particularly PCI DSS and ISO/IEC 27001.

The project's goal was to identify vulnerabilities, assess cyber threat risks, and strengthen the protection of personal, financial, and corporate data.

Conducting black-box and gray-box penetration testing of client-facing web portals, mobile applications, APIs, a POS terminal, and part of the internal IT infrastructure.
Performing a code review of critical components to verify business logic, authentication mechanisms, and module interactions.
Assessing configurations, identifying vulnerabilities, determining risk levels, providing recommendations, and validating compliance with security standards.

Penetration Testing & Security Code Review

Web portals, mobile applications, APIs, POS terminal, and internal network

Risk Analysis

Risk assessment, logic flaws, and configuration weaknesses

Report & Recommendations

Vulnerability descriptions, risk levels, and remediation steps

Datami Methodology: Digital Security Assessment for a Financial Institution

Our approach

Before testing, we analyzed the client’s technical documentation to accurately model potential threats.

The team conducted black-box and gray-box penetration testing of the bank’s key digital services, along with Security Code Review of selected components. Datami tested web portals, mobile applications, APIs, internal infrastructure, and POS terminals.

We combined automated scanners with manual testing, applying OWASP Top 10, MITM analysis, fuzzing, and custom scripts. We assessed configurations, authorization mechanisms, and component interactions with partial access to the client’s infrastructure, simulating the most likely attack vectors in a real-world environment.

Black-box

External testing without access to internal information — simulated attacks by third parties or hackers with no access rights.

Gray-box

Partial access allowed us to examine internal system logic, identify vulnerabilities in APIs, mobile applications, and service configurations.

Main project stages and solutions

Throughout the process, Datami adapted the work plan to fit the specifics of the infrastructure, delays in access provisioning, and newly added testing targets that emerged after the project began.

The team rotated IP addresses during scanning to avoid being blocked. Temporary privilege escalation was approved, and tunnels were created through restricted zones to reach isolated systems.

Preparation:

Collection of technical information and documentation analysis, confirmation of testing targets, and development of a plan tailored to the specifics of a regulated industry.
Testing:

Penetration Testing (black-box and gray-box) of digital services — including mobile applications, APIs, web portals, POS terminals, and parts of the internal network. Security Code Review focused on logic, authorization, and inter-module interactions.
Analysis & reporting:

Risk assessment, issue prioritization, and creation of a detailed report with actionable recommendations for vulnerability remediation and security enhancement.

Fewer critical risks — more confidence

Results and recommendations

Before the project, the client had a fairly secure system, but testing revealed a number of critical and high-risk issues, including the absence of CAPTCHA and DoS protection, weak security event monitoring, and vulnerable access points via APIs.

The Datami team identified 106 vulnerabilities: 7 critical, 15 high, 44 medium, 36 low, and 4 informational. Among them, a potential DoS attack on the call center — through mass creation of callback requests — was discovered and blocked.

The client promptly implemented initial measures: part of the issues was resolved within 48 hours.

implement CAPTCHA and rate limiting on critical interface elements;
improve logging and security monitoring;
review access policies for APIs;
regularly update the protection system in accordance with PCI DSS and ISO/IEC 27001.

Due to the scale and complexity of the infrastructure, the project lasted 5 months, including additional targets that appeared during the course of work.

Key project outcomes

The project helped the banking institution timely identify critical vulnerabilities, prevent a DoS attack on the call center, and strengthen the protection of client-facing services.

The client received an in-depth security assessment and practical recommendations from Datami on how to eliminate vulnerabilities and enhance cybersecurity.

This case study confirms: even well-protected financial companies require regular penetration testing and security code review to reduce risks and stay compliant.

Direction

Before the project

After implementation

Security posture

Partial security coverage, no in-depth analysis

106 vulnerabilities identified, remediation plan created

Critical vulnerabilities

Potential DoS, risks via API, and feedback form

7 critical threats, some resolved within 48 hours

Account compromise

Risk of call center disruption, data leakage due to weak traffic limits

Rate limiting implemented, monitoring and logging recommendations provided

Security compliance

Partial compliance with PCI DSS and ISO/IEC 27001 standards

Technical report and action plan provided for full compliance

Timeline

Planned: 5 months

Tasks completed on schedule despite increased project scope

Preparing a smart contract for release on Web3

The code was prepared for certification.
The project was secured against 99% of known threats.

Services:

Smart contract audit (White-box source code review)

Sep 16, 2025

Web3 Project Random Walk: Smart Contract Audit

Secure launch on Polygon mainnet ensured within 5 days
Risk level reduced from medium to minimal

Services:

Smart contract audit (White-Box source code analysis)

Sep 2, 2025

Smart Contract Audit of a Web3 Company

The product was prepared for a secure market launch.
The risk was reduced from high to minimal.

Services:

Smart contract audit (White-box source code analysis)

Aug 20, 2025

Back to all cases

Datami articles

Web Applications Penetration Testing: A Pentest Guide

Oleksandr Filipov: Security engineer at Datami, author of articles

Web Applications Penetration Testing: A Pentest Guide

Web applications are targeted by attacks every day - from simple scanners to deliberate breaches. To understand how vulnerable a web application is and how to protect it from hackers’ actions, a special assessment is conducted - penetration testing (pente

Oct 1, 2025

Microsoft enables email bombing protection

Datami Newsroom

Microsoft enables email bombing protection

Microsoft announced a new update to Defender for Office 365 that automatically detects and blocks email bombing attacks. The rollout started in June, and most users will receive the feature by mid-July 2025.

Sep 12, 2025 3 min

Cloudflare Repelled a Record DDoS Attack of 11.5 Tbit/s

Datami Newsroom

Cloudflare Repelled a Record DDoS Attack of 11.5 Tbit/s

Cloudflare reported that it stopped the most powerful UDP flood DDoS attack aimed at exhausting system resources. In 35 seconds, the attackers flooded the company with traffic at 11.5 Tbit/s.

Sep 5, 2025 2 min

Show all articles

On this page you will learn what cookies are and how and when we use them. Definition of the term Cookies Cookies are pieces of data that a web server generates and that a website stores on your user device (computer, smartphone, tablet, etc.). Each website or third-party service sends cookies to the browser installed on your device only if your browser allows it. This is possible if you have not set any restrictions in your browser settings to save cookies. Browsers are a very well thought out technology. They protect personal data and allow websites to access only cookies that were previously sent to them. Cookies are divided into: session cookies. They are stored in the memory of the browser only during your session, after leaving the site immediately removed. permanent. They are stored in the memory of the browser for a long time. Definition of the term “browser” A browser is an application for browsing websites. The most popular browsers are Chrome, Internet Explorer, Firefox and Safari. All listed browsers are safe. In the settings of these browsers, cookies can be easily disabled, as well as change the settings of their work. You can: accept all cookies; ask the browser to notify when cookies are used; do not accept cookies. Cookies on ak1-3.com.ua and how we use them We use cookies to: our site is more functional; to understand how you navigate on the site, what content you consume better, to develop the content strategy of the site; understand how many visits to the site were per day, month, year. Analyze the geographical identity of users of the site, the number of repeated visits and other data. Cookies that we use on our site. Third-party cookies. The buttons of social networks, videos and some other services of our site are the property of other companies. These companies may also use cookies on your device if you have used them on our site or have been previously registered with them. The privacy policy of the use of personal data by these services can be found on the websites of these services. Blocking cookies All browsers allow simple actions to disable cookies. To disable them, you must go to your browser settings and find cookies in them. But we must remember that blocking cookies can have a negative impact on the performance of many websites. How to delete files You can also always delete cookies that are stored on your computer. To do this, follow the instructions of your browser Again, deleting cookies can have a negative effect on the performance of many websites.