=Paper=
{{Paper
|id=Vol-3917/paper64
|storemode=property
|title=Investigating vulnerabilities of personal data on financial websites
|pdfUrl=https://ceur-ws.org/Vol-3917/paper64.pdf
|volume=Vol-3917
|authors=Olena H. Fedorenko,Sofiia V. Velychko,Yelyzaveta V. Kaidan
|dblpUrl=https://dblp.org/rec/conf/cs-se-sw/FedorenkoVK24
}}
==Investigating vulnerabilities of personal data on financial websites==
https://ceur-ws.org/Vol-3917/paper64.pdf
Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
Investigating vulnerabilities of personal data on financial
websites
Olena H. Fedorenko1 , Sofiia V. Velychko1,2 and Yelyzaveta V. Kaidan3
1
Donbas State Pedagogical University, 19 Batyuk Str., Sloviansk, 84116, Ukraine
2
National University “Odesa Law Academy”, 23 Fontanska Str., Odesa, 65009, Ukraine
3
Ivan Franko National University of Lviv, 1 Universytetska Str., Lviv, 79000, Ukraine
Abstract
This paper investigates the vulnerabilities of personal data on financial websites. It analyzes potential threats and
attack methods and proposes comprehensive protection strategies from both user and organizational perspectives.
The security of specific financial sites is evaluated, and recommendations are provided.
Keywords
personal data, financial websites, data breaches, cybersecurity, attack methods
1. Introduction
In today’s digital age, personal data security has become a paramount concern, especially in the context
of financial websites. As more individuals rely on online platforms for managing their finances, the risks
associated with data breaches and unauthorized access have grown exponentially [1]. The consequences
of compromised financial data can be severe, ranging from identity theft and fraudulent transactions to
long-term damage to credit scores and reputation [2].
The vulnerability of personal data on financial websites is a multifaceted issue involving a complex
interplay of technological, human, and organizational factors. Attackers employ an ever-evolving
array of techniques to exploit weaknesses in web application security, such as SQL injection, cross-site
scripting (XSS), and phishing [3]. These threats are compounded by the increasing sophistication of
cybercriminals and the proliferation of hacking tools on the dark web [4].
Recent high-profile data breaches, such as the Kyivstar incident in December 2023, have highlighted
the devastating impact of successful attacks on financial platforms. In this case, hackers managed to
infiltrate the mobile operator’s infrastructure, disrupting services for millions of users and compromising
sensitive customer data [5]. The breach not only caused immediate financial losses but also eroded
public trust in the security of online transactions [6].
Effective protection of personal data on financial websites requires a multi-pronged approach, involv-
ing both proactive measures by organizations and informed vigilance by individual users [7]. Financial
institutions must implement robust security controls, such as encryption, access management, and
regular auditing, to safeguard customer data from unauthorized access [8]. At the same time, users
need to adopt best practices for online security, including strong password hygiene, enabling two-factor
authentication, and being cautious when sharing personal information [9].
This paper aims to provide a comprehensive analysis of the vulnerabilities threatening personal data
on financial websites and propose strategies for enhancing security in this critical domain. The primary
objectives of this research are:
1. To identify and categorize the most common vulnerabilities and attack methods targeting financial
websites based on industry reports and academic literature.
CS&SE@SW 2024: 7th Workshop for Young Scientists in Computer Science & Software Engineering, December 27, 2024, Kryvyi
Rih, Ukraine
" fedorenko.elena1209@gmail.com (O. H. Fedorenko); sofiavelichko33@gmail.com (S. V. Velychko); kaidan.yelv@gmail.com
(Y. V. Kaidan)
� 0000-0002-1897-874X (O. H. Fedorenko); 0000-0002-2728-6796 (S. V. Velychko); 0000-0002-2350-2228 (Y. V. Kaidan)
© 2025 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
ceur-ws.org
Workshop ISSN 1613-0073
Proceedings
451
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
2. To conduct a security assessment of two prominent financial websites – OLX.ua and Privat24.
The remainder of this paper is structured as follows: section 2 presents an in-depth analysis of common
vulnerabilities and attack methods targeting financial websites; section 3 explores user-oriented and
organization-oriented strategies for enhancing personal data protection; section 4 offers a detailed
security assessment of OLX.ua and Privat24; and finally, section 5 concludes with a summary of key
findings and recommendations for future research.
2. Analysis of attack methods and vulnerabilities
Financial websites are prime targets for cybercriminals due to the sensitive nature of the data they
handle and the potential for direct financial gain. Attackers employ a wide range of methods to exploit
vulnerabilities in web applications, servers, and user behaviours [3].
Typical attack methods:
1. SQL Injection (SQLi) is a technique where malicious SQL statements are inserted into application
queries. This allows attackers to manipulate the database, bypass authentication, or extract
sensitive information [8]. SQLi vulnerabilities often arise from improper validation or sanitization
of user inputs in web forms or URL parameters [10].
2. Cross-Site Scripting (XSS) involves injecting malicious scripts into web pages viewed by other
users. When executed, these scripts can steal session cookies, perform unauthorized actions, or
redirect users to phishing sites [9]. XSS vulnerabilities typically result from inadequate encoding
or filtering of user-generated content [11].
3. Cross-Site Request Forgery (CSRF) tricks authenticated users into performing unintended actions
on a web application by exploiting their active session. By crafting malicious links or forms, at-
tackers can make unauthorized transactions or changes to user accounts [8]. CSRF vulnerabilities
arise when web applications fail to include proper authentication tokens in sensitive requests
[10].
4. Phishing and social engineering use fraudulent emails, websites, or messages to deceive users into
revealing their login credentials, personal information, or financial details [5]. Social engineering
techniques exploit human psychology to manipulate victims into taking actions that compromise
their security [2].
5. Malicious software (malware), such as viruses, trojans, or spyware, can infect user devices to
steal sensitive data, monitor keystrokes, or perform unauthorized transactions [3]. Ransomware
attacks encrypt user files and demand payment for their release, causing significant financial
losses and operational disruptions [12].
Common vulnerabilities:
1. Weak authentication and session management occur when financial websites implement weak
password policies, lack multi-factor authentication, or handle sessions improperly. These vul-
nerabilities expose users to brute-force attacks, credential stuffing, and session hijacking [10].
Attackers can exploit these weaknesses to gain unauthorized access to user accounts and perform
fraudulent activities [9].
2. Insecure data storage and transmission arise when sensitive financial data is stored without
proper encryption or transmitted over unencrypted channels. This makes the data vulnerable to
interception and theft [8]. Failure to secure data at rest and in transit is a significant weakness in
many web applications [12].
3. Misconfigured or unpatched systems affect financial platforms running on servers with improper
configurations, outdated software, or unpatched vulnerabilities. These systems are susceptible
to known exploits and zero-day vulnerabilities [1]. Attackers can leverage these issues to gain
unauthorized access, escalate privileges, or compromise the entire system [7].
452
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
4. Insufficient input validation and output encoding results when web applications fail to validate
user inputs or encode output data adequately. These vulnerabilities make the applications prone
to injection attacks, such as SQL injection and cross-site scripting [11]. Lack of input sanitization
enables attackers to manipulate application behaviour and extract sensitive information [10].
5. Broken access control and privilege escalation occur when weak access control mechanisms
and improper privilege management are in place. Attackers can bypass authentication, access
unauthorized resources, or elevate their privileges within the application [3]. Insecure direct
object references and broken role-based access control are frequent examples of this vulnerability
[9].
Figure 1 presents the OWASP Top 10 Web Application Security Risks, which encompass many of the
aforementioned vulnerabilities and provide a standardized framework for assessing and prioritizing
security weaknesses.
Figure 1: OWASP Top 10 Web Application Security Risks (https://owasp.org/www-project-top-ten/).
The complex and interconnected nature of financial systems amplifies the impact of these vulnerabil-
ities. A single compromised account or system can serve as an entry point for attackers to laterally
move through the network, escalate privileges, and access a wide range of sensitive data [13]. The
consequences can be devastating, including financial losses, reputational damage, legal liabilities, and
erosion of customer trust [2].
To effectively mitigate these risks, financial organizations must adopt a proactive and multi-layered
approach to security. This involves implementing robust technical controls, such as encryption, secure
coding practices, and regular security testing, as well as fostering a culture of security awareness
among employees and users [1]. The following section explores specific strategies and best practices for
enhancing personal data protection on financial websites from both user and organizational perspectives.
3. Personal data protection methods
3.1. User-oriented strategies
Awareness and education are critical for empowering users to safeguard their financial data online.
By understanding common threats such as phishing scams, social engineering tactics, and malicious
websites, individuals can make informed decisions to avoid falling victim to attacks [1]. Financial
institutions play a crucial role in this process by providing accessible educational resources, tutorials,
and regular updates to inform users about emerging risks and best practices for online security [7].
Strong authentication and password management are fundamental to protecting financial accounts.
Users should create strong, unique passwords for each account, avoiding easily guessable information
like names or birthdays. Instead, passwords should include a mix of uppercase and lowercase letters,
numbers, and special characters [8]. Regularly updating passwords and using password managers can
further enhance security [9].
453
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
Enabling two-factor authentication (2FA) provides an additional layer of security for financial accounts.
This method requires users to provide a second form of verification, such as a one-time code sent to
their mobile device or generated by an authenticator app, alongside their password [12]. Activating
2FA significantly reduces the risk of unauthorized access, even if passwords are compromised [11].
Financial institutions should encourage users to enable 2FA and offer guidance on the setup process
[1]. Secure device and network configuration is essential for protecting personal information. Users
should ensure their devices, including smartphones, tablets, and computers, are protected by up-to-date
security software like antivirus programs and firewalls [9]. Regularly applying software updates and
patches is necessary to address known vulnerabilities [8]. When accessing financial websites, users
should avoid public Wi-Fi networks or unsecured connections, which can be intercepted by attackers
[7]. Instead, utilizing a virtual private network (VPN) or mobile data provides a safer alternative [3].
Monitoring and promptly reporting suspicious activities is another key strategy for users. Regularly
reviewing financial accounts and statements helps identify unauthorized transactions or changes to
personal information [1]. Activating account alerts and notifications can aid in the early detection
of potential security breaches [2]. If users suspect fraudulent activities or account compromise, they
should immediately report it to their financial institution and follow instructions to secure the account
and minimize losses [5].
3.2. Organization-oriented approaches
Compliance with data protection regulations is essential for financial organizations to safeguard personal
data and avoid legal consequences. Regulations such as the European Union’s General Data Protection
Regulation (GDPR) and China’s Personal Information Protection Law (PIPL) impose strict requirements
for the collection, processing, storage, and transfer of personal data [1]. These regulations mandate
obtaining user consent, implementing appropriate security measures, and reporting data breaches
within specified timeframes [7]. Failure to comply can result in significant financial penalties and
reputational damage [6].
Secure development and testing practices are critical in mitigating vulnerabilities in financial web
applications. By implementing secure coding guidelines, conducting regular code reviews, and em-
ploying static and dynamic security analysis, organizations can identify and address potential risks
during the software development lifecycle [3]. Security testing techniques, such as penetration testing,
vulnerability scanning, and fuzz testing, further help uncover weaknesses in security controls, allowing
organizations to remediate them before deployment [9].
To protect sensitive data, strong encryption mechanisms should be implemented both in transit
and at rest [12]. Using secure protocols like Transport Layer Security (TLS) ensures the safety of
data transmitted over networks by preventing interception and unauthorized access [1]. Additionally,
sensitive data should be stored in encrypted form using industry-standard algorithms and robust key
management practices. This approach minimizes the risk of data breaches and protects information
from unauthorized disclosure [8].
Access control and privilege management are fundamental to limiting unauthorized access to sensitive
resources. Financial organizations should establish clear roles and permissions for various user groups,
such as customers, employees, and administrators while restricting access based on job functions and
business needs [3]. Regularly reviewing and updating access privileges, coupled with monitoring user
activities through logging and auditing mechanisms, enhances the organization’s ability to detect and
respond to potential security breaches [1].
Continuous security monitoring and an effective incident response plan are essential for maintaining
the security of financial systems and networks [8]. Solutions such as security information and event
management (SIEM), intrusion detection and prevention systems (IDPS), and other monitoring tools
play a vital role in identifying anomalous activities like unauthorized access attempts or data exfiltration
[3]. Establishing a well-defined incident response plan enables organizations to contain, investigate,
and recover from security breaches. Regular testing and updating of this plan ensure its effectiveness in
mitigating potential damages [7].
454
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
Employee training and awareness are also critical components of an organization’s security strategy.
Employees are often the weakest link in maintaining security [2], so it is essential to provide regular
training and education on their responsibilities in safeguarding sensitive data [13]. Training programs
should address secure password practices, recognizing and reporting phishing attempts, handling
sensitive data appropriately, and adhering to security policies [1]. Conducting periodic assessments
and simulated phishing exercises can help organizations evaluate the effectiveness of their training
programs and identify areas for improvement [9].
Implementing a combination of user-oriented and organization-oriented strategies creates a multi-
layered defence against threats to personal data on financial websites. By empowering users to make
informed security decisions and establishing robust technical and organizational controls, financial
institutions can significantly reduce the risk of data breaches and protect the confidentiality, integrity,
and availability of sensitive information.
4. Financial website security analysis
4.1. OLX.ua marketplace
OLX.ua is a leading online marketplace in Ukraine, facilitating the buying and selling of various goods
and services. As a platform that handles sensitive user information, including personal details and
financial transactions, OLX.ua has implemented several security measures to protect user data.
OLX.ua provides a detailed privacy policy outlining the types of personal data collected, the pur-
poses for which it is used, and the measures taken to protect user privacy [1]. The platform collects
user information, such as names, email addresses, and phone numbers, to facilitate transactions and
communicate with users. OLX.ua also specifies that it may share user data with affiliated companies
and trusted partners for service provision and marketing purposes [7].
OLX.ua uses the HTTPS protocol to encrypt data transmitted between users’ browsers and the
platform’s servers [12]. This ensures that sensitive information, such as login credentials and financial
details, is protected from interception by unauthorized parties. The presence of a valid SSL/TLS
certificate, indicated by a padlock icon in the browser’s address bar, confirms the secure connection [8].
OLX.ua implements user authentication mechanisms to verify the identity of users accessing the
platform. Users are required to create an account with a unique username and password, which are
used to log in to the system [3]. The platform also provides the option for users to enable two-factor
authentication (2FA) for added security, requiring a second form of verification, such as an SMS code,
in addition to the password [9].
OLX.ua employs monitoring and fraud detection systems to identify and prevent suspicious activities
on the platform [1]. This includes monitoring user behaviour patterns, detecting abnormal transactions,
and flagging potential fraud attempts. The platform also provides a reporting mechanism for users to
notify OLX.ua of any suspicious or fraudulent activities they encounter [7]. Figure 2 illustrates the
process of detecting and preventing fraudulent activities on the OLX.ua online marketplace.
Figure 2: Fraud detection and prevention process on the OLX.ua online marketplace.
455
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
OLX.ua provides educational resources and tips to help users protect their personal information and
avoid falling victim to scams or fraudulent activities [1]. The platform’s blog and support centre offers
guidance on creating strong passwords, identifying phishing attempts, and conducting safe transactions.
OLX.ua also encourages users to be cautious when sharing personal information and to report any
suspicious activities to the platform’s support team [7].
While OLX.ua has implemented various security measures to protect user data, there are still potential
areas for improvement. For example, the platform could consider implementing more granular access
controls based on user roles and permissions, regularly conducting security audits and penetration
testing to identify vulnerabilities, and providing more prominent and accessible security settings for
users to manage their account security preferences [3].
4.2. Privat24 online banking
Privat24 is a popular online banking platform in Ukraine, offering a wide range of financial services,
including account management, money transfers, and bill payments. As a platform handling highly
sensitive financial information, Privat24 has implemented robust security measures to protect user data
and prevent unauthorized access.
Privat24 employs a multi-factor authentication process to verify the identity of users accessing their
accounts [8]. In addition to a username and password, users are required to provide a second form of
authentication, such as an SMS code or a hardware token, to log in to the platform [12]. This helps
prevent unauthorized access to user accounts, even if the password is compromised [11].
Privat24 uses strong encryption algorithms to protect sensitive data transmitted between users’
devices and the platform’s servers [9]. The platform employs the TLS1.3 protocol, which provides robust
encryption and secure communication channels [12]. Packet sniffing analysis conducted on Privat24’s
network traffic confirmed that sensitive data, such as login credentials and financial information, is not
transmitted in plaintext and is protected by encryption (figure 3).
Figure 3: Packet sniffing in wireshark.
Privat24 has implemented advanced fraud detection and monitoring systems to identify and prevent
fraudulent activities on the platform [1]. This includes real-time monitoring of transactions, behavioural
analysis of user activities, and machine learning algorithms to detect anomalous patterns [7]. Privat24
also provides users with the ability to set up transaction alerts and notifications, allowing them to
quickly detect and report any suspicious activities on their accounts [2].
Privat24 places a strong emphasis on user education and awareness regarding online banking security
[1]. The platform provides a dedicated security centre on its website, offering information and guidance
on safe banking practices, identifying phishing attempts, and protecting personal information. Privat24
also regularly communicates with users through email and in-app notifications, providing updates on
emerging security threats and reminding users to maintain good security habits [5].
Privat24 ensures compliance with relevant data protection regulations, such as the Payment Card
Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) [1].
The platform follows strict data handling and storage practices, implementing access controls, data
encryption, and regular security audits to maintain the confidentiality and integrity of user data [7].
Figure 4 presents a screenshot of Privat24’s online banking interface, highlighting the platform’s
security features and user authentication process.
While Privat24 demonstrates a strong commitment to user data protection and implements various
security measures, there is always room for improvement. The platform could consider implementing
456
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
Figure 4: Privat24 online banking security features.
biometric authentication methods, such as fingerprint or facial recognition, to enhance user authentica-
tion [8]. Regular penetration testing and vulnerability assessments can help identify and address any
potential weaknesses in the platform’s security controls [3]. Additionally, Privat24 could expand its
user education efforts to include more interactive and engaging content, such as videos and quizzes, to
reinforce security best practices among its users [9].
5. Conclusions
Protecting personal data on financial websites is a critical concern in today’s digital landscape. As the
reliance on online platforms for financial transactions and services continues to grow, so do the risks
associated with data breaches, unauthorized access, and fraudulent activities. This paper has provided
an analysis of the vulnerabilities threatening personal data on financial websites, the attack methods
exploited by malicious actors, and the strategies that users and organizations can employ to enhance
data protection.
The analysis of common vulnerabilities and attack methods highlighted the importance of address-
ing weaknesses in web application security, such as injection flaws, cross-site scripting, and broken
authentication. It also emphasized the need for users to be vigilant against social engineering tactics,
such as phishing and malware, which can compromise their personal information.
To mitigate these risks, the paper proposed a multi-layered approach to personal data protection
involving both user-oriented and organization-oriented strategies. Users play a critical role in safe-
guarding their own data by adopting strong authentication practices, maintaining device security, and
staying informed about emerging threats. Organizations, on the other hand, must implement robust
technical controls, such as encryption, access management, and regular security testing, while fostering
a culture of security awareness among employees.
The security assessments of OLX.ua and Privat24 provided practical insights into implementing
personal data protection measures on popular financial platforms. While both platforms demonstrated
various security controls and user education efforts, there were still potential areas for improvement,
such as more granular access controls, biometric authentication, and interactive security training.
Future research in this domain could focus on developing more advanced and automated tools for
detecting vulnerabilities in financial web applications, exploring the unique security challenges posed
by emerging technologies, such as blockchain and artificial intelligence, and evaluating the effectiveness
of specific data protection regulations in mitigating risks.
Declaration on Generative AI: During the preparation of this work, the authors used Claude 3 Opus to draft content,
translate text, draft abstracts, and provide formatting assistance. After using this service, the authors reviewed and edited the
457
�Olena H. Fedorenko et al. CEUR Workshop Proceedings 451–458
content as needed and took full responsibility for the publication’s content.
References
[1] A. Rohendi, D. B. Kharisma, Personal data protection in fintech: A case study from Indonesia,
Journal of Infrastructure, Policy and Development 8 (2024). doi:10.24294/jipd.v8i7.4158.
[2] L. Bean, Are you protecting your employee’s data?, Journal of Corporate Accounting and Finance
23 (2012) 13–19. doi:10.1002/jcaf.21778.
[3] C. C. Echefunna, J. Osamor, C. Iwendi, P. Owoh, M. Ashawa, A. Philip, Evaluation of Informa-
tion Security in Web Application Through Penetration Testing Techniques Using OWASP Risk
Methodology, in: 2024 International Conference on Advances in Computing Research on Science
Engineering and Technology, ACROSET 2024, Institute of Electrical and Electronics Engineers
Inc., 2024. doi:10.1109/ACROSET62108.2024.10743903.
[4] Y. Mundada, A. Ramachandran, N. Feamster, SilverLine: preventing data leaks from compromised
web applications, in: Proceedings of the 29th Annual Computer Security Applications Conference,
ACSAC ’13, Association for Computing Machinery, New York, NY, USA, 2013, p. 329–338. doi:10.
1145/2523649.2523663.
[5] D. Elmaleh, Phishing fordidden, Card Technology Today 19 (2007) 12–13. doi:10.1016/
S0965-2590(07)70137-8.
[6] A. S. Choudhury, J. Kwon, A study of the effect of regulations on different types of information
security breaches across different business sectors, in: Pacific Asia Conference on Information
Systems, PACIS 2016 - Proceedings, Pacific Asia Conference on Information Systems, 2016.
[7] E. Velinov, I. Leroy, H. Cetlova, Marketing Process in Information Security Context: Comparison
Between Czech Republic and Belgium, in: S. I. Ashmarina, V. V. Mantulenko (Eds.), Proceedings of
the International Conference Engineering Innovations and Sustainable Development, volume 210
of Lecture Notes in Civil Engineering, Springer International Publishing, Cham, 2022, pp. 567–577.
doi:10.1007/978-3-030-90843-0_64.
[8] A. E. Hafez, M. M. Almustafa, Detecting Security Vulnerabilities in Web Applications: A Proposed
System, International Journal of Safety and Security Engineering 14 (2024) 1933–1940. doi:10.
18280/ijsse.140627.
[9] G. Yasmeen, S. A. Afaq, The Critical Analysis of E-Commerce Web Application Vulnerabilities,
in: M. S. Husain, M. Faisal, H. Sadia, T. Ahmad, S. Shukla (Eds.), Advances in Cyberology and
the Advent of the Next-Gen Information Revolution, IGI Global, 2023, pp. 22–37. doi:10.4018/
978-1-6684-8133-2.ch002.
[10] E. Karafili, D. Sgandurra, E. Lupu, A Logic-Based Reasoner for Discovering Authentication Vulner-
abilities Between Interconnected Accounts, in: A. Saracino, P. Mori (Eds.), Emerging Technologies
for Authorization and Authentication, volume 11263 of Lecture Notes in Computer Science, Springer
International Publishing, Cham, 2018, pp. 73–87. doi:10.1007/978-3-030-04372-8_7.
[11] B. Kiruba, V. Saravanan, T. Vasanth, B. Yogeshwar, OWASP Attack Prevention, in: 3rd In-
ternational Conference on Electronics and Sustainable Communication Systems, ICESC 2022 -
Proceedings, Institute of Electrical and Electronics Engineers Inc., 2022, pp. 1671–1675. doi:10.
1109/ICESC54411.2022.9885691.
[12] L. Amasala, M. Ponnuru, P. Srideviponmalar, Secure Goods Storage and Anti-Theft Approach
using Ethereum Blockchain, Procedia Computer Science 233 (2024) 1–11. doi:10.1016/j.procs.
2024.03.190.
[13] A. Mahalle, J. Yong, X. Tao, Ethics of IT security team for cloud architecture infrastructure in
banking and financial services industry, in: W. Shen, H. Paredes, J. Luo, J. P. Barthes (Eds.),
Proceedings of the 2019 IEEE 23rd International Conference on Computer Supported Cooperative
Work in Design, CSCWD 2019, Institute of Electrical and Electronics Engineers Inc., 2019, pp.
506–511. doi:10.1109/CSCWD.2019.8791928.
458
�