Financial Services Firm Prevents Million-Dollar Fraud with Penetration Testing

About the Client

Our client was a regional credit union serving roughly 350,000 members across multiple U.S. states. They had recently launched an updated online and mobile banking platform to improve member experience and support digital growth. The platform integrated with legacy core banking services, external payment gateways, and third-party identity providers. Executive leadership engaged Zymr to conduct a comprehensive penetration test and social engineering assessment before a planned public launch, aiming to validate the controls required by their major enterprise partners.

This engagement was mission-critical: the credit union needed assurance that the new digital channel would not introduce exploitable paths to funds, member data, or core banking systems—any of which could lead to severe financial loss and regulatory consequences.

Key Outcomes

  • Quarterly access reviews and automated token rotation became standard operating procedures.
  • Security became a regular agenda item at executive and board meetings, and employees adopted new escalation behaviors.

Business Challenges

The environment presented multiple, compounding risks that increased the potential impact of any breach.

  • Complex hybrid architecture. The new front-end microservices and mobile APIs sat atop an older core banking stack. Trust boundaries were unclear, and several integrations relied on long-lived service credentials.
  • Authentication and session weaknesses. The application used bearer tokens with predictable renewal behavior and lacked adaptive throttling or device fingerprinting, enabling brute-force and session replay vectors.
  • Network segmentation gaps. DMZ servers hosting web and API gateways had overly permissive routes into internal networks. Administrative interfaces were reachable from networks that should have been isolated.
  • Human-factor exposure. Employees and branch staff had not been subjected to live social-engineering tests; informal onboarding left many staff unfamiliar with incident escalation procedures.
  • Regulatory & business risks. A successful compromise could have led to immediate monetary losses, mandatory breach disclosures, contract failures with partners, and loss of member trust—all unacceptable ahead of launch.

These overlapping technical and human weaknesses created a high-impact attack surface. The credit union needed rapid, prioritized findings and pragmatic remediations that would close high-risk paths without delaying operations.

Business Impacts / Key Results Achieved

Zymr’s penetration testing and remediation work prevented a high-probability, high-impact fraud scenario and enabled the credit union to proceed with its digital banking launch securely. The client preserved member trust, satisfied enterprise partner security requirements, and improved its security posture from reactive to proactive.

In short, the engagement turned a costly liability into a competitive strength: secure digital services, demonstrable audit evidence, and an operational security program that supports growth rather than impeding it.

The engagement delivered immediate and measurable risk reduction and operational benefits.

  • Authentication & token risk mitigated. MFA and token rotation eliminated the proven session-reuse exploit path.
  • Microsegmentation blocked lateral movement. Tests showed an attacker could no longer traverse from the DMZ into core services.
  • Human risk reduced. Follow-up phishing simulations showed click rates dropping from ~70% to under 18% within three months.
  • Detections & response improved. The SIEM detected anomalous transaction patterns and triggered IR playbooks; mean time to detect (MTTD) for suspicious sessions dropped from days to under one hour.
  • Operational proof. Within six months of remediation, the credit union’s defenses blocked three separate attempted intrusions that matched the earlier test patterns—attempts that would have succeeded under the pre-remediation configuration.

The combination of targeted technical fixes, telemetry, and people-centric controls converted a high-risk launch scenario into a validated, defended production posture.

Strategy and Solutions

Zymr executed a blended engagement, combining external black-box testing, internal white-box testing, and controlled social-engineering exercises, followed by prioritized remediation and validation.

1. Recon & exploitation (external)

  • Performed automated reconnaissance and manual probing of public endpoints.
  • Discovered an authentication flaw where session tokens were not invalidated after privilege elevation and could be replayed from another IP when combined with a predictable token-refresh vector.
  • Demonstrated an exploit path: credential stuffing → session token capture (via exposed token storage in a staging S3 bucket) → session reuse to perform account actions.
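The authentication flaw above comes down to two session-management properties: the token was not rotated when the session gained privilege, and its validity was never tied to the client that obtained it. The following is an added example, not code from the credit union's platform or from Zymr, that places a store with those two defects beside a hardened one. The class names, the `client_fp` binding value (a hash of client attributes the gateway would compute) and the 15-minute lifetime are assumptions chosen for illustration.

```python
"""Session token handling: a store with the flaw described above beside a
hardened store. Added example; all names and data here are constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    user: str
    role: str
    client_fp: str  # client binding (assumed: hash of client attributes)
    issued_at: float = field(default_factory=time.time)


class VulnerableSessionStore:
    """Keeps the same token across step-up and never checks the client."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_fp):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, "member", client_fp)
        return token

    def elevate(self, token, client_fp):
        self._sessions[token].role = "admin"  # same token, more privilege
        return token

    def authorize(self, token, client_fp):
        s = self._sessions.get(token)
        return s.role if s else None  # client_fp ignored: replay works


class HardenedSessionStore:
    """Rotates the token on privilege change and binds it to its client."""

    def __init__(self, max_age=900):
        self._sessions = {}
        self.max_age = max_age  # seconds; assumed lifetime

    def login(self, user, client_fp):
        return self._issue(user, "member", client_fp)

    def _issue(self, user, role, client_fp):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, role, client_fp)
        return token

    def elevate(self, token, client_fp):
        s = self._check(token, client_fp)
        if s is None:
            return None
        del self._sessions[token]  # old token is dead from here on
        return self._issue(s.user, "admin", client_fp)

    def authorize(self, token, client_fp):
        s = self._check(token, client_fp)
        return s.role if s else None

    def _check(self, token, client_fp):
        s = self._sessions.get(token)
        if s is None:
            return None
        if time.time() - s.issued_at > self.max_age:
            del self._sessions[token]
            return None
        if not hmac.compare_digest(s.client_fp, client_fp):
            del self._sessions[token]  # binding mismatch: revoke, do not serve
            return None
        return s


def demo():
    """Run one replay scenario against both stores and return what each allows."""
    results = {}
    for name, store in (("vulnerable", VulnerableSessionStore()),
                        ("hardened", HardenedSessionStore())):
        t0 = store.login("alice", "fp-home-device")
        t1 = store.elevate(t0, "fp-home-device")
        results[name] = {
            "old_token_after_elevation": store.authorize(t0, "fp-home-device"),
            "new_token_same_client": store.authorize(t1, "fp-home-device"),
            "new_token_from_other_client": store.authorize(t1, "fp-other-device"),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

In the hardened store the pre-elevation token stops working the moment the role changes, and presenting the elevated token from a different client both fails and revokes it, which is also the event a SIEM rule would want to see logged.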

2. Internal lateral-movement testing

  • With staging access, Zymr simulated a compromised DMZ host and executed pivot techniques to test lateral movement.
  • Identified several administrative accounts reused across tiers and unsegmented management interfaces that allowed access escalation to internal services.
  • Found two internal servers missing recent patches that would have enabled privilege escalation using known public exploits.

3. Social engineering assessment

  • Conducted vishing and phishing simulations across corporate staff and branch employees.
  • Results showed high susceptibility: ~70% clicked simulated phishing links and ~25% disclosed sensitive information under pretexted phone calls. (Controlled, ethically run; no real credentials were harvested.)
  • Documented common behavioral patterns and key organizational blind spots.

4. Remediation roadmap & implementation

Zymr delivered a prioritized remediation plan focused on immediate risk reduction and medium-term resilience:

  • MFA & adaptive auth: Enforced MFA for all member-facing and administrative logins and integrated device- and risk-based adaptive checks for high-value transactions.
  • Token hygiene: Rotated and revoked all long-lived tokens, replaced static credentials with ephemeral IAM roles, and moved secrets to a managed vault with automated rotation.
  • Microsegmentation: Implemented network microsegmentation using identity-aware firewalls to block lateral movement from DMZ to internal clusters.
  • Patch & config management: Automated patching for critical servers and enforced host hardening baselines.
  • Security telemetry & IR: Consolidated logs into a SIEM, added detection rules for session anomalies and unusual transaction patterns, and updated the incident response plan with runbooks.
  • Human controls: Rolled out role-specific phishing simulations and a mandatory security training program tied to performance reviews.
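The telemetry item above mentions detection rules for session anomalies and unusual transaction patterns without showing one. The following is an added example, not the client's SIEM content or Zymr's rule set, of two such rules run over constructed gateway log lines: a session token observed from a second source IP within a short window, and a burst of large transfers from one session. The field names, thresholds and windows are assumptions.

```python
"""Two session-anomaly detections over constructed JSON log lines.
Added example; field names, thresholds and sample data are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as an API gateway might emit them.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","session":"s-111","user":"u-42","src_ip":"203.0.113.10","action":"login","amount":0}
{"ts":"2024-05-01T10:00:30Z","session":"s-111","user":"u-42","src_ip":"203.0.113.10","action":"view_balance","amount":0}
{"ts":"2024-05-01T10:02:00Z","session":"s-111","user":"u-42","src_ip":"198.51.100.7","action":"transfer","amount":4900}
{"ts":"2024-05-01T10:02:20Z","session":"s-111","user":"u-42","src_ip":"198.51.100.7","action":"transfer","amount":4950}
{"ts":"2024-05-01T10:02:40Z","session":"s-111","user":"u-42","src_ip":"198.51.100.7","action":"transfer","amount":4800}
{"ts":"2024-05-01T10:05:00Z","session":"s-222","user":"u-77","src_ip":"192.0.2.5","action":"login","amount":0}
{"ts":"2024-05-01T10:06:00Z","session":"s-222","user":"u-77","src_ip":"192.0.2.5","action":"transfer","amount":120}
"""

# Assumed tuning values; a real deployment derives these from baselines.
IP_CHANGE_WINDOW = timedelta(minutes=10)
TRANSFER_WINDOW = timedelta(minutes=5)
TRANSFER_COUNT = 3
TRANSFER_AMOUNT = 1000


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_anomalies(events):
    """Return one alert dict per (session, rule) that fires."""
    alerts = []
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    for sid, evs in by_session.items():
        # Rule 1: same session token seen from a new source IP within the window.
        last_ip, last_ts = None, None
        for e in evs:
            if (last_ip is not None and e["src_ip"] != last_ip
                    and e["ts"] - last_ts <= IP_CHANGE_WINDOW):
                alerts.append({"rule": "session_ip_change", "session": sid,
                               "user": e["user"], "from": last_ip,
                               "to": e["src_ip"], "ts": e["ts"].isoformat()})
                break  # one alert per session is enough for triage
            last_ip, last_ts = e["src_ip"], e["ts"]

        # Rule 2: TRANSFER_COUNT or more large transfers inside TRANSFER_WINDOW.
        big = [e for e in evs
               if e["action"] == "transfer" and e["amount"] >= TRANSFER_AMOUNT]
        for i, first in enumerate(big):
            window = [t for t in big[i:] if t["ts"] - first["ts"] <= TRANSFER_WINDOW]
            if len(window) >= TRANSFER_COUNT:
                alerts.append({"rule": "transfer_burst", "session": sid,
                               "user": first["user"], "count": len(window),
                               "total": sum(t["amount"] for t in window),
                               "ts": first["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_session_anomalies(parse_events(SAMPLE_LOG)):
        print(a)
```

On the sample data session `s-111` fires both rules (IP change after login, then three large transfers inside 40 seconds) while `s-222` stays quiet; the two alerts are exactly the signal that the validation phase later tunes against false positives.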

5. Validation & hardening

After remediation, Zymr re-ran exploitation and social tests to validate fixes. Real-time monitoring was tuned to reduce false positives and capture the specific attack patterns observed during the assessment.

The combined testing and remediation approach closed high-impact attack vectors first—authentication, token management, and segmentation—while building sustainable operational controls (patching, telemetry, training) to reduce recurrence.
