# Simpa Labs — Comprehensive Reference

> Security testing for Nigerian fintech applications.
> Contact: security@simpalabs.com | https://www.simpalabs.com

---

## Company Identity

Simpa Labs is a cybersecurity firm based in Nigeria that provides penetration testing and security reviews exclusively for fintech applications. The company was founded by Akande Simpa, Lead Security Engineer and Cofounder, and operates on an engineering-led model: every tester is a software engineer with offensive security experience who has built payment systems, API platforms, and mobile applications before breaking them.

Simpa Labs does not use automated scanners as the primary testing method. Every finding is manually discovered and validated by an engineer. Reports include severity, proof of exploitability, business impact assessment, and a code-level fix that engineering teams can merge directly.

### Brand Voice

- Direct, confident, engineer-to-engineer
- Technical where it helps, plain where it doesn't
- Tagline: "Fintech security reviews"
- Key phrases: "Tested by engineers, not auditors." / "Findings you can ship, not shelf." / "Scoped to your real attack surface."

### Differentiators

1. **Engineering-led** — Testers are software engineers, not compliance auditors
2. **Zero false positives** — Every finding includes proof of exploitability
3. **Fintech-specific** — Testing methodology is built around payment flows, identity verification, and Nigerian regulatory requirements
4. **Startup-paced** — 5–10 business day engagements, no six-week enterprise scoping periods
5. **Engineering-ready output** — Reports contain merge-ready fixes, not vague remediation advice

---

## Founder

Akande Simpa is the Lead Security Engineer and Cofounder of Simpa Labs. He is a Certified Ethical Hacker (CEH, EC-Council). He built the firm after years of building and breaking fintech applications in the Nigerian market.
His background is engineering first: he has written the payment flows, session management systems, and API authorization layers that he now tests for clients. His testing methodology is shaped by a simple observation: the vulnerabilities that cost Nigerian fintechs real money are rarely the ones that show up in scanner reports. They live in business logic, in the assumptions between services, and in the race conditions that only surface under concurrent load.

Profile: https://www.simpalabs.com/team

---

## Services — Detailed

### Penetration Testing

URL: https://www.simpalabs.com/services/penetration-testing

Manual penetration testing for fintech web and mobile applications, scoped to the high-risk flows that carry the most financial and regulatory exposure.

**What gets tested:**

- Payment flows: transaction initiation, processing, reversals, authorization checks, edge cases around failed payments and partial completions
- Authentication chains: login, registration, password recovery, session upgrade, multi-step identity flows, OTP bypasses, token reuse, session fixation
- API boundaries: authorization checks at every endpoint, object-level access control, rate limiting, internal APIs exposed via client-side code
- Admin and internal tools: customer data access, transaction overrides, account management — typically the least secured and most powerful surfaces

**Engagement process:**

1. Scoping: short call to map product surface, tech stack, known weak points
2. Testing: 5–10 days of manual testing against the application
3. Report: severity, proof, business impact, and engineering-ready fix per finding
4. Retesting: included — we validate that each finding is properly remediated

**Common findings:**

- Account takeover via recovery chain (password recovery → session upgrade → email change)
- Privilege escalation through stale refresh tokens
- PII leakage across export endpoints, application logs, and internal support views

---

### API Security Testing

URL: https://www.simpalabs.com/services/api-security

Testing every layer of API security — not just authentication, but the authorization decisions made on every single request.

**Scope:**

- Object-level authorization (BOLA/IDOR): can user A access user B's transactions by manipulating IDs?
- Function-level authorization: can a regular user call admin endpoints?
- Data exposure: APIs returning more data than the client needs — full account numbers, BVN fragments, PII in error messages
- Rate limiting and abuse: OTP brute-force, credential stuffing, enumeration attacks
- Webhook and callback security: payment confirmation webhook spoofing, unsigned callback payloads
- Integration boundaries: handoffs to payment processors, KYC providers, banking APIs

**Methodology:**

1. API surface mapping — documented and undocumented endpoints, debug endpoints, legacy API versions
2. Authorization matrix testing — every endpoint tested against every role
3. Business logic exploitation — chaining API calls to break business rules (negative transfers, idempotency key replay, concurrent request racing)

**Protocols tested:** REST, GraphQL, gRPC, WebSocket

---

### Authentication & Session Security Reviews

URL: https://www.simpalabs.com/services/authentication-security

Authentication in fintech isn't just the login page. It's a chain of decisions from registration to logout, and attackers exploit the weakest link.
**Review scope:**

- Login and registration: credential validation, account enumeration, brute-force protection
- Password recovery: reset token generation, delivery channel security, token expiration, chaining into session upgrade
- OTP and 2FA: brute-force resistance, code reuse, timing attacks, bypass through alternative flows
- Token lifecycle: JWT signing algorithm enforcement, access token expiration, refresh token rotation
- Session management: concurrent session handling, session fixation, privilege changes during active sessions, logout invalidation
- Permission boundaries: role transitions, privilege escalation, gap between UI permissions and API permissions

**Nigerian fintech context:** BVN-linked identity, mobile-first auth flows, OTP-heavy verification, CBN/NDPC data protection requirements.

---

### Vulnerability Assessment

URL: https://www.simpalabs.com/services/vulnerability-assessment

A ranked, validated map of security weaknesses — what's exploitable, what's theoretical, and what to fix first.
**Coverage:**

- Application-layer vulnerabilities: injection, XSS, CSRF, insecure deserialization, logic flaws
- Configuration and deployment: exposed debug endpoints, permissive CORS, missing security headers, default credentials
- Dependency and supply chain: vulnerable libraries, outdated frameworks, reachable third-party components
- Data handling: how sensitive data is stored, transmitted, logged, and cached — PII in URLs, BVN/card data in logs

**Differentiation from scanner dumps:**

| Dimension | Automated Scanner | Simpa Labs Assessment |
|-----------|-------------------|-----------------------|
| False positive rate | 40–60% typical | Zero — every finding validated |
| Business context | None — generic severity | Impact specific to your product |
| Logic flaws | Not covered | Core focus area |
| Fix guidance | Generic text | Engineering-ready, merge-able fix |
| Fintech context | None | Payment, auth, regulatory awareness |

---

## Industries — Detailed

### Mobile Money Operators

URL: https://www.simpalabs.com/industries/mobile-money

Nigerian mobile money platforms operate at massive scale with USSD flows, agent POS terminals, telecom integrations, and high-frequency wallet operations.

**Testing focus:**

- Agent privilege escalation: can a standard user upgrade to agent status or bypass agent cash-in/cash-out limits?
- Wallet logic and race conditions: concurrent withdrawal requests, transfer manipulation, decimal-rounding exploits
- USSD session hijacking: session timeout enforcement, state management between steps, PIN validation within USSD gateways
- Telco and bank integrations: NIBSS connectivity, telecom biller webhook validation, failed-state handling, reconciliation gaps

**Example finding:** Concurrent withdrawal race condition — firing multiple wallet-to-bank transfers within the same millisecond bypassed the balance-check lock, allowing withdrawal of five times the wallet balance.
---

### Payment Gateways

URL: https://www.simpalabs.com/industries/payment-gateway

**Testing focus:**

- Webhook spoofing and bypass: signature validation, replay protections, payload tampering
- Merchant account isolation: BOLA/IDOR between merchants — viewing other merchants' transactions, modifying webhooks, altering payout accounts
- Settlement manipulation: negative amount injection, currency conversion rounding exploits, delayed-capture bypasses
- Checkout manipulation: parameter tampering, price modification, 3-D Secure/OTP verification bypass

**Example finding:** Webhook signature replay attack — the gateway signed webhooks correctly but lacked replay protection, allowing an attacker to replay one signed $1 webhook 100 times to credit $100 of value.

---

### Digital Banks / Neobanks

URL: https://www.simpalabs.com/industries/digital-banking

**Testing focus:**

- Core Banking System (CBS) integration: transaction state synchronization, timeout handling, ledger discrepancy exploits
- KYC and onboarding bypass: manipulating API responses to bypass BVN checks, spoofing facial verification, upgrading account tiers
- Virtual card provisioning: unlimited card creation, funding check bypass
- Cross-user data leakage: IDOR exposing user balances, names, and transaction histories via peer-to-peer features

**Example finding:** KYC tier upgrade bypass — the API endpoint for confirming a Tier 3 upgrade accepted user-supplied parameters without server-side admin validation, allowing any user to raise their own transaction limits.
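The two authorization questions from the API Security Testing section above (can user A read user B's transaction by changing an ID, and can a regular user call a privileged operation) applied to the tier-upgrade finding just described, as an added example. This is illustrative code written for this reference, not Simpa Labs' or any client's; the SQLite schema, the role names `customer` and `admin`, and the mapping from a KYC result to an account tier are assumptions.

```python
"""Added example: authorization decided on every request.

Object-level (BOLA/IDOR) and function-level checks for two flows the page
describes: reading a transaction by ID, and confirming a KYC tier upgrade.
The SQLite schema, the role names and the KYC-result-to-tier mapping are
assumptions made for this example; this is not Simpa Labs code.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, established by the auth layer, never by the request body."""
    user_id: str
    role: str  # assumed roles: "customer" or "admin"


class Forbidden(Exception):
    pass


# Assumed mapping from a KYC provider's verified outcome to an account tier.
TIER_FOR_KYC_RESULT = {"bvn_verified": 2, "bvn_and_address_verified": 3}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers on tier 1, one transaction each."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT PRIMARY KEY, tier INTEGER NOT NULL)")
    con.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, "
                "owner TEXT NOT NULL, amount INTEGER NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 1)])
    con.executemany("INSERT INTO transactions VALUES (?, ?, ?)",
                    [(1001, "alice", 5000), (1002, "bob", 12000)])
    return con


def tier_of(con, user_id):
    return con.execute("SELECT tier FROM users WHERE id = ?", (user_id,)).fetchone()[0]


# --- Object-level authorization (BOLA/IDOR) -----------------------------------

def get_transaction_vulnerable(con, principal, txn_id):
    """The ID comes from the client and ownership is never checked, so any
    authenticated user can read any transaction by guessing IDs."""
    return con.execute("SELECT id, owner, amount FROM transactions WHERE id = ?",
                       (txn_id,)).fetchone()


def get_transaction(con, principal, txn_id):
    """Fixed: the caller's identity is part of the query, so a foreign ID matches
    nothing. 'Does not exist' and 'not yours' produce the same error, so the
    endpoint cannot be used to enumerate which IDs exist."""
    row = con.execute("SELECT id, owner, amount FROM transactions "
                      "WHERE id = ? AND owner = ?", (txn_id, principal.user_id)).fetchone()
    if row is None:
        raise Forbidden("transaction not found")
    return row


# --- Function-level authorization ----------------------------------------------

def confirm_tier_upgrade_vulnerable(con, principal, target_user, requested_tier):
    """Any caller can set any tier on any account: the caller's role is never
    checked and the new tier is copied straight from the request."""
    con.execute("UPDATE users SET tier = ? WHERE id = ?", (requested_tier, target_user))
    return tier_of(con, target_user)


def confirm_tier_upgrade(con, principal, target_user, kyc_result):
    """Fixed: only an admin may confirm, and the tier is derived server-side from
    the verified KYC outcome instead of being read from the request. The WHERE
    clause also refuses to lower a tier through this endpoint."""
    if principal.role != "admin":
        raise Forbidden("only admins may confirm tier upgrades")
    new_tier = TIER_FOR_KYC_RESULT.get(kyc_result)
    if new_tier is None:
        raise Forbidden("KYC result does not qualify for an upgrade")
    con.execute("UPDATE users SET tier = ? WHERE id = ? AND tier < ?",
                (new_tier, target_user, new_tier))
    return tier_of(con, target_user)
```

The ownership filter inside the query is the whole BOLA fix: there is no separate "is this mine?" branch to forget on the next endpoint. For the tier change, the request carries an identifier for what was verified, never the privilege level itself, and the role check runs before any read or write.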
---

### Lending Platforms

URL: https://www.simpalabs.com/industries/lending-platforms

**Testing focus:**

- Credit scoring bypass: manipulating data sent to the scoring engine — income, alternative data, identity markers
- Disbursement race conditions: firing parallel "accept loan" requests to receive multiple disbursements for one recorded liability
- Repayment manipulation: negative values, replaying Paystack/Flutterwave success webhooks to clear multiple balances
- Customer data and privacy: BOLA/IDOR flaws exposing bank statements, BVNs, next-of-kin data

**Example finding:** Concurrent disbursement exploit — 20 parallel "accept loan" requests yielded 20 bank account disbursements, but only one loan liability was recorded on the platform ledger.

---

### InsurTech

URL: https://www.simpalabs.com/industries/insurance-tech

Nigerian InsurTech platforms face unique security risks in automated claims processing, policy lifecycle management, underwriting engine logic, and agent/broker commission structures.

**Testing focus:**

- Claims processing exploitation: automated approval bypass, claims amount inflation via API manipulation, duplicate claims across linked policies
- Premium and pricing manipulation: client-supplied risk parameter spoofing, coverage amount manipulation, dynamic pricing model exploitation
- Underwriting engine bypass: risk profile spoofing, approval for policies that should be declined, coverage limit manipulation
- Agent and broker commission fraud: self-referral exploitation, commission calculation manipulation, excessive agent permissions over policyholder data

**Example finding:** Automated claims approval bypass — claims under ₦50,000 were auto-approved without manual review. The claim amount was validated on the frontend but not at the API, so an attacker submitted claims of ₦49,999 whose line items totalled ₦200,000+.
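The concurrent-withdrawal finding under Mobile Money Operators and the concurrent-disbursement finding under Lending Platforms are the same bug: the check (enough balance, loan still approved) and the write that depends on it run as two separate statements, so every request that arrives in the window passes the check. The added example below reproduces both with a thread barrier and shows the fix, a single conditional `UPDATE` whose affected-row count is the decision. This is example code written for this reference, not Simpa Labs' or any client's; the in-memory `Table` stands in for the database, and the row shapes and amounts are constructed.

```python
"""Added example: check-then-act races on a wallet debit and a loan disbursement.

An in-memory Table stands in for the database; its update_where method models
the atomicity of one `UPDATE ... WHERE` statement. The barrier reproduces the
interleaving behind the findings: every concurrent request gets past the check
before the first one writes. Not Simpa Labs code; rows and amounts are constructed.
"""
import threading


class Table:
    """Rows keyed by id. The lock gives update_where the all-or-nothing behaviour
    a real database gives a single UPDATE statement."""

    def __init__(self, rows):
        self._rows = {k: dict(v) for k, v in rows.items()}
        self._lock = threading.Lock()

    def get(self, key):
        with self._lock:
            return dict(self._rows[key])

    def put(self, key, row):
        with self._lock:
            self._rows[key] = dict(row)

    def update_where(self, key, predicate, change):
        """`UPDATE t SET ... WHERE id = :key AND <predicate>`, returning whether
        exactly one row was affected."""
        with self._lock:
            row = self._rows[key]
            if not predicate(row):
                return False
            change(row)
            return True


def withdraw_vulnerable(wallets, wallet_id, amount, barrier):
    """Read, check, then write a value computed from the stale read."""
    row = wallets.get(wallet_id)                  # SELECT balance FROM wallets ...
    barrier.wait()                                # every request has read; nobody has written
    if row["balance"] < amount:                   # check against the stale copy
        return False
    wallets.put(wallet_id, {"balance": row["balance"] - amount})  # UPDATE ... SET balance = <computed>
    return True


def withdraw_atomic(wallets, wallet_id, amount, barrier):
    """Check and debit in one statement:
    UPDATE wallets SET balance = balance - :amt WHERE id = :id AND balance >= :amt"""
    barrier.wait()
    return wallets.update_where(
        wallet_id,
        lambda r: r["balance"] >= amount,
        lambda r: r.update(balance=r["balance"] - amount),
    )


def accept_loan_vulnerable(loans, loan_id, disbursements, barrier):
    """Same bug on a state machine: every request sees status == 'approved'."""
    row = loans.get(loan_id)
    barrier.wait()
    if row["status"] != "approved":
        return False
    loans.put(loan_id, {**row, "status": "disbursed"})
    disbursements.append(row["amount"])           # money leaves the bank here
    return True


def accept_loan_atomic(loans, loan_id, disbursements, barrier):
    """UPDATE loans SET status = 'disbursed' WHERE id = :id AND status = 'approved';
    disburse only when that statement reports one affected row."""
    barrier.wait()
    moved = loans.update_where(loan_id,
                               lambda r: r["status"] == "approved",
                               lambda r: r.update(status="disbursed"))
    if moved:
        disbursements.append(loans.get(loan_id)["amount"])
    return moved


def run_concurrent(handler, n):
    """Run handler(barrier) on n threads at once; return how many reported success."""
    barrier = threading.Barrier(n)
    results = [False] * n

    def worker(i):
        results[i] = handler(barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

Pessimistic locking (`SELECT ... FOR UPDATE` inside the transaction that writes), which the checklist below names, is the other standard fix; the conditional `UPDATE` shown here needs no explicit lock and fails closed when the predicate no longer holds. An idempotency key on the request collapses client retries into one transfer record, but it does not replace the conditional write: two distinct requests with different keys race exactly as shown.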
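The webhook replay finding under Payment Gateways and the repayment-webhook replay listed under Lending Platforms both come from treating a valid signature as proof that an event should be processed: the signature proves the processor produced the payload, not that it is being delivered for the first time. The added example below is a receiver that verifies the signature over the raw body, credits each reference once, and checks the paid amount against the checkout it was created for. This is example code written for this reference, not Simpa Labs' code or a processor's SDK; the HMAC-SHA512 hex-over-raw-body scheme follows what Paystack documents for its `x-paystack-signature` header, but confirm the header name and algorithm against your own processor, and the secret, references and event bodies are constructed.

```python
"""Added example: a payment webhook receiver with signature verification,
replay protection and an amount check.

Scheme: HMAC-SHA512 over the raw request body, hex-encoded, sent in a header
(as Paystack documents for x-paystack-signature; check your processor's docs).
Amounts are in kobo. The secret, references and events are constructed; this
is not Simpa Labs code.
"""
import hashlib
import hmac
import json


class WebhookRejected(Exception):
    pass


class PaymentWebhookReceiver:
    def __init__(self, secret: bytes, expected_amounts: dict):
        self._secret = secret
        # What each reference is supposed to pay, recorded when the checkout was
        # created. The webhook says what was paid; it does not decide what was owed.
        self._expected_amounts = dict(expected_amounts)
        # Stands in for a persistent table with a UNIQUE index on the reference.
        self._processed = set()
        self.ledger = {}  # reference -> amount credited

    def _signature_for(self, raw_body: bytes) -> str:
        return hmac.new(self._secret, raw_body, hashlib.sha512).hexdigest()

    def handle(self, raw_body: bytes, signature_header: str) -> str:
        # 1. Authenticate the bytes exactly as received, before parsing them,
        #    with a constant-time comparison.
        expected_sig = self._signature_for(raw_body).encode()
        if not hmac.compare_digest(expected_sig, (signature_header or "").encode()):
            raise WebhookRejected("signature mismatch")

        event = json.loads(raw_body)
        data = event.get("data", {})
        reference = data.get("reference")
        if not reference:
            raise WebhookRejected("no reference")

        # 2. Only the event types this endpoint is built to act on.
        if event.get("event") != "charge.success":
            return "ignored"

        # 3. Replay protection: one credit per reference, however many times the
        #    same signed payload is delivered.
        if reference in self._processed:
            return "duplicate"

        # 4. The amount and currency must match the checkout the reference was
        #    created for, so a tampered or underpaid checkout is not credited in full.
        expected = self._expected_amounts.get(reference)
        if expected is None or data.get("amount") != expected or data.get("currency") != "NGN":
            raise WebhookRejected("amount or currency does not match the checkout")

        self._processed.add(reference)
        self.ledger[reference] = data["amount"]
        return "credited"


def sign_constructed_event(secret: bytes, payload: dict):
    """Build (raw_body, signature) the way a gateway would; used only to
    construct input for the example."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return raw, hmac.new(secret, raw, hashlib.sha512).hexdigest()
```

In production the processed set is a table with a unique index on the reference, and the insert runs in the same transaction as the credit: a `SELECT` followed by a separate `INSERT` leaves the same check-then-act window as the wallet race above, so two copies of the webhook delivered at the same instant would both pass the lookup.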
---

## Developer Resources

### Fintech Security Checklist

URL: https://www.simpalabs.com/guides/fintech-security-checklist

Engineering checklist for Nigerian fintech developers covering:

1. **Authentication & Session Management**: OTP rate limiting, recovery flow rigor, session expiration, concurrent session limits, device fingerprinting
2. **Payment & Transaction Logic**: idempotency keys, decimal precision handling, negative value checks, race condition prevention (pessimistic locking), webhook signature validation
3. **API Authorization (BOLA/IDOR)**: never trust client-supplied IDs, resource ownership checks on every request, UUIDs vs. sequential IDs
4. **Integrations & Third Parties**: default deny on upstream failures, hardcoded (not client-supplied) callback URLs, third-party secret rotation

### OWASP Top 10 for Fintech

URL: https://www.simpalabs.com/guides/owasp-fintech

The OWASP Top 10 translated into specific exploit paths for Nigerian fintech apps:

1. Broken Access Control (BOLA/IDOR) — account ID manipulation, merchant store ID swapping, hidden admin endpoints
2. Cryptographic Failures — plaintext BVNs/NINs, unvalidated NIBSS/Paystack webhooks, base64 "encryption"
3. Injection — NoSQL injection bypassing login, parameter pollution in transfer amounts
4. Insecure Design — email change without re-verification, disbursement before ledger recording
5. Authentication Failures — OTP endpoints without rate limiting, never-expiring JWTs, reusable password reset links

### CBN Compliance & Security

URL: https://www.simpalabs.com/guides/cbn-compliance-security

How security testing satisfies Central Bank of Nigeria requirements:

- Vulnerability assessments: required at least twice annually
- Penetration testing: annual testing by independent third parties
- Data protection (NDPR/NDPC): proving PII cannot be exposed via API flaws
- Secure Software Development Lifecycle (SSDLC): integrating security reviews into sprint cycles

Simpa Labs reports include executive summaries for CBN examiners, methodology documentation, and remediation verification.

### Vulnerability Assessment vs Penetration Testing

URL: https://www.simpalabs.com/guides/vulnerability-assessment-vs-pentest

The definitive comparison for fintech CTOs:

- **Vulnerability Assessment**: Broad, systematic identification of known weaknesses. Uses automated scanning + manual validation. Answers: "What weaknesses exist?"
- **Penetration Testing**: Deep, targeted exploitation by engineers simulating real attacks. Answers: "Can an attacker actually exploit our systems?"
- **Key difference**: A VA finds the door is unlocked; a pentest walks through it, accesses the vault, and documents what was taken
- **CBN requirements**: VAs required twice annually, pentests required annually
- **Recommendation**: Start with a pentest on high-risk flows (payments, auth, APIs), then add regular VAs for baseline monitoring

### PCI DSS Compliance for Nigerian Fintechs

URL: https://www.simpalabs.com/guides/pci-dss-fintech-nigeria

PCI DSS security testing requirements for fintechs processing card payments (requirement numbers follow PCI DSS v4.0):

- **Requirement 11.4**: Annual penetration testing of the Cardholder Data Environment (CDE), from internal and external perspectives
- **Requirement 11.3**: Quarterly external ASV scans and internal vulnerability scans
- **Requirement 6.2**: Secure development practices with code reviews before production
- **CDE Scoping**: Map cardholder data flows, identify connected systems, validate segmentation controls
- **ASV scans vs pentests**: Both are required — ASV scans provide volume coverage, pentests prove exploitability
- A single well-scoped engagement can often satisfy both PCI DSS and CBN requirements

---

## Blog — Security Articles

### Why Nigerian Fintechs Are Prime Targets for Hackers

URL: https://www.simpalabs.com/blog/why-nigerian-fintechs-are-targeted

Data-driven analysis of the 586,130 attacks on Nigerian financial institutions in H1 2024 and the structural reasons fintechs remain exposed: speed-to-market pressure, high-value data, and regulatory gaps.

### 10 Proven Ways to Defend Your Nigerian Business Against Cyber Threats

URL: https://www.simpalabs.com/blog/defend-nigerian-business-cyber-threats

Ten concrete cybersecurity steps for Nigerian businesses organised into people, network, data protection, incident planning, and vendor risk management.
### Fintech API Security: 10 Steps to Protect Your Integrations

URL: https://www.simpalabs.com/blog/fintech-api-security-steps

10-step operational playbook for building a secure fintech API environment, drawn from real attack patterns and compliance mandates.

### How a Simpa Labs Pentest Works for Nigerian Fintechs

URL: https://www.simpalabs.com/blog/how-simpa-labs-pentest-works

End-to-end walkthrough of a Simpa Labs penetration test: scoping, testing approach, components tested, deliverables, and retest cycle.

### Is My Fintech Secure? A 10-Point Security Checklist

URL: https://www.simpalabs.com/blog/fintech-security-checklist-10-point

Structured self-assessment covering auth controls, API vulnerabilities, encryption, fraud detection, certifications, and deposit insurance.

### Do Nigerian Fintechs Need a Security Audit Before Launch?

URL: https://www.simpalabs.com/blog/security-audit-before-launch

Category-specific breakdown of which security audits CBN, NDPC, and SEC require for Nigerian fintechs, with costs and timelines.

### How to Secure Your Fintech API Against Abuse in Nigeria

URL: https://www.simpalabs.com/blog/secure-fintech-api-nigeria

Prioritised playbook for Nigerian fintech API security covering SIM swap defences, BOLA fixes, rate limiting, and CBN Open Banking mandates.

### Penetration Testing in Nigeria: The Complete Guide

URL: https://www.simpalabs.com/blog/penetration-testing-nigeria-guide

Comprehensive guide covering pentest types, regulatory drivers, realistic costs ($4K–$150K+ range), timelines, and how to vet a qualified provider.

### Top Security Vulnerabilities Facing Nigerian Companies

URL: https://www.simpalabs.com/blog/top-vulnerabilities-nigerian-companies

Breakdown of unpatched systems, weak identity controls, cloud misconfigurations, phishing (up 178%), and insider risk (up 92%) driving Nigerian breaches.
### Nigeria Data Protection Explained: A Guide for Business Owners

URL: https://www.simpalabs.com/blog/nigeria-data-protection-guide

Plain-language guide to the NDPA 2023 covering obligations, data subject rights, DPO requirements, penalty structure, and a compliance checklist.

### The Most Dangerous API Vulnerability in Payment Platforms

URL: https://www.simpalabs.com/blog/bola-api-vulnerability-payment

Deep technical breakdown of Broken Object Level Authorization (BOLA) in payment APIs, with T-Mobile, Stripe, and Coinbase case studies and a mitigation checklist.

### Would Hackers Really Attack My Fintech?

URL: https://www.simpalabs.com/blog/would-hackers-attack-my-fintech

Data-driven analysis of why fintechs at every stage are targets: nine signals that make you visible, real breach costs ($120K–$1.24M), and immediate steps to reduce exposure.

### Is Simpa Labs Right for Nigerian Payment Startups?

URL: https://www.simpalabs.com/blog/simpa-labs-payment-startups

Evaluation framework for Nigerian payment startups assessing Simpa Labs' grey-box methodology, scope, deliverables, compliance alignment, and questions to ask before committing.

### How to Protect Your Nigerian Business from Hackers & Data Breaches

URL: https://www.simpalabs.com/blog/protect-business-hackers-breaches

Prioritised guide covering MFA, endpoint protection, email security, staff training, backups, NDPA compliance, and incident response. Cites 119,000 breaches in Q1 2025.

### Fintech Security Audit Timing: A Practical Playbook

URL: https://www.simpalabs.com/blog/fintech-security-audit-timing

Framework for timing SOC 2, PCI DSS, and penetration tests by maturity stage (startup → growth → scale), with regulatory deadlines and risk-based triggers.
### NDPR Data Privacy Checklist for Nigerian Fintechs

URL: https://www.simpalabs.com/blog/ndpr-privacy-checklist-fintechs

Complete NDPR/NDPA compliance checklist: data mapping, DPO appointment, consent management, DPIAs, 72-hour breach notification, cross-border transfers, and audit preparation.

---

## Engagement Model

1. **Intake**: Short call to map product surface, release cadence, and known weak points
2. **Assessment**: Testing targets high-risk flows — authentication, payments, onboarding, admin operations, and integration boundaries
3. **Report**: Every finding includes severity, proof, business impact, and a fix mergeable this sprint
4. **Retesting**: Included — we validate remediations and update the report

**Typical timeline:** 5–10 business days from kickoff to report delivery.

**For startups:** Scoped engagements designed for early-stage budgets. Reports are structured to clear technical due diligence for VC rounds. Direct Slack channel access to the testing engineers during the engagement.

---

## Nigerian Fintech Regulatory Context

Simpa Labs operates within the Nigerian financial technology regulatory landscape:

- **CBN (Central Bank of Nigeria)**: Requires periodic vulnerability assessments and annual penetration testing for PSSPs, MMOs, and Microfinance Banks
- **NDPC (Nigeria Data Protection Commission)**: Enforces data protection requirements under the Nigeria Data Protection Act
- **NDPR (Nigeria Data Protection Regulation)**: Predecessor regulation; still referenced in many compliance frameworks
- **FCCPC (Federal Competition and Consumer Protection Commission)**: Increasing scrutiny on digital lenders
- **PCI DSS**: Applicable to payment gateways and card processing platforms

---

## Contact

- **Email**: security@simpalabs.com
- **Website**: https://www.simpalabs.com
- **Engagement request**: Email security@simpalabs.com with subject "Quick Security Check", including your company name, product surface (web/mobile/API), and what you want reviewed.