Given their rapid spread and growth, this question urgently needs answering. As part of its ongoing CFI Fellows Program, CFI asked Patrick Traynor, professor in the University of Florida’s Department of Computer & Information Science & Engineering (CISE), to find out.
Traynor and his team of computer science researchers assessed the security of online fintech applications using a combination of automated and manual analysis techniques that are standard and widely available in the computer science toolkit. They examined the apps and websites of 52 fintech providers, mainly digital lenders, from around the world to see how they handle user data. After the technical analysis, Traynor’s team also reviewed the privacy policy of each provider to see whether it described how users’ data would be used and protected, and what recourse users have in case of misuse. Read the full report.
These tests allowed for a rapid assessment of the state of communications security between users’ mobile devices and each institution’s backend servers. The tests determined whether the mobile application properly verified the identity of the other end of the connection (that is, whether it validated the server’s certificate and hostname rather than accepting any certificate), and whether the institutions’ backend servers were configured to resist the most up-to-date attacks against the SSL/TLS protocol suite. A thorough analysis of the apps’ public code included, among other things, a review of the registration and login flow, user authentication, money transfers, and the techniques used to isolate the website’s or application’s data from other (potentially malicious) applications on the phone. Through this analysis, the researchers were able to determine how easily an adversary could inject false transactions or alter legitimate transactions on the platform.
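The last point above, whether an adversary can inject or alter transactions, comes down to whether the backend can tell a genuine transfer request from a forged or modified one, independently of the transport. The following is an added example, not code from the study or from any of the providers reviewed: a hypothetical backend check in which each enrolled device signs its transfer requests with a per-device HMAC key over a canonical encoding of the request, a nonce and a timestamp, and the server rejects requests that are tampered with, replayed, stale, or signed with the wrong key. The device identifier, key, request fields and timestamps are all constructed for the example.

```python
"""Integrity check for signed money-transfer requests (hypothetical scheme, added example)."""
import hashlib
import hmac
import json

# Constructed per-device keys. A real backend would look these up from the
# device enrollment record; the value here is fixed so the demo is reproducible.
DEVICE_KEYS = {"device-7a1f": bytes.fromhex("11" * 32)}

# Constructed "current time" (seconds since epoch) so the stale-request case is deterministic.
NOW = 1_700_000_000


def canonical(body: dict) -> bytes:
    """Canonical JSON so client and server sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, device_id: str, body: dict, nonce: str, ts: int) -> str:
    """HMAC-SHA256 over device id, canonical body, nonce and timestamp."""
    msg = b"|".join([device_id.encode(), canonical(body), nonce.encode(), str(ts).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TransferVerifier:
    """Server-side verifier: rejects forged, tampered, replayed and stale requests."""

    def __init__(self, keys: dict, window: int = 300):
        self.keys = keys
        self.window = window          # max clock skew accepted, in seconds
        self.seen_nonces = set()      # nonces already accepted; can be pruned past the window

    def verify(self, device_id: str, body: dict, nonce: str, ts: int, sig: str, now: int):
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(key, device_id, body, nonce, ts)
        # Constant-time comparison so the signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"


def run_demo() -> dict:
    """Exercise the verifier with one legitimate request and four attacks."""
    verifier = TransferVerifier(DEVICE_KEYS)
    dev = "device-7a1f"
    key = DEVICE_KEYS[dev]
    results = {}

    # 1. Legitimate transfer signed by the enrolled device.
    body = {"from": "acct-100", "to": "acct-200", "amount": "25.00", "currency": "KES"}
    sig = sign_request(key, dev, body, "n1", NOW)
    results["legitimate"] = verifier.verify(dev, body, "n1", NOW, sig, NOW)

    # 2. Replay: the same captured request submitted a second time.
    results["replay"] = verifier.verify(dev, body, "n1", NOW, sig, NOW)

    # 3. Tampering: a second genuine request whose amount is altered in transit.
    sig2 = sign_request(key, dev, body, "n2", NOW)
    altered = dict(body, amount="2500.00")
    results["tampered_amount"] = verifier.verify(dev, altered, "n2", NOW, sig2, NOW)

    # 4. Injection: an attacker without the device key signs with a guessed key.
    forged = sign_request(b"\x00" * 32, dev, body, "n3", NOW)
    results["forged_no_key"] = verifier.verify(dev, body, "n3", NOW, forged, NOW)

    # 5. Stale: a correctly signed request presented long after it was created.
    old_ts = NOW - 3600
    sig_old = sign_request(key, dev, body, "n4", old_ts)
    results["stale"] = verifier.verify(dev, body, "n4", old_ts, sig_old, NOW)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:16s} accepted={ok} reason={reason}")
```

The checks are ordered so that the cheapest rejections (unknown device, stale timestamp, replayed nonce) happen before the HMAC is computed; the nonce set only needs to retain entries for the length of the timestamp window. This kind of application-layer signature complements, and does not replace, a properly validated TLS connection.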
The results of the study were surprising. No company studied was perfect, some were good enough, and some had real vulnerabilities. The researchers found that the integrity of data gathered from mobile money applications varied dramatically across the sample. Interestingly, neither presence in a developed market nor company maturity predicted better security performance: similar vulnerabilities were found in early-stage startups and in more established providers, and in institutions from every world region in the sample. No company is immune from security gaps, and mobile fintechs are no exception.
In an effort to motivate and enable companies to address these vulnerabilities, CFI sent individual results to each of the companies reviewed in the study. Additionally, Traynor prepared a short guidebook with instructions on how to correct the security vulnerabilities most commonly uncovered by the study. The recommended changes provide significant security improvements for a low investment of time and money.
Through Accion’s Venture Lab, we organized a private webinar with Traynor for six companies in the sample. He walked participants through the tests and answered questions on how to implement his recommended changes. We recognize and commend these companies for their dedication to addressing the issues this study found in their systems, and encourage other companies in the study to do the same by reaching out to us directly. Our aim at CFI is to motivate better data security practices, and we are available to support any company taking action on this matter.
Accion Venture Lab is also working to create and share resources for its portfolio companies and the broader industry. Focused on developing a set of practical resources to help early-stage fintech startups implement better information security and data privacy, its approach is to draw on insights from industry experts and portfolio companies to create actionable and accessible content. The tools it is building include:
- Diagnostic: checks and tests that companies can use to identify major gaps in security and privacy
- FAQ: resources to answer the most salient questions from companies about data protection
- Data policy outline: key components of a quality data policy for financial services companies
- Implementation guide: best practices to implement changes to data practices
Additionally, Venture Lab is working on relevant questions for due diligence. The goal is not to screen out a company based on these, but rather to identify areas where Venture Lab can help develop more robust policies and practices.
At both CFI and Venture Lab, we believe that securing the integrity of client data gathered through mobile applications is important. Companies don’t always dedicate the time and resources needed to understand their vulnerabilities, and incidents in which data is compromised will damage the credibility and limit the reach of digital apps. By measuring the state of security in this space and providing targeted resources for digital fintechs, we can enable responsible digital financial services and greater financial inclusion.