TORCH: Information Security Intro
Are loan platforms prepared to repel a hacker attack? Introducing new TORCH criteria
TORCH reports will soon include a new section, focusing on the measures taken by each platform to protect itself – and investors – against hackers and digital fraudsters. These sections will be written in cooperation with InfoSec expert Victor-Alexandru Truică, who has been doing his own research into loan platforms. You are invited to read his posts on the subject.
Information security is a huge topic, with countless potential risks and countless possible defensive measures. It’s also a sensitive subject, which platforms hesitate to discuss with outsiders. Therefore, we have assembled a short list of criteria that can be legally tested independently. This post will familiarise you with the risks – and the new TORCH criteria.
Like every other topic covered in TORCH reports, my first requirement is transparency. Platforms are expected to inform users of risks related to information security, and provide a basic overview of the measures taken to mitigate those risks. This can be done in the FAQ or a dedicated risk statement.
Every time you access a loan platform, especially from a public WiFi network, a hacker may intercept the data transferred between your device and the platform's servers to steal your password, bank details and other sensitive information.
To prevent this, the communication between the platform and its users needs to be encrypted using a protocol called TLS (formerly SSL). Your web browser usually indicates TLS with a padlock icon next to the website address.
In addition to checking that TLS is in use, we also check the validity of the encryption certificate and other indicators of encryption strength. We use the SSL Labs website, which provides a simple safety score. Scores A+ and A pass the test. A- passes with remarks. Anything below that fails the test.
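For readers who want to see what such a check looks like in practice, here is an added example (not TORCH's tooling and not what SSL Labs runs) that opens a verified TLS connection to a hostname and reports the negotiated protocol version, cipher and certificate expiry. The thresholds are assumptions chosen for illustration: TLS 1.2 is treated as the oldest acceptable version, and a certificate expiring within 30 days earns a remark.

```python
"""Minimal TLS check for a platform hostname (added example, not TORCH's own tooling).

Assumptions: TLS 1.2 is the minimum acceptable version and certificates expiring
within 30 days deserve a remark. Both thresholds are illustrative, not SSL Labs' grading.
"""
import socket
import ssl
import time

ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: TLS 1.2 minimum
EXPIRY_WARNING_DAYS = 30                       # assumption: warn inside this window


def assess_tls(protocol, not_after, now=None):
    """Judge a negotiated protocol version and a certificate expiry string.

    `not_after` uses the format returned by SSLSocket.getpeercert(),
    e.g. 'Jun  1 12:00:00 2030 GMT'. `now` is a Unix timestamp (default: current time).
    """
    now = time.time() if now is None else now
    expires_at = ssl.cert_time_to_seconds(not_after)
    days_left = int((expires_at - now) // 86400)
    findings = []
    if protocol not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"outdated protocol {protocol}")
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return {
        "protocol": protocol,
        "days_until_expiry": days_left,
        "findings": findings,
        "ok": not findings,
    }


def probe(hostname, port=443, timeout=5.0):
    """Open a verified TLS connection and assess what was negotiated.

    create_default_context() validates the chain against the system trust store and
    checks the hostname, so an invalid or mismatched certificate raises
    SSLCertVerificationError; that is reported as a failing finding instead of a crash.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                result = assess_tls(tls.version(), cert["notAfter"])
                result["cipher"] = tls.cipher()[0]
                return result
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "findings": [f"certificate verification failed: {exc.reason}"]}


if __name__ == "__main__":
    import sys
    # Usage: python tls_check.py platform.example
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against a hostname to get a dictionary of findings; an empty `findings` list means the certificate verified, the protocol is current and the expiry date is comfortably in the future. This is a far narrower check than SSL Labs performs (it does not assess cipher suites, key sizes or known protocol weaknesses), which is why the report relies on the SSL Labs score rather than a script like this.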
The best way of preventing hackers from logging into user accounts, even if they somehow manage to get the passwords, is to add a second authentication method: a temporary code sent to the user’s phone or authentication app. We believe that this feature needs to be offered on every loan platform.
Be aware: 2FA does not protect you in case a hacker physically steals your device, unless the device itself is locked. To regain access to your account in case you lose your device, make sure you have a backup code, or install the authenticator app on more than one device (for example, Authy is a trusted app which can be installed on your phone and computer browser).
If a user account is hacked, the hacker is most likely to try and withdraw money into their own bank account. To prevent this, the platform must either send a verification code to the user for each withdrawal request, or only allow withdrawals to the user’s own bank account.
We check if either of these solutions is implemented, and may also contact the platform to understand exactly how they make sure that the bank account actually belongs to the user.
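The second authentication method described above and the withdrawal rule described here share one building block: a temporary code the platform can verify. As an added example (not the code of any loan platform), the block below implements the standard time-based one-time password algorithm (RFC 6238 TOTP, which authenticator apps use) and then applies the withdrawal rule from the text: a transfer to an account already verified as the user's own needs no extra step, while any other destination requires a fresh code. Assumptions: 6-digit SHA-1 codes, a 30-second step, one step of clock tolerance, and a user's verified IBANs stored as a simple set.

```python
"""TOTP codes and a withdrawal authorisation rule (added example, not a platform's code).

Assumptions: 6-digit SHA-1 codes, 30-second step, one step of clock drift tolerated,
and the user's verified IBANs kept as a set of normalised strings.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # assumption: standard 30 s TOTP step
DIGITS = 6          # assumption: 6-digit codes
WINDOW = 1          # assumption: accept one step of clock drift either way


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify_totp(key, code, at=None, step=STEP_SECONDS, digits=DIGITS, window=WINDOW):
    """Accept a code for the current step or up to `window` steps either side.

    Each candidate is compared with hmac.compare_digest so timing does not leak
    how many leading digits matched.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(key, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def new_secret():
    """Random 160-bit secret, base32-encoded in the form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def authorize_withdrawal(verified_ibans, totp_key, destination_iban, code=None, at=None):
    """Withdrawal rule from the text: a verified account needs no extra step; any
    other destination requires a valid one-time code. Returns (allowed, reason)."""
    dest = destination_iban.replace(" ", "").upper()
    if dest in verified_ibans:
        return True, "destination is a verified account"
    if code is not None and verify_totp(totp_key, code, at=at):
        return True, "new destination confirmed with one-time code"
    return False, "unverified destination and no valid one-time code"
```

The `hotp` and `totp` functions reproduce the test vectors published in RFC 4226 and RFC 6238 (secret `12345678901234567890`, time 59 seconds gives `287082`), which is the quickest way to confirm an implementation is compatible with real authenticator apps. In `authorize_withdrawal`, a platform that only ever allows the first branch (verified accounts) satisfies the report's criterion on its own; the second branch is the per-withdrawal verification code alternative.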
Phishing and client-side interference
Fraudsters may trick investors to reveal sensitive info or to deposit money into the wrong bank account. Generally speaking, this can happen in two ways:
- “Phishing”: The fraudster creates a copycat version of the loan platform, or sends an email that looks like it’s from a loan platform, and asks investors for their personal details, bank info, username or password.
- A script that runs on the user’s computer and alters the appearance of the actual loan platform. This is less common, but still dangerous. For example, the hacker might show users his own IBAN instead of the platform’s IBAN on the platform’s Deposit screen.
These risks are not tested in TORCH reports, as they are beyond the control of loan platforms. We would still like to see platforms inform users about these risks, but until then, we are here to inform you.
- When you access a platform through a link or online search, check the URL at the top of the browser to make sure you're on the real website and not a copycat.
- When receiving email correspondence, check the sender's address and the return address. If you notice a strange addition to the address, or if you are asked a suspicious question like "Please write your password in the response", ignore the email and send a separate message to the official support address to clarify the situation.
- Finally, we recommend that you avoid the temptation of using scripts, bots or extensions that interfere with or intercept your communication with loan platforms. Even if you trust the creator of the script, their code might give hackers a potential entry point.
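The first two checks in the list above can also be automated, for instance in a mail filter or a browser helper. The following is an added example (not TORCH's tooling) that inspects a link and an email the way the advice describes: is the host really the platform's domain over HTTPS, does the sender's address belong to the platform, does the return address (`Reply-To`) point somewhere else, and does the message mention a password. The platform domain `platform.example` is a placeholder assumption, and the password check is a crude keyword heuristic.

```python
"""Link and email sanity checks against phishing (added example, not TORCH's tooling).

Assumptions: the platform's real domain is the placeholder 'platform.example'; only
single-part plain-text messages are inspected; a mention of 'password' in the body is
a heuristic warning, not proof of phishing.
"""
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"platform.example"}  # placeholder for the real platform domain


def _domain_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return findings for a link; an empty list means an HTTPS link to the platform."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append(f"not HTTPS: scheme is {parts.scheme or 'missing'}")
    if parts.username is not None:
        # 'https://platform.example@evil.example/' actually lands on evil.example
        findings.append(f"URL contains credentials before '@'; real host is {host!r}")
    if not _domain_trusted(host, trusted):
        findings.append(f"host {host!r} is not the platform domain")
    if any(label.startswith("xn--") or not label.isascii() for label in host.split(".")):
        findings.append("internationalised host name; possible look-alike characters")
    return findings


def check_email(raw_message, trusted=TRUSTED_DOMAINS):
    """Return findings for a raw email: sender domain, Reply-To mismatch, password request."""
    msg = message_from_string(raw_message)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    if not _domain_trusted(from_domain, trusted):
        findings.append(f"From address {from_addr!r} is not on the platform domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_domain = reply_to.rpartition("@")[2]
        if reply_domain.lower() != from_domain.lower():
            findings.append(f"Reply-To {reply_to!r} goes to a different domain than From")
    # assumption: single-part messages only; multipart bodies are skipped here
    body = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    if "password" in (body or b"").decode("utf-8", "replace").lower():
        findings.append("message mentions your password; genuine support never asks for it")
    return findings


# Constructed sample messages for demonstration
GOOD_MAIL = (
    "From: Support <support@platform.example>\n"
    "Subject: Monthly statement\n\n"
    "Your statement for last month is available in your account.\n"
)
SUSPICIOUS_MAIL = (
    "From: Support <support@platform.example>\n"
    "Reply-To: help@platform-example.co\n"
    "Subject: Action required\n\n"
    "Please write your password in the response.\n"
)
```

Note that the sender check alone is not conclusive: a `From` header can be forged, which is exactly why the advice above tells you to reply through the official support address rather than to the message itself, and why the `Reply-To` comparison is the more telling of the two header checks.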
External security assessments
So far we’ve discussed client-side vulnerabilities, which can be mitigated by simple security measures and user awareness. But there are two other major risk categories:
- Direct attacks on the platform’s servers, which may allow a hacker to interfere in monetary transactions, steal sensitive info, take down the servers or cause other types of damage.
- Man-in-the-middle attacks, where a hacker intercepts the communication between the loan platform and its users. Again, this may allow a hacker to gather sensitive data, or show users a wrong IBAN on the Deposit screen.
While we are sure that loan platforms are aware of these risks, we also believe that their security measures and protocols must be tested by external experts, who can verify that those measures work and detect potential weaknesses.
To pass the test, the platform must conduct security audits using an independent and objective third party, and officially share the results / security certificates. If they claim to conduct such audits but can’t display proof, they pass with remarks.
Listing data processors and 3rd party vendors
Websites often outsource part of their technology-related tasks to third parties, from server farms to specialised services. A good example is veriff, used by several loan platforms to verify users’ identity using a selfie with their ID/passport. Such services handle sensitive data, and need to be as secure as the loan platform itself.
But… how can you even know which services are used by each platform and who has access to your data? Imagine reading in the news tomorrow that veriff was hacked. Would you know which platforms use this service, and how you may be affected?
For this reason, GDPR requires that each website publicly list its data processors and 3rd party vendors. We check to see if loan platforms adhere to this requirement. As an added bonus, by pushing platforms to publish this list we might save them from heavy fines in the future.
That's it. As you can see, the criteria are rather basic due to the limitations of our evaluation methods. This is one of the reasons we expect platforms to conduct official security checks, where a professional team digs into the servers to detect other weaknesses.
As I mentioned before, aside from my TORCH reports, Victor will continue publishing his own articles to shed even more light on these topics and others. Stay tuned.