
Making Fintech Safer

by James Wrighton, CTO  

6 January 2016


The UK is a leading player in the expanding world of Fintech. New firms and technologies are cropping up all over the place (including our good selves at Growthdeck). But are they all secure? Viruses and other threats that affect browsers and personal computers are largely the user's concern, but there are some basic platform security requirements that any consumer Fintech firm should meet as a minimum:


HTTPS encryption

If the platform you're using doesn't provide an HTTPS connection (check for a padlock in the address bar) as standard, then walk away. Even if it does, you might want to check the strength (preferably a certificate signed using SHA-2, 256-bit) and validity of the certificate the site is using. Ideally it should have been issued by one of the big certificate authorities - Digicert, Symantec, Comodo etc. If you can see the company name in the padlock bar then the certificate has Extended Validation, which means the company had to complete a more rigorous assessment before the certificate was issued.

Two-factor authentication

Many crowdfunding platforms require a single password to authenticate your login. If someone knows your email address/username then guessing your password, either by chance or by brute force, is easier than you might think. Adding a second factor - like a PIN or token number - reduces the risk considerably.

Password reset

A classic weak-spot for many sites is the 'I forgot my password' link. If someone has hijacked your email address (increasingly common these days) then simply requesting a password reset could allow them access, and you would be locked out. Adding an additional field (like a pre-defined challenge question, or the aforementioned PIN) makes it far harder to exploit. Though you'd still have to rescue your email account...

Front-end protection

There are two basic halves to any website - the front-end and the back-end. What you see in the browser is essentially the front-end; you can view its code by right-clicking and choosing 'View Page Source'. The back-end is (or should be) invisible to users. As browsers become more powerful, modern websites do more of the work at the front-end, and in doing so can introduce vulnerabilities. Secure sites make sure that the front-end can only be used in the intended way and include protection against issues like Cross-Site Request Forgery (CSRF) and Cross-Domain Referrer Leakage/Cross-Domain Script Includes.
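The CSRF protection referred to above is normally a per-session token that the back-end embeds in every form and checks on every state-changing request. This added example (not from the original post or from Growthdeck) shows one such scheme: the token is a random nonce plus an HMAC that binds it to the user's session, so a token lifted from one session cannot be replayed in another. The session identifiers and server key are constructed demo values.

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # reads change nothing, so need no token


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Mint a token bound to one session: random nonce + HMAC over (session, nonce).

    The back-end embeds it in the HTML form. A foreign site can make the browser
    submit a request, but cannot read the token out of our page to include it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, server_key: bytes) -> bool:
    """Recompute the MAC for *this* session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(server_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def request_allowed(method: str, session_id: str, form: dict, server_key: bytes) -> bool:
    """Gate handler: safe methods pass, anything else needs a valid token for the session."""
    if method.upper() in SAFE_METHODS:
        return True
    return verify_csrf_token(form.get("csrf_token", ""), session_id, server_key)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed server-side key
    token = issue_csrf_token("sess-alice", key)
    print(request_allowed("POST", "sess-alice", {"csrf_token": token}, key))  # True
    print(request_allowed("POST", "sess-other", {"csrf_token": token}, key))  # False
```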

Database encryption

Authentication data like passwords, PINs etc. and any payment data should all be protected in the database, with passwords and PINs stored using one-way hashing and salting. This means that should anyone break into the database, the stored passwords and PINs are useless to them - they can only be used to verify an entered value and cannot be decrypted*. Recent breaches, such as Ashley Madison and TalkTalk, have shown that data is not always encrypted as you would expect**. Most companies would be reluctant to tell you how they encrypt their data, but it shouldn't be considered rude to ask.

Needless to say, databases themselves should be accessible only to users/interfaces that possess the necessary permissions. Good, secure platforms will regularly perform a process called 'hardening' where vulnerabilities in the infrastructure are removed - reducing the risk of unauthorised access.

Data enclosure

With the increasing use of APIs to harness the power of third-party apps, the risk of data being intercepted or exploited has risen. Most crowdfunding platforms use specialist payment gateways - like GoCardless, Stripe and Mangopay - to handle transactions. Naturally these providers take security very seriously, but because of the various ways in which gateways can be integrated with platforms, you're giving out your card/bank account details without really knowing how those details are being handled or stored. At Growthdeck we don't use a third-party payment handler but instead let our investors use their own online banking services - so we don't handle, store or pass on any account details.

Other, less sensitive, data passes between platforms and external providers all the time - Google Analytics being the elephant in the room. But a good platform will minimise (or even remove) the need to send personal user data outside of its secure, encrypted environment.

KYC

Security is not just about technology. The risk of identity fraud is significant and platforms should take ID verification very seriously. If someone knows your basic details, like name, email and postal addresses and date of birth - all things that can often be found on the web - then creating an account in your name would be simple on quite a few Fintech platforms. Requesting documents such as a passport or driving licence helps but can be a hassle. A simple alternative is to send a welcome letter to new registrants (something we do at Growthdeck) as well as an email, thereby validating their address.

Testing and versioning

Perhaps the most important security practice of all is keeping up to speed with the latest developments and ensuring that software and hardware are constantly updated, improved and tested. Cyber threats evolve quickly, and as platforms become more complex it gets harder to react rapidly. So it's important to be flexible and enhance software incrementally over time. Regular penetration ('pen') testing, carried out by independent certified professionals, helps identify and mitigate the latest risks.

Growthdeck is a new entrant to the equity crowdfunding marketplace, so we have the advantage of learning from existing platforms. But we will always be looking to maximise the security and integrity of our users' data, and so provide a reassuring experience for investors.

* No level of encryption is completely impervious. Hackers with sufficient computing power and time can crack practically any salted hash.

** Passwords on Ashley Madison were encrypted incorrectly and 11 million passwords were cracked. TalkTalk had not encrypted bank account numbers and sort codes at all, and over 15,000 were stolen. [Sources: Wikipedia, Telegraph]
