Technology Risks Of P2P Loan Platforms Compared

Shadows of human figures in darkened room, with computer cabinets

Security around crowdfunding and peer-to-peer lending usually means financial security: knowing that client funds are segregated, that a business has made adequate provisions for liability, and due diligence has been done to ensure that a platform's offerings are realistically priced.

Today we look at a different of security risk: question of hacking, computer intrusion, data theft and other actions that might compromise the integrity of a platform's systems and procedure.

Our source is the award-winning blog InfoSec Guy.  The blogger describes himself (or herself) as "a professional UK software developer with over 30 years of programming experience (over 20 of which have centered around the internet and web based technologies)."  The blog is anonymous. The full report is published at The State Of Security In The UK P2P Lending Landscape.

Our commntary is in four parts:

  • Why we feel glad that this information has been published (and why we're passing it on.) 
  • What the information tells us about P2P lending platforms
  • How it fits with the FCA's regulatory approach.
  • What we expect to happen next.

Why we feel glad that this information has been published

The motivation for the blog is  “responsible disclosure”. That's a common professional stance among software developers who believe that the best way deal with bugs and vulnerabilitiesis to have as many people as possible look at them.

Note that the survey covers 39 platforms, and each one has been tested against eight criteria. It isn't just highlighting one or two, and it isn't saying subjective or consistent things about them.

There is no competitive advantage in not talking openly about computer security. It just means that criminals know more than honest businesses.

These are allegations from a single anonymous source, so we should treat them sceptically - but the way to be sceptical is for the platforms to repeat the tests, and if they find a problem, fix it. 

What the information tells us about P2P lending platforms

If you want to find out how your favourite platform performed, and compare it to the others, check the tables in  InfoSecGuy's report.    In summary, we would say that most of the platforms have vulnerabilities, and their security could  be improved. But we don't see anything to makes us want to say "switch from platform X to platform Y".

Remember that cyber security is only one aspect of a much bigger picture of what makes a platform trustworthy, and an investment deliver a return..

How it fits with the FCA's regulatory approach

The Financial Conduct Auority (FCA) expects regulated firms to protect their key assets - including information, and computer equipment. Nausicaa Delfas, Director of Specialist Supervision at the FCA  delivered a speech at the FT Cyber Security Summit in December 2016 that we recommend to anyone who is interested in discovering more about the topic. We reproduce two key points:

"Cyber risk is an ever evolving and asymmetric threat. It impacts each one of our objectives – market integrity, consumer protection and competition – whether through markets being disrupted through loss of availability of platforms, sensitive market or customer data being stolen or compromised, or access to core banking services."

"Most attacks you have read about were caused by basic failings – you can trace the majority back to: poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation. So we strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too."

What we expect to happen next

How the platforms respond to this report depends on whether they have the security culture the FCA wants them to aspire to, and whether they take a robust approach to addressing InfoSecGuy's allegations of failings in perimeter security.  

We hope they will ask their IT people to do appropriate tests, and fix any flaws they find.  They can do that without talking to the blogger, if they don't want to. See if you can reproduce the results, then set about fixing the problems.

Platforms may feel more comfortable, and get more benefit, from talking to other peer-to-peer lenders who have similar problems.

@isecguy Responses from CEO's of some of the #P2Plending platforms highlighted in my research are now starting to come in... will update post shortly

What we've observed tonight is that the blogger is already engaging with several platforms on Twitter - check the timeline of @isecguy for the details.

In Conclusion

You, gentle reader, should look after your data and your accounts. You should already be using strong passwords on anything that involves your money, or sensitive data that a criminal can use to commit identity fraud.

As Sgt Esterhaus used to say on Hill Street Blues: "let's be careful out there".