Two weeks ago I published an in-depth article into the current state of IT security in the UK P2P Lending Industry.
At the time of my research last month (February 2017), the vast majority of P2P sites simply ignored my direct correspondence, however since publication, a number of companies are now responding.
Their responses are detailed below, and this article will be updated accordingly should further platform responses be forthcoming…
Responses so far:
- ArchOver’s Response
- Bondmason’s Response
- Collateral UK’s Response
- Invest & Fund’s Response
- LandBay’s Response
- MarketInvoice’s Response
- Money & Co’s Response
- PropLend’s Response
- Ratesetter’s Response
- Wellesley & Co’s Response
Ian Anderson, Co-Founder & COO of ArchOver reached out via Twitter.
On the issue of their original “Do you seriously think we would be foolish enough to respond with answers to this kind of query?” response to my email to them, Ian Tweeted:
However, Ian invited me to email him directly with security concerns in the future:
…and also conceded:
An ArchOver representative also responded in the P2P Independent Forum where my research is being discussed:
“We get a lot of speculative approaches so we take a strong stance about sharing any information from a cold email to our info@archover.com email account, especially when the sender keeps an anonymous profile.”
Steve Findlay from BondMason responded in the P2P Independent Forum:
“We don’t reply to questions regarding the specifics of our security set up.
Also, it may be worth noting that the review covers the front end of these websites, which may be structured differently to the back end.
It would be interesting to compare the results of this analysis to the same analysis repeated on more traditional financial services websites – e.g. banks and share dealing services.
Good luck with this initiative.”
“Gordon” from Collateral commented in the P2P Independent Forum:
“I just want to make a couple of observations and comments re your detailed article.
Firstly just to clarify, Peter was a little reluctant initially to engage with yourself because you hadn’t put a signature or introduction to yourself on your email, it was just questions with no idea of who was asking those questions. You explained you wanted to be anonymous, but to be fair it was a little unusual.
As far as we are aware the contact form has always worked, there is an email address for investors when logged in and there is a telephone number on the footer of all the front end pages. So to get in touch with Collateral is quite straight forward.
On another note we were all ready going through security checks etc, and as of the articles date, the 13th of March 2017, you are not correct on five of your key factors.
The two we haven’t done yet are the Forward and Cookie points but are on with these.
I hope you don’t mind me making these points and as the article is dated, we would appreciate the information on Collateral being updated to reflect where we were and are at the time of publishing.
Many thanks,
Gordon”
I’m happy to clarify that my research was correct as of February 2017, and have subsequently added this as a footnote to the original article.
Invest & Fund have responded via email on 15th March:
“Hello @isecguy,
Thank you for your email on 25 February. We’ve now also seen a bit of chat on Twitter and connected the dots.
Your email came in on a Saturday, was anonymous and asked for detailed internet security information. We thought it was either an attempt to get information to aid a cyber attack, or sell cyber security services, so we chose not to respond.
We take internet security and data disclosure very seriously and have a highly skilled team of internal and external professionals in place. In line with our policy, it’s best if we decline your request for further information.
Good luck with your blog.
Matthew.”
Since publishing my original article, I’ve tweeted all P2P companies analyzed (with the exception of The Bridge Crowd – who don’t have a Twitter presence) that hadn’t responded, inviting them to respond should they wish
LandBay were the first of these platforms to respond via Twitter, and requested that I forward them the original email I’d sent them two weeks earlier, which was ignored. I obliged, and LandBay prompted responded with answers to my original questions. Here is there response on 14th March:
“Hi,
Apologies for our delayed response, we have discussed with our support team who initially misinterpreted your email as a secops agency trying to engage us.
1. Our peer-to-peer lending platform is developed fully in-house.
2. We use industry standards for storing passwords (crypto salted hashes) and review this periodically in line with the latest development standards. We also review the new security guidelines and recommendations online regularly and assess any work required as a result.
3. Yes, as per your article, we use Password and PIN on our login interface.
4. Yes – we have independent third parties carry out pen. tests and security audits on all our infrastructure (including online, offline and office infrastructure). We engage them regularly.
5. No – we have not. [ever had a data breach]
6. Yes – please email security@landbay.co.uk
Best wishes
Landbay”
Bilal Mahmood, Head of Media Relations at MarketInvoice responded via email on 27th March:
“Please accept my abject apologies for the delay in getting back to you. We do not, in general, discuss our security setup with anonymous third parties However, on this occasion, here are responses to your questions and some points to the published blog.
1) Do you outsource development of your website, or is development fully in-house?
Our platform is developed entirely in-house.
2) How do you store passwords and other personal information of your users? (i.e. what encryption methods are used?)
This is strictly private and confidential information. Passwords are salted and hashed. Our databases and platform files are encrypted at rest.
3) Does your site support 2-factor authentication (2FA)?
2FA is not currently supported but it is something we keep under review
4) Has your site/infrastructure undergone a professional independent 3rd party security audit? If so, are you able to provide evidence of this?
Yes, we have undergone external penetration testing and redo on a regular basis. The reports are not for external distribution.
5) Have you ever had a security breach of your IT infrastructure?
Our platform has never had a security or data breach.
6) Finally, do you have a dedicated in-house security contact within your organisation that I can convey some security concerns to directly?
Yes, we do. However, could you channel your concerns or requests to our press office (press@marketinvoice.com) who handle our external relations.
About the concerns raised in your blog post:
- Password reset: we believe you are mistaken. The password reset functionality does not expose if anyone has an account. Feel free to forward any evidence this is not the case to security@marketinvoice.com
- Server fingerprints: We are reviewing removing these, though note that you have tested our static marketing site which has fewer security implications.
- SSL & Security Headers: Again, it looks like you have tested our static marketing website (www.marketinvoice.com) rather than our platform whose security infrastructure is far more robust.
- Cookies: The “remember me” functionality is clearly to be used only on a user’s local machine. The usefulness of this feature is being reviewed.
Kind regards,
Bilal”
It should be noted that MarketInvoice’s password reset does not expose accounts – and this was noted in my original research.
Nicola Horlick, CEO of Money & Co responded via email on 21 March:
“Your message was passed to me. Please can you give me more information about who you are.”
I subsequently replied, explaining my research and providing a link to this blog and the original article.
Nicola responded:
“What is your name please?”
I explained to Nicola: “I myself am an active investor in a number of the P2P platforms I looked at (but not in all 39). It would therefore have been unfair and biased to engage with some platforms from the stand point of an existing investor, and others from the perspective of an “outsider” (i.e. a independent security researcher/ potential future borrower/investor, etc). Consequently, to ensure fairness and a level playing field in my research article, I haven’t provided any of the 39 platforms with personally identifiable details that could be used to identify me as an investor (or otherwise) on their particular platform. – there’s no malicious intent behind behind this, it’s simply to ensure as neutral an analysis as possible.”
Nicola replied:
“I can’t give out details of our security policies to an anonymous person. Suffice to say that our system was originally built for J P Morgan and so security is at the heart of it.”
Brian Bartaby, Founder & CEO of PropLend responded on 14th March via email to my initial email (sent some three weeks prior):
“I have just read your article, which can I say is very thorough.
I was unaware of your email below but would have expected it to be ignored by our staff as it was a blast out, was not signed by anyone and there were no contact details to follow up with, a classic example of someone trying to get info out of a company.
Our policy on something like this is ignore it.”
When I questioned why they couldn’t just hit the “Reply” button, rather than the excuse that they didn’t have any contact details, Brian promptly responded to say:
“Contact details to me means more than an email address, a wordpress site and no contact (phone, address or name) which we all provide on our platforms. Our policy is not to ignore security related correspondence but to ignore correspondence that we cannot follow up with, i.e. know who we are engaging with. Don’t get me wrong, you have gone to a huge amount of effort to pull together this detailed a report, it’s a shame you cannot or are not willing to reveal yourself.
If you had provided proper contact details (name, tel etc) we would have been more than likely engaged with you as we try to take security seriously. You would not believe, or you may the number of scam emails that people try to hit us up with.
I must thank you as you have pointed out something. Proplend does have a current EV certificate but it had not been properly uploaded, which is why it shows the shared certificate you rightly pointed out and this is being actioned.
We have previously undertaken pen testing (third party Crest registered) and have another booked within the next 5 days. It’s an ongoing practice.”
A short while later, Brian got in touch again with an update to confirm that they’ve now resolved their EV certificate issue, which is no longer shared with a porn site:
After Tweeting RateSetter, they responded asking me to re-send my original correspondence, which I did. RateSetter’s Head of Information Security, Neill Newman swiftly responded on 15th March:
“Dear Sir/Madam,
I have been passed the below message from our communications team.
I have read your article with interest, there are lot of accurate observations of RateSetter in there, there are also some areas which, (with the benefit I have of inside information), for RateSetter are inaccurate assumptions/conclusions due to the external framing of your tests (no offence implied or intended).
More than happy to engage in a conversation at a mutually convenient time. You are more than welcome to visit our offices in London if you are able and would prefer a face-to-face meeting. The sensitivity of this area means I will need some kind of verification of who you are in order to provide certain answers, I am sure you understand the reasons why. I can provide assurances that your online anonymity will not be breached by RateSetter or by myself.
Feel free to independently verify who I am, you will find I have headed up information security for a global financial organisation which is considered critical national financial infrastructure to a number of countries in Europe, including the UK. I also used to be a pentester (a long time ago) so I can engage in meaningful technical discussions.
I am currently traveling to Liverpool to present at the NCSC CyberUK conference, so will have to meet/discuss next week if that is ok with you?
Regards
Dr. Neill Newman”
Aldwyn Boscawen, of Wellesley & Co responded via email on 22 March:
“I trust this email finds you well, I apologise that your email has not been dealt with thus far. It was channelled into the inbox of a staff member who has subsequently left the company (without having replied!).
I have Cc’ed in to this email Ed Vigors, who should be able to help you with any enquiries of this nature. I have read your article and find it informative and I believe Ed will be able to give you any information that we feel it appropriate to give that does not compromise our security!
Best Regards,
Aldwyn”
Responses Pending…
The following platforms have reached out via Twitter, indicating they would respond:
Growth Street
“Chris” from Assetz Capital, commented in the P2P Independent Forum on 15 March:
“In terms of the AC response, the original questions made their way to me this morning and I’ve sent our response to our compliance officer and head of marketing for clearance. Any public response will then be down to them, taking into account wider considerations than just the technical insights I can provide.
At time of publication, responses from the above platforms have not yet been received, however, this post will be updated if/when further responses are received.
Responses Outstanding…
The following platforms covered in my original research have all been invited to respond, but have so far declined to comment:
|
|
Analysis
Quite a range of responses and differing attitudes towards security there from the various P2P lending platforms who have responded! (and my sincere thanks to all those who have!)
There are certainly some recurring themes though:
Security Through Obscurity
A number of platforms presently adopt an approach of “Security-Through-Obscurity“. This is the reliance on the “secrecy” of the platform design or implementation as the main method of providing security for a P2P platform. A P2P platform relying on obscurity may well have security vulnerabilities, but their management or developers believe that if the flaws are not known, this will be sufficient to prevent a successful cyber attack.
Security experts universally warn against such a “Security Through Obscurity” approach. Leading standards bodies also agree; The National Institute of Standards and Technology (NIST) for example specifically recommends against this practice, and instead promotes “Open Design”, stating “System security should not depend on the secrecy of the implementation or its components.”
Asking a platform, for example, how passwords are stored does not provide an “attack vector” for someone to then launch a cyber attack against them, as some platforms seem to be worried it does! As per my original article, if a platform is confident that they are storing passwords securely, there should be no reason not to disclose this. Doing so would actually instill customer confidence that the platform understands how to correctly and securely store passwords, using strong encryption/hashing.
As a rule of thumb, Security Through Obscurity ≠ Security
Slowness To React
The last paragraph of my original email corresponded to all 39 platforms read: “Finally, do you have a dedicated in-house security contact within your organisation that I can convey some security concerns to directly?”
This clearly indicated that I’d identified security concerns that I wanted to bring to the attention of the relevant person/dept within their organization.
Any business (P2P or otherwise) that takes security seriously and who receives an email from someone who wishes to responsibly disclose a potential security vulnerability they’ve identified, should seek more information/clarification from the reporter as soon as possible. The fact that it’s taken some platforms nearly an entire month to respond to such correspondence, and others still haven’t responded at all, is rather worrying!
Had I identified or become aware of a serious security vulnerability that I believed had been or was currently actively being exploited and customer data compromised, for the platform to simply ignore and be complacent about attempts to bring the matter to their attention, is grossly negligent and could ultimately do a lot of damage (both financially and reputationally) to the platform and its customers!
The sooner a platform becomes aware of and understands the extent of a potential vulnerability/data breach the sooner they can react. It concerns me that many P2P platforms don’t seem particularly “reactive” to reported security concerns, based on their speed of communication in my research.
Only two platforms have so far been able to provide a dedicated security@…. email address (LandBay and MarketInvoice), however MarketInvoice – like a few other platforms – would rather security issues are raised in the first instance with their Media/PR teams. Media/PR staff are generally not the right people within an organization to raise security concerns with.
Some platform CEO’s & representatives have also put the delays in their response down to “not being aware of” or “only just” having been passed my original corresponded by their colleagues (some 3-4 weeks later!) ….in which case, I’d hope that as a result of this, internal communication processes will be significantly improved! (an those platforms without dedicated security reporting channels will implement them)
After all, Slowness To React To Security Issues = Potential For Greater Damage
A lack of communication may also be down to…
Confusing Security Research with “Malicious Intent”
It’s evident from a number of platform responses that there are misconceptions over the differences between a “Security Researcher” and a “Malicious Hacker”.
Asking legitimate questions over how a platform approaches security, was in many cases incorrectly perceived as some sort of “phishing” attempt (See for example, ArchOver’s Response) or a “Cyber Attack” (See for example, Invest & Fund’s response)
Asking questions of a platform doesn’t make someone a malicious hacker intent on a cyber attack and bringing a platform to its knees! (and let’s face it, malicious hackers would be unlikely to make contact with a P2P Platform before they carried out such an attack, unless they were trying to extort money or hold the company to ransom, etc.
But these attitudes also serve as a good example of why I choose to remain anonymous! There’s certainly a misconception out there of what a “security researcher” is!
Let’s assume for a moment that I was an existing investor or borrower with a particular P2P platform, and I sent them exactly the same set of questions as I did for my research, but sent it instead from the email account I’ve registered with them as a customer. The P2P platform in their paranoia could still mis-interpret the correspondence in exactly the same way as some have in this instance – as some sort an attempted “cyber attack” – and subsequently suspend/terminate any investor/borrower accounts I have with them!
…and that’s, is a good illustration of why I choose to remain anonymous – it’s not because I’m malicious or have any criminal intent whatsoever – I don’t and as an avid P2P investor myself I want to see the industry thrive! – it’s simply because of the lack of education and grave misconceptions that exist out there towards security researchers like myself, and the fact that a number of the businesses I research, I may also be a customer of too. I don’t wish to be treated any differently for asking legitimate questions on security or raising potential security issues!
I would hope that going forward those P2P lending platforms with current “policies” of simply “ignoring” security-related correspondence from people who don’t provide them with their full name, postal address, telephone number, date of birth, National Insurance number, copy of their passport etc, etc, will consider reviewing them!
Whether my name is John, Jeffrey, James, Jacob, Joshua, Justin, Jonathan, or Joe Bloggs…. Anyone should be able to flag security concerns with a P2P platform, regardless of who they are, and it really is in a platform’s best interests to encourage engagement on such matters.
Remember, Anonymous ≠ Malicious!
Confusion over the difference between 2 Factor Authentication (2FA) and 2 Step Verification (2SV)
Some platforms seem a little confused over 2FA. For example, in response to the question “Does your site support 2-factor authentication (2FA)?” LandBay responded “Yes, as per your article, we use Password and PIN on our login interface“. This isn’t technically 2-Factor Authentication, it’s 2-Step Verification (which isn’t the same, and isn’t as secure) – see my original article for the differences between the two.
Remember, 2SV ≠ 2FA!
Public vs Restricted Areas
It’s been interesting to note that a number of platforms have been a little dismissive over security concerns with their public-facing websites, making the point that only publicly accessible areas of their sites were tested, rather than restricted “members” areas requiring a log in.
The assumption being that platforms feel their “members” areas are “more secure” than “public” areas.
As I’m not an investor/borrower with all 39 P2P platforms I looked at, it would not have been possible to analyze the restricted/members areas of all 39 platforms anyway.
However, whilst I hope that security of their “members” areas once logged in is far more robust than their public-facing areas of their websites, given that these restricted areas are usually first accessed via the public parts of their sites (and in many cases both public/private areas may reside on the same server), security of these public areas shouldn’t be dismissed.
Summary
I myself am personally an active P2P investor in a number of the platforms I’ve researched.
However, all 39 sites were researched from a neutral perspective, and in my private correspondence to the platforms I didn’t disclose whether or not I was an investor on their particular platform, in order to ensure a fair and level playing field and not to prejudice or taint their responses (although, it really shouldn’t make any difference to a platform whether an individual wishing to raise security concerns is an existing investor/borrower, a perspective future investor/borrower, or just a casual outside observer!)
I hope registered investors and borrowers in any of 39 platforms I researched will look at how their respective platform(s) have responded (or otherwise) to this research, and be able draw their own conclusions over their platform’s attitude and approach to security.
For me personally, given I have prior knowledge of and experience as a lender in the UK’s ever growing P2P Lending landscape, it’s fair to say that my own perception of the attitude and approach to security of each platform has somewhat shifted from what it was before I embarked on this research!
For the time being at least it’s put me off certain platforms that I’d previously been on the verge of joining and investing through in the coming financial year. At the same time it’s also made me rethink other sites that until now I’d pretty much ruled out from ever investing in because of concerns over their approach to security.
Similarly, I’ll likely be increasing my investments with at least one of the platforms I currently invest through, and possibly also reducing my investments through a couple of others as a direct result of platform responses/lack of responses to my research….
After all, it’s not just about the specific security issues I identified in my original research (although they’re of course important) – it’s also about the overall approach and attitude towards security that a platform adopts.
It has been reassuring to receive confirmation from a handful of platforms that they regularly engage with an independent 3rd party penetration test companies – independent scrutiny when it comes to security is a very good thing, as it will likely identify issues that may have been overlooked in-house and bring these to the attention of the platform so that they can take appropriate action to resolve. In the absence of such confirmation from the other platforms that their security is routinely externally audited, it should be assumed that they’ve not undergone such external security audits.
It’s also fair to say that I’ve been far more impressed with those platforms which perhaps didn’t come out on top in relation to specific factors I looked at in my research, but who have corresponded with me to some meaningful degree (because it demonstrates to me more of an openness towards security and willingness to engage on such matters!) – than I have been with those platforms who’ve adopted a closed, “Security-Through-Obscurity” attitude of silence or of “our security’s fine – we don’t talk about security – who are you to question it!?”
As I said when summing up my original article, my main hope is that this research will serve as a “wake up” call to all P2P Lending companies to get their security affairs in order, and in some cases also to re-think how they engage and respond to externally reported security concerns/questions.
At the same time I also hope it serves to enlighten borrowers and investors who are members of P2P Platforms and encourage them to challenge these sites over their security approaches! It’s your money, personal, identity, and financial information you’re entrusting them with after all!! …and if a platform can’t/won’t provide answers to pretty basic, legitimate, and straight forward questions like “Have you ever had a data breach?“, etc. you have to ask yourself what have they got to hide!?
All of the security issues I identified in my research can be readily addressed, and to their credit sites like ArchOver and Collateral have already confirmed that they’ve acted upon some of the issues highlighted, with other sites such as MarketInvoice currently “reviewing”. Therefore, I plan to revisit this topic again later on in the year to see whether P2P lending sites have raised their games…
This article will be updated should further platform responses be received…
InfoSec Guy 
“It should be noted that MarketInvoice’s password reset does not expose accounts – and this was noted in my original research.”
To be fair to marketinvoice.com. They are shown with a red X against their ‘account disclosure via password reset’ in the original report so your comment is ambiguous.
LikeLike
Hey, Reg – if you check the column header it says “Account Disclosure?”. Those with a “tick” disclose accounts, those with a “cross” don’t disclose accounts. MarketInvoice’s row contains a “cross” indicating that their site doesn’t disclose accounts.
LikeLike