Good Intentions, Bad Security – Finding Footing in Fintech

With the global rise in fintech startups, a common theme we see is the goal to improve financial inclusion for people who are traditionally left out. But are the new companies in the space ready for the realities of what it means to be a financial service provider? In this episode of The Finance Frontier, host Eric Hathaway speaks with Patrick Traynor, author of the new report “Digital Finance and Data Security” and Pablo Anton Diaz, research manager at the Center for Financial Inclusion. They explore what happens when systems designed to dramatically expand financial inclusion are poorly designed and executed, and talk through what new companies need to take into account as they break into the market. 

Pablo Anton Diaz is a Research Manager at the Center for Financial Inclusion where he is in charge of managing diverse research projects related to innovation in digital finance, consumer protection and financial health.

Patrick Traynor is a Professor in the Department of Computer and Information Science and Engineering at the University of Florida, where he co-directs the Florida Institute for Cybersecurity Research. He is also a research fellow at the Center for Financial Inclusion.

Eric: 00:02 Welcome to The Finance Frontier. I’m your host, Eric Hathaway. This is episode 3 of 5 in our series on financial inclusion.

Eric: 00:11 In our last episode we spoke with Maelis Carraro of the Catalyst Fund about the topic of financial inclusion, and how making financial products available to people, specifically the world’s poorest people, can literally change lives. And we heard about the tremendous promise of the fintech revolution in making access to finance possible for these people.

Eric: 00:29 Today I’m joined by two guests to speak about a new report that was just published by the Center for Financial Inclusion at Accion, which is a global think tank working to advance financial inclusion. The report is titled Digital Finance and Data Security, and set out to measure the security and data privacy of 52 digital lenders around the world. What they found was that many of the products that are serving these vulnerable consumers are not all secure, setting these consumers up for a potentially disastrous introduction to financial products. I do want to note that none of the companies included in the Catalyst Fund portfolio were included in this study.

Eric: 01:04 Joining me today are two people who made this fascinating report happen. Lead author and data scientist Patrick Traynor, and editor Pablo Anton Diaz. Patrick is a professor in the Department of Computer and Information Science and Engineering at the University of Florida, where he co-directs the Florida Institute for Cybersecurity Research. He is also a Research Fellow at the Center for Financial Inclusion. Pablo is also a Research Manager at the CFI, where he is in charge of managing diverse research projects related to innovation in digital finance, consumer protection and financial health.

Pablo: 01:35 Thank you very much Eric for having us. It’s a pleasure to be here.

Eric: 01:39 If you look globally, the World Bank stated that 1.7 billion adults remain unbanked¹. Roughly 43% of Americans are having difficulty getting access to financial products as their credit scores aren’t at the top of the heap². And so we’re seeing banks move to address this population. Not only banks, and we’ve seen that with US Bank recently sort of diving into competing with the sort of quick-loan business, but we’re seeing the fintech revolution bring in, not only in the US but globally, new data sources to try and help the underbanked. So, can either of you give me an idea as to why this topic is so relevant from your perspective today?

Pablo: 02:27 Yeah, yeah. Fintech has become very relevant in our sector in the past, I would say especially in the past five years, because fintech is basically through alternative credit scoring methods, fintech is basically opening for financial institutions the opportunity to work with this huge segment of the population that was previously not eligible for a lot of financial services such as, and specifically credit, just because they didn’t comply with some of the traditional requirements that financial institutions ask from their clients.

Pablo: 03:09 So for clients that don’t have a typical financial footprint and don’t have any previous experience using financial services, or haven’t been using the financial services correctly in the past and therefore don’t have a great credit score, don’t have the adequate amount of credit history, the traditional financial institutions through traditional methods, don’t have a way to be able to work with these clients. And so some of the digital innovations that are being created and expanded by the fintech sector are being created specifically to address this gap so that new other sources of data about how these clients behave when it comes to, I don’t know, repaying their utility bills, or when it comes to paying their taxes or when comes to handling their businesses or when it comes to even what is, so their behavior on social media, that all of these additional data points that we can now have about people in general can also be incorporated into the credit worthiness assessments that financial institutions make of new clients.

Eric: 04:22 I think that driving into the security piece, we’ve seen some of the highest numbers of security breaches over the last couple of years, even in 2018, occur with many of these companies holding traditional data. So security is extremely important as we move into the digital landscape, and the protection of that data is extremely important. And so your report really covers that as these new data sources are coming to market, that there are some challenges.

Patrick: 04:58 If you have a presence online, you’re a, you’re going to be a target. It’s just sort of the reality of the modern day connected world. It doesn’t matter how small or large you are. You’ll be probed by adversaries all over the world who are looking for easy ways to get in. This is especially true in the finance sector. And so one of the big motivators here was, this is where the money is, certainly for a large set of the world’s population that previously wasn’t included in finance. So we wanted to try and figure out, what did the situation on the ground look like? What were the risks? And were we at least conforming to best practices?

Patrick: 05:41 So I appreciate that any time the security guy shows up, in just about any enterprise I’ve ever been in, people will kinda get a little wary. And the security guy never has good news. And one of the things I’ve heard from a lot of the folks that we’ve been talking to is, “Patrick, this isn’t fair. We’re young or agile companies. We’re very, very small. It’s not fair to say that we have to have all of the same security apparatus as, say, a traditional financial institution would have. If you put that burden on us, we simply wouldn’t have the money and we’d fail.”

Patrick: 06:19 What we wanna do here is actually something much simpler. And I’d like to give you a simple analogy using cars. If you buy a car in the United States today, whether it’s a Kia or a Tesla, I guarantee you that both of those cars are gonna have seat belts and airbags. That is the bare minimum, in terms of safety, that you have to have to have your car approved to drive on the road. It would be wonderful if every car had an autopilot feature. It had an extensive roll cage that protected passengers at all times. But they don’t.

Patrick: 06:55 And I think what the report shows is that we see a pretty widespread set of configurations and security standings. And some of them are actually downright dangerous.

Eric: 07:06 Thank you. I love the analogy of seat belts and airbags versus all of the other technology. What are the risks that you uncovered in this report?

Patrick: 07:16 So the first thing of course that we’re risking here is money. Of course we’re in the finance space. And any ability of an attacker to listen in on a transaction could result in the loss of that vulnerable population, that vulnerable customer’s funds. So you could imagine a scenario when a, where a customer is actually paying back, say, one of these electronic or digital loans. And those payments are getting changed and not necessarily showing up. Or, and this is I think the longer-term kind of scarier question, what happens if the adversary maybe isn’t taking the money but is then taking the data? And so what if I’m taking all of the data about you, and then I’m using that data to then apply for a loan somewhere else. So I could rack up charges for someone who is just, just getting integrated into this new digital financial system, across multiple lenders, potentially taking out loans and then leaving them with very little recourse.

Patrick: 08:21 So the threat of money certainly is one that the finance world is very familiar with, but the threat of the loss of data, and then sort of an out of control system where my data may end up in lots of places, and the ability to verify and question and to see what the policies are for my recourse, those are all really significant challenges and one that, I hope, sort of comes out in the report is, something that we need to be looking towards.

Eric: 08:49 So I have another question for either of you. Where does the responsibility lie? Does it lie with the investor? Does it lie with the regulators? Or does it lie with the company collecting that data? Or all three for that matter?

Pablo: 09:07 Yeah, I don’t think there’s a single culprit for this, or a single stakeholder who should bear all of the responsibility on this. I agree with what you said. I think it’s a joint [inaudible 00:09:21], it’s a shared responsibility of everybody who plays a role in this sector. It’s a shared responsibility among the regulators, yes, but also the institutions themselves, and certainly the investors and the donors that are supporting all of the development that are happening currently in the fintech sector.

Pablo: 09:45 And that is why we thought this topic was so relevant, and that was, that is our main purpose with putting this paper out there and publishing this paper. And also sort of the PR that we’re doing around this paper is precisely because of that, because we do feel that, yes, the new fintech sector is growing tremendously. And a lot of the tools that the fintech companies are bringing to the market are wonderful and they’re helping to solve a lot of the challenges that we had with sort of traveling that last mile to reach the most underserved customers. Yes, all of that is true.

Pablo: 10:26 But in this hype, I think we are forgetting to be cautious and we are forgetting that, also with all of these new opportunities come new and additional risks that were not present in traditional financial services. And some of these risks are the ones that the paper that Patrick wrote highlights. And with these risks, we just wanna make sure that the, that investors and regulators everywhere are aware of these risks and are doing something to address these risks in the companies that they’re engaging with and supporting.

Patrick: 11:08 Yeah, I just wanna add very briefly to what Pablo was saying, and I liked one of the words you used, and that was opportunities. Think back to cars. Certainly, it took a massive regulatory move to improve the safety of automobiles such that most auto accidents are survivable these days, to the point where it actually turns out that safety is a sellable feature that many manufacturers tout when they’re selling their vehicles. And in fact, many consumers will only go to vehicles with a certain rating in crash tests. We see this not simply for the risks, which are very, very important. I mean if we get this wrong, we risk [inaudible 00:11:49] generation being excluded from the global financial infrastructure. And that would be a tragedy.

Patrick: 11:57 But if we get it right, then this can be something that can be a real differentiator between these companies. So I think it’s, I think there’s a part to play here from regulators, from donors, from investors, and from the companies themselves.

Eric: 12:11 You bring up a great point, and it’s interesting, where the entire idea here is to address the excluded. But with these potential data breaches and maybe the lack of security on the back end, we’re potentially excluding more. And so as you address regulation, one of the things, and it’s gonna steer my next question, in the US we probably have some of the highest regulation around the financial services industry mainly, or most likely because we have longevity and we’ve really dove into the industry. And sometimes that regulation can stifle some of the newer businesses that are coming to play. Most recently I think there’s been a new government regulatory body to look at fintech regulation.

Eric: 13:00 I know this report addresses a global population. Are you seeing that kind of governmental regulatory governance occur in other countries around the world as it is starting in the US? And is it enough even with what you’ve seen in the US?

Patrick: 13:17 I wanna note that this sector is growing and evolving so quickly. We all know that it’s very difficult for regulators to keep up with industry. So I wanna make clear that I’m not pushing that the solution should necessarily be solely regulatory. That said, when we look in the US market, in this study we do find a number of firms that have problems. And just as sort of specific examples, we saw firms that were using encryption algorithms that have long been known to be weak, and long been essentially bad practice. We saw, in some cases, privacy policies that didn’t match the data that was being taken. And so US companies in general seem to do better in terms of having readable privacy policies, but they were often making the same mistakes the international ones were.

Patrick: 14:12 So I think the opportunity here for US companies to act on this report, to take our recommendations and to do something before, say, heavier regulatory hand, is now. And by the way, there’s a companion guide to the report which talks about some specific requests, some specific steps that C-suite folks can do when talking to their security team or person. I get that security is hard, and sometimes the only question you know to ask is, are we secure? And of course the answer comes back sure, or yes. The companion guide has many more in-depth questions that you can ask, steps that can be taken to get you to that point where you have seat belts and airbags.

Eric: 14:59 Love that point of view, and it’s fascinating to me that this problem is occurring in the US and developed countries around the world. And thank you for that. Can you give us an idea, or maybe some examples, of some of the most alarming things that you found as far as security risks?

Patrick: 15:15 Yeah, so, what we generally look to protect our data in transit is encryption. So these are algorithms that prevent an attacker from seeing the things that we’re sending back and forth. Now, there are good encryption algorithms and there are bad encryption algorithms. We found a small number of cases where no encryption was being used, which meant that an attacker could simply listen in. We found lots and lots of cases where bad encryption was being used. And so even a moderately capable adversary, someone with maybe 10 to 15 machines, could potentially break the encryption and get access to the data. So these were very, very concerning because, I mean, these are the very, very most basic steps that have to be taken to protect the data, and they either weren’t being taken at all, or they were being taken in such an archaic, broken fashion that they were as good as doing nothing at all.

Eric: 16:18 So, out of the report, we’ve covered a number of topics. We talked a little bit about security. We’ve talked about the global side. We’ve talked about the risks. Is there anything else that either one of you would want to bring to the surface, to either organizations investing in some of these fintechs or the fintechs themselves as they continue to develop, and hopefully, help this underbanked population?

Patrick: 16:42 Well one thing I’d like to bring up that we haven’t talked about quite in detail yet is, it’s a really good idea for these companies to think about, what data are they taking? Why are they taking it? And for how long are they storing it? So what data are they taking is very important. We, in the report we show that some companies are taking things like calendar entries. Others are taking GPS location. Others are looking at SMS. Why they’re doing that is not necessarily clear in the privacy policy. And it certainly should be. But sometimes in the tech space, we take data because it’s there and because storage is cheap. But that’s actually going to present a significant potential liability on the back side. If and when you do get breached, every new additional type of data that you happen to keep around could be a significant vulnerability financially for those companies.

Patrick: 17:42 Now, that data may indeed be important in making a credit decision, even if it’s sensitive. But then companies need to have real thought about how long they keep that data around. So if someone, let’s say, has been a customer but they’ve stopped using our service, is two years a reasonable amount of time to keep their data around? Does their data get deleted immediately? These are discussions that investors need to have because it’s going to help them scope their risk when a breach does occur. And that’s something that I think that we hint at in the report. We show the kinds of data. We couldn’t measure the processes behind the scenes of how the data was being protected at rest. And it’s a very long conversation that each and every one of these organizations needs to start having.

Eric: 18:30 I think it’s a great point, Patrick. And so many of these smaller companies now are focused on a specific data point or a data source, and then they expand that out to try and gain data to see if they can sell it later on. And I think it’s a great point, that it does open up, from a liability perspective, the production of that. And if it is breached, the liability side of things. So, thank you.

Eric: 18:52 Well gentlemen, I wanna thank both of you very much for joining us today.

Pablo: 18:56 Thanks again for the invitation. This was a lot of fun.

Patrick: 18:59 Yeah, it really was. Thank you both.

Eric: 19:00 I’m sure there’s a lot more that we could cover in this report. I would suggest to any one of our listeners, go out and grab the report, Digital Finance and Data Security. And we thank you again for both of you joining us.

Eric: 19:12 Thanks for listening to The Finance Frontier. I’m your host, Eric Hathaway, and until next time, subscribe on your favorite podcast app.

  1. The World Bank. (2018, April 19). Financial Inclusion on the Rise, But Gaps Remain, Global Findex Database Shows. Retrieved September 17, 2018, from http://www.worldbank.org/en/news/press-release/2018/04/19/financial-inclusion-on-the-rise-but-gaps-remain-global-findex-database-shows
  2. Frankel, M., CFP. (2017, September 28). Here’s What Americans’ FICO Scores Look Like — How Do You Compare? Retrieved September 14, 2018, from https://www.fool.com/credit-cards/2017/09/28/heres-what-americans-fico-scores-look-like-how-do.aspx

Contact

Love the show? Want to be featured as a guest? We’d love to hear your questions and comments and welcome guest recommendations. Our producer Sara Tatnall can be reached at sara.tatnall [at] zootweb.com.
