How Apps for P2P Mobile Payments Secure Transfers

Mobile P2P payments and transfers are on the rise, and there are no reasons for slowing down. In 2017 PayPal announced that $155 billion in transactions were made via its mobile app worldwide. By 2021, the volume of mobile payments in the USA will overcome $300 billion, while it will reach $6.3 trillion in China as soon as next year. There are lots of players on the market, although it’s still early days for its saturation. One of the main features of mobile payments/transfers apps is security, according to official documentation and marketing materials. How apps manage to keep users’ data safe and private?

Photo by Liam Tucker on Unsplash

What risks can you face when transferring money

Money transfer via an app is basically sending your sensitive information to the world wide web. There are three significant data security risks:

1) The risk to lose confidentiality, or “privacy”. All measures taken to ensure user’s confidentiality are aimed to prevent user’s account from unauthorized access or hacking. The most common measures taken to provide confidentiality is multi-factor authentication, TLS. We will discuss it in detail later.

2) The risk to lose integrity. Integrity provides accuracy of the data received; protection from changing and hacking.

3) The risk to lose availability. Availability means correct work of the app or user’s hardware. Availability might be lost because of interruptions in connections. All the encrypted data should be backed up for those occasions.

Confidentiality, integrity and availability form a “holy trinity” of the data securitization known as CIA model.

Let’s have a close look at the ways used by money transfer apps to protect users’ data.

The most common security measures

There are several ways to protect users’ data in mobile transfer apps. The most known method is a multi-factor — or its subset — a two-factor authentication (2FA). Most often it is just setting up the password, and then authentication comes via email or mobile phone (a voice call or an SMS with a verification code). Sometimes, the app offers you to generate a unique answer to the question of your choice (mother’s maiden name, etc.) and asks this question when there is an attempt to access the app or perform some operation in the app.

Another method to secure mobile transfers is data encryption. It encodes information in such a way that only those with access keys can decrypt it. The key could be either in the form of binary data, a passphrase, or even a hardware dongle. There is symmetric cryptography, which uses the same key to decrypt and encrypt a message, and asymmetric cryptography, which utilises different keys — a public and a private one.

There are two most known cryptographic protocols, Transport Layer Security (TLS) and Secure Sockets Layer (SSL), with the latter being slightly older. Both protocols use asymmetric encryption for authentication, symmetric encryption for confidentiality, and message authentication codes to preserve message integrity. These protocols are not only used for messengers like WhatsApp but also to protect money transfer apps; because sending money via the Internet can be considered as sensitive data exchange.

The use of blockchain technology can also help to solve information security problems. It guarantees the immutability of the data placed there (or at least tremendously complicates attempts to modify it). There are many methods to secure data on the blockchain, for instance, to sign every block of data with a cryptographic signature. If the signature is changed on one block, it will not be changed all across the nodes thanks to the decentralized nature of blockchain. Moreover, the changed signature will be marked as invalid. Lack of a single authority also makes the blockchain very secure. It is harder to hack something written in the distributed ledger.

Those methods are just a few. Let’s see how the most popular money transfer apps are implementing different security measures.

Security measures: best practices

PayPal

PayPal uses several security measures:

• Email confirmation. Every time a user sends or receives a PayPal payment he/she gets a confirmation email. PayPal has detailed information on how an authentic email from them will look like so that users won’t fall victims of fraud or scam;
• PayPal Security Key. In addition to a password the user enters an OTP — a One Time Pin which is unique for each login. This temporary security code is sent via SMS;
• Data encryption. According to PayPal’s documentation, they use multiple methods of end-to-end encryption like TLS. When a user registers or logs into PayPal account (either from a computer or a mobile), the system makes sure that connection is made with TLS 1.0 or higher;
• Key pinning. A specific feature implemented in iOS and Android apps — ensures that when TLS connection is established by the user’s device, it connects to a valid PayPal server only;
• Data protection. Set of methods including PCI-DSS (Payment Card Industry Data Security Standard) and regular security reviews by independent organizations like American Institute of Certified Public Accountants SSAE16 SOC1, AT101 SOC2, Sarbanes-Oxley.

It’s also noteworthy that PayPal has a dedicated transfer service specifically for business needs. They encourage users to separate personal and business accounts and transactions to make sure that different needs are secured by a corresponding set of security measures.

Venmo

Venmo uses the same measures as PayPal, plus an additional set of security layers. Venmo advises setting up multi-factor authentication and adding a PIN code in the app. If this feature is enabled, the app will ask for the PIN every time it’s opened. There are three types of privacy settings in the app:

• Public: the transaction is shared on Venmo public feed and is visible to anyone on the Internet. This option is set by default, although the amounts are not listed;
• Friends only: sharing with Venmo friends;
• Private: information is shared on the user’s feed only.

It’s possible to change the privacy settings for each payment and purchase. There is also an option to “hide” past transactions either making them completely private or available for friends only. Another security layer is an opportunity to receive a unique code which confirms that the person to whom Venmo user has sent money is an intended recipient.

OFX

OFX offers the following security measures:

• Identity protection: passwords, security questions and other sensitive information (including automatic time-outs) are in place to keep users’ account secure;
• Fraud prevention: the OFX “fraud system” uses a multi-layered approach to detect phishing, malware, and fraudulent apps;
• SSL encryption: to create a secure connection with the user’s browser when he/she registers or logs into online services.

Before starting to use OFX an identification procedure should be completed. There are two different forms of identification required: either a passport, a driver’s license or a utility bill for photo identification and as a proof of address.

Another important thing about OFX: it has offices worldwide, and therefore it is regulated in several countries, like the USA, Canada, Australia, the UK and others. Moreover, in the US OFX has to comply with regulations of each state where the company operates.

USDX Wallet

With the ongoing cryptocurrency hype — which is on and off, but doesn’t actually die — it’s useful to review security measures taken by apps operating in this market. USDX Wallet app offers instant crypto transfers with no fees for P2P users. To guarantee the safety of the network, USDX Wallet implements security at multiple levels:

• The use of DLT (distributed ledger technology) ensures that all transactions are irreversible;
• Users access their accounts by logging in with a relatively short password; then they’re able to make transactions. Here’s where asymmetric cryptography comes in: each transaction is encrypted with the private key of a user while witnesses decrypt transactions with a public key. The private key of a user is complicated: it’s generated from user’s password by a powerful algorithm called “scrypt”; it’s also stored in an encrypted form on a mobile device. This means brute-force attack to obtain a user’s password will require lots of time and very powerful processor;
• The account is linked to a user’s mobile phone number, which enables 2FA. Every transaction must be confirmed with a code from a push notification or SMS;
• Phone number linked to an account also prevents unauthorized access: each time the user logs in from a new device he/she needs to input a code from SMS.
• All user’s private data and history of transactions are transferred from server to the client app in a ciphered form with the use of TLS protocol. This protocol employs both symmetric and asymmetric cryptography.
• The app auto-locks after several minutes of inactivity and requires a PIN code, Face ID or Touch ID (one of these is also required upon each entry).

All these security measures ensure that only account owner who knows the password can make transactions since it requires a private key. If a user will lose a device, he/she can recover access to the wallet from a new device, as encrypted private keys are backed up. Yet, if the user forgot the password, nobody can recover it. That’s why it is strongly recommended to set up the password recovery in app’s Settings.

Summary

Aside from built-in security measures and technologies, each app encourages consumers to use common sense while performing activities. Recommendations and detailed step-by-step guides and FAQs are freely available on websites and via developers’ support. Here are general rules one must follow to stay secure and to use P2P mobile payments apps to their full potential:

• Don’t use default settings: some apps have weak pre-set security and privacy settings and not many users take time to review them;
• Lock up the app with a PIN or a password;
• Review app’s security and privacy rules;
• Set your account to private (some apps have a “social networking” features making transactions visible on the feed);
• Separate private and business accounts;
• Don’t tell anyone verification codes, passwords; Send transfers to only those you know — that’s a seemingly simple and basic rule, but you will be surprised at how many times it is abused.