Following the template described in defining the risk context, this post will now break down the elements that build the bigger picture.
- Use case - Investing in P2P Investment platforms - current post
- Addressing the threats - how the P2P Investment platform is handling your information and what you can do about it
User activity and actions
NOTE - there are other actions done prior to this, like using a computer and a browser. They are not in scope for this use case, and the present use case will focus only on Web Shopping specific actions.
1. Choose a P2P Lending Platform
There are many P2P Lending Platforms out there and investors will typically select them based on the advertised return on investment rate and financial risk specifics such as buyback-guarantee.
2. Create account
P2P Lending Platforms make it easy for the user to create an account with any kind of email address. A verification of identity might be included as part of account creation but not in all situations.
3. Deposit funds
The user will be presented with multiple methods of depositing funds, usually via bank transfer or 3rd party apps.
4. Invest / set auto-invest
The P2P Lending platform will present the user with a dashboard where funds can be invested as the user sees fit. This usually involves choosing between various risk ratings and various offerings. If it's a lending platform, this will involve choosing between various loan originators or countries.
Some platforms offer the possibility of auto-investing, where a risk and investment profile is created and funds are automatically invested based on the criteria defined.
5. Withdraw funds
The user has the possibility to withdraw funds from the account at any moment, given that they are not currently invested. There can be restrictions on which account the funds can be withdrawn to, usually the same account that was used to deposit.
- end user personal information - name, email, password, identity documents (passport, driver's license)
- end user financial information - bank account, 3rd party payment platform reference like username, amount of funds invested, amount of funds available
- loan documentation - legal contract, legal and financial analysis
Note - the below enumerated adversaries are considered the most relevant for this use case. There can be other adversaries as well, but they might be restricted only to specific scenarios.
script kiddiez - P2P lending platforms are usually built using a known web content management system on top of which some additional coding has been done. This makes them a regular target for simple scammers and other poorly prepared adversaries.
organized crime groups - millions of Euros and Dollars are invested in these platforms, which can attract more sophisticated adversaries
money launderers - as mentioned in the adversary perspective, marketing and sales are dramatically boosted when using (potential) consumer data, making any kind of personal information valuable
Threats for the platform
1. Fraudulent accounts used to launder money
Banks have been used to launder money in various ways in the past. Being so easy to use, P2P Lending platforms provide a good ground for money laundering.
2. Loss of money via manipulated values in interest/principal
Values related to interest rates and amount of funds can be manipulated resulting in artificially inflated or deflated funds. This can generate an issue for both the investors and the platform, as the financials won't add up at the end of the day (or month) but may not be noticed until it's too late. Lack of visibility into the databases and their security isn't something that's out of the ordinary - it's quite common and worrisome.
3. Unavailable platform
The investment service is only available online and if the platform is rendered unavailable, the company cannot continue to deliver its service. This can happen either due to:
- a human error resulting in a misconfiguration in the platform OR
- a DoS/DDoS attack, which is more likely than one believes
Investors cannot deposit or withdraw and the whole business is halted.
4. Regulatory fines
GDPR fines are not a myth anymore and they have been used on various companies in various industries. An investor personal data leak via the platform or via the 3rd parties used to process that data is a very likely scenario for any online service.
Threats for the End User
1. Fraudulent platform
Even though they provide financial services, P2P Lending Platforms are not regulated as banks or other known financial institutions. This opens the possibility for fraudulent platforms to appear and simply absorb as many funds as they can, after which they are either closed by official investigation or simply disappear with all funds. And yes, it did happen already and is most likely going to happen again.
2. Unavailable platform
Since the service is available online, it will be a target of cyber attacks. As a consequence, the platform can become unavailable and users are delayed from withdrawing money and investing.
3. Identity theft
Attackers can also get access to your personal information and use it to either extract funds on your behalf or to steal your identity in relation to other services. This can happen either because:
- the platform and its data processors have mishandled your information. The platform will tend to say that is not likely, but data breach statistics prove that wrong
- you, as an end user, have mishandled your information, allowing others to use it (e.g. your passport or identity card has been photographed). Cannot happen to you, right? Going through some statistics on identity theft may change your mind.
4. Unauthorized change of deposit details
Attackers can manipulate information on the website which lists the bank account details to which investors deposit money. This can happen by:
- having somebody working for the platform making the change. This is known as an insider threat and is not something unheard of
Or attackers can compromise the company's communication platforms (email, chatbot, phone number redirect) and use them to mislead investors into depositing their funds into fraudulent accounts.
5. Loss of money via manipulated values in interest/principal
Attackers can manipulate information resulting in either funds being transferred from one account to another or artificially inflated funds which can then be withdrawn, thus affecting the investors' balance.
6. Unauthorized withdrawal of funds
An attacker can gain access to your account and request to withdraw the funds to one of the attacker's accounts. The attacker could also gain access to the database holding this information and change the withdrawal account details in there. When you initiate a withdrawal, the funds end up in a different account than expected.
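The manipulated interest/principal values and the unauthorized withdrawal described above are both detectable by replaying an append-only ledger against what the database currently stores. The following is an added example, not code from the original post or from any platform; the ledger layout, the account names, the stored balances and the 1% rate are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data, not taken from any real platform.
# Append-only ledger rows: (investor, kind, amount, bank account or None)
LEDGER = [
    ("alice", "deposit",    Decimal("1000.00"), "IBAN-ALICE-1"),
    ("alice", "invest",     Decimal("800.00"),  None),
    ("alice", "interest",   Decimal("8.00"),    None),
    ("alice", "withdrawal", Decimal("100.00"),  "IBAN-ALICE-1"),
    ("bob",   "deposit",    Decimal("500.00"),  "IBAN-BOB-1"),
    ("bob",   "invest",     Decimal("100.00"),  None),
    ("bob",   "interest",   Decimal("5.00"),    None),   # 1% of 100 is 1.00
    ("bob",   "withdrawal", Decimal("200.00"),  "IBAN-OTHER-9"),
]
# Available balances as stored in the platform database (constructed).
STORED_AVAILABLE = {"alice": Decimal("108.00"), "bob": Decimal("900.00")}
RATE_PER_PERIOD = Decimal("0.01")  # assumed contractual rate per interest period
SIGN = {"deposit": 1, "interest": 1, "invest": -1, "withdrawal": -1}

def reconcile(ledger, stored, rate=RATE_PER_PERIOD):
    """Replay the ledger and return findings as (investor, issue, detail)."""
    expected = defaultdict(Decimal)      # available funds per investor
    invested = defaultdict(Decimal)      # principal currently invested
    deposit_accounts = defaultdict(set)  # accounts each investor deposited from
    findings = []
    for investor, kind, amount, account in ledger:
        expected[investor] += SIGN[kind] * amount
        if kind == "deposit":
            deposit_accounts[investor].add(account)
        elif kind == "invest":
            invested[investor] += amount
        elif kind == "interest":
            due = (invested[investor] * rate).quantize(Decimal("0.01"))
            if amount != due:
                findings.append((investor, "interest_mismatch", amount - due))
        elif kind == "withdrawal" and account not in deposit_accounts[investor]:
            findings.append((investor, "withdrawal_to_unknown_account", account))
    # Compare the replayed balance with what the database claims.
    for investor in sorted(set(expected) | set(stored)):
        diff = stored.get(investor, Decimal(0)) - expected[investor]
        if diff != 0:
            findings.append((investor, "balance_mismatch", diff))
    return findings

if __name__ == "__main__":
    for finding in reconcile(LEDGER, STORED_AVAILABLE):
        print(finding)
```

Run on a schedule, a check like this shortens the window in which financials that "won't add up" go unnoticed.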
Since the risk context is now built, it is now time to move on to how we address the threats related to Investing in P2P Lending Platforms.