Post by isecguy on Mar 13, 2017 21:40:57 GMT
> Wow, that's very thorough, a great effort. Only thing I would question would be the bit about running old or EOL server software, are you perhaps ignoring backporting? Quite surprised at the sites using shared certificates on cloudflare, it seems embarrassingly cheap not to upgrade to the necessary paid plan. Hoping some of these platforms get back to you with some updates after seeing your blog.

Thanks for your comments beh! Specifically in relation to your point on "backporting": yes, it's possible that backporting may be in play, but if so, that would point even more towards a platform (or their hosting provider) not having the necessary skills/expertise to upgrade their server software themselves, to ensure that they're not reliant on vendor-backported security fixes for obsolete server software! Also, if platforms have the necessary IT skills, and run dev/test sites, they should be able to keep their live site code "current" so that backwards-compatibility issues with newer versions of server software are never an issue. (For those who don't know what "backporting" means, here's a good description from RedHat.)
Post by wiseclerk on Mar 13, 2017 22:08:10 GMT
Very detailed, thorough article. Must have taken a lot of time and work to compile this. isecguy, I would find it interesting if you extended this experiment to some of the continental European marketplaces. While I don't expect them to be more professional overall, I did notice that two-factor authentication via mobile is more common than with the UK sites. Sadly investors typically are not very interested in this aspect of p2p lending, as long as nothing goes wrong. But if it goes wrong, it might be too late. And it is outside the scope for investors to perform the technical analysis you did. So maybe there is an opportunity for you to do regular audits and then publish them here (or on my blog). The question is how you'd be compensated for your efforts (donations, the platforms paying for the audits, the blog paying you for compiling the information ...). It should be in the interest of the platforms that trust is not endangered by a meltdown among them, so maybe via p2pfa?
Post by wiseclerk on Mar 13, 2017 22:59:10 GMT
And one thing to add:
The article looked only at IT security (as that was the topic).
But other security aspects differ vastly from platform to platform.
E.g. which account you can request a withdrawal to. I always considered it quite a good sign, if you only can make a withdrawal to an account, where previously a deposit came from in your name. If the account is changed, require a deposit coming from the new account before withdrawal again. While there might be ways to trick this too, I assume it will prevent all large scale mass attacks, so you could probably only attack single accounts. (unless you find a way to disable this mechanism at the platform itself).
Post by locutus on Mar 13, 2017 23:06:54 GMT
Great analysis but I find white text on black background almost impossible to read.
Post by treeman on Mar 13, 2017 23:24:11 GMT
isecguy - a very interesting read indeed... out of interest, are you a P2P investor?
Post by isecguy on Mar 14, 2017 0:13:27 GMT
> isecguy - a very interesting read indeed... out of interest, are you a P2P investor?

Hi treeman - thanks for your comment! Yes, I am indeed a P2P investor myself, and invest in a number of the sites analysed in my report. However, all 39 sites were analysed from an entirely neutral standpoint, and in my private correspondence to all 39 platforms I didn't disclose whether or not I was an investor on their particular platform, in order to ensure a fair and level playing field and not to prejudice or taint their responses (although, it really shouldn't make any difference to a platform whether an individual wishing to raise security concerns with them is an investor/borrower or not!)

As for my own investments (and just to pre-empt anyone saying "he obviously isn't THAT concerned about security if he invests in these platforms himself"): as I indicated in an earlier response in this thread, my perception of the attitude and approach to security of each platform has somewhat shifted from what it was before I embarked on this research. It's fair to say it's put me off certain sites I'd previously had my eye on potentially investing with in the near future, and at the same time it's made me rethink other sites that I'd previously completely ruled out from ever investing in. Similarly, I'll likely be increasing my investment with at least one platform, and possibly reducing my investment in a couple of others as a direct result of my research... but I'll hold off for the time being whilst the dust settles to see what (if any!) further responses/reactions may now be forthcoming from the various platforms themselves...
Post by puffin on Mar 14, 2017 0:23:34 GMT
> It's a very thorough analysis, and shame on the platforms who couldn't be bothered to respond properly - even if only to say "Sorry, but we're not telling you."... There's no reason not to say, since security-through-obscurity is not secure. One thing doesn't appear to have been considered, though, in the 2-factor authentication section. Parallels are drawn with online banking. Yes, sure. But... Banks provide authentication devices FOC to customers, often to work with their bank cards. Obviously, that's not feasible for P2P platforms. So the 2FA that is there is via mobile phone - an SMS is sent. Great, everybody has a mobile, right? No. Not everybody! No, this is NOT by choice. I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me. (BTW - "sudo-impressive"? ITYM "pseudo-impressive"... Yer geek's showing!)

Not all 2-factor authentication has to be to a mobile phone. Google Authenticator, landline authentication and email authentication are all possible.
Post by puffin on Mar 14, 2017 3:16:32 GMT
> Hi all! There have been a number of threads here in recent weeks about a variety of security concerns people have with various P2P sites (i.e. 1, 2, 3, etc) which I've been following with interest. As an independent security researcher, I thought it was perhaps about time to conduct an in-depth review into the current state of security within the growing UK P2P lending industry, and the results were... well, pretty depressing... but at the same time I'm sure will be of interest to folks here! Some of the key findings* were:
> - 82% ignore security-related correspondence
> - 64% reveal account disclosure via their websites
> - 49% allow passwords <8 characters long
> - 23% allow single character passwords
> - 18% were potentially vulnerable to "CloudBleed"
> - 8% share common SSL certificates with "adult" websites
> - 8% offer (optional) Two-Factor Authentication (2FA)
> - 5% still vulnerable to "POODLE" attacks
> You can read the full article here: The State of Security in the UK P2P Lending Industry
> * based on analysis of the 39 UK P2P sites which had their own boards within the forums here at time of analysis in February 2017.

Firstly, can I say a very big thank you to isecguy for doing this. It is a lot of work and doing it so systematically as you have done is excellent.

Now, a bit of background. IT security is an area in which I have, in the past at least, had considerable hands-on experience, both working in IT in a listed public company and running a few websites (not P2P) which had to deal with real IT security issues. To P2P sites, I'd like to add that as a P2P investor I did some testing (around September last year) before signing up to P2P sites, and in several cases the results were so bad I chose not to sign up. So I just want to get that out there: poor IT security means fewer real-world customers, at least in my case for several sites.

Passwords. I really dislike that people in general think 'passwords' when considering IT security; it is really over-focusing on a minor, outdated thing. However, just to clear something up: the password length is what makes it secure or not; other rules are not so important. Adding length increases entropy more efficiently than replacing letters with symbols etc. Personally, as a site provider, I would ensure a 10 character minimum password length on any site that I dealt with. However, as long as any IT-security-minded investors can create a very long password, then a P2P site can pass the password security test for me. As an investor I won't rule out a site that allows only 1 character passwords, because I certainly would be creating a very long one!

From the blog I learnt many new technical things. I had no idea about issues with CloudFlare before, nor had I encountered the site securityheaders.io/ before, so that was a nice treat!

I don't really agree with the analysis on the 'email communication' section; to me no response would be a success, because the more revealed, the more the chance of an exploit, in the same way that providing nothing on Server Software "Fingerprints" is a success. I'm open to being convinced otherwise, but right now it looks like the email responses did reveal a few things that would be best not answered.

Did any of the sites reveal a clear text password in a password reset? I'm assuming none did because it didn't seem to be covered in the blog.

It would be useful if some consideration could be given to the potential damage of common issues like a DDoS outage or an exploit such as a breach of an investor's account. Few P2P sites are like banks in the scale of damage that could be done, with most banks allowing transferring funds out to anyone. By comparison most P2P sites have little that can be done. On RateSetter for example, the most damage I've found that could be done by a password hacker having access to an investor's account is to return the investor's money back to their own originating bank account! So hardly a major issue in that case. P2P sites that have nothing a hacker can take have got to be less attractive to hackers, and that ideally wants to be part of an IT security round-up.

Overall I found the results from P2P sites sloppy but not poor. Sloppy because by 2017 sorting out SSL, hiding version numbers in software fingerprints, securing cookies and not sharing a domain certificate with a porn site should be standard practice!
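The housekeeping puffin lists as standard practice by 2017 (no version numbers in server fingerprints, cookies with the Secure and HttpOnly flags, the response headers that securityheaders.io grades) can be checked mechanically against a saved HTTP response. The block below is an added example written for this page, not code from the blog, from securityheaders.io or from any platform; the two responses are constructed for illustration rather than captured from any real site, and the particular set of headers it insists on is the example's own choice, not the blog's scoring criteria.

```python
import re
from typing import List, Tuple

# Constructed sample responses (illustrative only, not captured from any real platform).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"        # version in the server fingerprint
    "X-Powered-By: PHP/5.3.3\r\n"                # framework version leak
    "Set-Cookie: PHPSESSID=3f2a; path=/\r\n"     # session cookie without Secure / HttpOnly
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: session=3f2a; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

VERSION_RE = re.compile(r"\d+\.\d+")   # matches "2.2.15", "5.3.3", "1.10" ...
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into lower-cased (name, value) pairs.

    A list rather than a dict, so repeated headers (several Set-Cookie lines)
    are all kept and all audited.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}

    for name, value in pairs:
        # Version strings in Server / X-Powered-By are the "fingerprints" puffin refers to.
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"version disclosure in {name}: {value}")
        if name == "set-cookie":
            cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} missing Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} missing HttpOnly")

    for header in REQUIRED:
        if header not in present:
            findings.append(f"missing {header}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```

To run this against a live site, feed it the output of something like `curl -sI https://example.invalid` (with the line endings preserved); the Server header check only flags a version number, because a bare product name such as "Apache" is hard to avoid and tells an attacker little.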
Post by adrianc on Mar 14, 2017 7:49:45 GMT
> > It's a very thorough analysis, and shame on the platforms who couldn't be bothered to respond properly - even if only to say "Sorry, but we're not telling you."... There's no reason not to say, since security-through-obscurity is not secure. One thing doesn't appear to have been considered, though, in the 2-factor authentication section. Parallels are drawn with online banking. Yes, sure. But... Banks provide authentication devices FOC to customers, often to work with their bank cards. Obviously, that's not feasible for P2P platforms. So the 2FA that is there is via mobile phone - an SMS is sent. Great, everybody has a mobile, right? No. Not everybody! No, this is NOT by choice. I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me. (BTW - "sudo-impressive"? ITYM "pseudo-impressive"... Yer geek's showing!)
>
> Not all 2-factor authentication has to be to a mobile phone. Google Authenticator, landline authentication and email authentication are all possible.

Very true. I did later mention the Google alternative. Email is a mildly iffy one - if your account creds have been compromised, then have your email creds been, too? It's hardly unlikely... Actually, the reverse is probably more likely - your email's been compromised, which has allowed a password reset to compromise your account.
Post by isecguy on Mar 14, 2017 9:08:56 GMT
> Firstly, can I say a very big thank you to isecguy for doing this. It is a lot of work and doing it so systematically as you have done is excellent.

Thanks puffin!

> I don't really agree with the analysis on the 'email communication' section, to me no response would be a success, because the more revealed the more the chance of an exploit...

Answering the questions I put to all 39 platforms themselves wouldn't have revealed "exploits" or attack vectors, provided the platforms were doing security right! For instance:
- Asking a platform whether their site is developed "in-house" by their own staff or by 3rd party developers in itself doesn't reveal any "exploit" or attack vector - what it does do however is provide a good indication as to whether or not a platform has sufficient in-house IT knowledge/experience to be able to understand potential security issues
- Asking a platform how they store passwords (i.e. what encryption method is used) shouldn't be an issue or concern if they're storing passwords correctly! (See the DropBox example in my post). As I mention in my article, not all "encryption" methods are sufficiently secure by today's standards, and if a platform won't tell you exactly how they're storing your passwords, how do you know whether they're sufficiently secure or not?! ...it's likely that if they won't tell you how passwords are encrypted, they're not 100% confident that they ARE storing them securely!
- Asking a platform whether they support 2FA or not does not reveal any "exploit". This information should be public and present on their site's FAQs anyway!
- Asking whether a platform has undergone an independent security audit doesn't reveal any "exploit" - it's merely a further indication of how seriously they take security. Again, if a platform HAS undergone - and passed - an independent security audit, there should be no issue with disclosing a simple one-page confirmation letter/statement/certificate from the independent auditors confirming that there were no serious issues found. I would not expect to be furnished with intimate details of the audit or the full report itself, but a simple confirmation that they "passed" would not reveal any "exploit", but would instil confidence in the platform.
- Asking whether a platform has ever had a data breach SHOULD be a matter of public record (there is an obligation under ICO rules to report such breaches); however, sites which do have breaches are often reluctant to come forward - and often don't - for fear of reputation damage. But again, if a platform has never had a data breach, why won't they say so?!
- Finally - and this is perhaps the most important question I asked - there should be no issue with asking a platform for a named security contact to convey security concerns to. How does providing me with a named person at their organization who understands security and who I can communicate concerns to make a platform more "exploitable"?!

The failure of platforms to engage with security researchers - as evidenced by the majority of them simply ignoring my direct correspondence - is a dangerous stance to adopt, as it discourages responsible disclosure from members of the security community. It's fair to say reputable and responsible security researchers will ALWAYS strive to responsibly disclose any issues/concerns they uncover to affected parties privately and directly first, and work with them or allow them adequate time to address these, before going public. It's when a security researcher doesn't get any response from an affected party that they then have to consider going public in order to force the affected party into acting to fix their issues, which in turn may end up causing more reputation damage than it would have done if they'd simply engaged with the security researcher in the first place!

> Did any of the sites reveal a clear text password in a password reset? I'm assuming none did because it didn't seem to be covered in the blog.

As noted in my blog, all sites now have "password reset" features, rather than "password reminder" features, meaning a user can't simply "retrieve" or "recover" their forgotten password. Any site that allows you to retrieve your existing password will be storing passwords insecurely! However, as evidenced here in the forums, up until very recently Collateral at least were doing this and sending users their passwords in plain text. It is unknown how many platforms currently store user passwords in plain text (I suspect there are a few, but in the absence of responses from platforms, the exact number remains unknown).

> P2P sites that have nothing a hacker can take have got to be less attractive to hackers and that ideally wants to be part of an IT security round up.

We need to consider the "bigger picture" - P2P sites likely hold a wealth of information that's attractive to malicious hackers - personal information, financial information, identity information (copies of your passport/bank statement/utility bill, etc - which they may need to retain & store in order to comply with anti-money laundering regulation), all of these pieces of data could be used to steal a person's identity, and then used to take out credit cards, loans, etc in their name. Even if a hacker wasn't able to withdraw money from a platform directly, if they still had access to all the data on users that the platform has stored, they could potentially "trick" a P2P platform into believing they are a legitimate user, and convince them to make account changes (i.e. updating bank account details). As the hacker has access to the user's data, they would potentially be able to pass any identity checks/questions, etc the P2P platform throw at them in order for them to make account changes. We should also not neglect "Password Reuse" as it's a major issue in today's society - this is when a person uses the same password across multiple sites/services. If passwords are insecurely stored on a P2P site, and a malicious hacker obtains them, they may try using the passwords on other sites - and so the potential damage caused by a breach of a P2P site can extend far beyond the P2P site itself! ...so to say that P2P sites hold nothing that would be "attractive" to a malicious hacker is, in my opinion, a little naive.
Post by jonah on Mar 14, 2017 9:23:35 GMT
Excellent stuff isecguy. I've used some of those tools myself. Whilst I have a few philosophical issues with that ssl test, it's probably a fair starting point for a block review of this sort. I am sure I'm teaching you to suck eggs, but have you emailed the various platforms with a link to the output? Finally, it may be worth tagging the relevant platform reps on this forum onto the opening post... it's amazing how that can sometimes bypass the people answering phones and get management attention and therefore issue resolution. One ask from me, it would be fascinating to see an updated view of this grouping in say 3 months time? Given the alleged agileness of 'fintech' it would be good to see how many platforms have fixed their issues.
Post by wiseclerk on Mar 14, 2017 9:30:42 GMT
> Even if a hacker wasn't able to withdraw money from a platform directly, if they still had access to all the data on users that the platform has stored, they could potentially "trick" a P2P platform into believing they are a legitimate user, and convince them to make account changes (i.e. updating bank account details). As the hacker has access to the user's data, they would potentially be able to pass any identity checks/questions, etc the P2P platform throw at them in order for them to make account changes.

As written above, there is a simple mechanism against that. Allow bank account changes only after verification of the name on a deposit from the new bank account.
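The control wiseclerk describes here and earlier in the thread (pay out only to a bank account that has already sent a deposit in the holder's name, and after a change of account require a fresh name-matched deposit before paying out again) is a small state machine, and writing it out shows where it bites an attacker who has taken over the login. The block below is an added example for this page, not the code of any platform; the name-matching rule, the account identifiers and the scenario it walks through are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

BankAccount = Tuple[str, str]   # (sort_code, account_number)


@dataclass
class Deposit:
    payer_name: str          # name on the incoming payment, as reported by the bank
    sort_code: str
    account_number: str
    amount_pence: int


def normalize_name(name: str) -> str:
    """Crude matching rule for the example: case- and whitespace-insensitive."""
    return " ".join(name.split()).casefold()


@dataclass
class InvestorAccount:
    holder_name: str
    balance_pence: int = 0
    payout_account: Optional[BankAccount] = None
    verified_accounts: Set[BankAccount] = field(default_factory=set)

    def record_deposit(self, d: Deposit) -> None:
        """Credit the balance; mark the source account verified only if the payer name matches."""
        self.balance_pence += d.amount_pence
        if normalize_name(d.payer_name) == normalize_name(self.holder_name):
            self.verified_accounts.add((d.sort_code, d.account_number))
            if self.payout_account is None:
                self.payout_account = (d.sort_code, d.account_number)

    def change_payout_account(self, sort_code: str, account_number: str) -> None:
        """Changing the destination is allowed at any time, but verification does not travel with it."""
        self.payout_account = (sort_code, account_number)

    def withdraw(self, amount_pence: int) -> Tuple[bool, str]:
        """Pay out only to a destination that has itself sent a name-matched deposit."""
        if self.payout_account is None:
            return False, "no payout account on file"
        if self.payout_account not in self.verified_accounts:
            return False, "payout account not verified: send a deposit from it first"
        if amount_pence > self.balance_pence:
            return False, "insufficient balance"
        self.balance_pence -= amount_pence
        return True, f"paid {amount_pence} to {self.payout_account[0]} {self.payout_account[1]}"


def attacker_scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through with a hijacked login; returns each withdrawal attempt's outcome."""
    acct = InvestorAccount("Jane Investor")
    acct.record_deposit(Deposit("JANE INVESTOR", "12-34-56", "11111111", 100_000))
    outcomes = [acct.withdraw(10_000)]                      # holder: verified by her own deposit
    acct.change_payout_account("99-99-99", "22222222")      # attacker redirects payouts
    outcomes.append(acct.withdraw(50_000))                  # refused: destination never verified
    acct.record_deposit(Deposit("A N Other", "99-99-99", "22222222", 100))
    outcomes.append(acct.withdraw(50_000))                  # refused: payer name does not match
    acct.record_deposit(Deposit("Jane Investor", "99-99-99", "22222222", 100))
    outcomes.append(acct.withdraw(50_000))                  # allowed only once the holder paid in
    return outcomes


if __name__ == "__main__":
    for ok, reason in attacker_scenario():
        print("OK " if ok else "NO ", reason)
```

The third step is the one that matters: the attacker can open an account in their own name and send a penny from it, but the payer name the bank reports will not match the holder, so the payout stays blocked. As wiseclerk notes, it is not watertight against an attacker who can also obtain a bank account in the victim's name, but it turns a bulk "change every payout account" attack into per-victim fraud.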
Post by isecguy on Mar 14, 2017 10:45:35 GMT
> Excellent stuff isecguy. I've used some of those tools myself. Whilst I have a few philosophical issues with that ssl test, it's probably a fair starting point for a block review of this sort. I am sure I'm teaching you to suck eggs, but have you emailed the various platforms with a link to the output? Finally, it may be worth tagging the relevant platform reps on this forum onto the opening post... it's amazing how that can sometimes bypass the people answering phones and get management attention and therefore issue resolution.

That was one of the reasons for asking for a dedicated security contact in my direct correspondence to each of the 39 platforms. I wanted to correspond with someone within each organization who'd understand what I was talking about! Sending an SSLlabs test results link to a "generic" platform email address would have likely been met with confusion - which is why I specifically asked for a security contact at each platform.

> One ask from me, it would be fascinating to see an updated view of this grouping in say 3 months time? Given the alleged agileness of 'fintech' it would be good to see how many platforms have fixed their issues.

Yes, my intention is to revisit this again later this year to check on progress...
Post by hugoarchover on Mar 14, 2017 10:58:22 GMT
We agree with you puffin - we get a lot of speculative approaches, so we take a strong stance about sharing any information from a cold email to our info@archover.com email account, especially when the sender keeps an anonymous profile.

> > I don't really agree with the analysis on the 'email communication' section, to me no response would be a success, because the more revealed the more the chance of an exploit...
>
> Answering the questions I put to all 39 platforms themselves wouldn't have revealed "exploits" or attack vectors, provided the platforms were doing security right! For instance:
> - Asking a platform whether their site is developed "in-house" by their own staff or by 3rd party developers in itself doesn't reveal any "exploit" or attack vector - what it does do however is provide a good indication as to whether or not a platform has sufficient in-house IT knowledge/experience to be able to understand potential security issues
> - Asking a platform how they store passwords (i.e. what encryption method is used) shouldn't be an issue or concern if they're storing passwords correctly! (See the DropBox example in my post). As I mention in my article, not all "encryption" methods are sufficiently secure by today's standards, and if a platform won't tell you exactly how they're storing your passwords, how do you know whether they're sufficiently secure or not?! ...it's likely that if they won't tell you how passwords are encrypted that they're not 100% confident that they ARE storing them securely!
> - Asking a platform whether they support 2FA or not does not reveal any "exploit". This information should be public and present on their site's FAQ's anyway!
> - Asking whether a platform has undergone an independent security audit doesn't reveal any "exploit" - it's merely a further indication of how seriously they take security. Again, if a platform HAS undergone - and passed - an independent security audit, there should be no issue with disclosing a simple one-page confirmation letter/statement/certificate from the independent auditors confirming that there were no serious issues found. I would not expect to be furnished with intimate details of the audit or the full report itself, but a simple confirmation that they "passed" would not reveal any "exploit", but would instil confidence in the platform.
> - Asking whether a platform has ever had a data breach SHOULD be a matter of public record (there is an obligation under ICO rules to report such breaches), however, sites which do have breaches are often reluctant to come forward - and often don't - for fear of reputation damage. But again, if a platform has never had a data breach, why won't they say so?!
> - Finally - and this is perhaps the most important question I asked - there should be no issue with asking a platform for a named security contact to convey security concerns to. How does providing me with a named person at their organization who understands security and who I can communicate concerns to make a platform more "exploitable"?!
> The failure of platforms to engage with security researchers - as evident by the majority of them simply ignoring my direct correspondence - is a dangerous stance to adopt, as it discourages responsible disclosure from members of the security community. It's fair to say reputable and responsible security researchers will ALWAYS strive to responsibly disclosure any issues/concerns they uncover with affected parties privately and directly first, and work with them or allow them adequate time to address these, before going public. It's when a security researcher doesn't get any response from an affected party, that they then have to consider going public in order to force the affected party into acting to fix their issues, which in turn may end up causing more reputation damage than it would have done if they'd simply engaged with the security researcher in the first place!
Post by isecguy on Mar 14, 2017 11:19:09 GMT
> We agree with you puffin - we get a lot of speculative approaches, so we take a strong stance about sharing any information from a cold email to our info@archover.com email account, especially when the sender keeps an anonymous profile.

info@archover.com is the only contact email address published on your site as a means to make initial contact. However, ArchOver may recall from my original email that a dedicated security contact at ArchOver to correspond with was requested but not provided. Also, I'll make the point again: if a site/platform is confident about the robustness of their security, there's really no reason why answering the kind of basic questions I asked would be an issue! I wasn't asking for anyone's personal or financial details, simply about your approach to security. Security through obscurity ≠ Security!

My initial questions remain unanswered by ArchOver, and I'm sure ArchOver users would like to know the answers, for example to how their passwords are being stored!? I should also note that since publication of my research yesterday, I've had contact from Ian Anderson, Co-Founder & COO of ArchOver, who has conceded that they "should have given an avenue for validation of intentions/credentials and a follow up to allow us to clarify our response". I'm currently collating various platform responses (I've also had a response from the CEO of another platform too), and I'll update my article accordingly a little later...