Cyber Security Risks in P2P Lending: What Investors Should Look Out For

October 14th, 2019
15 minutes read

The first thing an investor in P2P lending and other types of crowdinvesting must do before investing on a P2P platform is to get an overview of the risks involved and check if the platform is trustworthy. This is a process that may entail many different parts, like looking at financial reports, going over the company history, and doing background checks on the management team.

Since P2P investment platforms handle personal and financial information, they are subject to information security and privacy risks. This is often overlooked by both investors and platforms, simply because information security and privacy risks are not very tangible measures and often are not understood properly.

In this article, we will explain how P2P investors can protect themselves against risks associated with information security and privacy. Our focus will be on security risks in P2P lending, but the article will be applicable to other types of crowdinvesting as well.

Technical issues related to information security and privacy risks can affect investors in P2P lending in the following ways:

  1. Investors can suffer a loss of funds
  2. Investors can lose the ability to access the funds
  3. Investors can become targets of identity theft because of unauthorized access

There are multiple technical and process-based security risks that can lead to either 1, 2, or 3, but the main risks to look out for in P2P lending are:

  1. Fraudulent P2P platforms
  2. Unavailable P2P platforms
  3. Identity theft
  4. Unauthorized change of deposit details
  5. Unauthorized change of interest/principal values
  6. Unauthorized withdrawal of funds

Below, we will explain the risk faced by investors in each case, who could expose you to the risk, and what you can do to minimize the risk.

1. Fraudulent P2P Platforms

Risk faced by P2P lending investors:

Anybody can create a website with a fake background story around it – almost regardless of their technical skill level. Just Google “how to create a website” and you will be amazed how easy it is. If you deposit money to a fraudulent account, you will most likely not be able to recover your funds.

What to watch out for:

Scammers are many and usually target highly popular web platforms to maximize their chances of success. Well-known earlier examples include PayPal and eBay. Even though most P2P lending platforms do not have the same number of visitors as PayPal or eBay, the visitors at P2P lending platforms are bound to give much higher rewards, so these platforms will become a good target sooner or later.

How investors can minimise their risk:

Always consider the legal, financial and functional aspects of a platform rather than its appearance. Having a nice-looking website does not mean you are dealing with a professional or sustainable business, or even a real one. The goal is to understand whether there is a real legal entity behind the website and whether that legal entity and website are being run by real people who seem legitimate enough to run such an operation. Verifying online and offline information, as well as direct conversations with platform representatives, can uncover shady details.

2. Unavailable P2P Platforms

Risk faced by P2P lending investors:

Technology breaks and websites go down from time to time. This can happen because of internal mistakes or because of attackers performing DDoS attacks specifically designed to disrupt a company’s services. It can even happen as a consequence of the platform having too many visitors at the same time and not being able to handle it. This can impact the overall operation and will make the investor unable to access the funds, either for withdrawal or investing.

What to watch out for:

P2P investing is a relatively new but highly competitive space. There are many platforms out there and most will benefit if their competitors’ platforms are not available. Attackers who simply want a direct financial gain from the platform itself can threaten to keep the website unavailable with a DDoS attack until a certain amount of money is paid. Attackers do not even need to be technical wizards – anybody can buy such a service online.

How investors can minimise their risk:

This is one of those risks where the investor cannot do much about it. The P2P platform must implement technologies that can help serve many visitors at once and resist a DDoS attack. Besides this, processes that prevent internal mistakes from happening or that assure a swift recovery must be in place. What the investor can do is to question the platform on how they mitigate this risk. The platform may or may not actually respond truthfully. You, as an investor, may not have the technical capabilities nor the required access to verify this. But, as soon as more and more investors are questioning this, the platform will be more inclined to do something about it.

3. Identity Theft

Risk faced by P2P lending investors:

Your personal information (name, email address, bank account, phone number and possibly driver’s license/passport) is handled by numerous entities, like the P2P platform (including possibly all employees) and the contractors/subcontractors used to verify your identity or simply store your information. An attacker could gain access to your personal data and use it to fraudulently withdraw the funds from your account, or use it to impersonate you in other circumstances. This can happen either because you as an investor got hacked or because the online services where your personal data resides got hacked. One good example is the identity verification services that platforms rely on to verify their customers’ identity and trustworthiness (KYC).

What to watch out for:

Attackers often find it more fruitful to go after a company’s contractors and not the platform itself. Regular PC users can get hacked simply through browsing the web.

How investors can minimise their risk:

When it comes to the data residing on your PC, you have control of how you secure it. This comes down to technical security practices, such as having an antivirus and a malicious content filter but also awareness of what to be suspicious of.

Being secure is not just a technical matter but a combination of process, awareness and technology. Achieving a state of being secure (enough) is not something that can be summarized in a few lines, and that is the reason why investors need to educate themselves on the subject on their own. Investors are also welcome to have a further chat on the subject with writer and IT security specialist Victor Truica, to understand what they should be aware of and what to focus on. As an investor himself and an information security professional, he regularly talks with fellow investors about the subject.

When it comes to personal data handled by various contractors affiliated with the P2P platform, it is the P2P platform that must make sure that your data is processed adequately. Not only for your sake as a customer, but also for the sake of the GDPR law.

What an investor can do about the question of whether the platform handles personal information correctly is to ask the platform how it mitigates this risk. More on what exactly to ask and look for is coming later in the article.

4. Unauthorized Change of Deposit Details

Risk faced by P2P lending investors:

The information on the platform website showing where to deposit the funds OR the payment providers used by the platform can be altered, having investors deposit funds in a fraudulent account. For example, see the screenshot below of a randomly picked website online that has payment details presented on their public pages.

[Screenshot: Depositing funds in P2P Lending cyber security – payment details shown on a website’s public pages]

What to watch out for:

Anybody from a P2P platform with access to modify the website can do this. An attacker can gain access to modify the contents of the website by hacking the platform itself.

An attacker with access to third-party resources that are loaded on the website can also end up changing the contents. By third-party resources, we’re referring to services that a platform has contracted (e.g. design of the website, newsletter pop-up, payment provider) that need to interact with the platform website one way or another (e.g. placing a JavaScript file that will then be executed by the visitor of the website in order to fulfil its service).

A classic example of attackers gaining access to a website via third-party resources is the so-called “Magecart” – a global operation that affected hundreds of webshops and millions of users and their credit cards.

How investors can minimise their risk:

Verify the bank account details on two different communication channels – and do it every time a change has been announced. For example, if the text is on the website (like in the image above), verify with the platform support via email or phone call before your first deposit, to be sure it is the right account. Simply ask them to confirm, number by number, letter by letter, if the bank account details are correct.

Platforms may legitimately change bank account details or add more options for the investor. Any change should be verified through at least one communication channel different from the initial one, before depositing any funds. For example, if you as an investor have been informed via email that the bank account details are changing, contact the platform via phone before any deposits are made.

Fake emails can easily be crafted so that they look legitimate and appear to come from somebody you know and trust (e.g. the contact email of the P2P platform you are investing on). This is known as phishing and, as with other hacking techniques, it does not require very advanced skills. Here is an article describing how to produce a phishing mail in 5 minutes.

5. Unauthorized Change of Interest/Principal Values

Risk faced by P2P lending investors:

There are many complicated things happening in the “back” of a nicely designed P2P platform website. This includes calculating, storing and reporting correct interest and principal values. These values can be manipulated in ways that result in a loss of funds that goes unnoticed.

What to watch out for:

This can be done by somebody with administrative access to the platform (e.g. a platform employee) or operational/infrastructure access to the platform (e.g. a platform developer). This can be either an employee or an attacker that has gained access to employees with such privileges. Yes, there have been cases of employees stealing money by means of the access rights they held at the company they worked for. If employees are paid unfairly or less than normal, it might increase this specific risk for investors, as studies show that increased employee wages lead to a reduction in employee theft.

How investors can minimise their risk:

P2P platforms that set up their technical operations need to be sure that such changes cannot be made, OR, if they are made, that they are properly logged, thus leaving a trail of what has happened.

This is not something that can really be vetted or checked by the investor. What the investor can do is to question the platform on how they mitigate this risk.

Any deviation from what was initially promised in the contractual agreement of the project you invested in can be detected by tracking the activity on a separate medium, outside the platform, and comparing the two. In practice this means regularly recording values like interest and principal in an Excel spreadsheet. Of course, this can be an administrative nightmare depending on the type of platform and the types of values that should be monitored. Yet it should be possible to do sample tests on this even if you are invested in thousands of small loans.
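As an added example (not from the original article), the kind of sample test described above written in Python instead of a spreadsheet: it computes the interest/principal split that a loan contract implies under a standard annuity schedule (an assumption; check the repayment terms your platform actually uses) and flags the reported months that deviate by more than a rounding cent. The platform statement rows are constructed, with two of them deliberately altered.

```python
"""Reconcile platform-reported interest/principal against the contract schedule."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def q(x):
    """Round to whole cents (ROUND_HALF_UP, as most loan statements do)."""
    return Decimal(x).quantize(CENT, rounding=ROUND_HALF_UP)

def annuity_schedule(principal, annual_rate_pct, months):
    """Expected per-month (interest, principal) split for a standard annuity loan.
    Assumption: equal monthly instalments, interest charged on the remaining balance."""
    p = Decimal(str(principal))
    r = Decimal(str(annual_rate_pct)) / Decimal(1200)      # monthly rate
    payment = q(p * r / (1 - (1 + r) ** -months))          # fixed instalment
    balance, rows = p, []
    for m in range(1, months + 1):
        interest = q(balance * r)
        repaid = payment - interest if m < months else balance  # last one clears the loan
        rows.append({"month": m, "interest": interest, "principal": repaid})
        balance -= repaid
    return rows

def find_discrepancies(expected, reported, tolerance=CENT):
    """Return (month, reason) for every reported figure that differs from the
    contract schedule by more than `tolerance` (one cent covers rounding noise)."""
    by_month = {row["month"]: row for row in expected}
    bad = []
    for rep in reported:
        exp = by_month.get(rep["month"])
        if exp is None:
            bad.append((rep["month"], "month not in contract schedule"))
            continue
        for key in ("interest", "principal"):
            diff = q(rep[key]) - exp[key]
            if abs(diff) > tolerance:
                bad.append((rep["month"], f"{key} off by {diff}"))
    return bad

# Constructed sample: 1,000 EUR at 12 % p.a. over 12 months, as it might appear in a
# platform's statement export. Months 2 and 3 are deliberately altered.
REPORTED = [
    {"month": 1, "interest": "10.00", "principal": "78.85"},
    {"month": 2, "interest": "7.21",  "principal": "79.64"},  # interest under-credited
    {"month": 3, "interest": "8.42",  "principal": "70.43"},  # principal skimmed
    {"month": 4, "interest": "7.61",  "principal": "81.24"},
]

def check_sample():
    """Run the reconciliation over the constructed statement rows."""
    return find_discrepancies(annuity_schedule(1000, 12, 12), REPORTED)

if __name__ == "__main__":
    for month, why in check_sample():
        print(f"month {month}: {why}")
```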

6. Unauthorized Withdrawal of Funds

Risk faced by P2P lending investors:

Your funds could be withdrawn from the platform without your knowledge.

What to watch out for:

This is similar to the access mentioned in risk 5. It can be done by somebody with administrative access to the platform (e.g. a platform employee) or operational/infrastructure access to the platform (e.g. a platform developer). An attacker that has gained access to your account can change the bank account details to which the funds can be transferred.

How investors can minimise their risk:

This is one of those risks where the investor does not have too much control. The only reasonable thing we can do as investors is to inform ourselves about the conditions in which funds can be extracted. Questions to ask ourselves and the platform can include:

  • Is fund withdrawal limited to only the account that has been used to make the deposit?
  • Do I have to go through additional identity verification before doing it?
  • What happens if the platform gets hacked and my funds aren’t there anymore?
  • What happens if my account gets hacked and my funds aren’t there anymore?

Setting up automated notifications for any kind of operation on the account can help raise the alarm. But somebody with access to modify your account and withdraw funds can very well disable the notification for that operation.

How Investors and Platforms Should Address Security Risks in P2P Lending

Both investors and platforms can address these risks through detection, prevention, response, and reduction of impact.

In terms of prevention and detection of the issues mentioned above, the platform has the most control while the investor can do little to influence the setup. The measures below are suggestions for how each of the four areas could be addressed.

Detection of issues could be in the form of technical measures such as creating an audit trail for any kind of activity on the account and making that accessible to the investor (a measure to detect issues, relevant to risk #4, #5, #6). The investor would, in this case, regularly verify the activity log on the account or would be notified via email when something is happening.

Prevention of issues could be done through technical and organizational restrictions applied to certain activities on the account or the platform. For example, only one key employee of the platform has complete administrative access to the “back” of the platform. Another example would be that certain platform operations are fully automated and cannot be altered or accessed by employees.

Responding to issues – as investors, we should always make sure we can quickly contact the platform in case of anything suspicious. This would include saving phone numbers from the platform for immediate contact.

Reduction of impact – as with any other investment, we should only invest as much as we are willing to lose. In case any of the above risks materialize for any one of the platforms that you use, the best scenario for the investor is if the funds are diversified across multiple platforms AND the investor can live with an eventual loss. This is not just related to security risks but also to investing in general.


Questions Peer-to-Peer Investors Should Ask Platforms

Ideally, we would always want to prevent the threat from materializing. This is not always possible technically or financially, but it is up to us as investors to make sure these risks are understood by the platforms. And it is the platforms’ responsibility to address our concerns to the best of their technical and financial resources.

An easy way to do this is to ask the platforms how they are addressing these risks and whether they have implemented any controls. Below, you will find a set of questions directly related to the risks listed above to help you address these issues at any P2P platform. The questions can also be found in PDF; click here to download them and send them directly to the platforms.

The overall approach to security at the P2P platform

  • Do you have a clear idea of the most business-critical information assets?
  • Have you performed a risk assessment on your most business-critical information assets?
  • Do you have a person responsible for Information Security?
  • Do you have an allocated Information Security budget?
  • Have you ever experienced a security or privacy incident? How was the last one handled?

Handling of investor data and identity details

  • Does the platform have a clear and documented overview of where the personal details of investors are processed/stored/accessed/shared?
  • How does the platform verify the identity of the investor?
  • When (at which stages of platform utilization) is the identity verified?
  • What vendors are used to process personal data and identity of investors?
  • How is the security and privacy posture of these vendors verified?

Platform bank account details and deposit of funds

  • How does the platform perform changes to deposit details?
  • How does the platform inform investors of any changes to deposit details?
  • Who has access to modify the deposit details?
  • What vendors are used to process investor funds and in which manner?

Platform availability

  • How is the platform addressing the threat of DoS / DDoS attacks?
  • Is there a business continuity plan in place to address scenarios where the platform is not accessible? (how does the platform operate when it is not available online?)
  • Is the plan considering investor access to and withdrawal of funds in the case that the platform is not accessible?

Investor bank account details and withdrawal of funds

  • Is the withdrawal of funds restricted only to the account that they were deposited from?
  • How can the investor change the details to which the funds can be extracted?
  • Who has access and permissions to modify investor account details at the platform?

Modification of interest and principal values

  • Where are interest and principal values stored within the platform?
  • Who has access and permissions to change these values?
  • How can changes to these values be detected?

Preferably, these should be addressed in a face-to-face interview with multiple business and technical stakeholders within the platform.

I have already tried doing it online, where I have sent the questionnaires to multiple platforms. The results were unsatisfying as most platforms hesitated to answer or were evading the questions as best as they could. You can read more about this on my blog about IT security, in this article dedicated to understanding how P2P platforms address information security risks.

This information is applicable to all investors, regardless of their portfolio size. At the same time, it is most relevant to the average P2P investor, as it covers relatively common risk scenarios with no real deep dive into the technicalities of the issues. Nor does it include targeted attack scenarios. By average investor I mean somebody that does not have a substantial portfolio (below 500.000 EUR) and who does not necessarily live off their investments like professional investors.

When it comes to living off your investments by having substantial portfolios and being a high net worth individual, the risk context will change, and thus further assessment is required. Targeted attacks are to be expected. More caution should be applied when handling larger funds. Further awareness and education are required to deal with this, especially if most investor activities are online.

This article is a guest post written by IT Security Specialist Victor Truica, who has an interest in P2P lending, and edited by the team behind P2P Market Data. You can read more about IT security, risk and investing at his blog.