CFI Fellow Patrick Traynor, an Associate Professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida, is launching his research effort on the security of data in mobile lending applications.
Mobile phones and networks are transforming the world of financial inclusion. However, we know that we cannot simply “copy and paste” traditional financing mechanisms into this mobile context and expect widespread inclusion. For example, the traditionally-excluded often lack the standard data lenders use to underwrite credit decisions (such as government audited tax forms, formal pay stubs, property deeds, and so forth). A plethora of companies are attempting to measure creditworthiness using alternative data – including the data trail created through mobile money applications. Alternative data for underwriting holds the potential to dramatically expand access to credit if successful, but it also poses new challenges.
For instance, how secure is data used in digital credit?
In my CFI Fellowship I will measure the state of data security in the mobile money space and provide both a goal and a path towards responsible online credit.
My team and I are performing an extensive teardown of mobile applications including those offering online credit. After a technical analysis of these applications and how they handle user data, we plan to evaluate the privacy policies for each application to see if they describe how the data will be protected, how it will be used, and the recourse available to users should it be incorrect.
It is only by having deeply characterized the behaviors of the industry that we can begin to offer recommendations for what responsible online credit looks like and how far the industry is from achieving it. We expect to find that the integrity of data gathered from mobile money applications will vary dramatically and that the lack of a process to verify and/or challenge such information will limit the reach of alternative efforts to establish creditworthiness.
My past research looked at the security of mobile money applications for the Android mobile platform. Through that work, I was able to demonstrate that much of the industry fails to adhere to security best practices. Moreover, the terms of service dictated by companies in this space hold users liable for all fraud. These findings have called the industry to attention and provoked corrective efforts. Under the CFI Fellowship, I will conduct a similar analysis targeting specifically online credit applications for mobile money users.
App Identification and Gathering: The first step is to work with stakeholders throughout the community to identify candidates for analysis. This process will allow us to identify the most relevant players in this space (i.e., those with the largest potential market and impact), and ensure a geographically representative sample.
App Teardown and Analysis: Analysis of the collected mobile applications will involve automated techniques and tools that allow rapid assessment of the state of communications security between the mobile device and the online credit provider’s back end servers. This analysis will include not only a determination of whether or not the mobile application properly determines identity at the other end of communications, but also whether the back end servers are properly configured against the most up-to-date attacks against the SSL/TLS security suites.
Policy Analysis: Each application comes with a terms of service document. My past experience demonstrated that such documents place the consequences of fraud solely upon the user regardless of the technical soundness of the application. Accordingly, in this round, I will analyze terms of service documents for online credit providers, looking specifically for language that indicates 1) which data will be targeted by the provider, 2) how it will be used to determine creditworthiness, 3) how users can challenge or confirm the validity of such data, and 4) if such data can be resold to other parties without further explicit notification to the user.
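As an illustration of the client-side check in the App Teardown and Analysis step (whether an app properly determines the identity of the server it talks to), the following added example, which is not code from this research project, scans decompiled Java source for common ways of disabling TLS certificate and hostname validation. The check labels, regular expressions and sample sources are assumptions constructed for illustration.

```python
import re

# Heuristic checks (labels are this example's own) for Java source decompiled from an APK.
CHECKS = {
    "EMPTY_TRUSTMANAGER": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}"),
    "ALWAYS_TRUE_HOSTNAME_VERIFIER": re.compile(
        r"boolean\s+verify\s*\([^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "APACHE_ALLOW_ALL": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
    "WEBVIEW_SSL_ERROR_IGNORED": re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)"),
}
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    # Keep string literals (URLs contain "//"); drop comments so a comment-only body is empty.
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", src)

def scan_source(src):
    """Return the sorted labels of every check that fires on one source file."""
    code = strip_comments(src)
    return sorted(label for label, rx in CHECKS.items() if rx.search(code))

# Constructed samples, not taken from any real application.
INSECURE = '''
class ApiClient {
    String base = "https://api.example.com/v1";
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a)
                throws CertificateException { /* accept everything */ }
    };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; } // TODO
    };
}
'''
SAFE = '''
class ApiClient {
    // Earlier builds used ALLOW_ALL_HOSTNAME_VERIFIER; removed.
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) {
            return HttpsURLConnection.getDefaultHostnameVerifier().verify(host, s);
        }
    };
}
'''

if __name__ == "__main__":
    print(scan_source(INSECURE), scan_source(SAFE))
```

A match is a lead for manual review rather than proof: the patterns miss obfuscated or reflective code, and a flagged class may never be wired into a live connection.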
All technical advances made as part of this work will be offered to the public as free, open-source projects. One broad objective of the work is that these tools will enable students from universities across the world to be trained in the security analysis of applications, and that the companies in this industry will recreate the methodology and apply it to future offerings of their products to improve security.