Mobile devices are becoming the way consumers access banking services. Mobile is no longer complementary to internet and desktop banking, but is rather replacing it. That means that mobile app security is often underestimated. It’s great that a device can fit in our pockets, but it also means that it can be accessed over untrusted networks or worse. Fintech Review asked a few questions to Victor Tusau Palau, CTO of global financial services firm Ebury.
Tell us more about Ebury. What is your elevator pitch?
Ebury specialises in international cash management solutions, including cross-border payments, FX risk management, and business loans. We help businesses prosper and grow in a highly competitive environment. We do so by eliminating boundaries and making international finance accessible to all.
Unlike other financial service providers, we’ve built our own technology to create a secure end-to-end payment infrastructure. And we have established partnerships to provide global reach and diversified our solutions to support the growth of our clients.
What is your background and what is the story behind the company?
Over the last 20 years, I have led engineering teams in Financial Services, Cloud Infrastructure and Mobile/Embedded Operating Systems. I also organise the Tech In Finance Conference.
I joined Ebury nearly 5 years ago, when it was halfway through its journey. It was originally founded in 2009 by Juan Lobato, a serial entrepreneur, and Salvador García, an expert in Financial Services. Ebury was created to help organisations trade and transact globally, as well as to provide compelling financial solutions so our clients can make the most of international markets.
What is the main trend in mobile app security?
The main trend in mobile app security is a growing focus among regulators and consumers on extremely robust and secure financial mobile apps.
Mobile devices are increasingly becoming the main platform to access banking services. As such, they can be accessed over untrusted networks, stolen or simply left unattended in public places.
Since these apps often have access to highly confidential personal information and finances, it is critical that the application is solely operated by the account holder.
Just like online banking portals, all financial services apps that have to actively defend against theft or loss have to protect other sensitive data such as location information and camera access.
The mobile ecosystem is more fragmented than the web with a wide variety of operating systems, devices, and app stores, which can make it even more difficult to secure mobile devices.
How is Ebury responding to these trends?
First of all, we assume a zero-trust approach.
This begins with the design and architecture ensuring all business logic is implemented in the back-end, and served to the applications by a secured API. Then, we make sure the application can only talk to our API that is digitally signed.
As part of the design, we also ensure that the bare minimum of personal information is stored in the device, with most sensitive information being reloaded from the backend at every launch.
Secondly, we never store the actual user credentials in the device. Instead, at login, we obtain a set of credentials that are specific to the device and cannot be used on any other channels. These are then secured in the operating system ‘secure store’, which is only accessible via biometric authentication. Further to this, we ensure that the device has not suffered any modifications like the rooting of the device.
One more step that ensures possession of the device by our customer is second-factor authentication that must be provided with each transaction.
Finally, we employ an external set of experts to white and black box test our application. We keep up with OWASP best practices recommendations and always look to improve the robustness of our apps.
Any innovation in fintech more broadly that you are really excited about?
As an International Payment institution, we are really excited about Central bank-backed cryptocurrencies (CBDCs). Since they are issued by a sovereign central bank, the expectation is that they will be as stable as their fiat counterparts.
Importantly, CBDCs will be a game changer for international payments, especially in foreign exchange-regulated countries such as China and Brazil.
However, they are still some years away from being a reality. China already has a functional Digital Yuan and many other countries are following suit; the question is – who will adopt it next!