Introduction

KINFO is a small company acting in a big market, but being small in the fintech market doesn't mean you can neglect the importance of security. Once you launch, security becomes as important for a small company as it is for an enterprise. KINFO is designed to be secure from the ground up, and in this document we explain some areas of interest and the way we look at security.

Design & Architecture

The environment the KINFO platform runs in is made up of several layers of security, ranging from the physical protection of hardware to network protection in the form of firewalls. KINFO runs in Amazon AWS, utilizing a broad set of Amazon's security services to ensure the environment is protected from threats.

Designing with security in mind also means that many parts of the environment are separated into different containers, each within its own security context, with a defined ruleset controlling which environments have access to others.

Cryptography

Cryptography is a key component in any security design. KINFO uses different types of cryptography for different purposes; the most important ones are covered below.

Communication to & from clients

Users communicate with the KINFO backend either through the browser or a mobile app. All communication between clients and the KINFO backend is encrypted using 256-bit SSL encryption, which is the same level of encryption banks & brokers use for communication between clients & backend.

This type of encryption is important to prevent anyone controlling the network or equipment between you and KINFO from listening and seeing sensitive data.

Communication to brokers

KINFO partners with TradeIt for communication between the backend and your broker. The communication between the KINFO platform and TradeIt and from TradeIt to your broker is encrypted using the same strong encryption technology as the communication between your browser or app and the KINFO backend.

Encryption of passwords

(This applies to your KINFO password; for details on how broker connections are handled, see this section.)

When you enter your password for the first time, it's encrypted using an industry-standard, best-in-class cryptographic algorithm which includes multiple iterations of encryption and salting.

In practice, this means that passwords stored in the database can't be decrypted with any computational power accessible today.

When you enter your password during the login process, it is encrypted again the same way and compared to the value computed when you registered your password. This way there is no way to read your password from the actual database, and it's not accessible even by KINFO employees.
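
An added example, not KINFO's code, of the register-then-compare flow described above: a salted, iterated one-way derivation is stored at registration and recomputed at login. The page does not name the algorithm; PBKDF2-HMAC-SHA256, the iteration count and the record layout are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumptions (not from the page): PBKDF2-HMAC-SHA256 as the algorithm, the
# iteration count, and the "scheme$iterations$salt$hash" record layout.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Registration: build the record that is stored instead of the password."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    return f"{SCHEME}${iterations}${_b64(salt)}${_b64(_derive(password, salt, iterations))}"


def verify_password(password: str, record: str) -> bool:
    """Login: recompute with the stored salt and iterations, then compare."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(password, salt, int(iterations))
    except ValueError:  # malformed record: fail closed
        return False
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True when a record predates the current scheme or iteration policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < ITERATIONS
```

Because the salt is random per record, two users with the same password get different stored values, and a record flagged by `needs_rehash` can be replaced at the next successful login while the plaintext is briefly available.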

Communication between KINFO & broker

KINFO partners with TradeIt to handle the communication between the KINFO backend and broker services. TradeIt is relatively new on the market compared to its competitors. Even though they are relatively new, TradeIt has gained trust and acceptance as the most secure way for consumer-facing fintech solutions to connect to broker services.

To learn more about TradeIt, visit their website.

The big difference

While many of the old players in the field support thousands of brokers, TradeIt only supports 10. The reason is that TradeIt has a fully supported OAuth-based authentication solution with all its partners, while competitors still base integration on screen scraping the banks' interfaces.

OAuth-based solution

  • Credentials are never stored at the application provider (KINFO)
  • Credentials are never stored at the aggregation provider (TradeIt)
  • A solution supported by all connected brokers
  • Brokers can monitor, identify & revoke access anytime
  • The authentication process never passes through the application provider's servers

Screen scraping

  • Requires the integration partner to store your credentials
  • Credentials can be decrypted at the integration partner
  • No way for brokers to monitor activity
  • No way for brokers to identify & revoke access without changing your credentials
  • Unsupported by most brokers

Why does this matter to you?

OAuth is a technology which allows the broker to grant temporary access to a third party without the third party seeing your credentials. This means that the only information stored by both TradeIt & KINFO is a token specifically assigned by the broker. The use of this token can be monitored, controlled and revoked at any time without affecting your credentials.

Furthermore, the token is not usable outside the integration between KINFO and the broker, which in turn is protected by another layer of security with firewalls. This means that the token can't be used to log in to your broker's interface.

If (god forbid!) your data within the KINFO platform should end up in the wrong hands, your credentials are still safe and the broker can revoke the token.

What are the security implications of screen scraping?

Screen scraping, on the other hand, uses your credentials to read your financial data from the broker's web interface. The only way to do this is to store your credentials in the integration partner's database. Even if they are encrypted in the integration partner's database, they have to be decrypted to be used when updating your account data. Furthermore, this means that strong one-way encryption technologies can't be used.

There is also no way for the broker to monitor or distinguish between your own access to your broker and a third-party service using screen scraping technology.

If the system using screen scraping technology is compromised, there is a relatively high risk that your actual credentials are exposed, which in turn can be used to log in via your broker's interface.

Proactive measures

Protection against threats is a continuous process, and while architecture & design is an important first step, any environment containing sensitive data needs a continuous process to ensure the environment is protected over time.

Vulnerability analysis & penetration tests

New threats arise every day in the form of automated use of vulnerabilities arising in operating systems and applications. It's therefore important to have an automated way of discovering and mitigating threats as soon as they are discovered.

Purpose

  • Vulnerability scans: Identify, rank and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
  • Penetration test: Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components.

We perform continuous vulnerability scans and penetration tests to ensure new potential vulnerabilities are discovered at the earliest possible point in time. These scans are performed by third-party providers and provide us with alerts and reports to take immediate action on.

Conclusion

Ensuring protection of sensitive data is massively complex and requires both an initial design and measures to ensure protection over time. While this document doesn't cover everything we do in detail, it should give you an overview of the initial and proactive measures we take and show you how seriously we take security.

Feedback

If you have any questions or feedback, don't hesitate to contact us. Email us at security@gokinfo.com