Characterizing security and privacy practices in emerging digital credit applications

Access to credit can provide capital crucial to both businesses and individuals. Unfortunately, for large parts of the developing world, access to credit is not available because customers often lack the traditional data used by lenders to make such decisions (e.g., verifiable payroll statements, property ownership documents). Emerging online credit services address this need through the use of non-traditional creditworthiness data, which many believe to include user geolocation and social network information. While such systems both potentially expand credit availability and improve usability through instant evaluation, their security and privacy practices remain opaque. In this paper, we perform the first comprehensive security analysis of the emerging online credit space. To provide improved transparency, we select 51 representative companies across the industry, analyze their privacy policies and compare them to the sensitive data types mobile applications actually gather. We then evaluate the configuration of connections between mobile apps and their supporting servers to determine whether they securely handle such data. Our analysis demonstrates significant security and privacy issues across this burgeoning industry, including the gathering of previously undisclosed data types and widespread mis-configuration of encryption. We conclude by discussing our efforts to work with partners in and around the industry to improve these issues.