The FinTech industry is injecting modern technologies into traditional financial services and making them more accessible through e-wallets. With safety in mind, app development companies need to make these alternatives secure to increase adoption.
The financial sector hasn’t been immune to the technologies that have permeated industries worldwide. Everything from banking to insurance has been subjected to modernization and imbued with technologies, such as e-wallet apps, to offer alternative payment solutions. For this reason, financial technology—or FinTech—has become a dynamic digital force that has disrupted the way people conduct payment transactions. Indeed, the exponential growth in mobile device usage has nudged it forward. Still, it has become ever more popular during the pandemic due to the increasing demand for cashless, touch-less transactions.
FinTech initiatives have driven the search for a cashless society for the last years, and countless apps and platforms have spawned. Among this proliferation of FinTech apps, digital wallets, or e-wallet apps, are pushing cashless interactions forward. These types of apps, however, aren’t only benefitting financial institutions and their client base. Many governments and companies from various industries, particularly retail, are taking digitized approaches to payments. To drive this point home, the E-commerce Foundation found that more than 25% of the consumers make weekly retail-related purchases via mobile devices. Plus, those figures will undoubtedly keep growing, and mobile payment solutions will become the norm in days to come.
As with any form of sensitive digital data exchange, some questions arise: Are these payment solutions safe? Are developers enforcing the appropriate security measures to keep their users’ data protected? What are these security measures, and how important are they? Let’s find out.
What is an e-wallet?
Digital wallets—or e-wallet apps—are software-based app that allows users to link their bank accounts, store their cards digitally, manage crypto activities, or add funds to make online payments using a mobile device. In layman’s terms, they are the digital version of a real wallet. Unlike traditional banking apps, e-wallet apps allow users to add an amount of cash, or a card number, directly on the app to pay online or in a physical establishment. Depending on whom the e-wallet app’s users are, you can implement payment methods such as QR codes or Near Field Communication (NFC) compatibility to facilitate transactions. Some e-wallets can even interact with a mobile phone’s SIM card, allowing them to work without an internet connection. What makes e-wallet apps so attractive is that they are a safe, fast, touch-less, and reliable alternative to physical payment methods. Banks can create e-wallets for their users to handle payments and accounts, or they can come from third-party providers with different sets of features. Some send and receive money (P2P), others enable payments through the web, and others offer contactless payment options.
• Some of the most popular e-wallet apps are:
- AliPay
- We Chat Pay (Market leader with 600 million users)
- Apple Pay
- Google Pay
- PayPal
- Samsung Pay
These apps’ popularity has grown to reach almost $1449.56 billion in 2020, with $ 5399.6 billion forecasted by 2026. Furthermore, according to Visa, 79% of the transactions carried out in Australia are done electronically, with only 21% in cash transactions. In contrast, the US lags on mobile wallet adoption with a mere 29%, inferior to the 81% adoption rate in China. This lag in adoption rates, however, can be explained by Americans having mobile payment security concerns. A 2019 study by Statista showed that 65% of smartphone owners have fears about fraud and identity theft, which is why they’re not using mobile wallets. Additionally, by the end of the same year, only 1% of the USA population and 5% of the UK were using e-wallets.
Unlike Asia and the Pacific, western cultures, in general, are more reluctant to adopt mobile payment solutions due to safety fears. For this reason, developers of FinTech apps must adopt the appropriate safety measures to safeguard user information and keep doubts that hinder e-wallet adoption at bay.
E-wallet Security Measures
To ensure that mobile payment solutions keep taking the world by storm in a safe way, developers must protect information and its traffic. Contrary to what most people believe, e-wallet apps are safer than real wallets. Even if a user loses their phone, the security measures implemented upon the app will render the e-wallet useless for anyone accessing it unlawfully. However, app developers are responsible for putting in place these safety walls and pushing e-wallet adoption forward.
To provide some context first, here are the top crucial parameters for information security:
- Confidentiality: Only authorized users can access information.
- Integrity: Protect data from unauthorized modifications.
- Availability: Ensure that data is available when authorized users need it.
Considering information is “easily” altered through insecure wireless networks, mobile transactions through e-wallet apps are more vulnerable to attacks. Therefore, implementing the right security controls and protocols helps prevent external access and manipulation of a user’s sensitive financial information.
First and Foremost: Enforce Secure Coding Practices
According to a study conducted by Immuniweb, 92% of mobile banking-related applications contain at least one security vulnerability. Additionally, 97 out of 100 banks are vulnerable to attacks that enable hackers to steal financial data. These numbers shine a light on the fact that no matter what features your e-wallet app has, its success lies in the foundations you set in place when coding. Just like an architect wouldn’t build a house with faulty beams and poor structural support, you shouldn’t develop an app with weak coding and security holes.
Remember, the code is a crucial component to protect the sensitive financial data saved on the server and the user’s device. Therefore, it is good to map out the app’s security layout upfront and be aware of potential flaws in the code that could lead to a breach. This way, taking a security-first approach when coding will deliver a better product and reduce future damage mitigation costs.
Additionally, your e-wallet app needs to have a robust IT infrastructure that supports input validation, and reviews received data in the app. Also, be careful when granting external access and define access rules based on roles and permissions to protect sensitive data. Determine whether it is necessary to keep debit, credit, account numbers, or other valuable information. If the e-wallet app can function efficiently without this delicate financial data, then don’t store it.
Finally, always make sure you:
- Introduce the use of complex passwords and disable them after multiple failed attempts.
- Keep logs of the geolocation, IP address, and actions every user performs.
- Monitor transactions and enforce a payment blocking feature for suspicious transactions.
- Enforce multi-step authentication for large transactions.
- Ensure API and web server security.
- Educate users on passwords, device sharing, and protection practices.
- Always implement quality assurance procedures and testing.
Employ User Authentication Protocols
Since user authentication provides the first security layer, one-factor authentication methods such as password/username aren’t always the most secure. These authentication methods, although widely used, are neither convenient nor secure. CSO Online found that financial cybercrime will cost $6 trillion annually by 2021, up from $3 trillion in 2015. Therefore, you need to implement more complex authentication schemes such as 2FA or MFA. Note that some encryption techniques can also double as authentication methods, and since encrypting is not optional for FinTech apps, you usually can also authenticate while enforcing encryption. We’ll dive into this later on.
• Two-Factor Authentication
Two-factor authentication requires the app’s user to verify their identity in two different ways before accessing an account. 2FA usually requires a token delivered through a method that is only accessible to the user. However, other different second factor approaches such as biometrics, fingerprints, or retina are also acceptable. Whichever the case, the system must validate both verification steps before granting access to the app. 2FA is a fool-proof approach to safety in e-wallet apps because it ensures that a compromised password isn’t enough to access the user’s assets. Without knowing the method and having access to the second factor, the password is useless, and the account is protected. Some of the most popular 2FA methods developers can enforce are:
- SMS token: A 5-10 digit code sent to the user’s phone.
- Email token: A 5-10 digit code or link sent to the user’s email.
- Software token: The user installs an app (like Duo Security or Google Authenticator) on their mobile device that generates unique tokens.
- Hardware token: The user has a device that generates tokens.
- Biometrics: The user’s physical characteristics are the token.
2FA can be independently coded and programmed into your app, but tools and platforms, like Auht0, which we often use, provide this service. Auth0 enforces 2FA depending on your choice of method and prompts the user to use said tokens to access their e-wallet app.
• Multi Factor Authentication (MFA)
MFA, on the other hand, combines two or more protocols of user authentication to grant access. In e-wallet apps, MFA is useful when a transaction needs further security measures that go one step further from 2FA. MFA compiles the same procedures and principles as 2FA but with additional factors that need verification. Most e-wallet app developers find 2FA enough for user authentication.
• Access Tokens
In the context of mobile banking solutions, developers use access tokens in token-based authentication as a security barrier to authenticate users. For FinTech, access tokens represent the authorization acceptance of an application to access specific parts of a user’s financial data. In e-wallet apps specifically, they are widely used to establish a connection between the application and a third-party API. Keep in mind that your app must secure the storage of access tokens to make sure they are not accessible to other applications on the same device.
Access tokens also help users not to have to authenticate again for each request to the server. However, they are time-sensitive, so if the user logs out or the usable time frame runs out, the token expires. These time frames enable session expiry protocols that protect user data from lost devices or open sessions in public establishments.
Furthermore, access tokens are in JWT standard, which also specifies what content the user can access, how long that permission lasts, and what they can do while logged into the app. At Foonkey Monkey, we often program our own JWT/access token protocols, but we also use Azure Ad and Okta tools for safer, cost-cutting authentication processes
Enforce Encryption
As stated above, data confidentiality and integrity are two of the pillars of enforcing security protocols in FinTech apps. Safeguarding data is not optional in e-wallet apps. Henceforth, cryptographic methods are a must to avoid data interception, leakage, and theft.
• PKI
As you probably already know, the purpose of encryption is to turn the shared financial data or “plaintext” into random characters or “ciphertext.” One of the most implemented encryption methods is Public Key Encryption (PKI). PKI is useful in e-wallets apps because it provides a trusted base for securing electronic transactions through financial applications.
Furthermore, it serves as both an encryption mechanism and an authentication method, so it’s a win-win for developing a secure FinTech app. PKI encryption systems consist of a key pair with one secret key (private key) and one public key. In other words, the sender of the data encrypts it with a public key, and only the receiver can read, or decrypt, that message with a private key. Consequently, since data can only be decrypted with the private key, and the recipient is the only one who has it, access to the financial data is controlled, and confidentiality is assured.
• SSL Certificates
Like PKI encryption, SSL (Secure Sockets Layer) certificates help with data security when in transit and provide cryptographic authentication to prevent attacks. SSL protocols use asymmetric and symmetric encryption methods to transfer data securely by authenticating the communicating parts and encrypting the message. They need to be purchased to provide HTTPS to your e-wallet app. SSL certificates are even more relevant now due to Google enforcing HTTPS usage everywhere. HTTPS serves to identify a site’s authenticity and allows end-to-end encryption of all communications between the app and the server. They are a useful encryption method for e-wallets because they secure the app’s transport channels to transmit financial data and tokens to a back-end service.
There are other types of encryption methods and algorithms such as Triple DES, Blowfish, and FPE that use either symmetric (one) or asymmetric (two) keys for decryption. JWT, as stated previously, can also be a safe way of transferring data, and it can either be encrypted or verified by a digital signature.
Implement Payment Tokens (Tokenization)
Payment tokens help replace the stored payment confidential data with non-confidential data or tokens. This “tokenization” converts payment information to a string of random digits with no value. Merchants receive the token and store it in token-form, never knowing the actual data behind it. Payment tokens are only valid in their specific context; consequently, the token is useless outside that context. A single credit card can have several tokens and be used on several devices safely.
Use Blockchain
Since its birth, Blockchain has been one of the most useful technologies for financial service security. Using Blockchain is a no-brainer, mainly if your app deals with Bitcoin or other cryptocurrencies. For e-wallet apps, Blockchain is useful due to its inherently tamper-proof and immutable structure. According to statistics, the global blockchain market will reach $20 billion by 2024, and as of 2020, 69% of the banking industry was using blockchain technology. This number comes as no surprise considering its benefits to the financial sector as a publicly accessible ledger for recording digital transactions.
For FinTech apps, Blockchain has increased data privacy, and its hash-based encryption technique is considered impassable. Furthermore, it has a decentralized architecture, which annuls the risks of third-party apps or users removing an entry and breaking the safety chain. Since individuals must add data blocks in sequence, they are connected in a network and form an irreversible chain, which means no information can be modified or erased except by authorized users. This way, FinTech app developers can create an all-inclusive payment and financial ecosystem. This ecosystem remains fast, traceable, and affordable while protecting sensitive account data, transaction information, and personal information every other piece of documentation shared on e-wallet apps.
We at Foonkie Monkey use Blockchain technologies, especially the Ethereum Blockchain, to develop secure, traceable, and functional FinTech apps. Hyperledger, R3 Corda, and Dragonchain are other types of Blockchain tools with different features but preserve the safety and immutability principles associated with Blockchain.
Implement Proper Testing Techniques
Lastly, you must ensure that your e-wallet app is tested, not only at the last stages of its life cycle but during the early stages of programming. Testing the security of your app is pivotal to pinpoint soft spots and flaws before launching it. Whether you decide to do automated or manual testing, make sure to enforce procedures that detect bugs and errors at every stage of your development process to reduce failure costs and problems due to data leaks significantly.
Additionally, use adequate Quality Assurance (QA) techniques to identify and eliminate vulnerabilities and double-check all weaknesses in authentication and authorization, encryption techniques, and all the other aspects discussed in this article.
At Foonkie Monkey, we often work with automated testing tools such as Postman, Selenium, Cucumber, Serenity, Appium, and Azure DevOps to report issues, errors, or considerations regarding app testing.
What the Future Holds?
As we learned earlier, e-wallets and other mobile payment apps are still not fully adopted globally, and the main reasons are all related to safety concerns. Although it is quite a challenge, building a safe and functional e-wallet app will be your badge of being a trustworthy development company and will help propel the industry forward. Not only that but enforcing security practices will also give your e-wallet app a distinct advantage over competitors. Moreover, even though mandatory and necessary, all the security mechanisms described above must be smart and light. They should promote the usability and efficiency associated with mobile payment alternatives; if using the app is more challenging than just opening your wallet and getting your card out, the app’s bones need reassembly.
At Foonkie Monkey, we have developed over 200 apps, including several FinTech and banking apps that always perform at high-levels of operability and efficiency while running on safe and secure protocols. We work with cutting-edge technologies that help us deliver a reliable, innovative, and secure FinTech app. All our safety approaches have ensured wholesome banking apps’ successful delivery to companies like BSJI inc, Bancolombia, Davivienda, and the Interamerican Development Bank.
Feel free to contact us if you want us to develop your FinTech app!