In the heavily regulated world of global finance, you’d expect that international money transfer would be a complex and expensive proposition. And traditionally it has been. But in 2011, TransferWise created a platform that leveled the playing field and provided a money transfer service that was up to 8x cheaper than the banks. TransferWise is now responsible for sending the equivalent of over £1.5 billion every month in over 750 currency groups for over 2 million customers.
“Maintaining trust and security is paramount to having a functional business for us,” explained Edward Dowling, product manager in the Security Team at TransferWise. “We can be the most convenient, the fastest, and the cheapest way to send money abroad, but if we don't have strong security underpinning all of that, it doesn't matter,” he said. “If customers don’t trust us, they won’t use us.”
Building that trust is a daily occurrence at TransferWise, which, as an international service, frequently fends off attempted attacks. “You spend the entire lifespan of a company building up a foundation of trust, but it’s very easy to lose,” said Dowling. “Even the smallest leak of user data can quickly erode trust, destroy the brand, and ruin everything you've built as a company.”
The security landscape has changed quite a lot since TransferWise was founded. Initially, customers wishing to set up a transfer and lock in a favorable exchange rate would go through their bank’s security practices in order to send TransferWise the money. “There wasn't a need for upfront account security in those days,” explained Dowling, “because getting access to a TransferWise account wouldn't give you access to customer funds.”
However, in 2017 TransferWise introduced the Borderless Account, which lets business customers hold currency with TransferWise provides local account details in four different currencies, and lets you hold and convert 28 currencies. And this year the company will rollout a low-fee debit card to consumers. In essence, TransferWise has created a multi-country bank account. “Giving individual and business customers the ability to actually store funds with us, completely changes the security landscape for us,” says Dowling. “It’s forced us to reconsider the importance of account security.”
There’s also the fact that serious cybersecurity security threats are getting more common and increasingly focused on financial services. One of the toughest attacks to protect against is ‘credential stuffing,’ which runs botnet brute-force scripts of email address and password combinations in an attempt to find one that works. “With botnet requests coming from thousands of IP addresses from all over the internet, it’s very hard to predict and find a pattern that matches,” explained Dowling. “That's why TransferWise looked to Twilio's Authy for a more robust two-factor authentication solution than the current SMS protection we were using.”
The thing about security is you don't know what you have prevented. You know the effect of an attack, but you don't necessarily know what never happened because of the protections you put in place.
Dowling added that TransferWise initially investigated TOTP, time-based one-time password tokens but reconsidered. “Our customer base tends to skew older than typical users of tech apps,” he explained. “So reducing the friction becomes a very big concern for us. If users aren’t familiar with 2FA, trying to understand what it is and how to set it up properly can be frustrating for them.”
Other decision criteria that TransferWise had to consider involved SCA (Strong Customer Authentication) regulations which, as part of PSD2, mandate the concept of dynamic linking. Dynamic linking requires that a code for any transaction, whether it’s a login or a financial transaction, has to be unique for that transaction. It can't be used for any other transaction at all. “TOTP tokens wouldn’t work for us,” added Dowling, “because the same 2FA token is valid for 30 seconds to a minute and can be used to let you log in, and then authorize a transaction or two, all with the same numerical code. It isn't specific to a transaction.”
Through the process of elimination, Dowling’s team found themselves focusing on push authentication products only, and looked for the best way to incorporate that security directly into the existing TransferWise app. “We landed on Twilio's Authy SDK,” said Dowling, “which gives TransferWise customers total transparency in knowing where a login request is coming from and when it was initiated. Plus, we thought that being able to add strong security directly into our own app would make using 2FA an easy choice for our customers.”
At TransferWise, two-factor authentication is required only for customers who have the company hold money on their behalf, for example, anyone with the Borderless account. Over the course of the next year, the company will be deprecating SMS as the primary authentication method and moving solely to Twilio’s push authentication solution. Dowling clarified: “All TransferWise customers can set up 2FA, but we mandate it for Borderless accounts.”
To make it simple to upgrade to stronger push authentication security, TransferWise delivers a prompt after users complete a successful login via SMS authentication. And even though it’s working — to date, about 93% upgrade to push — Dowling admitted that about 10% of customers who have enabled push authentication revert to SMS. “That typically occurs when someone purchases a new phone or loses a device,” he said. “We'd love to get that metric down to about 5% by improving communication about device recovery and making self-service recovery easier for customers.”
“The worst thing that could happen to us from an account security standpoint is account takeovers, when someone gains unauthorized access to someone else's money. So that's where we want to put the most protection,” Downing said. With two-factor authentication, TransferWise figures the likelihood of account taken over is reduced to near zero.
“Right now, between 20% to 30% of all of our logins use 2FA. We consider that to be a huge success in helping customers to not even be at risk of a particular attack,” he added. “But we’re constantly trying to improve on that by looking at how we can better educate users about the security options they have.”
To that end, users who haven't opted into 2FA are given another nudge whenever they log back into their TransferWise app, typically about once every month or so. “We want to get a little more aggressive in encouraging users to upgrade,” said Dowling. “We're working on new approaches in customer onboarding to close the gap and get more users authenticated.
Using the Twilio Authy SDK, TransferWise went from initial implementation to launch in just under three months. “Our needs included integrated Authy into our mobile application as well as into the back-end of the TransferWise website,” said Dowling. “After some initial exploratory work by our developers, Twilio took the entire team through a three-day, onsite workshop to guide us through implementation, show us best practices and common pitfalls.”
Early builds were sent to Twilio for feedback. Particularly important was ironing out the ideal user experience during device recovery. “The technical part was very, very simple,” Dowling said. “The biggest hurdle to get over was around internal processes like training customer service and coordinating the release across iOS, Android, and web. If we had any issues, Twilio was always available by email or phone with suggestions to get us there.”
Push authentication lets our customers protect their accounts with much more granularity and much higher levels of security. It let’s us maintain their trust and increase their feeling of safety when using TransferWise.
Dowling cites three areas that point to positive results coming from the implementation of Authy Push Authentication.
1. Return-On-Investment: “Thankfully, we've never had money lost to an account takeover. But when you consider that whenever we do see a large-scale credential stuffing attempt, it typically involves two engineers working full-time for two days to properly analyze it and to develop mitigations against it. Add another two days of operational work to educate customers, confirm with them that no data has been lost, and assure them their account is safe. So really it's the equivalent of about six days worth of human effort to deal with each attempt. That’s a lot of time and money saved by having 2FA.”
2. Customer Service: “By moving away from SMS, we've seen a huge reduction in customer service contacts about deliverability problems. One of our biggest issues was that many of our international customers were not able to access their accounts when traveling because we were 100% relying on SMS. That’s no longer an issue for them.”
3. User Delight: “Customers love the convenience, the transparency and contextual information we deliver. We’re able to tell users that a login request came from a particular country, on a particular web browser, or from a specific device. They can understand what's happening a lot more now and they appreciate that.”
While TransferWise already use Twilio’s Programmable SMS and Programmable Voice, they are also looking to potentially integrating Twilio Studio to automate certain customer support flows. In addition, the company is in the process of evaluating the Twilio Verify API for phone verification. And of course, there is the expansion of their use of the Authy API.
“Our goal is to have the majority of TransferWise customers using push authentication,” said Dowling. “We want to onboard people as quickly as possible so that we are ready for SCA in 2019.”
Another next step for Dowling and his team is to extend 2FA beyond login and apply it to specific actions like authorizing transfers and protecting the viewing or editing of personal profile details. “These are the sort of sensitive actions we want to be protecting with Authy two-factor authentication,” said Dowling. “It's this tiered level of security where a customer's data and privacy always comes first.”