Following the template described in defining the risk context, this post will now break down the elements that build the bigger picture.

User activity and actions

NOTE - there are other actions done prior to this, like using a computer and a browser. They are not in scope for this use case, which will focus only on Web Shopping specific actions.

1. Choose a P2P Lending Platform

There are many P2P Lending Platforms out there and investors will typically select them based on the advertised return on investment rate and financial risk specifics such as buyback-guarantee.

2. Create account

P2P Lending Platforms make it easy for the user to create an account with any kind of email address. A verification of identity might be included as part of account creation but not in all situations.

3. Deposit funds

The user will be presented with multiple methods of depositing funds, usually via bank transfer or 3rd party apps.

4. Invest / set auto-invest

The P2P Lending platform will present the user with a dashboard where funds can be invested as the user sees fit. This usually involves choosing between various risk ratings and various offerings. If it's a lending platform, this will involve choosing between various loan originators or countries.

Some platforms offer the possibility of auto-investing, where risk and investment profile is created and funds are automatically invested based on the criteria defined.

5. Withdraw funds

The user has the possibility to withdraw funds from the account at any moment, given that they are not currently invested. There can be restrictions as to which account the funds can be withdrawn to, usually the same account that was used to deposit.

Assets identified

  • end user personal information - name, email, password, identity documents (passport, driver's license)
  • end user financial information - bank account, 3rd party payment platform reference like username, amount of funds invested, amount of funds available
  • loan documentation - legal contract, legal and financial analysis

Adversaries identified

Note - the below enumerated adversaries are considered the most relevant for this use case. There can be other adversaries as well, but they might be restricted only to specific scenarios.

  • script kiddiez - P2P lending platforms are usually built using a known web content management system under which some additional coding has been done. This makes them a regular target for simple scammers and other poorly prepared adversaries

  • organized crime groups - millions of Euros and Dollars are invested in these platforms, which can attract more sophisticated adversaries

  • money launderers - as mentioned in the adversary perspective, marketing and sales are dramatically boosted when using (potential) consumer data, making any kind of personal information valuable

Threats for the platform

1. Fraudulent accounts used to launder money

Banks have been used to launder money in various ways in the past. Being so easy to use, P2P Lending platforms provide a good ground for money laundering.

2. Loss of money via manipulated values in interest/principal

Values related to interest rates and amount of funds can be manipulated resulting in artificially inflated or deflated funds. This can generate an issue for both the investors and the platform, as the financials won't add up at the end of the day (or month) but may not be noticed until it's too late. Lack of visibility into the databases and their security isn't something that's out of the ordinary - it's quite common and worrisome.

3. Unavailable platform

The investment service is only available online and if the platform is rendered unavailable, the company cannot continue to deliver its service. This can happen either due to:

Investors cannot deposit or withdraw and the whole business is halted.

4. Regulatory fines

GDPR fines are not a myth anymore and they have been applied to various companies in various industries. An investor personal data leak via the platform or via the 3rd parties used to process that data is a very likely scenario for any online service.

Threats for the End User

1. Fraudulent platform

Even though they provide financial services, P2P Lending Platforms are not regulated as banks or other known financial institutions. This opens the possibility for fraudulent platforms to appear and simply absorb as much money as they can, after which they are either closed by official investigation or simply disappear with all funds. And yes, it did happen already and is most likely going to happen again.

2. Unavailable platform

Since the service is available online, it will be a target of cyber attacks. As a consequence, the platform can become unavailable and users are delayed from withdrawing money and investing.

3. Identity theft

Attackers can also get access to your personal information and use it to either extract funds on your behalf or to steal your identity in relation to other services. This can happen either because:

  • the platform and its data processors have mishandled your information. The platform will tend to say that this is not likely, but data breach statistics prove that wrong
  • you, as an end user, have mishandled your information, allowing others to use it (e.g. your passport or identity card has been photographed). Cannot happen to you, right? Going through some statistics on identity theft may change your mind.

4. Unauthorized change of deposit details

Attackers can manipulate information on the website which lists the bank account details to which investors deposit money. This can happen by:

Or attackers can compromise the company's communication platforms (email, chatbot, phone number redirect) and use them to mislead investors into depositing their funds into fraudulent accounts.

5. Loss of money via manipulated values in interest/principal

Attackers can manipulate information resulting in either funds being transferred from one account to another or artificially inflated funds which can then be withdrawn, thus affecting the investors' balances.
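The manipulated interest/principal threat (listed above for both the platform and the end user) is only caught if the financials are actually made to "add up" before the end of the month. The following added example, not from the original post, is a reconciliation routine that recomputes each investor's balance from the journal and each interest posting from the loan terms; the ledger layout, the simple-interest rule and all sample figures are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
# Effect of each journal entry kind on the investor's available balance.
SIGN = {"deposit": 1, "withdrawal": -1, "invest": -1, "principal_back": 1, "interest": 1}

@dataclass(frozen=True)
class Entry:
    account: str
    kind: str           # one of SIGN's keys
    amount: Decimal
    loan_id: str = ""   # set for invest / interest / principal_back entries

@dataclass(frozen=True)
class Loan:
    loan_id: str
    principal: Decimal
    annual_rate: Decimal   # Decimal("0.12") means 12 %
    days: int              # days the principal was outstanding

def expected_interest(loan: Loan) -> Decimal:
    # Assumed product rule: simple, non-compounding interest rounded to the cent.
    raw = loan.principal * loan.annual_rate * loan.days / Decimal(365)
    return raw.quantize(CENT, rounding=ROUND_HALF_EVEN)

def reconcile(entries, loans, stored_balances):
    """Return anomaly strings for (a) stored balances the journal does not explain,
    i.e. a value edited directly in the database, and (b) interest postings that do
    not match the loan terms they claim to come from, i.e. an inflated posting that
    the journal itself would happily 'explain'."""
    anomalies, journal, interest_paid = [], {}, {}
    for e in entries:
        journal[e.account] = journal.get(e.account, Decimal(0)) + SIGN[e.kind] * e.amount
        if e.kind == "interest":
            interest_paid[e.loan_id] = interest_paid.get(e.loan_id, Decimal(0)) + e.amount
    for acct, stored in stored_balances.items():
        if journal.get(acct, Decimal(0)) != stored:
            anomalies.append(f"{acct}: stored {stored} vs journal {journal.get(acct, Decimal(0))}")
    for loan in loans:
        exp, got = expected_interest(loan), interest_paid.get(loan.loan_id, Decimal(0))
        if got != exp:
            anomalies.append(f"{loan.loan_id}: interest posted {got} vs expected {exp}")
    return anomalies

def run_demo():
    D = Decimal  # constructed sample data: inv-1 is clean, inv-2 and inv-3 are tampered
    entries = [Entry("inv-1", "deposit", D("1000")), Entry("inv-1", "invest", D("500"), "L1"),
               Entry("inv-1", "interest", D("4.93"), "L1"),
               Entry("inv-2", "deposit", D("2000")), Entry("inv-2", "invest", D("1000"), "L2"),
               Entry("inv-2", "interest", D("1000.00"), "L2"),   # inflated: terms say 100.00
               Entry("inv-3", "deposit", D("300"))]
    loans = [Loan("L1", D("500"), D("0.12"), 30), Loan("L2", D("1000"), D("0.10"), 365)]
    stored = {"inv-1": D("504.93"), "inv-2": D("2000.00"), "inv-3": D("900.00")}  # inv-3 edited in DB
    return reconcile(entries, loans, stored)
```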

6. Unauthorized withdrawal of funds

An attacker can gain access to your account and request to withdraw the funds to one of the attacker's accounts. The attacker could also gain access to the database holding this information and change the withdrawal account details in there. When you initiate a withdrawal, the funds end up in a different account than expected.
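Both variants of this threat (a payout account added through a hijacked session, and payout details edited directly in the database) can be caught at payout time. This added example, not part of the original post, seals each payout record with an HMAC under a key the payout service holds outside the database, and only releases funds to an account the investor has actually deposited from (the restriction described under "Withdraw funds"); the record layout, the cooling-off period and the key are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key. Assumption: in production it lives with the payout service
# (or an HSM), never in the same database as the payout records it protects.
PAYOUT_KEY = b"constructed-demo-key-not-for-production"

@dataclass(frozen=True)
class PayoutAccount:
    investor_id: str
    iban: str
    added_on_day: int    # day number on which the investor registered this account
    tag: bytes = b""     # HMAC over the three fields above

def tag_for(acct: PayoutAccount) -> bytes:
    msg = f"{acct.investor_id}|{acct.iban}|{acct.added_on_day}".encode()
    return hmac.new(PAYOUT_KEY, msg, hashlib.sha256).digest()

def seal(acct: PayoutAccount) -> PayoutAccount:
    """Called by the payout service when an investor legitimately registers an account."""
    return replace(acct, tag=tag_for(acct))

def authorize_withdrawal(acct, deposit_sources, today, cooling_days=3):
    """Return (ok, reason). deposit_sources are the IBANs this investor has really
    deposited from, as reported by the payment processor, so they do not share a
    table with the record an attacker might edit."""
    if not hmac.compare_digest(acct.tag, tag_for(acct)):
        return False, "payout record tag mismatch: possible direct database edit"
    if acct.iban not in deposit_sources:
        return False, "destination was never used to deposit funds"
    if today - acct.added_on_day < cooling_days:
        return False, "payout account too new: re-verify out of band first"
    return True, "ok"

def run_demo():
    # Constructed scenarios for investor inv-1, who deposited from IBAN "DE-DEPOSIT".
    sources, today = {"DE-DEPOSIT"}, 100
    legit = seal(PayoutAccount("inv-1", "DE-DEPOSIT", 10))
    return {
        "legit": authorize_withdrawal(legit, sources, today),
        # Attacker edits the IBAN in the database without being able to re-seal it.
        "db_edit": authorize_withdrawal(replace(legit, iban="XX-ATTACKER"), sources, today),
        # Attacker registers their own account through a hijacked session: sealed, but unknown source.
        "hijacked_session": authorize_withdrawal(seal(PayoutAccount("inv-1", "XX-ATTACKER", 100)), sources, today),
        # Investor re-adds a genuine deposit account today: valid, but still inside the cooling-off period.
        "too_new": authorize_withdrawal(seal(PayoutAccount("inv-1", "DE-DEPOSIT", 99)), sources, today),
    }
```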

Since the risk context is now built, it is now time to move on to how we address the threats related to Investing in P2P Lending Platforms.