Facebook-owned WhatsApp, a cross-platform mobile messaging apps, announced their new default security encryption settings for their end-users. What does this really mean for their one billion plus user base? Well easy, WhatsApp’s application of "end-to-end”
encryption to messages and calls ensures that only the end-user and the recipient can read what is sent. This new move guarantees the maximum privacy of end-users’ personal communication.
“WhatsApp has always prioritised making user data and communication as secure as possible…people’s private communication is one of the core beliefs we have at WhatsApp.” Said Jan Koum and Brian Acton, co-founders at WhatsApp.
With increase leakage and hacking of sensitive data, the company realised the need to implement security features that enable protection and safety for their end-users’ personal conversations. This topic is not a relatively new for WhatsApp, the company
had made the first step toward this feature in 2014. The end-to-end encryption was made available to standard messages sent on Android smartphones and now the technology applies to all of their users on iOS and other operating systems. The new security feature
includes all types of messages, like group chat, videos, or photos. The value WhatsApp places on security can be demonstrated in just how far the encryption is applied, the handful of visible signs; an alert confirming that messages and calls are now end-to-end
encrypted, and the end-user can manually verify by scanning a unique QR code or comparing a 60-digit string of numbers that is generated for each chat.
Personal financial data: privacy and security
If leading technology companies like WhatsApp are highly concerned with end-user data privacy and security, how do we expect Financial Institutions to protect our personal data?
More and more third-parties are accessing end-users' financial and accounts information to run their financial apps, one of the most common use-cases is account aggregation and personal financial management tools. Recognising the trend toward personal financial
information driven innovation models, the recent European PSD2 directive has introduced new X2A provisions that will require open API driven access to account data. However, giving access to personal financial data to service providers could weaken end-users’
personal data privacy and security.
This can be avoided by using account aggregation providers offering a privacy by design solution. The privacy by design architecture keeps the user’s privacy and security in mind; by enabling user to store their personal on their device of choice. By storing
personal data on the user’s device, only the user has access to their personal data, not even the third-party service provider can access it. The personal data is secured with an encryption key which is stored separately to, but unique to the end-users device.
All of this happens automatically; control and ownership of end-users' data remain in their hands. That is why the user's personal data should not be saved on third-party servers, but directly on the user's device, third-parties cannot access the users' personal
data unless the customer choose to share it via explicit privacy controls.
PSD2 also establishes a stricter rule concerning user authentication. It requires to apply "strong customer authentication" in cases where an organisation or consumer tries to access their accounts online. It is clear this requirement will require a number
of service providers to revise the authentication mechanisms currently used in their solution.
Only service providers offering multi-factor authentication capabilities will be compliant to the PSD2 directive.