Just How Risky is Crowdfunding?

Posted by UpGuard

Crowdfunding and Cybersecurity

There are really only a few ways to get funding: from an individual such as a venture capitalist or billionaire, through a partnership or strategic investment by a corporation or state agency, or by getting a large number of people to each give you a very small amount of money. Crowdfunding websites claim to offer a platform for the last of these, giving inventors, artists and small businesses a way to propel themselves on the merits (or popularity) of their ideas, without the inside connections or extensive business acumen the other methods usually require. But because all of the transactions involved in crowdfunding take place on the internet, cybersecurity should be a number one concern for both users and operators of these websites. We used our external risk grader to analyze 7 crowdfunding industry leaders and see how they compare to each other and other industries.

The results were welcomingly uniform, with every one of the 7 sites having a score above 750, indicating a strong external security presence, with best practices and defenses correctly implemented. Kickstarter and Patreon had the highest scores, while PayPal's paypal.me site had the lowest score, still a good 766. PayPal's main site has an even better score, at 856, and we'll talk about why in the site breakdown below.

Immediate impressions to take away from this are that businesses in the crowdfunding sphere, processing millions of financial transactions a day, know that without security, the whole enterprise comes crashing down, often literally. People supporting projects on crowdfunding websites can also be assured that although nothing online or off is ever without risk, these sites are eliminating what they can to protect customer privacy. Other industries do not have an average score of 821. Not even close.

Site Breakdown

Kickstarter - kickstarter.com - 887 out of 950
Kickstarter.com External CSTAR score as of 7/6/16: 887

Kickstarter began in 2009 and has processed nearly $2 billion in transactions. Over 10 million people have used Kickstarter, so it's encouraging that it's at the top of the crowdfunding pack when it comes to security. 887 is a fantastic score that reflects a serious approach to cybersecurity and customer/company data protection. So how could it improve? Kickstarter doesn't use a mechanism called DNSSEC, which helps prevent spoofing, redirection and man-in-the-middle type attacks based on intercepting a DNS request and sending a malicious IP address in return. Additionally, Kickstarter could enable HttpOnly cookies, which help prevent client-side script attacks. Each little piece of security helps narrow the gap for risk, and the more you close it, the more difficult an attack gets. Overall, however, Kickstarter has a great external security setup.

The closest brush Kickstarter had with data breaches happened in February of 2014, when it declared that two accounts had been compromised by a flaw in their password encryption, which they immediately fixed. To put that in perspective, some healthcare industry breaches compromise millions of records.

IndieGogo - indiegogo.com - 867 out of 950
IndieGogo.com External CSTAR Score as of 7/6/16: 867

IndieGogo started in 2008 and like Kickstarter, operates mostly on a gift based contribution model. It clocks in with a respectable 867, just barely below Kickstarter. However, why it's below Kickstarter is interesting: the Business section of the score took a hit from IndieGogo's CEO approval rating. Slava Rubin only has a 68% rating, which means an increased likelihood of internal breach by disgruntled employees or just plain negligence when it comes to operating procedures. Utilizing GlassDoor data, UpGuard is able to incorporate all of the facets contributing to a company's external security profile, not just technical ones like encryption and open ports. The CEO embodies the direction in which the company moves, and a low approval rating often reflects an internal lack of faith in the product and/or business, which can be just as dangerous for cybersecurity as, if not more so than, an open database port.

GoFundMe - gofundme.com - 783 out of 950
GoFundMe.com External CSTAR Rating as of 7/6/16: 783

GoFundMe started in 2010, and unlike the previous two crowdfunding sites, operates on more of a donation type model, where contributors often expect little or nothing in return, creating a place for people to give and receive help with everything from bills to businesses. GoFundMe is our first site with a score under 850. Like Kickstarter and IndieGogo, GoFundMe does not utilize DNSSEC. But they also fail to harden their cookies using HttpOnly and the Secure flag. These are relatively simple and totally free configuration changes that would help to prevent client side impersonation and should be used on all websites. Nonetheless, GoFundMe still falls within the good range of scores with its 783, a score companies from many other industries would love to have.

Paypal - paypal.me - 766 out of 950
Paypal.me External CSTAR Rating as of 7/6/16: 766

If you're surprised that PayPal scored the lowest out of the group, keep in mind that what we graded here was the ancillary site paypal.me, PayPal's answer to crowdfunding. PayPal's homepage has a score of 856 as of the time of writing this, and their only deductions come from the aforementioned HttpOnly and Secure cookie configuration options; they actually have DNSSEC up and running.

What makes paypal.me lower than paypal.com is the lack of SPF protection for the email domain. SPF helps prevent spoofed email by providing a list of allowed source IPs. Chances are either PayPal does not use email on the .me domain, or they just haven't configured the SPF record to allow it. Either way, security is still top notch for PayPal, and this dent in their score reflects the complexity of modern, multi-domain IT environments. 

Snapcash - snapchat.com - 784 out of 950
Snapchat.com External CSTAR rating as of 7/6/16: 784

Social media company Snapchat started in 2011 and made it big with their (semi-) ephemeral communication service. In 2014, Snapchat paired with Square to offer Snapcash, a crowdfunding type service with Snapchat's user base and Square's payment system. Snapchat itself scored a 784, while Square scored a 783. The additional missing piece in Snapchat's configuration is called HTTP Strict Transport Security (HSTS), which forces users onto encrypted connections. Lack of this configuration can lead to man-in-the-middle attacks during handoff.
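The header findings named in these breakdowns (cookies without HttpOnly or Secure, a missing HSTS header, and the server version banner raised for Venmo below) can all be read straight from an HTTP response. The following is an added example, not UpGuard's grader code; the function names and the sample headers are constructed for illustration.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Server", "nginx/1.10.0"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "tracking=xyz; Path=/"),
]

def cookie_findings(set_cookie):
    """Return the hardening flags missing from one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return [f"cookie '{name}' lacks {flag}"
            for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]

def hsts_findings(value):
    """Check a Strict-Transport-Security value; None means the header is absent."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    # max-age=0 tells the browser to forget the policy, so it protects nothing.
    if not m or int(m.group(1)) == 0:
        return ["Strict-Transport-Security has no positive max-age"]
    return []

def audit(headers):
    """Audit a list of (name, value) pairs; Set-Cookie may appear many times."""
    findings, hsts = [], None
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            findings += cookie_findings(value)
        elif key == "strict-transport-security":
            hsts = value
        elif key == "server" and re.search(r"\d+\.\d+", value):
            findings.append(f"Server header discloses version: {value}")
    return findings + hsts_findings(hsts)

if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```
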

An interesting side note is that as of today, July 6th, 2016, Square's domain is less than a month from expiring. Need help keeping track of those pesky SSL certificates? Try UpGuard.

Venmo - venmo.com - 796 out of 950
Venmo.com External CSTAR rating as of 7/6/16: 796

Venmo was founded in 2009 as a crowdfunding solution, but is now part of PayPal. That said, Venmo still operates out of its own domain, which means a separate external security profile from PayPal's main site. But at 796 venmo.com still rates well, though not quite as high as PayPal's mothership. Venmo.com is missing two new configurations: first, it doesn't obscure its headers, so information about the server type and version can be discovered, which helps an attacker narrow down attack avenues. Secondly, Venmo lacks an email security mechanism called DMARC which, like SPF and DKIM, helps prevent email impersonation from a domain. Hiding the headers is simple and free and has been a common security practice for some time. DMARC is more complicated, but still a crucial piece of email protection.
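SPF (discussed for paypal.me) and DMARC are both published as DNS TXT records, so a domain's email posture can be judged from those records alone. The following is an added example, not UpGuard's grader code; it goes slightly beyond presence checks by also flagging policies that exist but enforce nothing, and the function names, domains and TXT records are constructed for illustration.

```python
# Constructed TXT records for made-up domains; not real DNS data.
SAMPLE_TXT = {
    "example.test": ["site-verification=constructed",
                     "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:reports@example.test"],
    "open.test": ["v=spf1 +all"],
}

def spf_findings(records):
    """Evaluate the SPF policy published in a domain's TXT records."""
    spf = [r for r in records if r.split(" ")[0].lower() == "v=spf1"]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as an error)"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    catch_all = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not catch_all:
        if any(t.startswith("redirect=") for t in terms):
            return []  # the policy is defined by the redirect target
        return ["SPF has no 'all' term: unlisted senders get a neutral result"]
    # A mechanism without a qualifier defaults to "+" (pass).
    qualifier = catch_all[0][0] if catch_all[0][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF ends in +all: every source IP is authorized"]
    if qualifier == "?":
        return ["SPF ends in ?all: unlisted senders get a neutral result"]
    return []  # -all (fail) or ~all (softfail)

def dmarc_findings(records):
    """Evaluate the policy in the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in records if r.replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    pairs = (t.split("=", 1) for t in dmarc[0].split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        return [f"DMARC policy is p={policy or 'missing'}: no enforcement"]
    return []

def audit_domain(domain, txt):
    """txt maps a DNS name to the list of TXT strings published there."""
    return (spf_findings(txt.get(domain, []))
            + dmarc_findings(txt.get("_dmarc." + domain, [])))
```
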

Patreon - patreon.com - 867 out of 950
Patreon.com External CSTAR rating as of 7/6/16: 867

Closing on a high note, Patreon, the content-based crowdfunding site created in 2013, has our second highest score at 867. Patreon is mostly used by artists, musicians and other content-producing individuals, as it is designed for an ongoing series of productions, rather than one single project, like Kickstarter. As far as security goes, it lacks DNSSEC and Secure flagged cookies, two of the usual suspects.

Crowdfunding is an interesting way for people to amass enough money to try a project, but also controversial, with questions of what should or shouldn't be allowed, scammers, projects that never get completed, or do and don't live up to promises. There's no room for cybersecurity to be more ammo against the idea, so having hardened configurations at least reduces the risk of a data breach or other reputation harming incident from infringing further on the business. More importantly, it allows people to feel confident in the underlying service that allows them to contribute, in a way previously impossible, to different voices and perspectives in an establishment-dominated landscape. Putting money into a project requires a certain leap of faith; cybersecurity shouldn't. UpGuard makes security transparent for both businesses and customers. Give our webscan a try on your favorite sites to see how they measure up. 
