How TransferWise Uses Twilio 2FA to Move Money Securely

Every month, TransferWise moves over £1.2 billion around the world for hundreds of thousands of people. Learn how they keep all that money safe and secure.

Learn More

How TransferWise Uses Twilio 2FA to Move Money Securely

TransferWise is an international peer-to-peer money transfer platform that’s able to move money around the world faster, more conveniently, and sometimes up to eight times cheaper than banks. Every month, the company moves over £1.2 billion in customers funds between more than 50 countries. But with this much money comes great responsibility.

Regardless of how fast, convenient, and affordable their service is, as soon as TransferWise loses customer trust through a data breach, it’s game over for the company. To ensure that doesn’t happen, TransferWise’s Edward Dowling, Product Manager, and Artyom Fedenka, Security Engineer, explain how the company planned, executed and deployed an integrated user authentication experience built on Twilio.

In this talk at SIGNAL London 2017, you’ll hear about TransferWise’s rapid growth—with doubled transfer volume in the last two years. You’ll also hear about the shifting security landscape for not only TransferWise, but many financial tech companies who are under pressure to meet new regulatory requirements like PSD2 that mandate strong customer authentication to authorize account access.

Until about 12 months ago, user authentication was not a critical part of the TransferWise security model. Originally, customers would visit the TransferWise website to move money from one country to another between bank accounts. No account information was stored on the system. Now, however, as the business model has shifted, people can send money using saved credit and debit cards. The company has also rolled out a “borderless bank account” where customers can store money, similar to PayPal and a traditional bank account. These new services are popular with users...as well as botnets.

Now that TransferWise accounts have become more valuable, they are more frequently a target of malicious actors. It’s not uncommon for the company to see 40,000 botnets of different and unique IP address is trying to run credential stuffing or hit particular endpoints. To face this attack of the killer botnets, TransferWise had to carefully consider how to build a secure and convenient user authentication system on top of a large, fast-moving code base. Suddenly their security model needed to change dramatically. Authentication and protecting endpoints became a top priority.

But TransferWise isn't a security company; they are a money transfer company and a financial institution. And they didn't want to build the security solution themselves. Watch the video to how they built their security solution using Twilio 2FA, which now enables them to move billions securely and conveniently. You’ll also see a demo of what the customer experience of using Twilio 2FA looks like with TransferWise.

No time to watch right now? You can glean the basics from these five key takeaways.

Key Takeaways

  • For TransferWise, the fundamental goal of authentication is to prevent account takeovers. With over 50% of their transfers taking place over mobile apps, they needed to find a vendor for authentication that was technically competent and provides wide platform support.
  • TransferWise started with SMS for authentication, but found it was problematic for their customers. SMS didn’t provide a borderless authentication option since SMS numbers are inherently geographically-restricted to a particular country. SMS also isn't always secure or convenient.
  • TOTP tokens are difficult to use in a changing regulatory environment. TransferWise’s user base is older and resistant to download another app in order to use time-based tokens.
  • When choosing an authentication solution, it’s important to provide a seamless customer experience. Your customers want to stay in the same ecosystem as your product.
  • Login and authentication is the one thing every person who visits TransferWise will use. If that’s the case with your product as well, be sure to treat authentication as critical and valuable.