Striking the balance between ease-of-use and best-in-class security: Cristofor, Product Security Engineer

Cristofor is one of N26's many employees whose day-to-day job centers around keeping customers and their accounts safe and secure. We spoke to him about his job as a product security engineer, why security is such an exciting topic for him and how you can best protect yourself online.

Cristofor, you’re a Product Security Engineer. What does that entail?

My job has multiple facets, which is what makes it so interesting. I oversee a wide variety of new features and products that get released to N26 customers through their online banking app. The team that I’m part of makes sure that these new products and features are secure at the time of release and stay secure going forward – meaning that the possibility of exploitation or vulnerabilities inside the product is as low as possible. Security is obviously a very important topic for all kinds of services but for a bank, it’s absolutely crucial as our customers trust us with their savings and their personal information.

How does one make sure that the N26 app is secure at all times for millions of customers? 

Ensuring that our product is secure is a shared responsibility between several teams. The team I’m part of is focused on the technical side and collaborates closely with N26’s product development teams. We identify and analyze potential threats that may be associated with a new feature and test its security before it gets rolled out to N26 customers. We also monitor all features that are already available to N26 customers for their security. This way we can ensure that if there was ever a potential attack, we would notice it immediately and could stop the attack in real time.

While technical product security is essential, it is also important to understand that it is one of several components that keep N26 products and our customers safe. We also have teams such as Trust & Safety who provide intelligence on potential security threats, work to stop active fraud schemes and educate consumers.

What would you say is the difference that N26 can make for customers with regard to security? 

What N26 brings to customers as a digital bank is the ease of use. We try to simplify all of the processes traditional banks have, like for paperwork or for opening and managing your bank account. In banking product development, that means that we’re always at the border of pushing the possibilities of technology while respecting what current regulation allows. Bringing in entirely new ideas and innovation that hasn’t necessarily been used before in the banking sector, or at the scale of our business, ultimately pushes the boundaries of what banking can do for customers – all at the highest level of security, which in turn pushes the boundaries of what security has to cover.

What are some of the trends you are noticing in product security or security overall? 

Independently of the industry and business, security is always a constant game of cat and mouse where one side works on keeping its systems secure and the other side, malicious actors try to find ways to attack. Product security is basically at the front line of this fight. But because it’s a cat and mouse game, the front line always shifts: When the business, for example, patches against a potential exploit that nobody else thinks of, the front line moves further away from it. But whenever the malicious actors get a step ahead, find a vulnerability and manage to exploit it, the front line moves back again until the business patches the vulnerability.

A general trend that I would say is somewhat stable within product security across industries is malicious attackers going for the weakest link in the chain. Oftentimes, that is not the technical side of the product. For example, one of the weakest links may be the space that allows malicious actors to perform phishing attacks. 

At N26, we believe that it’s our responsibility to design our products so that potential weak links beyond product security are minimized. We want our products to be easy to use and not require expert knowledge or a lot of input from the customers in order for them to stay safe. This is a challenge where teams like Trust & Safety make a significant contribution by identifying the best ways to improve product design, inform and educate customers and enable them to bank safely. 

As a product security specialist, what would you recommend that customers should know about online security? 

This is a tricky question to answer from a product security point of view. As mentioned before, we design the product to be as intuitive and as simple to use as possible. Most of the product security happens behind the screen. But there are definitely a few things that customers should keep in mind in order for them to browse and bank safely:

• Whenever possible, add a layer of security to your accounts by using 2-factor-authentication. Most consumers will know this concept from their bank cards, where a PIN code – a second factor in addition to their physical card – is required in order to withdraw money. Similarly, many apps allow you to add biometric information like your fingerprint or face as a second factor and protect your account even better. The N26 app uses 2-factor-authentication by default.
• Don’t share your passwords or 2-factor-authentication codes with anyone, and don’t share your card details on channels like email or messaging apps – more generally, take good care of your personal data. We tend to think about our physical possessions as something we need to protect but we’re less vigilant about our digital possessions. There’s a psychological disconnect that seems to be very human but we need to overcome it and understand that things we can’t touch, like our online data and belongings, require the same level of security and care as our physical possessions.
• If you’re worried that you’ve fallen victim to fraud or that someone has gained access to your account, always change your credentials and get in touch with customer service. This applies to all applications or services. Also, if you get a notification that someone has tried to use your bank card, block it. Don’t dismiss an uneasy feeling you may have.