Information Security at Curve - Ask Me Anything!

Hi - My name is Oussama. I’m the Head of Information Security here at Curve.

We’re excited about all the new under-the-hood security features we’ve been adding to our systems, and all the work the security and privacy team here is doing to make Curve products the most cybersecure in the world of finance.

Would welcome your questions, thoughts and comments around anything related to those topics in this thread :slight_smile:


1 Like

Hi @Curve_Oussama

I have posted before about some features that will increase security, so you can see the post here:


Hi! Welcome to the community! I have a few questions and would be very glad if you answered at least some of them.

Why does it take so long to implement basic security features such as 3D Secure in Curve? It wouldn’t seem to be such a hard thing to do, especially since Curve is an app-based product, so the authorisation could then go through the app, no sending texts, logging in on-line or any other weird solutions. I ask especially because it’s been a topic at this forum for quite some time already. Take a look: 3DS or some alternative

Fintech and finance in general are very regulated fields - does it make it harder to improve security and make some instant improvements? Or maybe it’s completely different and regulations inspire you and the rest of the Curve team to make it a more secure product? And also: how does cooperation with other parties affect your work? I mean Mastercard, Wirecard etc.

You have also mentioned

What are they? I think we’d all love some technical information. Is it related to machine learning, for instance? As far as I know, this seems to be a current trend in the industry.


Sorry for the nudge, @Curve_Oussama, but I’m sure we’d be more than happy to actually hear some of your answers :smiley:

1 Like

Thanks @Pawel, @vebaev for your great questions :slight_smile:
I would like to give you thorough answers and will post during the weekend :+1:


Thanks for your patience guys, been quite hectic the last couple weeks, but here we are! @vebaev - great idea, yes! Giving a more granular control on those is definitely a great security enhancing app feature. Will work on it.

We are working on implementing the 3DS protocol, @pawel. Everyone will be able to open the app to authorise new transactions at some point in the future (a great implementation of other industry and security standards as well… :wink:)

On your regulatory comment, @pawel, IMO - despite the “heavy” regulations, Fintech is still less regulated than “old” finance, capital markets and other sub-industries from a cyber perspective (e.g. crypto, and ICOs…). But if you look at the FCA EMI requirements and similar, a good cyber maturity and a resilient IT infrastructure are both a must for any licensed Fintech entity.

Also, and in the case of Fintech, regulations are more of a sandboxed framework to work within and benchmark products and maturities against (in addition to protecting customers, creating trust, etc… i.e. think GDPR…) rather than a fining machine as they tend to be perceived for/by big established players. Regulators are also facing new challenges of their own when it comes to innovation, and the duality innovator/regulator couldn’t get more polarised, even if efforts are spent towards alignment.

Can’t say much about those enhancements, I’m afraid, but happy to take suggestions from you guys :blush: and yes, data is definitely playing a huge role in cyber security and fraud monitoring these days :wink:

Looking forward to reading you guys!


Hi Oussama,
please read my following message:


1 Like

Spot on! Just replayed it and it’s working! Thanks for reporting - A fix should be included in our next app release :wink:

PS. As a way of responsibly disclosing security bugs and vulnerabilities, you guys can send your detailed security reports to We also have a bug bounty program in place, and security researchers who’re members of this community are very welcome to join our program! :smiley:

Why not pay the OP a bit of money or send him a bit of Curve clothing for the disclosure? After all, he did uncover a security bug.

1 Like

What are those features and what are you doing exactly? Sorry to say, but from an end-user’s perspective, Curve seems to be one of the least secure products on the market. I’ll elaborate:

  1. 3DS authentication is done automatically pretty much every time, despite using different computers from different IPs, and different merchants. This doesn’t inspire great confidence in the system’s ability to prevent fraud. I read somewhere that the user is only prompted for transactions over 500 GBP, is that true? If so, why? Why is there not a user-configurable setting for this threshold?

  2. No ability to block geographic regions and 3DS-less online transactions. This is a pretty basic security feature most cards from traditional banks, let alone fintechs, have. Why not Curve?

  3. No ability to configure location-based security, disable contactless, disable magstripe, disable magstripe-mode contactless, disable ATM, etc.


@Curve_Oussama, giving no response doesn’t look good for the security work at Curve at all. It’s a shame for an otherwise great service.

1 Like

Thank you to everyone who posted questions. Oussama is now working at a new company :slight_smile: