MadaBank implements multiple layers of security to protect user data and prevent unauthorized access. This document outlines our security measures and compliance with banking industry standards.
JWT-Based Authentication:
- RS256 algorithm for token signing
- 1-hour token expiration
- Secure token storage requirements for clients
- Token refresh mechanism
Password Security:
- bcrypt hashing with cost factor 12
- Minimum 8 characters required
- Password strength validation
- Password reset with email verification
Data at Rest:
- Database encryption: AES-256
- Card numbers: AES-256-GCM with unique IV per record
- CVV: Encrypted separately from card numbers
- Sensitive fields: Application-level encryption
- Key rotation: Every 90 days
Data in Transit:
- TLS 1.3 enforced
- HSTS headers enabled
- Certificate pinning recommended for mobile apps
Key Management:
- AWS Secrets Manager for production
- Environment variables for development
- Separate keys per environment
- No keys in source code
Endpoint-Specific Limits:
| Endpoint | Limit | Window |
|---|---|---|
| Auth (login/register) | 5 requests | 1 minute |
| Transactions | 10 requests | 1 minute |
| General API | 100 requests | 1 minute |
Rate Limit Headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1234567890
Retry-After: 60
IP-Based Rate Limiting:
- Tracks requests per IP address
- Automatic blocking after threshold exceeded
- Redis-backed for distributed systems
User-Based Rate Limiting:
- Tracks requests per authenticated user
- Prevents account abuse
- Independent from IP limits
Application Layer:
- Rate limiting per IP
- Rate limiting per user
- Suspicious pattern detection
- Automatic IP blocking
Infrastructure Layer (AWS):
- CloudFront CDN
- AWS Shield Standard
- WAF rules:
- Rate limiting: 2000 req/5min per IP
- SQL injection prevention
- XSS prevention
- Geo-blocking (optional)
Attack Detection:
- Real-time traffic monitoring
- Automatic alerting for anomalies
- IP blocking for > 1000 req/min
- Global emergency mode for coordinated attacks
ACID Compliance:
- Database transactions for all financial operations
- Row-level locking prevents race conditions
- Rollback on any failure
- Audit trail for all transactions
Idempotency:
- Unique idempotency keys required
- Duplicate prevention
- Safe retry mechanism
- 24-hour key expiration
Authorization:
- Account ownership verification
- Multi-step validation
- Balance checks before execution
What We Log:
- All authentication attempts
- All transactions (success and failure)
- Account modifications
- Card operations
- Security events (blocks, suspicious activity)
Log Format:
{
"event_id": "uuid",
"timestamp": "ISO8601",
"user_id": "uuid",
"action": "TRANSFER_INITIATED",
"resource": "account:12345",
"ip_address": "192.168.1.1",
"user_agent": "iOS/17.2",
"status": "success",
"metadata": {}
}Log Retention:
- Development: 7 days
- Production: 7 years (compliance requirement)
Storage:
- Card numbers: Encrypted with AES-256-GCM
- CVV: Encrypted separately
- Never stored in logs
- Never transmitted in API responses (except on explicit request with password)
Access Control:
- Password verification required for full card details
- Rate limited to prevent brute force
- Masked display by default (only last 4 digits)
Card Number Validation:
- Luhn algorithm validation
- Format validation
- Expiry date validation
VPC Configuration:
- Private subnets for application and database
- Public subnets only for load balancer
- NAT gateways for outbound traffic
- VPC Flow Logs enabled
Security Groups:
- Least privilege principle
- ALB: Only 80/443 from internet
- ECS: Only 8080 from ALB
- RDS: Only 5432 from ECS
- Redis: Only 6379 from ECS
✅ Access Control (A.9):
- Strong authentication
- Role-based access control
- Session management
✅ Cryptography (A.10):
- Encryption at rest and in transit
- Key management
- Secure protocols
✅ Physical Security (A.11):
- AWS data center security
- No physical access required
✅ Operations Security (A.12):
- Audit logging
- Monitoring and alerting
- Backup and recovery
✅ Communications Security (A.13):
- Network segmentation
- Secure data transfer
✅ Incident Management (A.16):
- Automated detection
- Alerting mechanisms
- Audit trails
✅ Configuration Management:
- Infrastructure as Code (Terraform)
- Version control (Git)
- Change management (PR reviews)
✅ Quality Assurance:
- Automated testing (CI/CD)
- Code review process
- Security scanning
✅ Process Definition:
- Documented procedures
- Standard deployment process
- Monitoring and metrics
Authentication:
# Include JWT token in all requests
curl -H "Authorization: Bearer <token>" \
https://api.madabank.com/api/v1/accountsRate Limiting:
- Monitor rate limit headers
- Implement exponential backoff
- Cache responses when appropriate
Error Handling:
- Never log sensitive data
- Handle errors gracefully
- Don't expose internal details to users
Token Storage:
- iOS: Store in Keychain
- Android: Store in KeyStore
- Never in UserDefaults/SharedPreferences
Certificate Pinning:
// iOS Example
let session = URLSession(
configuration: .default,
delegate: PinningDelegate(),
delegateQueue: nil
)Biometric Authentication:
- Implement Face ID/Touch ID
- Require for card details access
- Require for large transactions
-
Immediate Actions:
- Block affected accounts
- Revoke compromised tokens
- Enable emergency rate limiting
-
Investigation:
- Review audit logs
- Analyze attack patterns
- Identify affected users
-
Remediation:
- Force password resets
- Update security rules
- Patch vulnerabilities
-
Communication:
- Notify affected users
- Report to authorities if required
- Document lessons learned
- Security Issues: security@madabank.com
- Bug Bounty: bugbounty@madabank.com
- General Questions: support@madabank.com
We welcome responsible security researchers:
- Email security@madabank.com
- Include detailed description
- Provide steps to reproduce
- Allow 90 days for fix before public disclosure
Bug Bounty Program: Coming soon
Last Updated: January 2026
Version: 1.0