Last updated: April 15, 2026
Effective: Same date as updated.
1. Security overview
MobiLoans handles sensitive financial and personal information for over 5 million members. Protecting that information is a foundational responsibility, not an add-on feature. This page describes the specific technical and operational measures we use.
If you find a security vulnerability, please email [email protected]. We have a bug bounty program and pay up to $50,000 for critical findings.
2. Encryption
- Data in transit: All connections to mobiloansapp.com use TLS 1.3 with strong cipher suites. HTTP requests are automatically redirected to HTTPS. HSTS is enforced with a 2-year max-age.
- Data at rest: All databases and file storage use AES-256-GCM encryption. Encryption keys are managed in AWS KMS with regular rotation.
- End-to-end: Sensitive fields (SSN, bank account numbers) are additionally encrypted at the application layer before reaching the database.
- Backups: All backups are encrypted with separate keys, stored in geographically distinct regions, and tested quarterly.
3. Authentication and access
- Password requirements: Minimum 10 characters, checked against the Pwned Passwords database (over 850M known compromised passwords).
- Multi-factor authentication: SMS, authenticator app, or hardware key (WebAuthn) are supported. We strongly recommend MFA for all accounts.
- Biometric login: Passkeys are supported via your device's built-in biometrics (Face ID, Touch ID, Windows Hello, fingerprint sensors) and work across all modern browsers.
- Session management: Sessions expire after 30 minutes of inactivity. Concurrent session limits are enforced.
- Account lockout: After 5 failed login attempts, accounts are temporarily locked and the owner is notified.
4. Compliance certifications
- SOC 2 Type II: Annual audit by an independent third party (last completed: November 2025)
- PCI-DSS: Level 1 compliance for handling card data
- GLBA Safeguards Rule: Full compliance with FTC financial privacy requirements
- NYDFS Cybersecurity Regulation: Compliant with New York 23 NYCRR 500
- State data breach laws: Compliant with all 50 state notification requirements
5. Monitoring and detection
- 24/7 SOC: Security Operations Center staffed around the clock
- Anomaly detection: Machine learning models flag unusual account activity in real time
- Fraud monitoring: Every loan application is screened against 87 fraud signals before approval
- Penetration testing: Quarterly by an independent third party (NCC Group)
- Vulnerability scanning: Automated daily scans of all production systems
- Incident response: Documented runbooks tested every 60 days
6. Bug bounty program
We run a coordinated disclosure program. If you discover a security vulnerability:
- Email [email protected] with details. Please do NOT publicly disclose.
- We will acknowledge receipt within 24 hours.
- We aim to confirm or reject the vulnerability within 5 business days.
- If confirmed, we will patch and notify you when the fix is deployed.
- Rewards range from $250 (low severity) to $50,000 (critical, e.g., RCE on production).
Safe harbor: We will not pursue legal action against good-faith security researchers who follow our disclosure policy.
7. How you can stay safe
- Enable MFA on your MobiLoans account
- Never share your password — we will never ask for it
- We never ask for SSN or bank credentials via email or text
- If you receive a suspicious message claiming to be from MobiLoans, forward it to [email protected]
- Always verify the URL is mobiloansapp.com before logging in
- Use a unique password (a password manager helps)