Open Banking was brought in by the Competition and Markets Authority in order to address how banks dealt with consumer financial information. It was born alongside a new regulation – the second ‘Payment Services Directive’ (PSD2) – which came into force on the 13th of January, 2018. This new regulation will see the banks’ previous monopoly on their customers’ account information and payment services being challenged; third-party organisations are now competing with banks for access to customer data.
Probably the main concern surrounding banking was how very closed their environments were. Now that legislation is forcing them to open up, or at the very least expose an API, they have had to make huge changes to their architecture because of this completely different approach. Whilst traditionally ‘disconnected’ from the internet, they were able to do pretty much anything and could skip all of the traditional security measures that you take when you’re on public networks or in the cloud. Now, with an open environment, the banks at the very least need to protect the API with stringent security measures. And customers will also want to know that their data is kept securely as the banks open up their infrastructure to the public.
PSD2 enables the banks’ customers, whether they are consumers or businesses, to use third-party providers to manage their finances. For example, using Facebook or Google to pay bills, making peer-to-peer transfers and analysing spending, all whilst still having their money safely deposited in their current bank account. Banks, however, are now obliged to grant these providers access to their customers’ accounts through open interfaces. This in turn will allow third-parties to build financial services on top of banks’ data and infrastructure. The European Commission’s aim with this directive is to improve innovation, reinforce consumer protection, and to improve the security of internet payments and account access within the EU and EEA.
Open Banking has shifted the competitive landscape decisively. However, consumers will need to rely on institutions other than banks to safeguard their sensitive financial data. They now need to trust all these new third-party providers and feel confident about the way that they go about collecting and managing the information that they need. Such a massive change in the landscape will require companies to investigate and implement new security measures.
Security challenges – what to look out for?
So what security challenges does PSD2 throw up? Traditionally, IT departments and security teams have spent their time and effort on reinforcing perimeter security, i.e. protecting everything that runs inside the firewall. However, banks have been victims of Man-in-the-Browser (MitB) attacks, a client-side threat that is able to modify transactions while they’re happening in the browser and steal credentials without the end-user’s knowledge. Under Open Banking, data will increasingly be passing through a client (a customer) to an open interface, becoming extremely vulnerable to attacks, as there is no way to control the customer’s device, whether that be a mobile phone or a web browser. By facilitating access to customer data, third-party providers also become targets for so-called client-side attacks.
Such attacks can manifest themselves in different ways. In some instances, the attacker secretly relays and maybe alters the communication between two parties who believe that they are directly communicating with each other. Every time someone checks their bank balance by connecting from their device to a bank’s application, they can be vulnerable to this form of attack and this type of fraud is becoming more commonplace. UK users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank, Santander and many other financial organizations have previously been targeted by cyberthieves using banking trojans. Malicious emails were sent over a number of days, from spam servers worldwide, inviting users to download an archive containing a malicious .exe file posing as personal financial information.
And even the most cautious customers can be infected via a browser extension. Installing a browser extension means giving it full access to read and modify all website content. This means that hackers can then use a malicious browser extension to steal users’ credit card data or credentials that are entered into any website – on either desktop or mobile.
An open banking security mindset
The provisions within PSD2 state that payment service providers (PSPs) shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services that they provide. In order to comply with the European Banking Authority’s tough new standards, banks and third-party providers need to adopt an “outside of the firewall” mindset and approach to security. In order to protect client-to-server communications, organizations need to incorporate appropriate levels of shielding to the applications and interfaces that run outside the firewall, namely the browser and users’ devices. The security measures outlined in PSD2 Regulatory Technical Standards (RTS) also state that organizations must put in place monitoring systems – which means extending such solutions to the client-side.
In their effort to meet client-side PSD2 compliance before the Q3 2019 deadline, financial organizations could investigate solutions such as real-time webpage monitoring. These client-side security systems are able to detect signs of malware infection, data capture and manipulation by unauthorized parties, and enable organizations to react in real time to halt the potential fraud. More than a matter of compliance, preventing this type of fraud is essential for financial organizations to prevent reputational and brand damage.
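As an added illustration of the kind of client-side check such a monitoring agent performs (example code written for this article, not GlobalDots’ or any vendor’s product), the snippet below compares a bank’s login form as served against what is actually present in the page and flags the classic MitB “web inject” symptoms: extra input fields, a rewritten form action and scripts loaded from a foreign origin. All URLs, field names and the tampered snapshot are constructed assumptions.

```javascript
// Added example: baseline-vs-snapshot integrity check for a banking form.
// Every URL and field name here is an assumption made for illustration.

// Expected shape of the form as the bank serves it (constructed baseline).
const BASELINE = {
  action: "https://bank.example/login",        // assumed form target
  fields: ["username", "password"],             // assumed legitimate inputs
  scriptOrigins: ["https://bank.example"],      // assumed allowed script origins
};

// Compare an observed snapshot against the baseline; return findings.
// An empty list means the form matches what the bank served.
function checkSnapshot(baseline, snapshot) {
  const findings = [];
  if (snapshot.action !== baseline.action) {
    findings.push({ type: "form-action-changed", detail: snapshot.action });
  }
  for (const name of snapshot.fields) {
    if (!baseline.fields.includes(name)) {
      findings.push({ type: "injected-field", detail: name });
    }
  }
  for (const src of snapshot.scriptSrcs) {
    if (!baseline.scriptOrigins.includes(new URL(src).origin)) {
      findings.push({ type: "foreign-script", detail: src });
    }
  }
  return findings;
}

// Build a snapshot from a live DOM form (browser only; skipped in Node).
function snapshotForm(form, doc) {
  return {
    action: form.action,
    fields: Array.from(form.elements).map(e => e.name).filter(Boolean),
    scriptSrcs: Array.from(doc.scripts).map(s => s.src).filter(Boolean),
  };
}

// Constructed snapshot mimicking a web inject: an added card-number field,
// a rewritten action and a script from a host the bank never served.
const TAMPERED = {
  action: "https://login.bank-example.invalid/login",
  fields: ["username", "password", "card_number"],
  scriptSrcs: ["https://bank.example/app.js", "https://cdn.injected.invalid/x.js"],
};

if (typeof document !== "undefined" && document.forms.length) {
  const form = document.forms[0];
  new MutationObserver(() => {
    const f = checkSnapshot(BASELINE, snapshotForm(form, document));
    if (f.length) console.warn("page integrity alert", f); // report to backend
  }).observe(document.documentElement, { childList: true, subtree: true, attributes: true });
}
```

In a browser the MutationObserver re-runs the check whenever the DOM changes, which is how the agent reacts in real time rather than only at page load.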
Now that open banking is a reality, consumers need to be able to trust those charged with looking after their assets and feel confident in the online transactional processes.
Yair Green, CTO at GlobalDots