Open Banking is a series of reforms, brought in by the Competition and Markets Authority, which address how banks deal with consumer financial information. It emerged alongside a new regulation, the second Payment Services Directive (PSD2), which became effective on the 13th of January, 2018.
As PSD2 is implemented, we will see the banks' previous monopoly on their customers' account information and payment services being challenged; a different set of businesses can now compete with the banks for access to customer data.
PSD2 enables the banks’ customers, whether they are consumers or businesses, to use third-party providers to manage their finances. For example, using Facebook or Google to pay bills, making peer-to-peer transfers and analyzing spending, all whilst still having their money safely deposited in their current bank account.
Banks are now obliged to grant these providers access to their customers' accounts through open interfaces. This in turn allows third parties to build financial services on top of banks' data and infrastructure. The European Commission's aim with this directive is to improve innovation, reinforce consumer protection, and improve the security of internet payments and account access within the EU and EEA.
Open Banking has shifted the competitive landscape decisively. However, consumers will need to rely on institutions other than banks to safeguard their sensitive financial data. They now need to trust all these new third-party providers and feel confident about the way that they go about collecting and managing the information that they need.
It’s clear that this paradigm change will require companies to put new security measures into place.
Security Threats
This raises the question: what security challenges does PSD2 present? In recent years, security teams have spent their time and effort reinforcing perimeter security, i.e. protecting everything that runs inside the firewall. However, banks have been victims of Man-in-the-Browser (MitB) attacks, a client-side threat that can modify transactions while they are happening in the browser and steal credentials without the end user's knowledge.
With Open Banking, data will increasingly be passing through a client (a customer) to an open interface, becoming extremely vulnerable to attacks as there is no way to control the customer’s device, whether that be a mobile phone or a web browser. By facilitating access to customer data, third-party providers also become targets for client-side attacks.
Such attacks can manifest themselves in different ways. In some instances, the attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other. Every time someone checks their bank balance by connecting from their device to a bank's application, they can be exposed to this form of attack, and this type of fraud is becoming more commonplace.
UK users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank, Santander and many other financial organizations have previously been targeted by cyber-criminals using banking trojans.
Malicious emails were sent over a number of days, from spam servers worldwide, inviting users to download an archive containing a malicious .exe file posing as personal financial information.
Even the most cautious customers can be infected via a browser extension. Installing a browser extension means giving it full access to read and modify all website content. This means that attackers can use a malicious browser extension to steal users' credit card data or credentials entered into any website, on desktop or mobile.
How To Approach PSD2
PSD2 provides that payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide.
To comply with the European Banking Authority’s tough new standards, banks and third-party providers need to adopt an “outside the firewall” mindset and approach to security.
In order to protect client-to-server communications, organizations need to build appropriate levels of shielding into the applications and interfaces that run outside the firewall, namely the browser and users' devices. The security measures outlined in the PSD2 Regulatory Technical Standards also state that organizations must put monitoring systems in place, which means extending such solutions to the client side.
In their effort to meet client-side PSD2 compliance before the Q3 2019 deadline, financial organizations must investigate real-time webpage monitoring solutions. These client-side security systems are able to detect signs of malware infection and of data capture or manipulation by unauthorized parties, enabling organizations to react in real time to halt the potential fraud.
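As an added illustration of what such client-side monitoring checks for (this is example code, not from the article or any vendor product), the function below compares a payment form against a baseline recorded at page load and flags the manipulations a MitB web-inject typically makes: fields the page never had, or a submit action pointing off the bank's origin. The origin and field names are placeholders, and the sample forms are constructed.

```javascript
// Baseline recorded at page load (assumed trusted): expected action origin and field names.
const BASELINE = {
  actionOrigin: "https://bank.example", // placeholder origin, not a real bank
  fields: ["payee", "amount", "reference", "csrf_token"],
};

// `form` is a plain { action, fields: [{ name, type }] } object (constructed shape)
// so the check runs without a browser; watchForm() below builds it from a real <form>.
function auditPaymentForm(form, baseline = BASELINE) {
  const findings = [];
  let origin = null;
  try {
    origin = new URL(form.action).origin;
  } catch (e) {
    findings.push({ kind: "invalid-action", detail: String(form.action) });
  }
  // A changed action origin means submitted data would leave the bank's domain.
  if (origin && origin !== baseline.actionOrigin) {
    findings.push({ kind: "action-redirected", detail: origin });
  }
  const names = form.fields.map((f) => f.name);
  for (const n of names) {
    // Inputs the page never had (e.g. an extra PIN prompt) indicate a web-inject.
    if (!baseline.fields.includes(n)) findings.push({ kind: "injected-field", detail: n });
  }
  for (const n of baseline.fields) {
    if (!names.includes(n)) findings.push({ kind: "missing-field", detail: n });
  }
  return findings;
}

// Browser hook: re-audit on every DOM change and hand findings to a reporting callback.
function watchForm(formElement, report) {
  if (typeof MutationObserver === "undefined") return null; // no DOM (e.g. Node)
  const snapshot = () => ({
    action: formElement.action,
    fields: Array.from(formElement.elements).map((el) => ({ name: el.name, type: el.type })),
  });
  const obs = new MutationObserver(() => {
    const findings = auditPaymentForm(snapshot());
    if (findings.length) report(findings);
  });
  obs.observe(formElement, { childList: true, subtree: true, attributes: true });
  return obs;
}

// Constructed samples: the untouched form, and the same form after a web-inject added
// a "pin" field and pointed the action at a collection host.
const CLEAN_FORM = { action: "https://bank.example/pay", fields: BASELINE.fields.map((n) => ({ name: n, type: n === "csrf_token" ? "hidden" : "text" })) };
const TAMPERED_FORM = { action: "https://collector.invalid/submit", fields: [...CLEAN_FORM.fields, { name: "pin", type: "password" }] };
```

In a real deployment the `report` callback would send findings to the server-side monitoring system the text describes, so the session can be flagged or the transaction held before the fraud completes.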
More than a matter of compliance, preventing this type of fraud is essential for financial organizations to avoid reputational and brand damage. Consumers need to be able to trust those charged with looking after their financial assets and feel confident in current and future online transactional processes, now that Open Banking is a reality.