The security challenges faced by open banking

Image credit: Shutterstock (Image credit: Image Credit: Shutterstock)

Open Banking ultimately refers to the underlying financial technology, born alongside a new regulation - the second ‘Payment Services Directive' (PSD2) - which came into force on January 13th of last year. This new regulation will see the banks’ previous monopoly on their customer’s account information and payment services being challenged; 3rd party organisations are now competing with banks for access to customer data. PSD2 is the successor to the first Payment Services Directive (PSD1) that came into force in 2009 and which facilitated the provision of uniform payment services across the EU. PSD2 sets out to (in addition) provide consumers with better security to take advantage of using third-party providers (TPP’s) and their services which ultimately integrate directly with an individual’s bank account.

Probably the main concern surrounding banking was how very closed their environments were. Now that legislation is forcing them to open them, or at the very least expose an API, they have had to make huge changes to their architecture because of this completely different approach. Whilst traditionally ‘disconnected’ from the internet, they were able to do pretty much anything, they could skip all of the traditional security measures that you take when you're on public networks or in the cloud. Now with an open environment, the banks, at the very least, need to protect the API with stringent security measures. And customers will also want to know that their data is kept securely as the banks open up their infrastructure to the public.

Reputation, compliance and relationships with key partners are key factors when doing business in this landscape. TPPs have to have professional indemnity insurance to cover liability in the case of a security breach or unauthorised transaction. Liability and security are major issues in earning the trust of consumers and their payment providers. One dodgy outfit and the whole sector could end up being tarred with the same brush.

 A cornerstone of PSD2 is the abolition of the monopoly that banks have over accessing their customers’ account data. This will allow consumers (or businesses) to unlock their data and obtain a wide range of value-added services. It will strengthen the position of financial start-ups, and should invite widespread development and innovation in key areas such as online and mobile payments and account information services. Consumers will need to be really careful when it comes to sharing data. They will only be protected by their bank (if something goes wrong) if they share their data with an authorised company, and these authorised third parties will be regulated by the Financial Conduct Authority (FCA) and will appear on the FCA's Register, and/or the Open Banking Directory.  

Image credit: Shutterstock

Image credit: Shutterstock (Image credit: Shutterstock)

Banks are now obliged to grant these TPPs access to their customers’ accounts through open interfaces. This in turn will allow TPPs to build financial services on top of banks’ data and infrastructure. Consumers will benefit from things such as easier online payments (without the need for a credit or debit card) and money management services that better help consumers keep on top of their finances.. Whilst the competitive landscape will undergo massive change, consumers face relying on new institutions, instead of the traditional banks to keep their sensitive financial data safe. This will require a different security mindset as companies investigate and implement new security measures. 

Banks have traditionally been victims of a style of attack that is able to alter transactions while they’re happening in the browser and steal user’s credentials without them knowing. With the introduction of open banking, data will become increasingly vulnerable to attack as it passes through an open interface; this could happen on any customer’s device, for example, a mobile phone. In the process of ‘opening up’ the access to customer data, TPPs suddenly become very attractive targets to attack by cybercriminals.

Digital coins

Image credit: Shutterstock (Image credit: Image Credit: Number1411 / Shutterstock)

Many high-profile companies, including banking institutions, have been attacked and users are rightly more concerned than ever with privacy. Even with the rising amount of attacks on mobile devices and applications, financial institutions and other organisations are still not taking proactive steps to protect the user’s apps on their devices. We hope to see open banking also provide the opportunity for developers and the like to work hard to provide robust protection against hacking and phishing attacks in the light of the new landscape. Application shielding will continue to play a major role in protecting mobile applications. It does this by detecting and mitigating any tampering with a mobile app to prevent any damage. Open banking could see a rise in overlay attacks, phishing attacks, and mobile app threats, perhaps even more dangerous versions. It is estimated that users are three times more likely to fall for phishing attacks via mobile devices than they are other channels! In order to meet PSD2 compliance, which is due before the end of the year, financial organisations need to investigate new solutions to block these threats. Remember, preventing this type of fraud is key for financial organisations if they want to avoid costly reputational and brand damage.

It is still early days for TPPs in the UK but the way is paved for significant change in the way we understand payment services. Many firms are currently exploring opportunities that are being presented and others will be looking to come up with the next big idea. However, now that open banking is a reality, consumers need to be able to trust those charged with looking after their assets and feel confident when carrying out banking transactions online. Don’t let it be an open goal for cybercriminals!

Yair Green, CTO at GlobalDots 

Yair Green

Yair Green is the CTO of GlobalDots, and a Cloud, Security and Web Performance Evangelist.