Cybersecurity Issues For Open Banking

In the new world of open banking, the traditional security walls will come down. Will threats to data integrity and consumer trust inevitably go up? 

Open banking regulations launched in the UK in January 2018. But the underlying technology infrastructure, tasked with delivering the biggest shift ever from traditional bank/customer transactional relationships, is still in development. One of its most crucial design considerations and operational necessities is the need to address cyber security. 

Nothing short of a fully standardised, collaborative and industry-wide approach will strengthen security and assure the level of consumer trust that is crucial to the success of the UK’s open banking initiative and Europe’s wider Payment Services Directive 2 (PSD2). 

Connectivity is now Compulsory. 
For most of their history, banks have completely controlled the sensitive customer information entrusted to them. Access to account-related resources has been restricted to strictly approved internal roles and entities that use corporate security measures, such as firewalls. 

With the introduction of open banking, banks must now make their customers’ personal or business current-account information accessible to external entities. 

This means opening up communication portals or ports that give third-party providers (TPPs), such as account aggregators, challenger banks, start-ups and fintechs, access to customer account details. These TPPs sit outside the perimeter. Banks will be interacting with them without a clear understanding of those systems' security posture, and the previously clear-cut boundary between the bank and the TPP will blur. 
In some ways, the banks' sensitive data perimeter can now be considered to extend outside their corporate premises. As a result, banks may be exposed to new threats emanating from beyond their traditional areas of control. 

Clearly, this is a major concern at a time when cyber-crime is relentlessly rising. In this ever-more-connected environment, bad actors have many attack vectors through which to exploit system, protocol or network vulnerabilities. Protection must therefore be seamless and cover the 4 major egress routes: removable media, the Internet, email and fixed network connections. 

Customer data will travel a complex supply chain. Its security is paramount. 
One of the principal concerns around sharing customer data with TPPs is that it can be compromised in transit, at rest (in storage) or in use. More significantly, third-party providers that run their own security controls are now responsible for protecting any shared personal or account-related data they process. If that data is not properly secured, the result could be fraudulent financial activity, reputational damage for the entities involved and even jeopardy for the entire open banking initiative. 

Even worse, for banks, it could severely undermine the trust-based relationships they have maintained with their customers for hundreds of years.   

This makes it of paramount importance to ensure secure communication channels are in place. These will help guarantee customer data confidentiality and ensure that any data intercepted by malicious parties does not yield exploitable information. 
Secure encryption methods should be used in pursuit of this objective, and we expect specific guidelines to be released in the final regulatory technical standards for PSD2, later in 2018. 

Meanwhile, the UK has adopted a common authentication protocol: OAuth 2.0. This is industry-recognised and widely used to provide a secure method for verifying digital identities. Further, it provides a formal structure for obtaining, and securely transferring, consumer consent between entities. 

OAuth 2.0 uses the concept of tokens that can be passed between parties during a transaction for authentication purposes. These tokens must be kept secure, because they act as the entry keys to the authentication sequence for an open banking transaction. 

Their functionality makes tokens useful. But their 'pass key' nature also makes them a particularly attractive target for cyber criminals. If a token has no built-in expiry, or is not bound to one particular transaction, a compromised token remains usable long after it was issued. 

Attackers might be able to replay the same token, in more than one transaction and in different time periods, to gain unauthorised access to account details. But there are a few effective countermeasures available. 
These scenarios can be prevented by using transaction-specific tokens, short expiry periods and a mutual authentication process. Mutual authentication requires both entities involved in a secure information exchange to authenticate one another. 
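The three token countermeasures just described (binding a token to one transaction, giving it a short expiry, and refusing to accept the same token twice) can be seen working together in the following added example. It is not code from the article or from the Open Banking standard: the token format (an HMAC-signed JSON payload), the claim names `sub`, `txn`, `jti`, `iat`, `exp`, the demo signing key and the in-memory replay store are all constructed for illustration. Mutual authentication is a transport-layer concern and is not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo key for the example only; a real issuer would hold its key in an HSM or secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as commonly used for compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account_id: str, txn_id: str, ttl_seconds: int = 60,
                now: Optional[float] = None) -> str:
    """Mint a token bound to one transaction, with a short lifetime and a unique id (jti)."""
    now = time.time() if now is None else now
    claims = {
        "sub": account_id,
        "txn": txn_id,                  # binds the token to a single transaction
        "jti": secrets.token_hex(16),   # unique id so each token can be consumed exactly once
        "iat": int(now),
        "exp": int(now) + ttl_seconds,  # short expiry narrows the replay window
    }
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


class TokenVerifier:
    """Validates tokens on the receiving side and rejects expired, mis-bound or replayed ones."""

    def __init__(self) -> None:
        # jti -> exp of every token already accepted, so replays can be detected
        self._consumed: Dict[str, int] = {}

    def verify(self, token: str, expected_txn: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
        except ValueError:
            return False, "malformed"

        # Signature first: nothing inside an unverified payload can be trusted.
        expected_sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected_sig):  # constant-time compare
            return False, "bad_signature"

        claims = json.loads(_unb64(payload))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["txn"] != expected_txn:
            return False, "wrong_transaction"

        self._purge(now)
        if claims["jti"] in self._consumed:
            return False, "replayed"
        self._consumed[claims["jti"]] = claims["exp"]
        return True, "ok"

    def _purge(self, now: float) -> None:
        """Forget consumed ids whose tokens have expired; they would be rejected as expired anyway."""
        for jti in [j for j, exp in self._consumed.items() if exp <= now]:
            del self._consumed[jti]


if __name__ == "__main__":
    verifier = TokenVerifier()
    tok = issue_token("acct-123", "txn-1", ttl_seconds=60, now=1000.0)
    print(verifier.verify(tok, "txn-1", now=1010.0))  # accepted on first use
    print(verifier.verify(tok, "txn-1", now=1011.0))  # same token again: rejected as a replay
    print(verifier.verify(tok, "txn-9", now=1012.0))  # presented for another transaction: rejected
    print(verifier.verify(tok, "txn-1", now=1061.0))  # past exp: rejected
```

The order of checks matters: the signature is verified before any claim is read, and the replay store only grows by tokens that have already passed every other check, so an attacker cannot fill it with forged ids. In a clustered deployment the `_consumed` dictionary would be a shared store with the same expiry-based purge.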

The longer the chain, the greater the need for uniformly strong links. 
It is axiomatic that security is only as strong as its weakest link, and this applies particularly to open banking. With so many interconnected entities, it is vital to develop and maintain a comprehensive framework, with the following clear delivery capabilities: 

  •  Secure sharing of sensitive financial and consumer data
  •  Effective handling of consumer consent
  •  Guaranteed data compliance. 

These capabilities will only be engineered through committed and collaborative effort, right across the financial and banking industries. What direction should this effort take? 

Industry bodies, including account information service providers (AISPs), government institutes, security firms and the regulator, must work in conjunction to evaluate, assess and register trusted TPPs and to define the criteria for such trusted status. They must also develop a reporting and TPP blacklisting capability, to protect the open banking initiative against malicious intent. 

The AISPs and payment initiation service providers (PISPs) must implement strong customer authentication (SCA) using multi-factor authentication, as a technical minimum, to identify customers and devices and to validate their personalised security credentials. Reciprocally, the TPPs must make sure that adequate security controls are in place to protect the confidentiality and integrity of customers' personalised security credentials. 

Cyber security and a well-defined cyber risk management framework are operational necessities in the open API banking world. Just as communication channels must be secured, the network platform and the selected protocols must be made more robust and be subject to regular security testing. The testing objective should be to identify vulnerabilities and mitigating actions, both in the system as a whole and in the individual entities connected to the wider community. 

To help create and sustain the optimum open banking environment, what are the practical measures to be adopted now? 

They must include the following: 

  • Adoption of, and compliance with, a strong information security management framework such as ISO 27001 or ISO 27032:2012 accreditation and the NIST Cybersecurity Framework
  • Enforcement of compliance with industry standards across the sector (e.g. the Payment Card Industry Data Security Standard (PCI DSS) for payment cards)
  • Adoption of an industry-wide proactive defence approach, based on evaluation of all participating organisations' security postures and available threat intelligence
  • Implementation of a proactive cyber threat detection capability that actively hunts for potential vulnerabilities or emerging attacks and considers people, process and technology holistically. 

The measures listed above will be crucial. Additional, and highly beneficial, drivers of open banking cyber resilience will be: 

  • A competent cyber workforce, deployed via a functional hub, such as a security operations centre (SOC) or a security intelligence centre (SIC)
  • Collaborative threat intelligence and current attack information sharing
  • Robust security-incident response plans. 

Move to open banking, but not away from traditional trust. 
The aspirations of open banking remain valid. Stimulating market competitiveness is good for consumers and it is also an opportunity for banks to attract new customers, up- and cross-sell and offer competitive financial products. 

A ‘beyond banking’ environment that sustains traditional banking standards of security will foster new choices, while assuring trust. Yes, there are obstacles. That is why the operational cyber security factors identified above must be put firmly in place and effectively aligned.

This will ensure a high probability that the open banking initiative will indeed be a success.

Finextra:
