Cybersecurity Issues For Open Banking

In the new world of open banking, the traditional security walls will come down. Will threats to data integrity and consumer trust inevitably go up?

Open banking regulations launched in the UK in January 2018. But the underlying technology infrastructure, tasked with delivering the biggest shift ever from traditional bank/customer transactional relationships, is still in development. One of its most crucial design considerations and operational necessities is the need to address cyber security. 

Nothing short of a fully standardised, collaborative and industry-wide approach will strengthen security and assure the level of consumer trust that is crucial to the success of the UK’s open banking initiative and Europe’s wider Payment Services Directive 2 (PSD2). 

Connectivity is now Compulsory. 
For most of their history, banks have completely controlled the sensitive customer information entrusted to them. Access to account-related resources has been restricted to strictly approved internal roles and entities that use corporate security measures, such as firewalls. 

With the introduction of open banking, banks must now make their customers’ personal or business current-account information accessible to external entities. 

This means opening up communication portals or ports that give third-party providers (TPPs) such as account aggregators, challenger banks, start-ups and fintechs, to name a few, access to customer account details. These TPPs sit outside the perimeter. Banks will be interacting with them without a clear understanding of their systems’ security posture, and the previously clear-cut boundary between the bank and the TPP will blur.
In some ways, the banks’ sensitive data perimeter can now be considered to extend outside their corporate premises. As a result, banks may be exposed to new threats emanating from beyond their traditional areas of control.

Clearly, this is a major concern at a time when cyber-crime is relentlessly rising. In this ever-more-connected environment, bad actors have many attack vectors with which to exploit system, protocol or network vulnerabilities. Protection must therefore be seamless and cover the four major egress routes: removable media, Internet, email and fixed network connections.

Customer data will travel a complex supply chain. Its security is paramount. 
One of the principal concerns around sharing customer data with TPPs is that it can become compromised in transit, at rest (storage) or in use. More significantly, the third-party providers, which run their own security controls, are now responsible for protecting any shared personal or account-related data they process. If that data is not properly secured, the result could be fraudulent financial activity, reputational damage for the entities involved and, potentially, jeopardy for the entire open banking initiative.

Even worse, for banks, it could severely undermine the trust-based relationships they have maintained with their customers for hundreds of years.   

This makes it of paramount importance to ensure secure communication channels are in place. These will help guarantee customer data confidentiality and ensure that any data intercepted by malicious parties does not yield exploitable information. 
Secure encryption methods should be used in pursuit of this objective, and we expect specific guidelines to be released in the final regulatory technical standards for PSD2, later in 2018. 

Meanwhile, the UK has adopted a common authentication protocol: OAuth 2.0. This is industry-recognised and widely used to provide a secure method for verifying digital identities. Further, it provides a formal structure for obtaining, and securely transferring, consumer consent between entities. 

OAuth 2.0 uses the concept of tokens that can be passed between parties during a transaction for authentication purposes. These tokens must be kept secure, because they principally act as entry keys to the authentication sequence for an open banking transaction.

Their functionality makes tokens useful. But their ‘pass key’ nature also makes them a particularly attractive target for cyber criminals. If a token does not have a built-in expiry, or it is not uniquely specific to a particular transaction, it could become compromised. 

Attackers might be able to replay the same token, in more than one transaction and in different time periods, to gain unauthorised access to account details. But there are a few effective countermeasures available.
Such undesirable scenarios can be prevented by the use of transaction-specific tokens, short expiry periods and a mutual authentication process. Mutual authentication requires both entities involved in a secure information exchange to authenticate one another.
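As an added illustration (not code from the original article or from any open banking standard), the following resource-server check enforces the token-level countermeasures just described: a valid signature, a short expiry and binding to a single transaction, plus single use so that a replayed token is rejected. The signing key, claim names and transaction identifiers are constructed for the demo; mutual (mTLS) authentication of the two endpoints is a transport-layer control and is not shown here.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in production this is the authorisation server's signing key.
SIGNING_KEY = b"demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(transaction_id: str, ttl_seconds: int, now: float, jti: str) -> str:
    """Mint an HMAC-signed token bound to one transaction, with a short expiry and a unique id."""
    claims = {"txn": transaction_id, "exp": int(now) + ttl_seconds, "jti": jti}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class TokenVerifier:
    """Resource-server side checks: signature, expiry, transaction binding and single use."""

    def __init__(self) -> None:
        # Replay cache of token ids already accepted; a real deployment uses a shared store with a TTL.
        self.seen_jti: set[str] = set()

    def verify(self, token: str, expected_txn: str, now: float) -> str:
        try:
            body, sig = token.split(".")
        except ValueError:
            return "malformed"
        expected_sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected_sig):
            return "bad_signature"  # tampered or forged token
        pad = "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(body + pad))
        if now >= claims["exp"]:
            return "expired"  # short expiry limits the window for reuse
        if claims["txn"] != expected_txn:
            return "wrong_transaction"  # token minted for another transaction
        if claims["jti"] in self.seen_jti:
            return "replayed"  # same token presented a second time
        self.seen_jti.add(claims["jti"])
        return "ok"
```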

The longer the chain, the greater the need for uniformly strong links. 
It is axiomatic that security is only as strong as its weakest link, and this applies particularly to open banking. With so many interconnected entities, it is vital to develop and maintain a comprehensive framework, with the following clear delivery capabilities: 

  •  Secure sharing of sensitive financial and consumer data
  •  Effective handling of consumer consent
  •  Guaranteed data compliance. 

These capabilities will only be engineered through committed and collaborative effort, right across the financial and banking industries. What direction should this effort take? 

Industry bodies - including account information service providers (AISPs), government institutes, security firms and the regulator - must work in conjunction to evaluate, assess and register trusted TPPs, and to define the criteria for such trusted status. They must also develop a reporting and TPP blacklisting capability, to protect the open banking initiative against malicious intent.

The AISPs and payment initiation service providers (PISPs) must implement strong customer authentication (SCA) using multi-factor authentication, as a technical minimum, to identify customers and devices and to validate their personalised security credentials. Reciprocally, the TPPs must make sure that adequate security controls are in place to protect the confidentiality and integrity of customers’ personalised security credentials.

Cyber security and a well-defined cyber risk management framework are operational necessities in the open API banking world. Just as communication channels must be secured, the network platform and the selected protocols must be made more robust and be subject to regular security testing. The testing objective should be to identify vulnerabilities and mitigating actions, both in the system as a whole and in the individual entities connected to the wider community.

To help create and sustain the optimum open banking environment, what are the practical measures to be adopted now? 

They must include the following: 

  • Adoption of and compliance with a strong information security management framework, such as ISO27001, ISO27032:2012 accreditation and the NIST cyber security framework
  • Enforcement of compliance with industrial standards across the industry (e.g. the Payment Card Industry Data Security Standard (PCI-DSS) in the payment card industry)
  • Adoption of an industry-wide proactive defence approach, based on evaluation of all participating organisations’ security postures and available threat intelligence
  • Implementation of a proactive cyber threat detection capability that actively hunts for potential vulnerabilities or emerging attacks and considers people, process and technology holistically. 

The measures listed above will be crucial. Additional, and highly beneficial, drivers of open banking cyber resilience will be: 

  • A competent cyber workforce, deployed via a functional hub, such as a security operations centre (SOC) or a security intelligence centre (SIC)
  • Collaborative threat intelligence and current attack information sharing
  • Robust security-incident response plans. 

Move to open banking, but not away from traditional trust. 
The aspirations of open banking remain valid. Stimulating market competitiveness is good for consumers and it is also an opportunity for banks to attract new customers, up- and cross-sell and offer competitive financial products. 

A ‘beyond banking’ environment that sustains traditional banking standards of security will foster new choices, while assuring trust. Yes, there are obstacles. That is why the operational cyber security factors identified above must be put firmly in place and effectively aligned.

This will ensure a high probability that the open banking initiative will indeed be a success.

Finextra:
