In the new world of open banking, the traditional security walls will come down. Will threats – to data integrity and consumer trust – inevitably go up?
Open banking regulations launched in the UK in January 2018. But the underlying technology infrastructure, tasked with delivering the biggest shift ever from traditional bank/customer transactional relationships, is still in development. One of its most
crucial design considerations and operational necessities is the need to address cyber security. Nothing short of a fully standardised, collaborative and industry-wide approach will strengthen security and assure the level of consumer trust that is crucial
to the success of the UK’s open banking initiative and Europe’s wider PSD2 (Payment Services Directive 2).
Connectivity is now compulsory.
For most of their history, banks have completely controlled the sensitive customer information entrusted to them. Access to account-related resources has been restricted to strictly approved internal roles and entities that use corporate security measures,
such as firewalls.
With the introduction of open banking, banks must now make their customers’ personal or business current-account information accessible to external entities. In practice this means exposing APIs, reachable over the public internet, that return customer account details to third-party providers (TPPs) such as account aggregators, challenger banks, start-ups and fintechs. These TPPs sit outside the bank’s perimeter. Banks will be interacting with them without a clear understanding of each TPP’s security posture, and the previously clear-cut boundary between the bank and the TPP will blur.
In some ways, the banks’ sensitive-data perimeter can now be considered to extend beyond their corporate premises. As a result, banks may be exposed to new threats emanating from beyond their traditional areas of control. This is clearly a major concern at a time when cybercrime is relentlessly rising. In this ever-more-connected environment, bad actors have many attack vectors through which to exploit system, protocol or network vulnerabilities. Protection must therefore be seamless and cover the four major routes by which data can leave an organisation: removable media, the internet, email and fixed network connections.
Customer data will travel a complex supply chain. Its security is paramount.
One of the principal concerns around sharing customer data with TPPs is that it can be compromised in transit, at rest (in storage) or in use. More significantly, third-party providers run their own security controls and are now themselves responsible for protecting any shared personal or account-related data they process. If this data is not properly secured, the result could be fraudulent financial activity, reputational damage for the entities involved and, in the extreme, jeopardy for the entire open banking initiative. Worse still for banks, it could severely undermine the trust-based relationships they have maintained with their customers for hundreds of years.
This makes it of paramount importance to ensure that secure communication channels are in place. These protect customer data confidentiality and ensure that any data intercepted by malicious parties does not yield exploitable information. Strong, current encryption (at minimum, TLS with up-to-date protocol versions and cipher suites for data in transit) should be used in pursuit of this objective, and we expect specific guidelines to be released in the final regulatory technical standards for PSD2, later in 2018.
Meanwhile, the UK has adopted a common authorisation framework: OAuth 2.0. It is industry-recognised and widely used to let a customer grant a third party scoped access to a resource without handing over their bank credentials, and it provides a formal structure for obtaining, recording and securely transferring consumer consent between entities. OAuth 2.0 uses tokens that are passed between parties during a transaction as proof that access has been granted. These tokens must be kept secure, because they act as the entry keys to an open banking transaction.
Their functionality makes tokens useful. But their ‘pass key’ nature also makes them a particularly attractive target for cyber criminals. A bearer token is honoured for whoever presents it, so if a token has no built-in expiry, or is not bound to a particular transaction, its theft is as good as the credentials it stands in for. Attackers could replay the same token, in more than one transaction and at different times, to gain unauthorised access to account details. There are effective countermeasures: transaction-specific tokens, short expiry periods, rejection of a token that has already been used, and a mutual authentication process. Mutual authentication requires both entities involved in a secure information exchange to authenticate one another (in practice, mutual TLS between bank and TPP), so that a stolen token cannot be presented over a channel the bank has not identified.
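As an added example (not part of the original article), the following Python sketch shows how the countermeasures above combine in a token validator: each token carries an expiry, is bound to one transaction identifier, and is recorded by a unique id so that a second presentation is rejected as a replay. The token format, claim names and identifiers are invented for illustration; this is not the Open Banking or OAuth 2.0 wire format, and mutual authentication of the channel (e.g. mutual TLS) is assumed to sit underneath it and is not shown.

```python
"""Added example: short-lived, single-use, transaction-bound bearer tokens.

Teaching model only: HMAC-signed tokens with JWT-style claim names, not the
OAuth 2.0 / Open Banking wire format. All names and values are invented.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL_SECONDS = 60  # assumption: lifetime tuned to a single consent flow


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, transaction_id: str, now: float) -> str:
    """Mint a token bound to one transaction, valid for TOKEN_TTL_SECONDS."""
    claims = {
        "sub": subject,
        "txn": transaction_id,                 # transaction-specific binding
        "exp": int(now) + TOKEN_TTL_SECONDS,   # built-in expiry
        "jti": secrets.token_hex(16),          # unique id, lets each use be recorded
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class TokenValidator:
    """Verifies signature, expiry and transaction binding; rejects replays."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # jti -> exp; the single-use record

    def _forget_expired(self, now: float) -> None:
        # Once a token has expired it can never validate again, so its jti
        # no longer needs to be remembered; this bounds the replay cache.
        self._seen = {j: e for j, e in self._seen.items() if e > now}

    def validate(self, token: str, transaction_id: str, now: float) -> tuple[bool, str]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["txn"] != transaction_id:
            return False, "wrong transaction"
        self._forget_expired(now)
        if claims["jti"] in self._seen:
            return False, "replayed"
        self._seen[claims["jti"]] = claims["exp"]
        return True, "ok"


def demo() -> dict:
    """Exercise the validator against a legitimate use and four attack cases."""
    key = secrets.token_bytes(32)
    validator = TokenValidator(key)
    t0 = 1_700_000_000.0                      # constructed clock value
    tok = issue_token(key, "customer-42", "txn-A", t0)
    tampered = tok[:-1] + ("A" if tok[-1] != "A" else "B")  # flip last sig char
    return {
        "first_use": validator.validate(tok, "txn-A", t0 + 1)[1],
        "replay": validator.validate(tok, "txn-A", t0 + 2)[1],
        "other_txn": validator.validate(
            issue_token(key, "customer-42", "txn-A", t0), "txn-B", t0 + 1)[1],
        "expired": validator.validate(
            issue_token(key, "customer-42", "txn-C", t0), "txn-C",
            t0 + TOKEN_TTL_SECONDS)[1],
        "tampered": validator.validate(tampered, "txn-A", t0 + 1)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The replay cache here is an in-memory dictionary; a real deployment spanning several API nodes would need a shared store (keyed by `jti`, expiring with the token) so that a token accepted by one node cannot be replayed against another.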
The longer the chain, the greater the need for uniformly strong links.
It is axiomatic that security is only as strong as its weakest link, and this applies particularly to open banking. With so many interconnected entities, it is vital to develop and maintain a comprehensive framework, with the following clear delivery capabilities:
- Secure sharing of sensitive financial and consumer data
- Effective handling of consumer consent
- Guaranteed data compliance.
These capabilities will only be engineered through committed and collaborative effort, right across the financial and banking industries. What direction should this effort take?
Industry bodies - including account information service providers (AISPs), government institutes, security firms and the regulator - must work together to evaluate, assess and register trusted TPPs, and to define the criteria for such trusted status. They must also develop a reporting and TPP blacklisting (revocation) capability, to protect the open banking initiative against malicious intent.
Strong customer authentication (SCA), which under PSD2 means at least two independent factors (something the customer knows, has or is), must be applied whenever a customer accesses account data or initiates a payment, including when this is done through an AISP or a payment initiation service provider (PISP), to identify the customer and the device and to validate their personalised security credentials. Reciprocally, the TPPs must make sure that adequate security controls are in place to protect the confidentiality and integrity of customers’ personalised security credentials.
Cyber security and a well-defined cyber risk management framework are operational necessities in the open API banking world. Just as communication channels must be secured, the network platform and the selected protocols must be made more robust and be subject
to regular security testing. The testing objective should be to identify vulnerabilities and mitigating actions; both in the system as a whole, and in individual entities connected to the wider community.
To help create and sustain the optimum open banking environment, what are the practical measures to be adopted now? They must include the following:
- Adoption of and compliance with a strong information security management framework, such as ISO/IEC 27001 certification, the ISO/IEC 27032:2012 cyber security guidelines and the NIST Cybersecurity Framework
- Enforcement of compliance with industry standards across the sector (e.g. the Payment Card Industry Data Security Standard (PCI DSS) in the payment card industry)
- Adoption of an industry wide proactive defence approach, based on evaluation of all participating organisations’ security postures and available threat intelligence
- Implementation of a proactive cyber threat detection capability that actively hunts for potential vulnerabilities or emerging attacks and considers people, process and technology holistically.
The measures listed above will be crucial. Additional, and highly beneficial, drivers of open banking cyber resilience will be:
- A competent cyber workforce, deployed via a functional hub, such as a security operations centre (SOC) or a security intelligence centre (SIC)
- Collaborative threat intelligence and current attack information sharing
- Robust security-incident response plans.
Move to open banking, but not away from traditional trust.
The aspirations of open banking remain valid. Stimulating market competitiveness is good for consumers and it is also an opportunity for banks to attract new customers, up- and cross-sell and offer competitive financial products. A ‘beyond banking’ environment
that sustains traditional banking standards of security will foster new choices, while assuring trust. Yes, there are obstacles. That is why the operational cyber security factors identified above must be put firmly in place and effectively aligned. This will
ensure a high probability that the open banking initiative will indeed be a success.