Cybersecurity Issues For Open Banking

In the new world of open banking, the traditional security walls will come down. Will threats to data integrity and consumer trust inevitably go up? 

Open banking regulations launched in the UK in January 2018. But the underlying technology infrastructure, tasked with delivering the biggest shift ever from traditional bank/customer transactional relationships, is still in development. One of its most crucial design considerations and operational necessities is the need to address cyber security. 

Nothing short of a fully standardised, collaborative and industry-wide approach will strengthen security and assure the level of consumer trust that is crucial to the success of the UK’s open banking initiative and Europe’s wider Payment Services Directive 2 (PSD2). 

Connectivity is now Compulsory. 
For most of their history, banks have completely controlled the sensitive customer information entrusted to them. Access to account-related resources has been restricted to strictly approved internal roles and entities that use corporate security measures, such as firewalls. 

With the introduction of open banking, banks must now make their customers’ personal or business current-account information accessible to external entities. 

This means opening up communication portals or ports that give third-party providers (TPPs) such as account aggregators, challenger banks, start-ups and fintechs, to name a few, access to customer account details. These TPPs sit outside the perimeter. Banks will be interacting with them without a clear understanding of those systems’ security posture, and the previously clear-cut boundary between the bank and the TPP will blur. 
In some ways, the banks’ sensitive data perimeters can now be considered to extend outside their corporate premises. As a result, banks may be exposed to new threats emanating from beyond their traditional areas of control. 

Clearly, this is a major concern at a time when cyber-crime is relentlessly rising. In this ever-more-connected environment, bad actors have many attack vectors with which to exploit system, protocol or network vulnerabilities. Protection must therefore be seamless and cover the four major egress routes: removable media, the Internet, email and fixed network connections. 

Customer data will travel a complex supply chain. Its security is paramount. 
One of the principal concerns around sharing customer data with TPPs is that it can be compromised in transit, at rest (in storage) or in use. More significantly, third-party providers that run their own security controls are now responsible for protecting any shared personal or account-related data they process. If that data is not properly secured, the result could be fraudulent financial activity, reputational damage for the entities involved and, ultimately, jeopardy for the entire open banking initiative. 

Even worse, for banks, it could severely undermine the trust-based relationships they have maintained with their customers for hundreds of years.   

This makes it of paramount importance to ensure secure communication channels are in place. These will help guarantee customer data confidentiality and ensure that any data intercepted by malicious parties does not yield exploitable information. 
Secure encryption methods should be used in pursuit of this objective, and we expect specific guidelines to be released in the final regulatory technical standards for PSD2, later in 2018. 

Meanwhile, the UK has adopted a common authentication protocol: OAuth 2.0. This is industry-recognised and widely used to provide a secure method for verifying digital identities. Further, it provides a formal structure for obtaining, and securely transferring, consumer consent between entities. 

OAuth 2.0 uses the concept of tokens that can be passed between parties during a transaction for authentication purposes. These tokens must be kept secure, because they act as the entry keys to the authentication sequence for an open banking transaction. 

Their functionality makes tokens useful, but their ‘pass key’ nature also makes them a particularly attractive target for cyber criminals. If a token has no built-in expiry, or is not uniquely bound to a particular transaction, it could become compromised. 

Attackers might be able to replay the same token in more than one transaction and in different time periods to gain unauthorised access to account details. There are, however, a few effective countermeasures. 
These scenarios can be prevented by using transaction-specific tokens, short expiry periods and a mutual authentication process. Mutual authentication requires both entities involved in a secure information exchange to authenticate one another. 
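The two token controls described above (binding a token to one transaction and giving it a short expiry) can be checked on the receiving side, as in this added example, which is not part of the original article or of any open banking standard; the HMAC key, transaction identifiers and timestamps are constructed for illustration, and mutual authentication of the channel (e.g. mutual TLS) is assumed to be handled separately.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment would load it from an HSM or key vault.
SECRET = b"demo-key-constructed-for-this-example"


def issue_token(transaction_id, ttl_seconds=60, now=0):
    """Issue a token bound to one transaction that expires after ttl_seconds."""
    payload = {"txn": transaction_id, "exp": int(now) + ttl_seconds,
               "nonce": secrets.token_hex(8)}  # nonce makes every token single-use
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class TokenVerifier:
    """Rejects forged, expired, mis-bound and replayed tokens; returns a reason string."""

    def __init__(self):
        self.seen = set()  # redeemed nonces; production would use a shared store with a TTL

    def verify(self, token, transaction_id, now=0):
        try:
            body, tag = token.split(".", 1)
        except ValueError:
            return "malformed"
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad-signature"
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < now:
            return "expired"            # short expiry limits the window for misuse
        if payload["txn"] != transaction_id:
            return "wrong-transaction"  # token is not valid for any other transaction
        if payload["nonce"] in self.seen:
            return "replayed"           # same token presented a second time
        self.seen.add(payload["nonce"])
        return "ok"
```

Replay detection only works if every verifier instance shares the same redeemed-nonce store, so the short expiry is what bounds the damage when that store is partitioned or lost.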

The longer the chain, the greater the need for uniformly strong links. 
It is axiomatic that security is only as strong as its weakest link, and this applies particularly to open banking. With so many interconnected entities, it is vital to develop and maintain a comprehensive framework, with the following clear delivery capabilities: 

  •  Secure sharing of sensitive financial and consumer data
  •  Effective handling of consumer consent
  •  Guaranteed data compliance. 

These capabilities will only be engineered through committed and collaborative effort, right across the financial and banking industries. What direction should this effort take? 

Industry bodies, including account information service providers (AISPs), government institutes, security firms and the regulator, must work in conjunction to evaluate, assess and register trusted TPPs and to define the criteria for such trusted status. They must also develop a reporting and TPP blacklisting capability to protect the open banking initiative against malicious intent. 

The AISPs and payment initiation service providers (PISPs) must implement strong customer authentication (SCA) using multi-factor authentication, as a technical minimum, to identify customers and devices and to validate their personalised security credentials. Reciprocally, the TPPs must make sure that adequate security controls are in place to protect the confidentiality and integrity of customers’ personalised security credentials. 

Cyber security and a well-defined cyber risk management framework are operational necessities in the open API banking world. Just as communication channels must be secured, the network platform and the selected protocols must be made more robust and be subject to regular security testing. The testing objective should be to identify vulnerabilities and mitigating actions, both in the system as a whole and in the individual entities connected to the wider community. 

To help create and sustain the optimum open banking environment, what are the practical measures to be adopted now? 

They must include the following: 

  • Adoption of and compliance with a strong information security management framework, such as ISO27001, ISO27032:2012 accreditation and the NIST cyber security framework
  • Enforcement of compliance with industry standards across the industry (e.g. the Payment Card Industry Data Security Standard (PCI-DSS) in the payment card industry)
  • Adoption of an industry-wide proactive defence approach, based on evaluation of all participating organisations’ security postures and available threat intelligence
  • Implementation of a proactive cyber threat detection capability that actively hunts for potential vulnerabilities or emerging attacks and considers people, process and technology holistically. 

The measures listed above will be crucial. Additional, and highly beneficial, drivers of open banking cyber resilience will be: 

  • A competent cyber workforce, deployed via a functional hub such as a security operations centre (SOC) or a security intelligence centre (SIC)
  • Collaborative threat intelligence and current attack information sharing
  • Robust security-incident response plans. 

Move to open banking, but not away from traditional trust. 
The aspirations of open banking remain valid. Stimulating market competitiveness is good for consumers and it is also an opportunity for banks to attract new customers, up- and cross-sell and offer competitive financial products. 

A ‘beyond banking’ environment that sustains traditional banking standards of security will foster new choices, while assuring trust. Yes, there are obstacles. That is why the operational cyber security factors identified above must be put firmly in place and effectively aligned.

This will ensure a high probability that the open banking initiative will indeed be a success.

Finextra:

