Cybersecurity Issues For Open Banking

In the new world of open banking, the traditional security walls will come down. Will threats to data integrity and consumer trust inevitably go up? 

Open banking regulations launched in the UK in January 2018. But the underlying technology infrastructure, tasked with delivering the biggest shift ever from traditional bank/customer transactional relationships, is still in development. One of its most crucial design considerations and operational necessities is the need to address cyber security. 

Nothing short of a fully standardised, collaborative and industry-wide approach will strengthen security and assure the level of consumer trust that is crucial to the success of the UK’s open banking initiative and Europe’s wider Payment Services Directive 2 (PSD2). 

Connectivity is now Compulsory. 
For most of their history, banks have completely controlled the sensitive customer information entrusted to them. Access to account-related resources has been restricted to strictly approved internal roles and entities that use corporate security measures, such as firewalls. 

With the introduction of open banking, banks must now make their customers’ personal or business current-account information accessible to external entities. 

This means opening up communication portals, or ports, giving access to customer account details to third-party providers (TPPs) such as account aggregators, challenger banks, start-ups and fintechs, to name a few. These TPPs sit outside the perimeter. Banks will be interacting with them without a clear understanding of their systems' security posture, and the previously clear-cut boundary between the bank and the TPP will blur. 
In some ways, the banks' sensitive-data perimeter can now be considered to extend outside their corporate premises. As a result, banks may be exposed to new threats emanating from beyond their traditional areas of control. 

Clearly, this is a major concern at a time when cyber-crime is relentlessly rising. In this ever-more-connected environment, bad actors have many attack vectors with which to exploit system, protocol or network vulnerabilities. Protection must therefore be seamless and cover the four major egress routes: removable media, the Internet, email and fixed network connections. 

Customer data will travel a complex supply chain. Its security is paramount. 
One of the principal concerns around sharing customer data with TPPs is that it can become compromised in transit, at rest (storage) or in use. More significantly, the third-party providers, which run their own security controls, are now responsible for protecting any shared personal or account-related data they process. If that data is not properly secured, the result could be fraudulent financial activity, reputational damage for the entities involved and, even, jeopardy for the entire open banking initiative. 

Even worse, for banks, it could severely undermine the trust-based relationships they have maintained with their customers for hundreds of years.   

This makes it of paramount importance to ensure secure communication channels are in place. These will help guarantee customer data confidentiality and ensure that any data intercepted by malicious parties does not yield exploitable information. 
Strong, standard encryption methods should be used in pursuit of this objective, and we expect specific guidelines to be released in the final regulatory technical standards for PSD2, later in 2018. 

Meanwhile, the UK has adopted a common protocol: OAuth 2.0. This is an industry-recognised and widely used authorisation framework. It does not verify identities by itself (identity verification is layered on top of it, via OpenID Connect), but it provides a formal structure for obtaining consumer consent and for securely conveying the resulting delegated access between entities. 

OAuth 2.0 uses the concept of tokens: once the customer has consented, the bank's authorisation server issues an access token to the TPP, which presents it on every subsequent API call. These tokens must be kept secure, because they act as bearer credentials for an open banking transaction: whoever holds one can exercise the access it grants. 

Their functionality makes tokens useful. But their 'pass key' nature also makes them a particularly attractive target for cyber criminals. If a token has no built-in expiry, or is not bound to a particular transaction, then a token that has been compromised (stolen from a TPP's logs or storage, or lifted from an intercepted request) can be used by the attacker for as long as it remains valid. 

Attackers might then replay the same token in more than one transaction, and across different time periods, to gain unauthorised access to account details. But there are a few effective countermeasures available. 
Such scenarios can be prevented by the use of transaction-specific (single-use) tokens, short expiry periods and a mutual authentication process. Mutual authentication requires both entities involved in a secure information exchange to authenticate one another; in practice this is typically mutual TLS, under which a stolen token is useless without the legitimate TPP's client certificate and private key as well. 
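The following is an added illustration of the three token-level countermeasures just described (short expiry, transaction binding and single use); it is example code written for this article, not code from the Open Banking standard or any bank. It assumes a hypothetical HMAC-signed token format and an in-memory replay store so that it runs stand-alone; a real authorisation server would use asymmetrically signed JWTs and a replay store shared across all API nodes, and mutual TLS would sit underneath at the transport layer.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical signing key for this demonstration only. A real authorisation
# server signs with a private key held in an HSM and publishes the public key.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(subject, transaction_id, ttl_seconds=60, now=None):
    """Issue a short-lived, single-use token bound to one transaction.

    exp: hard expiry, so a stolen token is only useful for a short window.
    txn: the one transaction the token is valid for.
    jti: a unique, unguessable token id, so a replay can be detected.
    """
    now = time.time() if now is None else now
    claims = {"sub": subject, "txn": transaction_id, "jti": secrets.token_hex(16),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


class TokenValidator:
    """Resource-server checks. validate() returns (accepted, reason_or_subject)."""

    def __init__(self):
        # jti -> exp. Must be shared across API nodes in a real deployment;
        # an in-memory dict is used here only so the example runs stand-alone.
        self._seen = {}

    def _purge(self, now):
        # A token past its exp is rejected by the expiry check anyway, so its
        # jti no longer needs to be remembered.
        for jti, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[jti]

    def validate(self, token, expected_transaction, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, signature = parts
        # 1. Integrity: constant-time check that the issuer signed this token.
        if not hmac.compare_digest(signature, _sign(body)):
            return False, "bad_signature"
        claims = json.loads(_unb64(body))
        # 2. Short expiry: a leaked token stops working quickly.
        if now >= claims["exp"]:
            return False, "expired"
        # 3. Transaction binding: no reuse against a different transaction.
        if claims["txn"] != expected_transaction:
            return False, "wrong_transaction"
        # 4. Single use: the same token presented twice is a replay.
        self._purge(now)
        if claims["jti"] in self._seen:
            return False, "replayed"
        self._seen[claims["jti"]] = claims["exp"]
        return True, claims["sub"]


def demo():
    """Walk through the scenarios in the text with a fixed clock (constructed data)."""
    validator = TokenValidator()
    token = issue_token("alice", "txn-1001", ttl_seconds=60, now=1000)
    tampered = token.split(".")[0] + ".AAAA"
    return [
        validator.validate(token, "txn-1001", now=1010),     # legitimate first use
        validator.validate(token, "txn-1001", now=1020),     # replayed, same transaction
        validator.validate(token, "txn-2002", now=1030),     # replayed against another transaction
        validator.validate(token, "txn-1001", now=1100),     # presented after expiry
        validator.validate(tampered, "txn-1001", now=1010),  # signature does not verify
    ]


if __name__ == "__main__":
    for accepted, detail in demo():
        print("accepted" if accepted else "rejected", detail)
```

The order of the checks matters: the signature is verified before any claim is trusted, and expiry is checked before the replay store is consulted, so the store only ever needs to hold identifiers of tokens that are still live.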

The longer the chain, the greater the need for uniformly strong links. 
It is axiomatic that security is only as strong as its weakest link, and this applies particularly to open banking. With so many interconnected entities, it is vital to develop and maintain a comprehensive framework, with the following clear delivery capabilities: 

  •  Secure sharing of sensitive financial and consumer data
  •  Effective handling of consumer consent
  •  Guaranteed data compliance. 

These capabilities will only be engineered through committed and collaborative effort, right across the financial and banking industries. What direction should this effort take? 

Industry bodies - including account information service providers (AISPs), government institutes, security firms and the regulator - must work in conjunction to evaluate, assess and register trusted TPPs, and to define the criteria for such trusted status. They must also develop a reporting and TPP blacklisting capability, to protect the open banking initiative against malicious intent. 

The AISPs and payment initiation service providers (PISPs) must implement strong customer authentication (SCA) using multi-factor authentication, as a technical minimum, to identify customers and devices and to validate their personalised security credentials. Reciprocally, the TPPs must make sure that adequate security controls are in place to protect the confidentiality and integrity of customers' personalised security credentials. 

Cyber security and a well-defined cyber risk management framework are operational necessities in the open API banking world. Just as communication channels must be secured, the network platform and the selected protocols must be made more robust and be subject to regular security testing. The testing objective should be to identify vulnerabilities and mitigating actions; both in the system as a whole, and in individual entities connected to the wider community.  

To help create and sustain the optimum open banking environment, what are the practical measures to be adopted now? 

They must include the following: 

  • Adoption of, and compliance with, a strong information security management framework such as ISO/IEC 27001 (certification), ISO/IEC 27032:2012 (guidance) and the NIST Cybersecurity Framework
  • Enforcement of compliance with industry standards, across the industry (e.g. the Payment Card Industry Data Security Standard (PCI DSS) in the payment card industry)
  • Adoption of an industry-wide proactive defence approach, based on evaluation of all participating organisations' security postures and available threat intelligence
  • Implementation of a proactive cyber threat detection capability that actively hunts for potential vulnerabilities or emerging attacks and considers people, process and technology holistically. 

The measures listed above will be crucial. Additional, and highly beneficial, drivers of open banking cyber resilience will be: 

  • A competent cyber workforce, deployed via a functional hub, such as a security operations centre (SOC) or a security intelligence centre (SIC)
  • Collaborative threat intelligence and current attack information sharing
  • Robust security-incident response plans. 

Move to open banking, but not away from traditional trust. 
The aspirations of open banking remain valid. Stimulating market competitiveness is good for consumers and it is also an opportunity for banks to attract new customers, up- and cross-sell and offer competitive financial products. 

A ‘beyond banking’ environment that sustains traditional banking standards of security will foster new choices, while assuring trust. Yes, there are obstacles. That is why the operational cyber security factors identified above must be put firmly in place and effectively aligned.

This will ensure a high probability that the open banking initiative will indeed be a success.

Finextra:
