Open APIs under PSD2: what security challenges will banks meet

Once PSD2 is implemented into national law by member states, European banks will be required to open up and provide third party providers (TPPs) access to customer accounts. What does this mean for online security?

Under PSD2, consumers will be able to visit third-party sites and allow them to view and act on their bank accounts. In addition, under the new regulation, TPPs can be authorised by a customer to retrieve their financial data from the issuing bank. This means banks will have to provide TPPs with access to their back-end systems to retrieve the data. Most likely, this access will be facilitated by open APIs. Interesting new business models are emerging from this environment, but from a security perspective, the complexity of keeping customer data secure will increase significantly. One of the drivers here is that clients will be communicating to many more instances than just their traditional bank, multiplying the attacking surface for hackers.

Opening up APIs introduces a whole host of new vulnerabilities which can be exploited by hackers; therefore, it is vitally important that security providers are watching the developments of the PSD2 standards closely until implementation in January 2018.

What are the implications of an open API to data privacy and who is the main responsible party in providing security in data sharing?

The payments and banking industry is in the middle of digital disruption. On every front, traditional financial service providers are facing startling new realities. At the same time, cybercrime has evolved from single hackers with a laptop and fake IP address, to resilient, highly skilled organisations executing global cyberattacks. It is all a lot to think about, let alone navigate successfully.

As a result, banks and payment service providers must realise that current industry standards for network security, cryptography and secure development practices are not enough. They are responsible for keeping data safe from increasingly sophisticated and organised cybercriminals. This requires “future-proof” security that allows financial organisations to harden existing services and rapidly develop new ones that can withstand today’s dynamic threats.

What kind of security measures are currently taken by banks and API gateway providers?

Banks today use a range of network security products to protect their data and API’s. These are often in the form of API gateways that add authentication, authorization and monitoring to the API. However, these measures are often not enough as the web application or mobile application connecting to the API can be a source of leakage of sensitive (banking) information.

In practice, this means that the bank’s back-end systems will be accessed from a non-controlled environment via the internet whenever the customer clicks a button onscreen. Such internet-driven interactions make customer data a much softer target for cybercrime. According to the Verizon 2016 Data Breach Investigation Report, about 40% of all data breaches occur via web applications. This clearly indicates that current security practices are not enough, especially given the digital disruption that the payments and banking industry is facing.

What should banks and TPPs take into consideration when rethinking their approach to security?

Banks and TPPs need to implement state-of-the-art API protection, which goes beyond the standard industry protocols as HTTPS. In addition, it is important to protect against attacks that occur between the internet client and the server (often referred to as Man-in-the-Middle attacks).

In addition, banks and TPPs have traditionally focused on perimeter security, which keeps JavaScript (JS) and APIs safe inside the firewall. However, MitM attacks exploit JS and APIs that execute outside the firewall, in the payment form itself. The best way to protect against MitM is to harden the JS that runs in the payment form. By doing so, banks & TPPs protect not only the code, but also the API that carries data from the interface to the server.

What other security challenges do you foresee for banks with cybercriminals getting more and more sophisticated?

With PSD2 being implemented in the European financial services industry, JavaScript and APIs that execute outside the firewall (open APIs) will become the norm, providing access to extremely sensitive data to any number of third parties. Currently, most financial services providers do not pay much attention to breaches that occur outside the firewall. They are often seen as too small to raise alarm or indistinguishable from “user error,” such as a teller counting out one too many GBP 10s in a retail branch.

However, lots of little “user errors” – USD 10 in New York, EUR 10 in Amsterdam, GBP 10 in London – across hundreds of days and dozens of cities, can add up to a significant amount of revenue for a thief, without the bank even noticing it was stolen.

There are many ways in which USD 10, EUR 10, or GBP 10 could end up in the wrong account. One way is a TLS/SSL MitM (Man-in-the-Middle) attack. MitM is a type of cyberattack in which a malicious actor inserts himself into an interaction between two parties, impersonates both parties and gains access to information the two parties were trying to send each other. Given that each theft is tiny, it is very hard to tell it has even occurred. Not a lot of analysis has been done regarding the frequency or impact of these types of attacks, never mind how to protect against them. This lack of understanding will leave the industry open to increasing cases of cyber fraud.

One thing is certain however, deploying technologies that harden applications beyond the firewall will become increasingly important for providers who hope to stay secure as PSD2 comes into effect.

Cloakware for Payments & Banking by Irdeto is the winner of the Florin Award in the “Omni-channel Payments Security“ category, at the European Payments Summit, a Transactives conference on the continuous personal professional development in payments. Cloakware for Payments & Banking by Irdeto enables banks and payment service providers (PSPs) to innovate quickly with the knowledge of built-in Cloakware security.

About David Jones

David joined Irdeto in 2008. Since that time his responsibilities have included global partnership strategy, commercial management and technical partner support services. Building on his extensive international experience, in 2014 David moved to the Business Development team to drive Irdeto’s entry into new markets/segments. David now leads Irdeto’s Payments and Banking segment, introducing Irdeto’s core technologies and solutions to the Financial Services industry through direct sales and channels.

About Irdeto

With nearly 50 years of security experience, Irdeto is a pioneer in digital platform and application security. Its technology protects over USD 750 million in payments and more than 5 billion devices and applications against cyberattacks for some of the world’s best known brands. Irdeto leverages this security expertise to enable banks and PSPs to deliver a convenient and safe digital shopping and banking experience for consumers.