The new payment services directive opens up bank data to third-party service providers. What does it mean for security?
"Cybersecurity is a sector-neutral challenge. The focus of cybercriminals is on the ease by which they can generate revenue via manipulation of processes or the resale of valuable information assets," says Mike Daughton, partner in risk consulting at KPMG Ireland.
The threat they pose is increased both by the sophistication of modern cybercriminal groups and their use of start-up and online-only financial companies to redistribute and funnel their revenue gains.
“Organisations that do not meet the standards of Strong Customer Authentication (SCA) in the incoming Payment Services Directive (PSD2), or who have weak anti-money-laundering controls, create vulnerability in the overall chain,” he says.
Traditional attacks such as email phishing have already given way to new methods such as “formjacking”, attacks that allow a cybercriminal to intercept your banking information direct from the input on an e-commerce site.
According to Symantec's Internet Security Threat Report 2019, formjackers compromised 4,818 unique websites every month in 2018. Over the course of the year, Symantec blocked more than 3.7 million formjacking attempts. This equates to almost 74 per cent of compromise attacks.
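Formjacking succeeds because a script that was never meant to be on the checkout page gets to run there. A cheap defensive control is to keep an inventory of the scripts a payment page actually references and compare it against an allowlist, insisting on Subresource Integrity for third-party scripts. The following is an added example written for this article, not code from Symantec, KPMG or any shop; the hostnames, the allowlist and the sample checkout page are constructed for illustration.

```python
"""Inventory the <script> elements on a checkout page and flag anything unexpected.

Added example, not part of the original article. Every hostname below is a
constructed placeholder; the SRI hash value is a placeholder, not a real digest.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the shop's own origin plus its payment provider.
FIRST_PARTY_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY_HOST, "js.payments-provider.example"}

# Constructed sample of a checkout page: one first-party script, one
# allowlisted third-party script with SRI, one unexpected host, one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://js.payments-provider.example/v1/card.js"
        integrity="sha384-PLACEHOLDER_NOT_A_REAL_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.unknown-stats.example/t.js"></script>
<script>window.__cfg = {currency: "EUR"};</script>
</head><body><form id="payment"><input name="card"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script> element with its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # each entry: {"src": str|None, "integrity": str|None, "inline": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers the body of a <script> element through handle_data.
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data


def audit_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, first_party=FIRST_PARTY_HOST):
    """Return a list of (severity, message) findings for the scripts on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            # Inline script: cannot be pinned with SRI, so it needs review or a CSP nonce.
            if s["inline"].strip():
                findings.append(("review", "inline script present; move to a reviewed static file"))
            continue
        host = urlparse(s["src"]).hostname or ""
        if host not in allowed_hosts:
            findings.append(("high", f"script loaded from unexpected host: {host}"))
        elif host != first_party and not s["integrity"]:
            findings.append(("medium", f"third-party script without SRI integrity: {s['src']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"[{severity}] {message}")
```

Run against the constructed page this reports the unknown statistics host as high and the inline configuration script for review; the payment-provider script passes because it is allowlisted and carries an integrity attribute. In practice the check would run on every deploy and on periodic fetches of the live page, since a skimmer is injected after the fact rather than shipped in the repository.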
“Financial services companies are enforcing more biometric authentication to meet the needs of SCA and to remove the formjacking threat, as username and password access becomes consigned to history,” says Daughton.
However, “the rise of artificial intelligence as an enabler for security has the flipside of providing the criminal with equivalency in the battle to secure assets – an example of this is the use of ‘deep fake’ software to replicate the patterns required by voice biometrics.”
Connectivity and transfers of customer data have increased as part of the open banking revolution and this is an area also targeted by criminals as they look for the “weakest in the herd” to attack.
“There is a significant role to be played by the competent national authorities, such as the National Cyber Security Centre and regulators to ensure that security by design, and indeed privacy by design, is considered across industry and that the lessons are shared to increase the overall baseline level of security and awareness,” says Daughton.
But regulators walk a fine line between enabling innovation and protecting consumers, says Kevin Curran, professor of cybersecurity at Ulster University.
Equally, while customers expect banks to have strong security safeguards, they may turn to new payments innovations because they seem more convenient.
“But security comes at a cost. The more secure it is, the more inconvenient it is,” says Curran.
Vulnerabilities
Even biometric measures have vulnerabilities. In their early days a simple high-resolution photograph could trick facial recognition software. Since then the technology has improved, but so too have the hackers. Moving to 3D images and “putting a bit of heat behind them” could also work.
Fingerprints aren’t inviolate, being left all over surfaces such as photocopiers, where they can be lifted with latex. Even a high-resolution image of your iris, the current gold standard, can fool some machines. It’s why combining biometrics with passwords sent to your phone works best.
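The code sent to a customer's phone only adds real strength when the server treats it properly: random, short-lived, single-use, limited in guesses, and compared in constant time. The following is an added example for this article, not code from any bank or from Ulster University; the function names, the in-memory store and the limits are assumptions chosen for illustration.

```python
"""Server-side handling of a one-time code delivered to the customer's phone.

Added example, not part of the original article. Storage is an in-memory dict
for the example; a real deployment would use a store shared across servers.
The per-process key below is generated at startup and is a constructed stand-in
for a properly managed server secret.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # assumption: codes expire two minutes after issue
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code

# Codes are stored as keyed hashes so a leaked store is not directly usable.
_SERVER_KEY = secrets.token_bytes(32)
_pending = {}  # user_id -> {"mac": bytes, "expires": float, "attempts": int}


def _mac(user_id, code):
    """Keyed hash binding the code to the user so codes cannot be swapped between accounts."""
    return hmac.new(_SERVER_KEY, f"{user_id}:{code}".encode(), "sha256").digest()


def issue_code(user_id, now=None):
    """Generate a fresh code for user_id and return it for delivery to the phone."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[user_id] = {"mac": _mac(user_id, code), "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(user_id, submitted, now=None):
    """Return True only for the correct, unexpired code; a success consumes it."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[user_id]          # expired codes are discarded, not kept for retry
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["mac"], _mac(user_id, str(submitted)))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]          # single use on success; lock out after too many guesses
    return ok


if __name__ == "__main__":
    code = issue_code("customer-42")
    print("code sent to phone:", code)
    print("wrong guess accepted:", verify_code("customer-42", "000000"))
    print("correct code accepted:", verify_code("customer-42", code))
    print("replay accepted:", verify_code("customer-42", code))
```

The attempt counter is what makes a six-digit code defensible: without it, a million guesses is a small number for an automated attacker, and the expiry bounds how long a code intercepted in transit remains useful.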
In some ways our security concerns are misplaced. We trust our smartphone brand but know nothing of the 70 suppliers of its components. “You have to start trust somewhere, unless you are going to get sand from the beach, build a €10 billion facility and make your own chip,” he says.
The wisdom of crowds should help. Companies need to survive and thrive, and to do so it’s “in their interest to build a fan base”, he says.
We might also learn from the wisdom of academics. Curran makes all his online banking “view only”. “If I want to make a transaction, I have to pick up the phone.” It means that, should his phone fall into the wrong hands, at least it can’t be used to make payments.
Almost all banks offer it as a service; “they just don’t tell you about it because it costs them more in call centre staff,” he says.