Ready or Not for PSD2: The Risks of Open Banking
September 14 marked the implementation of the European Union’s (EU) Revised Payment Service Directive (PSD2), otherwise known as Open Banking. PSD2 aims to give the public greater convenience and more control over their banking data. It also gives third-party financial technology (FinTech) companies that offer additional services on top of established banks the same access to customers’ banking information, for data analysis, financial management recommendations, and other services.
Figure 1. With PSD2, new FinTech companies will launch new apps to aggregate banking data from multiple accounts.
PSD2, approved in 2015, replaces the 2007 mandate, the Payment Services Directive (PSD). It spells out specific protection procedures, rights, and obligations of providers and users in an effort to motivate innovation and competition in the financial industry. While it is designed for and primarily applicable to EU member states, the effects and implications of the directive go beyond the region. The directive is being hailed as a game changer in the financial industry: it takes control of customers’ information away from established banks and gives users the right to share their banking data with financial service providers for finance management and other purposes.
To comply with the law’s security stipulations, banks opened their application programming interfaces (APIs) to FinTech companies after ensuring that the prerequisite security infrastructure was in place and after obtaining the bank customers’ consent for data access. But a number of concerns regarding readiness have been raised.
This paper explores the current state and potential security risks of banking apps with the advent of PSD2, highlighting the technical infrastructure and the implications of the regulation. We highlight the following:
Customers who opt to use Open Banking apps to manage their banking data will now be in an entirely new trust relationship. Whereas customers placed their faith in decades-old institutions with a long history of security, they will now be transferring that same trust to lesser-known third-party providers that lack a long track record of combating fraud. Banks’ antifraud systems will have less data with which to train models and spot fraud in real time, because their customers’ financial data will be spread across multiple companies.
While customers are now more aware of the phishing techniques cybercriminals used in the past, malicious actors will gain new opportunities to trick banking customers. Cybercriminals could impersonate the FinTech companies working with banks, and new phishing schemes are expected to emerge.
Financial institutions have a history of exposing personally identifiable information (PII) in the URLs of their existing APIs and legacy systems. Moreover, some FinTech companies rely on weaker security measures and information-gathering methods such as “screen scraping”. From a security standpoint, we expect a number of app and feature flaws that attackers will likely spot and take advantage of as soon as apps go live.
Table 1. 10 of the 52 financial institutions Trend Micro researchers found exposing confidential data in the URL path
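PII in a URL path or query string ends up in web-server access logs, proxy logs, browser history and referrer headers, which is why the exposure described above matters even when the connection itself is encrypted. The following is an added example, not code from the Trend Micro paper or from any of the institutions it surveyed: a small scanner that finds IBAN-, email- and card-number-shaped values (and sensitively named query parameters) in the request URLs of access-log lines, and a redaction helper that rewrites such a URL before it is logged or forwarded. The regular expressions, the parameter-name list and the three log lines are constructed for illustration and would need tuning to an institution’s own identifier formats.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote

# Value shapes that have no business in a URL path or query string.
# Constructed for this example; an institution would tune these to its own
# customer, account and card identifier formats.
PII_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
# Query parameter names whose value is sensitive whatever its shape (constructed list).
SENSITIVE_PARAMS = {"iban", "account", "accountnumber", "email", "ssn", "dob", "pan"}
REDACTED = "REDACTED"
# Request line inside a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _match_patterns(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every PII pattern that matches in text."""
    found = []
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if kind == "card_number" and not luhn_ok(value):
                continue
            found.append((kind, value))
    return found


def find_pii_in_url(url: str) -> list[tuple[str, str]]:
    """Return (kind, value) findings for PII carried in the path or query of a URL."""
    parts = urlsplit(url)
    findings = []
    for segment in parts.path.split("/"):
        findings.extend(_match_patterns(unquote(segment)))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            findings.append((f"param:{key}", value))
        else:
            findings.extend(_match_patterns(value))
    return findings


def scan_access_log(lines):
    """Return (line_no, method, url, findings) for each log line whose request URL carries PII."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = find_pii_in_url(m.group("url"))
        if findings:
            hits.append((line_no, m.group("method"), m.group("url"), findings))
    return hits


def redact_url(url: str) -> str:
    """Rewrite a URL with PII replaced, so it can be logged or forwarded safely."""
    parts = urlsplit(url)
    segments = []
    for segment in parts.path.split("/"):
        text = unquote(segment)
        for pat in PII_PATTERNS.values():
            text = pat.sub(REDACTED, text)
        segments.append(text)
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS or _match_patterns(value):
            value = REDACTED
        query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), urlencode(query), parts.fragment))


# Constructed sample access-log lines; the IBAN and e-mail address are made up.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [14/Sep/2019:10:01:02 +0000] "GET /api/v1/accounts/GB29NWBK60161331926819/balance HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Sep/2019:10:01:03 +0000] "GET /api/v1/customer?email=alice%40example.com HTTP/1.1" 200 980',
    '203.0.113.6 - - [14/Sep/2019:10:01:04 +0000] "POST /api/v1/accounts/acc-7f3a/balance HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, method, url, findings in scan_access_log(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {method} {url}")
        for kind, value in findings:
            print(f"    {kind}: {value}")
        print(f"    safe form: {redact_url(url)}")
```

The third sample line shows the fix the scanner implicitly recommends: address resources by an opaque, per-customer identifier (here the made-up `acc-7f3a`) and carry any real account or card data in the request body or an authenticated header, where logs and intermediaries do not see it. Running the scanner over historical logs is a quick way to measure how much of that kind of leakage an API already has before third parties start calling it.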
Attackers consider banking transaction data to be high-value information: it allows an attacker to study a person’s behavioral patterns, routines, schedules, and financial status. This inevitably means that actors such as shady advertising companies and advanced nation-state actors will take a strong interest in open banking data.