Meeting the security challenges of open banking

Feature

Open banking can best be thought of as a series of reforms that have been changing the way banks handle the financial information of consumers.

Read a case study about how Nationwide Building Society approached the move to a more competitive, more customer-oriented, and more secure financial data environment here.

At the heart of the open banking initiative is a complementary regulation known as the Payment Services Directive 2 (PSD2) that has been up and running since January 2018. Together, they are breaking the long-standing monopoly that banks have traditionally held when it comes to customer account information, and giving back the power to access that data to the customer. Be that by way of making payments with sites like Facebook, using a third-party app to analyse account activity or even using one single bank app to access your accounts at rival banks. It will also make it easier for consumers to compare financial services providers, products and rates.

This move away from the closed environment that has been the way of doing things pretty much forever, brings an unprecedented level of openness. Open banking presents great opportunities for both banks and their customers, but it also presents new dangers and challenges as embracing digital initiatives and new technologies also increases the threat landscape.

Research conducted by Forrester at the end of last year found that concern among consumers over their data being breached (82%) was holding back the sharing of consumer financial data through the open banking scheme. Businesses were also concerned, but to a lesser degree (68%). It's pretty obvious that for the average person on the street, the notion of sharing such sensitive and confidential data with a third-party is a worrying prospect.

But what are the realities when it comes to the threat landscape that open banking paints? To be honest, the threats themselves are not new but rather they are different to the ones that must be considered in a closed environment. Everything from the spoofing of customer consent through the use of social engineering tricks such as a threat actor posing as a third-party, through to actual breaches of legitimate third-party providers by hackers will now be front and centre. Man-in-the-Middle (MitM) type attacks may become more commonplace as threat actors look to exploit the customer by way of malware to the user device that can intercept communications, such as checking a balance within an app, and lead to credential compromise attacks as the user thinks they are 'talking' to the third-party or the bank itself but are actually talking to the threat actor in the middle. The days of financial institutions just concerning themselves with defending the perimeter have been over for quite a while, but in the new world of open banking the traditional security walls will certainly come tumbling down.

Open banking is based on the use of Application Programming Interfaces (APIs) that enable third-parties to build applications and services, in this case around financial services. APIs allow one piece of software to speak to another and attacks on these building blocks are almost certainly going to be amongst the biggest of the security challenges facing banks as we move forward. This emerging attack vector is already being exploited by cybercriminals and, as banks start exposing their customer data APIs to third-party applications, that vector will become even more lucrative and appealing. All of which means that it becomes ever more vital that banks architect their application stacks with the open banking threatscape in mind.

This means not only incorporating advanced API-management tools but ensuring they sit upon a solid foundational security layer. As you might have guessed, this requires advanced encryption methodologies to be in place so that data cannot be exploitable if intercepted. One way of doing this is by using hardware security modules (HSMs) as a root of trust and to provide the required standards-compliant digital signing. An HSM generates and protects the keys needed to encrypt and decrypt the data and provides a root of trust for secure digital signatures. Such secure encryption deployments will be vital if that consumer concern around open banking mentioned earlier is to be reversed.

It's essential that those banks leading the transformational charge into a more open world of financial data do so with security at the heart of everything. You can read a case study about how Nationwide Building Society approached the move to a more competitive, more customer-oriented, and more secure financial data environment here.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop