September 20, 2018
Cyber Threats on Open APIs and Other PSD2 Hurdles
Posted September 15, 2017
Legal wrangling and a little something called Brexit are throwing speed bumps into the race to implement PSD2. But new questions around cyber threats against APIs have some wondering if things could soon take a turn for the worst.
In hopes of softening its upcoming exit from the European Union, the UK is aiming to convert applicable EU laws into domestic policy, so long as they’re in force by “Exit Day,” March 29, 2019.
That’s good news for the revised payment services directive, given the European Banking Authority’s (EBA’s) January 13 deadline for PSD2 to become law within each member nation.
Yet, as industry observers point out, PSD2’s Regulatory Technical Standards (RTS) for Strong Customer Authentication don’t go into effect until 18 months after they’re documented in the EU’s Official Journal, currently expected sometime this fall. If the 18-month deadline falls past Exit Day, however, the RTS will not be converted to UK policy.
As things stand now, that may be the least of the EBA’s worries.
As readers will recall, the RTS was released back in February. But it must be ratified by the European Commission (EC) before it can go into effect. There’s just one (major) problem. The EC inserted an amendment that has resulted in seven months of negotiations. At issue: the RTS’ ban on so-called “screen-scraping.”
New Angst Over APIs
PSD2, of course, is the sweeping new set of open banking requirements aimed at dramatically enhancing transparency, innovation and competition throughout the EU’s financial services industry.
Among other things, banks must now open their payment account data to third parties through open APIs, and securely authenticate all account access and payment authorizations. While that may mean banks face the risk of losing their direct relationship with the customer, it will also mean new opportunities to innovate for established institutions and emerging fintechs alike.
New services may soon enable you, for example, to access all your financial accounts from a single portal, or offer you the best auto loan based on your current financial picture.
However, in exchange for open bank data, the RTS calls for an end to screen-scraping, which some fintechs have used to copy customer data from websites in order to directly target their offerings directly. This practice is susceptible to man-in-the-middle attacks and other forms of fraud. It’s also unnecessary, the EBA argues, given the shift to open APIs.
The EC, however, disagrees. As some industry observers have pointed out, the banks’ APIs will only work if they “unfailingly supply all the data fintechs need.” What’s more, observers say, there’s also the risk that APIs could stop working due to software bugs, or get temporarily suspended due to security threats. On that last score at least, they may make an important point.
‘Open’ to Attack?
For those out of the know, open APIs are publicly available “application programming interfaces” that provide access to applications and govern how they communicate with one another.
Think HR or social platforms that enable you to post job listings or status updates across any number of third-party apps. With PSD2, open APIs will be used to share banking data, and to initiate and authenticate digital payments.
In other words, this is kind of a big deal. And in recent weeks, the security of such APIs has come into question.
Case in point: News that an API used by the FCC’s web page for posting comments on net neutrality contained a flaw that could be used to bypass admins and post just about anything—including malware. (It is, alas, just the latest security drama associated with that webpage.)
Meanwhile, nearly 6 million Instagram accounts have been compromised by hackers exploiting a bug in the social platform’s open API. In that instance, the cyberthieves used screen-scraping to collect contact information, which they are now selling online. And reports on a possible data breach at one of the world’s largest open API-based digital payments systems—India’s Aadhar network—have been especially unsettling.
Factor in the scale and significance of PSD2, and it’s easy to see why there are fresh concerns about open APIs that give third-party apps access to banking data could expose institutions to unprecedented fraud, data breaches and other cyber threats.
Indeed, there’s little doubt API-driven integrations will make enticing targets for fraudsters looking to perform high-velocity credentials testing in hopes of selling verified credentials on the dark web.
Such attacks could also wreak havoc on banks by crashing servers and causing considerable friction for legitimate customers. Most important of all, they could put sensitive customer data (and financial assets) at profound risk.
To protect themselves and their customers, a growing number of financial institutions are gravitating to technologies that can help them secure these integrations so they can survive, and indeed thrive, in the age of PSD2.
The ThreatMetrix solution for Open Banking, for instance, enables organizations to create APIs for third-party providers while maintaining their own existing authentication and customer validation processes. This allows established institutions to support innovation through internal initiatives and external partnerships while extending control over the customer experience and maximizing lifetime value. The solution is also underpinned by global shared intelligence from the world’s largest digital identity network.
According to the RTS, users’ previous spending patterns, transaction histories, locations and times of transactions must be used to identify anomalies in payment requests that may signal fraud.
Digital identity intelligence goes far beyond these attributes by leveraging anonymized, crowd-sourced transaction data from tens of thousands of websites around the globe to give businesses the ability to analyze the risk associated with each transaction in real time.
Not only does this enable institutions to strike the perfect balance between security and convenience across all customer touchpoints and payment mechanisms, but they can also extend those capabilities to new APIs and consumer consent flows.
Red Light, Green Light
Even with these kinds of cybersecurity technologies available, it’s anyone’s guess where the race to PSD2 implementation will take us next.
In the UK, we anticipate government officials will indeed take steps to fold mandates from a final, ratified RTS into adoption of the directive, helping land the “Soft Brexit” that High Street institutions are banking on—no matter the timeline.
As for the imbroglio between the EC and EBA and its impact on final mandates, that’s a tougher call. At this point, enough yellow lights are flashing to suggest RTS deadlines could very well get pushed back—even deep into 2019.
Still, proceeding with caution doesn’t necessarily mean applying the brakes just yet.
To paraphrase a passenger-side mirror near you, even with possible delays, PSD2 is closer than it may appear.
To learn more, register now for our upcoming webinar, ‘The Long-Term Impact of PSD2 & How to Select a Strategic Partner’ on Thursday, September 21 at 12 noon Pacific Time.