A new report warns that some of the benefits of open banking could come at a high cost for consumers and banks alike, as the threat of cyberattacks is said to increase as open banking becomes more prevalent.
The report comes courtesy of Trend Micro, which says it has evidence to support the idea that, as the European Union rolls out its new Open Banking legislation, individuals and banks are both at risk of being compromised online.
The EU’s Revised Payment Services Directive (PSD2) has been designed to make finance more transparent and convenient, giving the consumer more power over their data. This control, researchers have found, could come at a cost, as it opens up the potential for new vulnerabilities that cyber criminals can exploit, or creates an incentive to hack third parties that previously didn’t have your information stored on their systems.
“Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks,” says Sarah Coble.
Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine that “the worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes.”
Sarah Coble’s report also mentions that “in a quick survey of Open Banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.”
According to Mistry, the concept of open banking comes with added challenges, namely the problem of determining who is to blame - and how to blame them - when a cyber attack does, inevitably, transpire.
“Another aspect of this evolving Open Banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs,” he said. “The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?”
Bharat Mistry anticipates that regardless of the blame, current attitudes surrounding financial fraud mean that the bank will be left footing the bill, and subsequently maintaining state-of-the-art security protocols to keep third parties out in the cold.
“Cyber insurance is proving to be popular with organisations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of,” he said.
Finder defines open banking as a form of financing that “gives you control of the data banks and financial institutions hold on you. Right now, it’s difficult for you to get a hold of your full financial data and for banks to send that data to each other and to other companies. This makes it tricky to find the best product or service for you, and also to switch to new products and services.”
“Open banking will allow you to ask that your data be sent to other banks, financial institutions and authorised organisations when you want to. You control who holds your data and how it is used… Australia’s big four banks were asked to make certain financial data available for beta testing when the open banking legislation passed through Parliament on 1 August 2019.
There are four types of bank data that will be available to Australians when the legislation is finalised, including:
Product data: rates, fees and bank features.
Customer data: Personal information about you - phone numbers, address, email address, age etc.
Account data: Account balances, direct debits, regular payments, debt.
Transaction data: How much you’ve saved, spent and where you spent it.