Trend Micro highlights security risks of new open banking regulation

Trend Micro (TYO: 4704; TSE: 4704), a global leader in cyber security solutions, today released research demonstrating that major new European banking rules could greatly increase the cyber attack surface for financial services firms and their customers.

The new research details the impact of the EU’s Revised Payment Services Directive (PSD2), which is designed to give users greater control over their financial data and the option of sharing it with a new breed of innovative financial technology (fintech) firms. The same ideas are spreading globally under the term “open banking.”

 “The financial sector has always been a highly attractive target for cyber criminals, and PSD2 and open banking are set to offer hackers even more opportunities to steal sensitive personal and financial information,” said Ed Cabrera, chief cyber security officer for Trend Micro. “Our concern is that the industry may not be fully prepared to deal with this greatly expanded attack surface. That’s why we wanted to understand the risks before they occur, so we can help fintechs and traditional lenders protect their assets first.”

The report highlights several possible attack scenarios under the new regulatory regime:

• Attacks on APIs: Public APIs are at the heart of open banking, allowing approved third parties to access users’ banking data to provide innovative new financial services. Implementation flaws in these APIs will allow attackers to exploit back-end servers to steal data.
• Attacks on fintech companies: Users will be forced into a new trust relationship with providers that may have fewer resources than their banks and no track record on data protection. In a quick survey of open banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professional. This makes them ideal targets for attackers and raises concerns over security gaps in their mobile apps, APIs, data sharing techniques and security modules that could be incorrectly implemented.
• Attacks on the apps or mobile platforms: Most open banking services will be deployed as mobile apps, making these a prime target for attackers. Finding the username, password, or encryption keys within the app would allow a criminal to retrieve banking data and pose as the user. Even if the apps don’t have permission to make payments, they could contain transaction data, allowing an attacker to build a highly accurate profile of their victims.
• Attacks against the user: Because new open banking apps will become the primary means for users to access financial data and services, phishing attacks could reap major rewards for attackers.

“Digital disruption has had far sweeping effects on the local banking industry, something we can see evidenced in the offerings of new digital banks that keep popping up, particularly in South Africa. These banks are starting to challenge the status quo, which has led to the need for regulations, particularly as the phenomenon of open banking grows,” states Indi Siriniwasa, vice-president sub-Saharan Africa at Trend Micro.

“While the mechanics of open banking have been adopted throughout the EU and in some instances, locally too, it has not yet been regulated within the SA financial structures as it has in the EU. As banks increasingly use an open banking approach as a means to create a more accessible and secure cohesion between fintech firms, they are definitely widening the potential attack service, making it even more critical for developers to bring security closer to the app,” adds Siriniwasa.

To prepare for the changing landscape, Trend Micro details how financial institutions can improve their cyber resilience. These include ensuring sensitive information is never contained in URL paths, prioritising secure protocols, and eliminating risky practices.

Meanwhile, open banking app developers and owners must adopt a secure-by-design approach, including regular software audits.

To find out more about the cyber risks associated with new open banking rules, read our report, Ready or Not for PSD2: The Risks of Open Banking, here.