A report released today by Trend Micro has found that new European Open Banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.
The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out Open Banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost.
Vulnerabilities that could be exploited as a result of the EU's PSD2 include the public APIs that allow approved third parties to access users' banking data, and mobile apps holding transactional data that could make users targets for phishing attacks.
Another concern raised by the report pertained to financial technology (fintech) firms that have no track record on data protection and lack the resources of big banks.
In a quick survey of Open Banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.
Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."
Open Banking comes with the additional challenge of how and to whom blame should be ascribed when cyber-crimes do inevitably occur.
Mistry said: "Another aspect of this evolving Open Banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"
Wherever the blame may lie, Mistry anticipates that customers of financial services providers will expect those providers to shoulder the responsibility of maintaining cybersecurity.
He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."