Mobile banking and online payments have revolutionised the finance sector, but strict industry regulations and security concerns have slowed any major changes. This is set to change in January 2018, when the revised Payment Services Directive (PSD2) comes into force. Rory Gray, PSD2 Initiative Director at Intercede, looks at why financial services providers must act now to overcome the security hurdles and benefit from the opportunities that this legislation will bring.
The European Union’s PSD2 came into force in January 2016, but member states have until the start of 2018 to implement it into national law. The legislation is designed to open up the banking and finance sector to third parties and to regulate their involvement in the industry. It will also make online payments more secure and make it easier for consumers to manage their finances through online services and applications. However, there is still a great deal of confusion and uncertainty around the legislation and what the proposed measures will actually entail. Many banks and their budding competitors are therefore scrambling, frantically trying to ensure they have the right security protocols in place so that the new regulation, in all its complexity, can be implemented without incident.
What is PSD2?
If PSD2 is designed to improve security and levels of trust in all transactions performed between a consumer and a financial services provider, then how can such security risks arise? The legislation includes a key requirement that asks banks to grant third parties access to consumers’ financial data; something which is inherently risky.
On the flip side, forcing banks to relinquish control of customer information will widen access to the finance and banking industry, encouraging competition and simplifying the online payments process. Currently, when a consumer buys something online, the payment is directed via a bank or a provider like Visa or PayPal, yet the new legislation will allow an online merchant to access the consumer’s account information and process the payment directly.
This freedom of access also means that consumers stand to gain from the introduction of new financial services which third parties – such as social media companies – will be able to offer. These could include a dashboard which collates all of the information from a consumer’s or business’ various accounts in one place, making the movement and management of money easier and more transparent.
Defining strong authentication
Whilst consumers may be looking forward to this change, many banks will likely have concerns over data protection and the safety of IT systems. As such, PSD2 also includes regulations to bolster security and mitigate the risk of cybercrime and fraud, including more widespread use of stronger authentication.
There is much confusion over the terms ‘strong authentication’ and ‘multi-factor authentication’ (MFA). Within the context of PSD2, this is universally referred to as Strong Customer Authentication (SCA). There is, however, widespread acceptance of the fact that passwords can no longer be regarded as an appropriate method of protecting online services. It must also be appreciated that not all two-factor authentication (2FA) is ‘strong’, and many existing 2FA solutions may need to be re-engineered to comply with the new standards.
As an example, many will have experience of online banking models which require a username and password plus a further passcode provided through a third factor (an electronic token device, a text message containing a code, or similar). Whilst functional and reasonably secure, these are not necessarily ‘strong’ authentication models.
Recent analysis has articulated how the above third factor (sometimes referred to as a One Time Password, or OTP) is subject to compromise and potential breach. The PSD2 Strong Customer Authentication technical specifications attempt to define what ‘strong’ means. However, experience from other domains suggests that what some regard as strong, others may regard as having weaknesses. Indeed, there are benefits and drawbacks to each of these forms of authentication. A password or PIN alone is never a robust method of online protection. Consumers routinely re-use passwords or choose combinations which are too easily deciphered by attackers and software. These can also be misappropriated by phishing scams, or recorded by spyware installed through a malware infection of an IT system.
PSD2 is designed to make sure that any account access or payment is only processed following authentication of the legitimacy of an account holder, based on the use of two or more elements. These are categorised as ‘knowledge’ (something only the user knows), ‘possession’ (something only the user possesses) and ‘inherence’ (something the user is), each of which must be independent of the others.
The ‘knowledge’ part of this MFA will likely be a password or PIN, the ‘possession’ element will be a physical object like a smartphone or a token which produces an OTP (one-time password), and ‘inherence’ could be a biometric reading such as an iris or fingerprint scan. Clearly there is still ground to cover in respect of what the legislation will accept as strong authentication; however, the methods already deployed and mature in the most secure industries and businesses (aerospace and defence, for example) can provide clear guidance.
Authentication versus authorisation
PSD2 regulation covers a number of existing areas where tighter security is needed. It also defines new interactions where both strong authentication and authorisation are needed. The terms ‘authentication’ and ‘authorisation’ have very well-defined meanings in the established, more mature cybersecurity realms. Unfortunately, the draft PSD2 specifications confuse the two terms, using them interchangeably in some circumstances where they are most definitely distinct.
Put simply, authentication answers the question ‘Who are you?’ Authorisation, on the other hand, answers ‘What are you allowed to do?’ The most natural sequence for access control is first to decide who is trying to get access, then, once you have satisfied yourself as to the person’s (or system’s) identity, to grant them specific functional permissions. Furthermore, any uncertainty over identity should mean that certain authorisations are withheld, pending a higher level of assurance being achieved.
In the context of access control, the initial ‘Who are you?’ step is authentication. The second, ‘What are you allowed to do?’, is authorisation. Although these are discrete steps, it is clear that the security of step two is wholly reliant upon the quality of the authentication performed at step one. Simply put, the degree of certainty we have regarding authentication guides the permissions that are granted.
For example, during a financial transaction, establishing authentication is a primary and critical requirement. Thereafter, the certainty with which the authentication has been established may influence the actions which the authenticated entity may take. We may see circumstances where any doubt in authentication limits or voids the transactions which may be authorised. It is important to recognise and maintain this distinction so that an authorised instruction is not confused with an assertion of identity.
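The two-step model above, together with the SCA factor categories from the previous section, as an added illustration (not Intercede’s code or PSD2 text): the independence rule, the assurance level names, the sample factors and the payment cap are constructed assumptions, and show how doubt at the authentication step can limit what the authorisation step permits.

```python
"""Authenticate (who are you, and how surely?) then authorise (what may you
do?), kept as separate steps.  Added example: the independence rule, level
names, sample factors and payment cap are constructed, not PSD2 text."""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations

class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is

@dataclass(frozen=True)
class Factor:
    category: Category
    defeated_by: frozenset  # single compromises that alone defeat this factor
    relayable: bool         # can a phishing page capture and replay it live?

def is_independent(combo):
    """PSD2 wants elements independent of one another: distinct categories,
    and no single compromise (say, malware on one phone) defeating two."""
    union = frozenset().union(*(f.defeated_by for f in combo))
    return (len({f.category for f in combo}) == len(combo)
            and len(union) == sum(len(f.defeated_by) for f in combo))

def sca_level(factors):
    """Authentication step: how surely is 'who are you?' answered."""
    pairs = [c for c in combinations(factors, 2) if is_independent(c)]
    if not pairs:
        return "single-factor"   # authenticated, but not strongly
    if any(not all(f.relayable for f in c) for c in pairs):
        return "sca-strong"      # phishing one element is not enough
    return "sca-relayable"       # two elements, but both OTP-grade

RELAYABLE_PAYMENT_CAP = 500  # constructed limit, not a PSD2 figure

def authorise(action, amount, factors):
    """Authorisation step: what is allowed follows how surely step one went."""
    level = sca_level(factors)
    if level == "single-factor":
        return False             # no account access or payment without SCA
    if action == "view-balance":
        return True
    if action == "payment":
        return level == "sca-strong" or amount <= RELAYABLE_PAYMENT_CAP
    return False                 # anything unrecognised is withheld

# Constructed sample factors
PIN_ON_PHONE = Factor(Category.KNOWLEDGE, frozenset({"phone-malware"}), True)
SMS_OTP_SAME_PHONE = Factor(Category.POSSESSION, frozenset({"phone-malware", "sim-swap"}), True)
PASSWORD_ON_PC = Factor(Category.KNOWLEDGE, frozenset({"pc-malware"}), True)
HW_TOKEN_OTP = Factor(Category.POSSESSION, frozenset({"token-theft"}), True)
TEE_DEVICE_KEY = Factor(Category.POSSESSION, frozenset({"device-tee-compromise"}), False)
FINGERPRINT_IN_TEE = Factor(Category.INHERENCE, frozenset({"biometric-spoof"}), False)
```

A PIN typed into a phone plus an SMS code read on that same phone share a point of compromise and so do not count as two independent elements, while a password plus a hardware OTP token meets the two-element rule but, being relayable by a phishing page, is only trusted for smaller payments.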
The best path to security success?
To ensure PSD2 is a success, strong customer authentication and authorisation methods must be adopted; methods which are quick and easy for organisations to implement, without being cost prohibitive. They must also be convenient for the consumer; who wants to carry around multiple tokens and devices to provide MFA for each provider they have an account with?
Contrary to widely-held belief, the most secure and flexible MFA solutions are often those which are the most convenient for the consumer. These include the use of a trusted execution environment (TEE) in leading Android smartphones, and trusted platform modules in desktop PCs and laptops, to authenticate users for secure access to sensitive information. These tools offer the highest level of convenience for the end user and deliver the maximum level of security for all parties involved.
Preparing for PSD2 will mean making operational and technological changes. Instead of completely overhauling legacy systems, a complex, time-consuming and expensive undertaking, financial service providers should look to solutions from established cybersecurity firms which can be easily integrated into existing hardware and software. Consumers have a lot to gain from the forthcoming legislation, but by securing their customers’ data and maintaining their reputation, incumbent service providers will also reap the benefits.