Mobile banking and online payments have revolutionised the finance sector, but strict industry regulations and security concerns have slowed any major changes. This is set to change in January 2018, when the revised Payment Services Directive (PSD2) comes into force. Rory Gray, PSD2 Initiative Director at Intercede, looks at why financial services providers must act now to overcome the security hurdles and benefit from the opportunities that this legislation will bring.
The European Union’s PSD2 came into force in January 2016, but member states have until the start of 2018 to transpose it into national law. The legislation is designed to open up the banking and finance sector to third parties and to regulate their involvement in the industry. It will also make online payments more secure and make it easier for consumers to manage their finances through online services and applications. However, there is still a great deal of confusion and uncertainty around the legislation and what the proposed measures will actually entail. Many banks and their budding competitors are therefore scrambling to ensure they have the right security protocols in place so that the new regulation, in all its complexity, can be implemented without incident.
What is PSD2?
If PSD2 is designed to improve security and levels of trust in all transactions performed between a consumer and a financial services provider, then how can such security risks arise? The legislation includes a key requirement that banks grant third parties access to consumers’ financial data, something which is inherently risky.
On the flip side, though, forcing banks to relinquish control of customer information will widen access to the finance and banking industry, encouraging competition and simplifying the online payments process. Currently, when a consumer buys something online, the payment is routed via a bank or a provider like Visa or PayPal; the new legislation will allow an online merchant to access the consumer’s account information and process the payment directly.
This freedom of access also means that consumers stand to gain from the introduction of new financial services which third parties – such as social media companies – will be able to offer. These could include a dashboard which collates all of the information from a consumer’s or business’ various accounts in one place, making the movement and management of money easier and more transparent.
Defining strong authentication
Whilst consumers may be looking forward to this change, many banks will likely have concerns over data protection and the safety of IT systems. As such, PSD2 also includes regulations to bolster security and mitigate the risk of cybercrime and fraud, including more widespread use of stronger authentication.
There is much confusion over the terms ‘strong authentication’ and ‘multi-factor authentication’. Within the context of PSD2, this is universally referred to as Strong Customer Authentication (SCA). There is, however, widespread acceptance that using passwords can no longer be regarded as an appropriate method of protecting online services. It must also be appreciated that not all two-factor authentication (2FA) is ‘strong’, and many existing 2FA solutions may need to be re-engineered to comply with the new standards.
As an example, many will have experience of online banking models which require a username and password plus a further passcode provided through a third factor (an electronic token device, a text message containing a code, or similar). Whilst functional and reasonably secure, these are not necessarily ‘strong’ authentication models.
Recent analysis has articulated how the above third factor (sometimes referred to as a One Time Password or OTP) is subject to compromise and potential breach. The PSD2 Strong Customer Authentication technical specifications attempt to define what ‘strong’ means. However, experience from other domains suggests that what some regard as strong, others may regard as having weaknesses. Indeed, there are benefits and drawbacks to each of these forms of authentication. A password or PIN alone is never a robust method of online protection. Consumers routinely re-use passwords or use combinations which are too easily guessed by hackers and cracking software. These can also be harvested by phishing scams, or recorded by spyware installed through a virus infection of an IT system.
PSD2 is designed to make sure that any account access or payment is only processed following authentication of the legitimacy of the account holder, based on the use of two or more elements. These are categorised as ‘knowledge’ (something only the user knows), ‘possession’ (something only the user possesses) and ‘inherence’ (something the user is), each of which must be independent of the others.
The ‘knowledge’ part of this MFA will likely be a password or PIN, the ‘possession’ element will be a physical object like a smartphone or a token which produces an OTP (one-time password), and ‘inherence’ could be a biometric reading such as an iris or fingerprint scan. Clearly there is still ground yet to cover in respect of what the legislation will accept as strong authentication; however, the methods which are deployed and mature in the most secure industries and businesses (aerospace and defence, for example) can provide clear guidance.
Authentication versus authorisation
PSD2 regulation covers a number of existing areas where tighter security is needed. It also defines new interactions where both strong authentication and authorisation are needed. The terms ‘authentication’ and ‘authorisation’ have very well-defined meanings in the established, more mature cybersecurity realms. Unfortunately, the draft PSD2 specifications confuse the two terms, using them interchangeably in some circumstances where they are most definitely distinct.
Put simply, authentication answers the question ‘Who are you?’ Authorisation, on the other hand, provides the response to ‘What are you allowed to do?’ The most natural sequence for access control is firstly to decide who is trying to get access; then, once you have satisfied yourself as to the person’s (or system’s) identity, you can grant them specific functional permissions. Furthermore, any uncertainty over identity should mean that certain authorisations are withheld, pending a higher level of assurance being achieved.
In the context of access control, the initial ‘Who are you?’ step is authentication. The second, ‘What are you allowed to do?’, is authorisation. Although these are discrete steps, it is clear that the security of step two is wholly reliant upon the quality of the authentication performed at step one. Simply put, the degree of certainty we have regarding authentication should guide the permissions that are granted.
For example, during a financial transaction, establishing authentication is a primary and critical requirement. Thereafter, the certainty with which the authentication has been established may influence the actions which the authenticated entity may take. We may see circumstances where any doubt in authentication may limit or void the transactions which may be authorised. It is important to recognise and maintain this distinction so that an authorised instruction is not confused with an assertion of identity.
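To make the two steps concrete, here is an added example (not code from the article or from Intercede) that first counts only distinct, verified SCA categories, so two knowledge elements never add up to ‘strong’, and then gates what the authenticated entity may do on that assurance level; the Evidence type, the method names and the permission tiers are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user has (phone, OTP token)
    INHERENCE = "inherence"    # something the user is (fingerprint, iris)


@dataclass(frozen=True)
class Evidence:
    """One authentication element the customer presented (hypothetical shape)."""
    factor: Factor
    method: str     # e.g. "password", "sms-otp", "fingerprint"
    verified: bool  # whether the verifier accepted this element


def assurance_level(evidence: list[Evidence]) -> int:
    """Step one, authentication: how many *distinct* categories were verified.

    Two knowledge elements (password plus PIN) are not independent of each
    other, so they count as one factor; unverified elements count for nothing.
    """
    return len({e.factor for e in evidence if e.verified})


def is_sca(evidence: list[Evidence]) -> bool:
    """SCA as the article describes it: two or more independent elements."""
    return assurance_level(evidence) >= 2


# Step two, authorisation: what the authenticated entity may do depends on the
# certainty step one produced. The tiers below are an illustrative policy,
# not text from PSD2 or its technical standards.
PERMISSIONS = {
    0: frozenset(),
    1: frozenset({"view_balance"}),
    2: frozenset({"view_balance", "view_transactions", "initiate_payment"}),
}


def authorise(action: str, evidence: list[Evidence]) -> bool:
    """Grant an action only if the assurance level reaches its tier; weaker
    authentication withholds the permission rather than failing open."""
    level = min(assurance_level(evidence), max(PERMISSIONS))
    return action in PERMISSIONS[level]


if __name__ == "__main__":
    # Constructed sample sessions, not real customer data.
    password = Evidence(Factor.KNOWLEDGE, "password", True)
    pin = Evidence(Factor.KNOWLEDGE, "pin", True)
    sms_otp = Evidence(Factor.POSSESSION, "sms-otp", True)
    bad_fingerprint = Evidence(Factor.INHERENCE, "fingerprint", False)
    for session in ([password, pin], [password, sms_otp], [password, bad_fingerprint]):
        print([e.method for e in session], "SCA:", is_sca(session),
              "payment allowed:", authorise("initiate_payment", session))
```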
The best path to security success?
To ensure PSD2 is a success, strong customer authentication and authorisation methods must be adopted; methods which are quick and easy for organisations to implement, without being cost prohibitive. They must also be convenient for the consumer; who wants to carry around multiple tokens and devices to provide MFA for each provider they have an account with?
Contrary to widely-held belief, the most secure and flexible MFA solutions are often those which are the most convenient for the consumer. These include the use of a trusted execution environment (TEE) in leading Android smartphones, and trusted platform modules in desktop PCs and laptops, to authenticate users for secure access to sensitive information. These tools offer the highest level of convenience for the end user and deliver the maximum level of security for all parties involved.
Preparing for PSD2 will mean making operational and technological changes. Instead of completely overhauling legacy systems – a complex, time-consuming and expensive undertaking – financial service providers should look to solutions from established cybersecurity firms which can be easily integrated into existing hardware and software. Consumers have a lot to gain from the forthcoming legislation, but by securing their customers’ data and maintaining their reputation, incumbent service providers will also reap the benefits.
Australia says no further Facebook, Google amendments as final vote nears
By Colin Packham
CANBERRA (Reuters) – Australia will not alter legislation that would make Facebook and Alphabet Inc’s Google pay news outlets for content, a senior lawmaker said on Monday, as Canberra neared a final vote on whether to pass the bill into law.
Australia and the tech giants have been in a stand-off over the legislation widely seen as setting a global precedent.
Other countries including Canada and Britain have already expressed interest in taking some sort of similar action.
Facebook has protested the laws. Last week it blocked all news content and several state government and emergency department accounts, in a jolt to the global news industry, which has already seen its business model upended by the titans of the technological revolution.
Talks between Australia and Facebook over the weekend yielded no breakthrough.
As Australia’s senate began debating the legislation, the country’s most senior lawmaker in the upper house said there would be no further amendments.
“The bill as it stands … meets the right balance,” Simon Birmingham, Australia’s Minister for Finance, told Australian Broadcasting Corp Radio.
The bill in its present form ensures “Australian-generated news content by Australian-generated news organisations can and should be paid for and done so in a fair and legitimate way”.
The laws would give the government the right to appoint an arbitrator to set content licensing fees if private negotiations fail.
While both Google and Facebook have campaigned against the laws, Google last week inked deals with top Australian outlets, including a global deal with Rupert Murdoch’s News Corp.
“There’s no reason Facebook can’t do and achieve what Google already has,” Birmingham added.
A Facebook representative declined to comment on Monday on the legislation, which passed the lower house last week and has majority support in the Senate.
A final vote after the so-called third reading of the bill is expected on Tuesday.
Lobby group DIGI, which represents Facebook, Google and other online platforms like Twitter Inc, meanwhile said on Monday that its members had agreed to adopt an industry-wide code of practice to reduce the spread of misinformation online.
Under the voluntary code, they commit to identifying and stopping unidentified accounts, or “bots”, disseminating content; informing users of the origins of content; and publishing an annual transparency report, among other measures.
(Reporting by Byron Kaye and Colin Packham; Editing by Sam Holmes and Hugh Lawson)
GSK and Sanofi start with new COVID-19 vaccine study after setback
By Pushkala Aripaka and Matthias Blamont
(Reuters) – GlaxoSmithKline and Sanofi on Monday said they had started a new clinical trial of their protein-based COVID-19 vaccine candidate, reviving their efforts against the pandemic after a setback in December delayed the shot’s launch.
The British and French drugmakers aim to reach final testing in the second quarter, and if the results are conclusive, hope to see the vaccine approved by the fourth quarter after having initially targeted the first half of this year.
In December, the two groups stunned investors when they said their vaccine would be delayed towards the end of 2021 after clinical trials showed an insufficient immune response in older people.
Disappointing results were probably caused by an inadequate concentration of the antigen used in the vaccine, Sanofi and GSK said, adding that Sanofi has also started work against new coronavirus variants to help plan their next steps.
Global coronavirus infections have exceeded 110 million as highly transmissible variants of the virus are prompting vaccine developers and governments to tweak their testing and immunisation strategies.
GSK and Sanofi’s vaccine candidate uses the same recombinant protein-based technology as one of Sanofi’s seasonal influenza vaccines. It will be coupled with an adjuvant, a substance that acts as a booster to the shot, made by GSK.
“Over the past few weeks, our teams have worked to refine the antigen formulation of our recombinant-protein vaccine,” Thomas Triomphe, executive vice president and head of Sanofi Pasteur, said in a statement.
The new mid-stage trial will evaluate the safety, tolerability and immune response of the vaccine in 720 healthy adults across the United States, Honduras and Panama and test two injections given 21 days apart.
Sanofi and GSK have secured deals to supply their vaccine to the European Union, Britain, Canada and the United States. They also plan to provide shots to the World Health Organization’s COVAX programme.
To appease critics after the delay, Sanofi said earlier this year it had agreed to fill and pack millions of doses of the Pfizer/BioNTech vaccine from July.
Sanofi is also working with Translate Bio on another COVID-19 vaccine candidate based on mRNA technology.
(Reporting by Pushkala Aripaka in Bengaluru and Matthias Blamont in Paris; editing by Jason Neely and Barbara Lewis)
Don’t ignore “lockdown fatigue”, UK watchdog tells finance bosses
By Huw Jones
LONDON (Reuters) – Staff at financial firms in Britain are suffering from “lockdown fatigue” and their bosses are not always making sure all employees can speak up freely about their problems, the Financial Conduct Authority said on Monday.
Many staff at financial companies have been working from home since Britain went into its first lockdown in March last year to fight the COVID-19 pandemic.
One year on, the challenges have evolved from adapting to working remotely to dealing with mental health issues, said David Blunt, the FCA’s head of conduct specialists.
“During this third lockdown, there has been a greater impact on mental well-being, with many people struggling with job security, caring responsibilities, home schooling, bereavements and lockdown fatigue.”
Bosses should continually revisit how they lead remote teams, he said.
“The impact of COVID-19 is creating a huge workload for those considered to be high performers, while the remote environment potentially makes it much more challenging for those who were previously considered low performers to change that perception,” Blunt told a City & Financial online event.
Companies should consider “psychological safety” or ensuring that all employees feel confident about speaking out and challenging opinions.
“We’ve heard varying reports of how successful this has been,” Blunt said.
Pressures in the financial sector were highlighted this month when accountants KPMG said its UK chairman Bill Michael had stepped aside during a probe into comments he made to staff.
The Financial Times said Michael, who later apologised for his comments, had told staff to “stop moaning” about the impact of the pandemic on their work lives.
Blunt was speaking as the FCA next month completes the full rollout of rules that force senior managers at financial firms to be personally accountable for their decisions to improve conduct standards.
There have only been a “modest” number of breaches reported to regulators so far as firms worry about being “tainted” but more cases will become public as sanctions are revealed, Blunt said.
“Regulators won’t be impressed by lowballing the figures.”
(Reporting by Huw Jones; Editing by Mark Heinrich)