Trend Micro highlights security risks of new Open Banking regulations

Photo by Jefferson Santos on Unsplash
Photo by Jefferson Santos

Trend Micro, an international cybersecurity company, released research demonstrating that major new European banking rules could greatly increase the cyberattack surface for financial services firms and their customers.

The new research details the impact of the EU’s Revised Payment Services Directive (PSD2), which is designed to give users greater control over their financial data and the option of sharing it with newer Financial Technology (FinTech) firms. The same ideas are spreading globally under the term “Open Banking.”

“The financial sector has always been a highly attractive target for cybercriminals, and PSD2 and Open Banking are set to offer hackers even more opportunities to steal sensitive personal and financial information,” said Ed Cabrera, chief cybersecurity officer for Trend Micro.

“The industry may not be fully prepared to deal with this greatly expanded attack surface,” he added.

The report highlights several possible attack scenarios under the new regulatory regime:

Attacks on APIs 

Public APIs are at the heart of Open Banking, allowing approved third parties to access users’ banking data to provide innovative new financial services. Implementation flaws in these APIs will allow attackers to exploit back-end servers to steal data.

Attacks on FinTech companies

As new companies may lack the resources, track record and dedicated security personnel, they are often ideal targets for attackers exploiting security gaps in their mobile apps, APIs, data sharing techniques and security modules that could be incorrectly implemented.

Attacks on the apps or mobile platforms

Most Open Banking services will be deployed as mobile apps, making these a prime target for attackers. Finding the username, password, or encryption keys within the app would allow a criminal to retrieve banking data and pose as the user. Even if the apps don’t have permission to make payments, they could contain transaction data, allowing an attacker to build a highly accurate profile of their victims.

Attacks against the user

Because new Open Banking apps will become the primary means for users to access financial data and services, phishing attacks could become more lucrative for attackers.

To prepare for the changing landscape, Trend Micro’s report details how financial institutions can improve their cyber resilience. These include ensuring sensitive information is never contained in URL paths, prioritizing secure protocols, and eliminating risky practices.

Meanwhile, Open Banking app developers and owners must adopt a secure-by-design approach, including regular software audits.