PSD2 is a regulation that reflects our modern habits.
We’re living in a world where people are used to transferring and trading with a few simple swipes of a smartphone screen. The demand for more innovative financial products and services seems almost endless. And this demand calls for a more open banking system.
That’s what PSD2 provides. The idea behind the regulation is that it encourages more competition in the marketplace. In theory, this translates to lower prices and better quality products for customers.
But it also makes the banking sector a more connected landscape. Customer data will be shared between banks, payment service providers (PSPs), and other third party providers (TPPs).
The vehicle for this sharing is an API (application programming interface). It’s APIs that allow banks to connect their payment and data services to third parties.
This represents a challenge, though. Not least because it means more attack vectors for hackers to target.
And this in an industry that already receives around 300 times the annual attacks other sectors suffer.
As Pedro Nicolai da Costa wrote in Forbes earlier this year, a well-timed cyber attack can spread quickly throughout the financial system. Part of this is because attacks against APIs are getting more sophisticated. For example, bad actors now study payment system patterns so they can time their attack to cause the most damage.
This is the context of PSD2’s arrival. Banks and PSPs used to only have to worry about defending their own house. But now they have cause to worry about attacks across their whole neighborhood.
One section of the PSD2 regulation sums up the expectations of banks neatly:
“PSPs should ensure that they continuously monitor threats and vulnerabilities and regularly review the risk scenarios impacting their business functions, critical processes and information assets.”
In other words, they need a modern threat intelligence and risk analysis system. A way for them to identify, detect, and respond to threats in the growing, evolving ecosystem.
A smart defense is needed to counter increasingly subtle attacks. That's why threat intelligence is set to become vital to stop the spread of cyber attacks.
Surveying the threat landscape in the finance industry
PSD2 has changed the threat landscape for banks and other institutions.
Links via APIs to third parties have opened up new attack vectors that they didn’t have to worry about before. But however an attack happens, the damaging effects of a security breach remain the same.
The modern consumer expects to be able to enjoy all the speed and convenience that comes with a more open banking system. But they also expect banks to keep their personal data safe. The leaking of valuable data can destroy reputations and break the trust banks have worked so hard to build up.
A threat intelligence and risk analysis system helps banks to keep their reputation intact. To begin with, it can identify the threats that need to be defended.
Banks need to consider the wider ecosystem when scanning for threats. An example of a modern attack is that committed by a group called APT10, which targeted Managed IT Service Providers (MSPs). This gave the group potential access to vast quantities of intellectual property and sensitive data. Not only from the MSPs themselves, but from their global clients too.
An attack like this one should have banks and PSPs asking themselves some tough questions that can help them to better understand the threats:
What kind of sensitive customer data (such as bank account information) could an API access?
And what level of access will that API give to a third party?
When preparing to counter threats, it’s useful to reference the most common risks to the sensitive logic and user data that can be found inside APIs. But it’s equally important to recognize that the marketplace is shifting and evolving all the time.
Threats can change. Particularly as new players emerge in the industry, offering customers innovative ways to move their money around.
As we’ve said before on this site, bad actors don’t stand still. They’re constantly on the lookout for a gap to squeeze through. Somewhere that has been left unprotected.
That’s why banks need to take a proactive approach to security.
Let’s go back to the Forbes article about hackers tracking payment system patterns to choose the most opportune moment to attack. Well, banks and PSPs can do some tracking of their own. Using a threat intelligence and risk management system, they can study typical API usage. And they can spot when usage is unusually high, which can be a sign of malicious activity.
It can also help them to understand the geography of attacks. Where are they coming from? And what can be learned from the category of the attack?
Information about concrete security incidents even enable banks to link them to individual customers. Then they can make risk-assessments for that customer’s transactions.
Setting up an appropriate security framework for the post-PSD2 world will also involve finding the right balance between speed and security - another of our favorite topics here at Licel. The trend is for customers to embrace innovative products and services that provide convenience. But launching a product quickly shouldn’t come at the expense of security.
So, it’s important to test a product’s security before launch, as well as the threats it’s likely to face once it’s live. And a threat intelligence system can help with that, too.
Modern API protection
In the next few years, forward-thinking banks will come to use threat intelligence systems in tandem with traditional API protection. Security such as hardening capabilities, runtime protection, integrity checks and code obfuscation will continue to be crucial in blocking bad actors. But this protection on its own is a bit of a black box. You can’t see how these defensive measures are keeping APIs safe. You can’t see where attacks are coming from. And you can’t see whether some types of attacks are more common than others.
A threat intelligence system gives you a 360 degree view of the landscape that APIs are operating in.
Take the following example. Imagine an end user has downloaded a trojan app onto her phone. This could represent a real threat to a banking app. But with a robust threat intelligence system operating, a banking app would carry out environment checks when it starts up and would send information to the fraud monitoring system.
It’s this proactive approach that can stop the spread of cyber attacks. A threat intelligence system defends the industry as a whole rather than one single bank or FinTech company. By reporting attacks to a regulatory body, banks help others like them to learn from attacks and be better prepared to face them.
They protect their house, and they protect the wider neighborhood, too.
PSD2 has fast tracked the need for banks to build a modern security framework. And a threat intelligence system should play a key role in that. It’s a multi-layered approach to security. But it’s also an important statement of intent to hackers that the industry as a whole is prepared to defend against any attack.
At Licel, our threat intelligence and risk analysis system comes in three parts. Firstly, there’s our integrity control, which makes the app inoperable if it’s been modified. Then there are our environment checks, which probe the environment your app is being used in to make sure it’s safe. And finally, there’s Alice, which gives you valuable insights about the threat landscape as a whole.