In every industry, there is rising pressure to increase revenue and reduce operating costs and losses. In the financial services industry, digital transformation is being driven by the rise of Open Banking and the benefits that aggregators provide to consumers. While these innovations have improved the customer experience, they also create a larger attack surface that fraudsters can target. To combat this, the European Union adopted the second Payment Services Directive (PSD2), and the European Banking Authority (EBA) issued the accompanying regulatory technical standards that require strong customer authentication (SCA) across banks, aggregators, and other payment service providers. Article 4, paragraph 30 of the directive defines "strong customer authentication" as follows (the examples in parentheses are illustrative):
Authentication based on the use of two or more elements categorized as knowledge (something only the user knows, e.g. passwords, PINs, passphrases, memorized swiping paths, responses to challenges), possession (something only the user possesses, e.g. a hardware or software token generator, an SMS-delivered OTP) and inherence (something the user is, e.g. biometrics, vein recognition, voice recognition, keystroke analysis, heart rate) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
As cybercriminals adapt and attempt to stay ahead of regulations, it is important that consumers are kept secure without creating friction in their access to and use of applications and APIs.
What is clear from PSD2 is that strong customer authentication is mandatory. In addition, aggregators and third-party payment providers (TPPs) must be allowed access to customers' accounts. The directive states what compliance requires: authentication based on two or more independent elements drawn from knowledge, possession, and inherence. While PSD2 does not use the terms multifactor authentication or 2FA, in practice SCA has become synonymous with the two most common second factors deployed by businesses: one-time passwords (OTP), usually delivered by short message service (SMS). Payment service providers must ensure the confidentiality and integrity of the personalized security credentials and authentication codes used by payment service users during all phases of authentication. However, SMS messages are delivered in clear text and have well-known weaknesses (e.g. mobile malware designed to steal text messages from users' devices). Additionally, phishing kits such as Kr3pto give experienced threat actors the ability to relay one-time passwords in real time, so the OTP is consumed by the attacker before it expires. Businesses relying on SMS OTP alone are therefore accepting a known risk and potentially exposing their customers' accounts. F5 Distributed Cloud Services augment the SCA requirement with real-time application protection that leverages AI, machine learning, and other technologies.
The F5 Distributed Cloud platform offers rigorous cross-functional analysis across security, fraud, and identity functions. Using all three authentication elements (knowledge, possession, and inherence) gives higher fidelity and more flexibility than a single second factor. The EBA has singled out the inherence element as the most rapidly developing of the three. Distributed Cloud Services help financial services organizations meet PSD2 requirements by providing comprehensive web, mobile, and API protection that is straightforward to operate. The platform adapts to evolving attacks by observing and learning from every interaction. Let's look at an example scenario below:
F5's deep customer authentication in practice (3 element verification)
Distributed Cloud Services complement OTP and SMS 2FA with behavioral, cross-functional analysis in real time that collectively authenticates users against all three of PSD2's strong customer authentication elements, achieving compliance, improving security, and removing user friction.
PSD2 encourages innovation and open banking by requiring financial institutions to grant third-party providers (TPPs) access to customer data. TPP applications connect to financial institutions via APIs to aggregate data and deliver single-pane visibility. For example, they might consolidate a customer's bank balance, transactions, and profiles across accounts. App and API security is critical to mitigate risk to users' information and prevent fraud while meeting customer expectations. Below are a few examples of the threats and risks aggregators introduce:
Aggregator impersonation attacks
Aggregators that have a working relationship with their sources are often allow-listed into the institution's services. Attackers take advantage of this trust by validating stolen credentials through credential stuffing against the aggregator instead of directly against the institution, where the login traffic would be scrutinized more closely.
Financial aggregators store customer banking credentials (usernames and passwords) and up to 90 days of account data, making them a tempting target for attackers. An attacker who compromises those credentials can use the fintech applications the user has enabled to drain account balances and reach other online payment systems linked to the account.
Unpredictable spikes in traffic load
Aggregators make up a significant portion of financial institution account queries and poll the financial institution for updated consumer account data up to tens of thousands of times a day. Multiply that by thousands of customers, and FIs are left adding capacity just to absorb aggregator traffic.
Consumers willingly provide their credentials to fintech aggregators who, in turn, use automation tools to crawl and scrape the consumers’ data from financial institutions’ applications. While the aggregation of this data may provide some immediate perceived benefits to consumers, the way some aggregators are accessing this data may violate data compliance regulations and may ultimately expose consumers’ data to fraud.
F5 provides visibility and control to help FIs manage aggregators and defend against attacks. Customers enjoy full access to their data when and where they want it, through the apps they choose, while also being protected against credential stuffing and account takeover (ATO) risks.
Distributed Cloud Bot Defense sees every single login attempt and labels traffic as human, automated, or aggregator. F5 blocks attacks at the financial institution’s web and mobile properties and can also detect when attackers are credential stuffing through an aggregator for account validation.
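As an added illustration of the detection described above (example code written for this page, not F5's own logic or product), the script below runs over constructed login records and labels each source as human, automated, or aggregator. It separates credential stuffing routed through an aggregator from both a healthy aggregator (stored credentials succeed, so the failure rate stays low) and ordinary password guessing (many failures against one username): stuffing tries each stolen username/password pair about once, so failures per distinct failed username stays near 1. The log format, source tags, thresholds, and aggregator names are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login records (not real traffic). Each line is one login
# attempt at the financial institution, tagged with its source: either a
# registered aggregator id or the direct client IP. Format is hypothetical.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=agg-legit user=alice result=ok
2024-03-01T10:00:02Z src=agg-legit user=bob result=ok
2024-03-01T10:00:03Z src=agg-legit user=carol result=ok
2024-03-01T10:00:04Z src=agg-legit user=dave result=ok
2024-03-01T10:00:05Z src=agg-legit user=erin result=ok
2024-03-01T10:00:06Z src=agg-legit user=frank result=ok
2024-03-01T10:01:00Z src=agg-abused user=u01 result=fail
2024-03-01T10:01:01Z src=agg-abused user=u02 result=fail
2024-03-01T10:01:02Z src=agg-abused user=u03 result=fail
2024-03-01T10:01:03Z src=agg-abused user=u04 result=fail
2024-03-01T10:01:04Z src=agg-abused user=u05 result=fail
2024-03-01T10:01:05Z src=agg-abused user=u06 result=fail
2024-03-01T10:01:06Z src=agg-abused user=u07 result=fail
2024-03-01T10:01:07Z src=agg-abused user=u08 result=fail
2024-03-01T10:01:08Z src=agg-abused user=u09 result=fail
2024-03-01T10:01:09Z src=agg-abused user=u10 result=ok
2024-03-01T10:02:00Z src=203.0.113.5 user=alice result=fail
2024-03-01T10:02:05Z src=203.0.113.5 user=alice result=fail
2024-03-01T10:02:10Z src=203.0.113.5 user=alice result=ok
2024-03-01T10:03:00Z src=198.51.100.7 user=bob result=fail
2024-03-01T10:03:01Z src=198.51.100.7 user=bob result=fail
2024-03-01T10:03:02Z src=198.51.100.7 user=bob result=fail
2024-03-01T10:03:03Z src=198.51.100.7 user=bob result=fail
2024-03-01T10:03:04Z src=198.51.100.7 user=bob result=fail
2024-03-01T10:03:05Z src=198.51.100.7 user=bob result=fail
this line is deliberately malformed and must be skipped
"""

# Aggregators the institution has registered (constructed list).
KNOWN_AGGREGATORS = {"agg-legit", "agg-abused"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    failed_users: set = field(default_factory=set)

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def attempts_per_failed_user(self) -> float:
        # Stuffing tries each stolen pair roughly once, so this stays near 1.
        # Password guessing hammers one username, so it climbs well above 1.
        return self.failures / len(self.failed_users) if self.failed_users else 0.0


def parse_log(text: str) -> dict:
    """Aggregate login attempts per source; malformed lines are ignored."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "fail":
            s.failures += 1
            s.failed_users.add(m["user"])
    return dict(stats)


def is_credential_stuffing(s: SourceStats, min_failures: int = 5,
                           min_failure_rate: float = 0.5, max_ratio: float = 1.5) -> bool:
    """High failure volume, high failure rate, one attempt per failed username."""
    return (s.failures >= min_failures
            and s.failure_rate >= min_failure_rate
            and s.attempts_per_failed_user <= max_ratio)


def label_sources(stats: dict, known_aggregators: set, min_failures: int = 5) -> dict:
    """Label every source as human, automated, or aggregator (with a stuffing flag)."""
    labels = {}
    for src, s in stats.items():
        stuffing = is_credential_stuffing(s, min_failures=min_failures)
        if src in known_aggregators:
            labels[src] = "aggregator:credential-stuffing" if stuffing else "aggregator"
        elif stuffing:
            labels[src] = "automated:credential-stuffing"
        elif s.failures >= min_failures:
            labels[src] = "automated:password-guessing"
        else:
            labels[src] = "human"
    return labels


if __name__ == "__main__":
    for src, label in label_sources(parse_log(SAMPLE_LOG), KNOWN_AGGREGATORS).items():
        print(f"{src:16} {label}")
```

The point of the third test in `is_credential_stuffing` is that a legitimate aggregator and a stuffing campaign look alike on volume alone; what distinguishes them is that the aggregator replays credentials that already work, while the attacker burns through a list of pairs that mostly do not. In production the thresholds would be tuned per source against a rolling window rather than applied to a whole file.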
Distributed Cloud Aggregator Management encourages aggregators to move away from storing user financial credentials and switch to APIs supported by the financial institutions they source from. F5 works with the financial institution and the aggregator to make this transition.
Least Privilege access
When APIs are used, Distributed Cloud Services can enforce only the privileges an aggregator actually requires, reducing the threat surface. For example, access to transactions can be restricted to read-only, or to summary information only.
Distributed Cloud Services help both the financial institution and the aggregator with anomaly detection. F5 fingerprints attacker frameworks, including headless browsers and manual fraud, and can block the traffic or alert both the aggregator and the financial institution.
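To make the least-privilege point concrete, here is an added example (written for this page, not F5's or any bank's code) of scope-based authorization for aggregator API calls: each registered client carries only the scopes granted at onboarding, every route requires a named scope, unmatched routes are denied by default, and transaction records are redacted to summary fields unless the caller holds a full-read scope. The scope names, routes, client ids, and the sample transaction are all hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical routes and the scope each one requires (illustrative, not a
# PSD2 or Open Banking API definition).
ROUTES = [
    ("GET",  re.compile(r"^/accounts$"),                     "accounts:read"),
    ("GET",  re.compile(r"^/accounts/[0-9]+/balance$"),      "accounts:read"),
    ("GET",  re.compile(r"^/accounts/[0-9]+/transactions$"), "transactions:read:summary"),
    ("POST", re.compile(r"^/payments$"),                     "payments:write"),
]

# A broader scope implies the narrower one, so full-read also satisfies summary-read.
IMPLIES = {"transactions:read:full": {"transactions:read:summary"}}

# Constructed client registrations: an aggregator gets read-only, summary-level
# access; the bank's own mobile app gets full read plus payment initiation.
CLIENT_SCOPES = {
    "aggregator-acme": {"accounts:read", "transactions:read:summary"},
    "bank-mobile-app": {"accounts:read", "transactions:read:full", "payments:write"},
}

# Fields an aggregator with summary-only access is allowed to see.
SUMMARY_FIELDS = ("id", "date", "amount", "currency")

# Constructed sample record returned by the transactions endpoint.
SAMPLE_TXN = {
    "id": "txn-0001",
    "date": "2024-03-01",
    "amount": "-42.10",
    "currency": "EUR",
    "counterparty": "ACME Utilities",
    "memo": "March electricity",
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def effective_scopes(scopes: set) -> set:
    """Expand granted scopes with everything they imply."""
    out = set(scopes)
    for s in scopes:
        out |= IMPLIES.get(s, set())
    return out


def authorize(client_id: str, method: str, path: str) -> Decision:
    """Allow the call only if a route matches and the client holds its scope."""
    scopes = effective_scopes(CLIENT_SCOPES.get(client_id, set()))
    for route_method, pattern, required in ROUTES:
        if route_method == method and pattern.match(path):
            if required in scopes:
                return Decision(True, f"scope {required} granted")
            return Decision(False, f"missing scope {required}")
    return Decision(False, "no matching route: default deny")


def redact_transaction(client_id: str, txn: dict) -> dict:
    """Return the full record only to clients with full-read scope."""
    scopes = effective_scopes(CLIENT_SCOPES.get(client_id, set()))
    if "transactions:read:full" in scopes:
        return dict(txn)
    return {k: v for k, v in txn.items() if k in SUMMARY_FIELDS}


if __name__ == "__main__":
    for client, method, path in [
        ("aggregator-acme", "GET", "/accounts/123/transactions"),
        ("aggregator-acme", "POST", "/payments"),
        ("bank-mobile-app", "POST", "/payments"),
    ]:
        d = authorize(client, method, path)
        print(f"{client:16} {method:4} {path:28} {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print(redact_transaction("aggregator-acme", SAMPLE_TXN))
```

Two design choices matter here. The default branch of `authorize` denies anything without an explicit route, so a new endpoint is closed to aggregators until someone assigns it a scope. And redaction happens on the response, not just on the route, so an aggregator that is entitled to list transactions still never receives counterparty or memo fields it has no business storing for 90 days.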
Tackling advanced cybersecurity threats with F5
F5 Distributed Cloud Services provide application security and fraud prevention on one integrated platform, using AI-driven analysis to detect attack traffic in real time and to identify and stop fraud.