Article by Okta APAC GM Graham Sowden
Historically, banks are known to be conservative and not expected to expose their customer data.
This is driven by the fear of exposure to various security risks.
Now, with the new changes in regulation, Australian banks will need to abide by PSD2, GDPR and open up their customer data via APIs for transaction accounts, savings accounts and credit card data by 2019.
This will require banks to step up their risk management in order to be able to handle customer data in a secure way.
In this new era, the threat landscape is complex, with attacks ranging from DDoS to sophisticated targeted attacks, like SQL, command injections and a variety of ever-evolving bots which are continuously morphing and changing their attack signatures.
According to the 2018 Verizon Data Breach Report, “81% of all hacking-related breaches leveraged either stolen and/or weak passwords”.
As per an F5 Security report, “The highest percentage (70%) of the breach reports for Q1 2018 were web injections that stole customer payment card information”.
It is also expected that by 2022, API attacks are going to be a major attack vector.
The majority of banks in Australia have not exposed their APIs.
This picture will change in 2019.
Online banking applications are one of the most lucrative targets for cybercriminals, and credential stuffing attacks are causing havoc across the industry.
In fact, across APAC as a whole, cross-matching techniques and credential-stuffing bots are costing businesses up to $28.5 million per year, according to Akamai’s latest figures.
Once banks expose their customer data APIs in Australia, it is very likely that credential abuse attacks will increase significantly.
As early as July 2019, Australian banks will need to have a system in place that both benefits customers and protects their personal data.
This will mean a rethink of their API and security perimeters. Banks will need to build security into every device layer and trust no one; which is the concept of zero trust.
As Australian banks move to the cloud, it is critical to move past the traditional on-premises, perimeter-based approach, to a modern, identity-centric approach.
Forrester’s Zero Trust Model and Google’s BeyondCorp are two approaches to security that assume that all access to corporate resources should be restricted until the user has proven their identity and access permissions, and the device has passed a security profile check.
Both approaches also highlight the idea that the perimeter is no more secure than the outside, and thus a security solution should assume that all access is untrusted, until the end user is able to prove otherwise.
From initial information gathering and account opening through to day-to-day banking, identity drives every stage of the banking customer lifecycle.
Whether in a physical or digital channel, the identification, authentication and authorisation of a customer’s identity underpin every instance of interaction with the bank.
With the introduction of open APIs and the expanding threat landscape, the importance for strong customer authentication (SCA) is ever increasing.
Identity theft and fraud are most commonly associated with external threats, such as the credential-stuffing hackers already mentioned.
But too often internal threats are neglected.
Banks and tech must realise the cybersecurity risk associated with employees.
Both human error and malicious intent could lead to damaging data loss/theft, whether through phishing scams, malicious actors, or even just excessive access privileges.
The answer lies in changing the way companies regulate identity and access management (IAM) so employees only have access to systems, apps and platforms they need, and that access is granted in a secure manner.
A vital starting point is moving away from relying on passwords alone and the use of risk-based multi-factor authentication (MFA) on all of the infrastructure.
Adopt stronger authentication policies that ensure employees have access to only the information they need to do their work.
With the changes in regulation that are coming next year with the open banking rollout, API security has become a critical consideration for banks.
As the volume of hacking-related breaches to involve compromised credentials increases, MFA is certainly is a critical piece of the security puzzle.
To improve their overall security posture, banks should use threat intel to properly monitor services, set up proper API Access Management for their APIs and update authentication policies as needed to mitigate the latest threats.
Banks should enforce best practices while setting policies and allow their end users to choose only the most secure MFA factors.