Stronger security needed before open banking arrives - Okta

15 Jan 2019

Article by Okta APAC GM Graham Sowden

Historically, banks have been conservative and have not been expected to expose their customer data.

This is driven by the fear of exposure to various security risks.

Now, with the new changes in regulation, Australian banks will need to abide by PSD2 and GDPR, and open up their customer data via APIs for transaction accounts, savings accounts and credit card data by 2019.

This will require banks to step up their risk management in order to be able to handle customer data in a secure way.

The threat landscape

In this new era, the threat landscape is complex, with attacks ranging from DDoS to sophisticated targeted attacks such as SQL and command injection, and a variety of ever-evolving bots that continuously morph and change their attack signatures.

According to the 2018 Verizon Data Breach Report, “81% of all hacking-related breaches leveraged either stolen and/or weak passwords”.

As per an F5 Security report, “The highest percentage (70%) of the breach reports for Q1 2018 were web injections that stole customer payment card information”.

It is also expected that by 2022, API attacks are going to be a major attack vector.

The majority of banks in Australia have not exposed their APIs.

This picture will change in 2019.

Online banking applications are one of the most lucrative targets for cybercriminals, and credential stuffing attacks are causing havoc across the industry.

In fact, across APAC as a whole, cross-matching techniques and credential-stuffing bots are costing businesses up to $28.5 million per year, according to Akamai’s latest figures.

Once banks expose their customer data APIs in Australia, it is very likely that credential abuse attacks will increase significantly.

As early as July 2019, Australian banks will need to have a system in place that both benefits customers and protects their personal data.

This will mean a rethink of their API and security perimeters. Banks will need to build security into every device layer and trust no one, which is the concept of zero trust.

The idea of zero trust

As Australian banks move to the cloud, it is critical to move past the traditional on-premises, perimeter-based approach, to a modern, identity-centric approach.

Forrester’s Zero Trust Model and Google’s BeyondCorp are two approaches to security that assume that all access to corporate resources should be restricted until the user has proven their identity and access permissions, and the device has passed a security profile check.

Both approaches also highlight the idea that the inside of the perimeter is no more trustworthy than the outside, and thus a security solution should assume that all access is untrusted until the end user is able to prove otherwise.

From initial information gathering and account opening through to day-to-day banking, identity drives every stage of the banking customer lifecycle.

Whether in a physical or digital channel, the identification, authentication and authorisation of a customer’s identity underpin every instance of interaction with the bank.

With the introduction of open APIs and the expanding threat landscape, the importance of strong customer authentication (SCA) is ever increasing.

The threat from within

Identity theft and fraud are most commonly associated with external threats, such as the credential-stuffing hackers already mentioned.

But too often internal threats are neglected.

Banks and technology providers must recognise the cybersecurity risk associated with employees.

Both human error and malicious intent could lead to damaging data loss/theft, whether through phishing scams, malicious actors, or even just excessive access privileges.

The answer lies in changing the way companies regulate identity and access management (IAM) so employees only have access to systems, apps and platforms they need, and that access is granted in a secure manner.

A vital starting point is moving away from relying on passwords alone and adopting risk-based multi-factor authentication (MFA) across all of the infrastructure.

Adopt stronger authentication policies that ensure employees have access to only the information they need to do their work.
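The zero-trust rule described earlier (deny until identity is proven and the device passes a security profile check) and the least-privilege, risk-based MFA policy for employees described here can be expressed as a single policy decision. The following is an added illustration, not Okta's code or any product's API; the scope names, role-to-scope table, device checks, factor classification and risk threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed zero-trust policy decision for an open-banking API: a request
# starts untrusted and is allowed only if identity is proven, the device passes
# its security profile, MFA strength matches the risk, and the caller's role
# actually holds the requested scope (least privilege).

@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in device management (assumed posture signal)
    disk_encrypted: bool
    os_patched: bool

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool        # identity proven by the identity provider
    factors: FrozenSet[str]    # factors completed, e.g. {"password", "webauthn"}
    device: Device
    scope: str                 # API scope requested (hypothetical scope names)
    risk_score: int            # 0-100 from contextual signals (new IP, geo, velocity)

# Least privilege: each role is granted only the scopes its work requires.
ROLE_SCOPES = {
    "customer": {"accounts:transactions:read", "accounts:savings:read", "cards:read"},
    "support_agent": {"accounts:transactions:read"},
    "fraud_analyst": {"accounts:transactions:read", "cards:read"},
}
SENSITIVE_SCOPES = {"cards:read"}              # card data always needs a strong factor
STRONG_FACTORS = {"webauthn", "totp", "push"}  # policy choice: SMS is not "strong" here
RISK_THRESHOLD = 50                            # step-up MFA at or above this score

def device_posture_ok(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.os_patched

def authorize(req: Request) -> Tuple[bool, str]:
    """Deny by default; return (allowed, reason). Every check must pass."""
    if not req.authenticated:
        return False, "identity not proven"
    if not device_posture_ok(req.device):
        return False, "device failed security profile check"
    if len(req.factors) < 2:
        return False, "MFA required: a password alone is never sufficient"
    step_up = req.risk_score >= RISK_THRESHOLD or req.scope in SENSITIVE_SCOPES
    if step_up and not (req.factors & STRONG_FACTORS):
        return False, "elevated risk or sensitive scope requires a strong factor"
    if req.scope not in ROLE_SCOPES.get(req.role, set()):
        return False, "scope not granted to role (least privilege)"
    return True, "allowed"
```

Each denial carries its reason so the decision can be logged and fed back into the monitoring the article calls for.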

Security breeds success

With the changes in regulation that are coming next year with the open banking rollout, API security has become a critical consideration for banks.

As the proportion of hacking-related breaches that involve compromised credentials increases, MFA is certainly a critical piece of the security puzzle.

To improve their overall security posture, banks should use threat intel to properly monitor services, set up proper API Access Management for their APIs and update authentication policies as needed to mitigate the latest threats.

Banks should enforce best practices when setting policies and allow their end users to choose only from the most secure MFA factors.
