
Stronger security needed before open banking arrives - Okta

15 Jan 2019

Article by Okta APAC GM Graham Sowden

Historically, banks have been conservative and have not been expected to expose their customer data.

This is driven by the fear of exposure to various security risks.

Now, with the new changes in regulation, Australian banks will need to abide by PSD2 and GDPR, and open up their customer data via APIs for transaction accounts, savings accounts and credit card data by 2019.

This will require banks to step up their risk management in order to be able to handle customer data in a secure way.

The threat landscape

In this new era, the threat landscape is complex, with attacks ranging from DDoS to sophisticated targeted attacks such as SQL injection and command injection, and a variety of ever-evolving bots that continuously morph and change their attack signatures.

According to the 2018 Verizon Data Breach Report, “81% of all hacking-related breaches leveraged either stolen and/or weak passwords”.

As per an F5 Security report, “The highest percentage (70%) of the breach reports for Q1 2018 were web injections that stole customer payment card information”.

It is also expected that by 2022, API attacks are going to be a major attack vector.

The majority of banks in Australia have not exposed their APIs.

This picture will change in 2019.

Online banking applications are one of the most lucrative targets for cybercriminals, and credential stuffing attacks are causing havoc across the industry.

In fact, across APAC as a whole, cross-matching techniques and credential-stuffing bots are costing businesses up to $28.5 million per year, according to Akamai’s latest figures.

Once banks expose their customer data APIs in Australia, it is very likely that credential abuse attacks will increase significantly.

As early as July 2019, Australian banks will need to have a system in place that both benefits customers and protects their personal data.

This will mean a rethink of their API and security perimeters. Banks will need to build security into every device layer and trust no one: this is the concept of zero trust.

The idea of zero trust

As Australian banks move to the cloud, it is critical to move past the traditional on-premises, perimeter-based approach to a modern, identity-centric approach.

Forrester’s Zero Trust Model and Google’s BeyondCorp are two approaches to security that assume that all access to corporate resources should be restricted until the user has proven their identity and access permissions, and the device has passed a security profile check.

Both approaches also highlight the idea that the network inside the perimeter is no more secure than the outside, and thus a security solution should assume that all access is untrusted until the end user is able to prove otherwise.

From initial information gathering and account opening through to day-to-day banking, identity drives every stage of the banking customer lifecycle.

Whether in a physical or digital channel, the identification, authentication and authorisation of a customer’s identity underpin every instance of interaction with the bank.

With the introduction of open APIs and the expanding threat landscape, the importance of strong customer authentication (SCA) is ever increasing.

The threat from within

Identity theft and fraud are most commonly associated with external threats, such as the credential-stuffing hackers already mentioned.

But too often internal threats are neglected.

Banks and technology firms must recognise the cybersecurity risk associated with employees.

Both human error and malicious intent could lead to damaging data loss/theft, whether through phishing scams, malicious actors, or even just excessive access privileges.

The answer lies in changing the way companies regulate identity and access management (IAM) so employees only have access to systems, apps and platforms they need, and that access is granted in a secure manner.

A vital starting point is moving away from relying on passwords alone and adopting risk-based multi-factor authentication (MFA) across all of the infrastructure.

Adopt stronger authentication policies that ensure employees have access to only the information they need to do their work.

Security breeds success

With the changes in regulation that are coming next year with the open banking rollout, API security has become a critical consideration for banks.

As the volume of hacking-related breaches that involve compromised credentials increases, MFA is certainly a critical piece of the security puzzle.

To improve their overall security posture, banks should use threat intel to properly monitor services, set up proper API Access Management for their APIs and update authentication policies as needed to mitigate the latest threats.
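The credential-stuffing attacks described earlier, and the monitoring the paragraph above calls for, can be illustrated with a small detector. The following is an added example written for this article, not code from Okta or from the article itself. It assumes a constructed, simplified authentication log format (timestamp, source IP, account, outcome) and constructed thresholds; the signal it looks for is one source address trying many distinct accounts in a short window with a high failure rate, which is how a bot replaying a leaked credential list looks from the defender's side, and it reports any account that succeeded during such a burst so it can be forced through MFA and a password reset.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example (not the article's or Okta's code). The log format,
sample lines and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <account> <OK|FAIL>".
# 203.0.113.7 sprays six different accounts in four seconds (one lands);
# 198.51.100.4 is an ordinary user who mistyped once and then logged in.
SAMPLE_LOG = """\
2019-01-15T09:00:01Z 203.0.113.7 alice FAIL
2019-01-15T09:00:02Z 203.0.113.7 bob FAIL
2019-01-15T09:00:02Z 203.0.113.7 carol FAIL
2019-01-15T09:00:03Z 203.0.113.7 dave OK
2019-01-15T09:00:03Z 203.0.113.7 erin FAIL
2019-01-15T09:00:04Z 203.0.113.7 frank FAIL
2019-01-15T09:00:05Z 198.51.100.4 alice FAIL
2019-01-15T09:00:09Z 198.51.100.4 alice OK
2019-01-15T09:10:00Z 203.0.113.7 grace FAIL
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, account, outcome == "OK"))
    return attempts


def find_stuffing_sources(attempts, window=timedelta(seconds=60),
                          min_accounts=5, min_fail_rate=0.5):
    """Return {ip: finding} for sources whose sliding window of attempts
    touched at least `min_accounts` distinct accounts with a failure rate
    of at least `min_fail_rate`. Each finding lists the accounts that
    succeeded inside the burst, i.e. likely compromised credentials."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        for end, ev in enumerate(events):
            # Advance the window start until it spans at most `window`.
            while ev.ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            accounts = {e.account for e in win}
            fails = sum(1 for e in win if not e.ok)
            rate = fails / len(win)
            if len(accounts) >= min_accounts and rate >= min_fail_rate:
                prev = findings.get(ip)
                # Keep the widest burst seen for this source.
                if prev is None or len(accounts) > prev["accounts"]:
                    findings[ip] = {
                        "accounts": len(accounts),
                        "attempts": len(win),
                        "fail_rate": rate,
                        "compromised": sorted(e.account for e in win if e.ok),
                    }
    return findings


if __name__ == "__main__":
    for ip, f in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['accounts']} accounts in {f['attempts']} attempts, "
              f"fail rate {f['fail_rate']:.2f}, successes: {f['compromised']}")
```

Run against the sample, only 203.0.113.7 is flagged (six accounts, five failures), with `dave` listed as the account that authenticated during the burst; the single mistyped password from 198.51.100.4 never reaches the account-count threshold, which is the point of keying on distinct accounts per source rather than on failures alone. In production the thresholds would be tuned per service and the findings fed to the risk-based MFA policy the article recommends, so that a successful login from a flagged source triggers step-up authentication rather than being accepted as-is.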

Banks should enforce best practices when setting policies and allow their end users to choose only from the most secure MFA factors.
