The staff at Britain’s Tesco Bank began work one day in November 2016 to find the institution drained of £2.5m in funds. Hackers had siphoned the money from 9,000 customer accounts. The criminals had used brute force to break down the bank’s cyber defenses. Weaknesses in the bank’s mobile applications had left the bank’s customers vulnerable to fraud and theft.
In this case and many others involving unauthorized fund transfers, cyber security at the application level would have proven far more effective in protecting customers than relying on app store assurances, malware scanners, or even on the server-side measures taken by the financial institutions themselves.
PSD2 Levels the Playing Field
Less than a year after the Tesco Bank hack, European financial institutions will have to meet the cyber security requirements implied by the Payment Services Directive version 2 (PSD2). The regulatory framework of PSD2 will harmonize electronic banking transfers and online payments throughout the European Union (EU). Regulators intend the directive to make online fund transfers more secure. The regulations should also improve consumer protection and encourage innovation. They are also meant to promote competition on a level online playing field for all payment service providers.
Consumer advocates also expect to see the cost of online fund transfers reduced as third-party services enter a space previously dominated by the big banks.
PSD2 Presents Security Vulnerabilities
However, the “open platform” nature of the new online financial ecosystem will present a plethora of new opportunities for cyber criminals. For a start, authentication of third-party fund transfer services will become a challenge as cyber gangs present themselves to vendors and consumers as bona fide custodians of funds.
In addition, the Application Programming Interfaces (APIs) that will be the “glue” between the software applications on the new “open” financial platform that PSD2 creates present soft targets that criminals can exploit. In particular, API identity, security, and integration with programs will pose challenges to IT security professionals and consumers alike. Securing fund transfers at the application level, however, is the one line of defense with the highest probability of preventing unauthorized online fund transfers.
Enable Integrity at the Application Level within PSD2
Promon SHIELD™ offers an approach to cyber security on mobile and desktop devices called Runtime Application Self-Protection (RASP). RASP affords security functionality at the level of the software applications that people use on their devices.
Promon SHIELD™ features that will provide sound security once PSD2 takes effect include:
- Jailbreak/Root Detection – knowing when malware is attempting a low-level takeover of a device;
- Repackaging Detection – stopping bad actors from changing the nature of software;
- Library Injection Detection – precluding invasion of software from within the software itself;
- Execution Flow Control – detecting changes in the normal flow of an application;
- Process Integrity Checking – stopping hijacking of advanced application processes and functions.
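To make the "Library Injection Detection" item above concrete, here is an added illustration of the kind of check a RASP layer performs at runtime. It is not Promon's code and does not describe how Promon SHIELD™ works internally: it parses text in the format of Linux/Android /proc/self/maps (a constructed sample is embedded below) and flags any mapped shared object whose path lies outside an allowlist of directories the application expects its native code to come from. The allowlist of prefixes and the sample paths are assumptions for the example, not a real policy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Promon's code: a simplified "library injection
 * detection" check of the kind a RASP layer performs at runtime. It parses
 * text in the format of Linux/Android /proc/self/maps and flags every mapped
 * shared object (.so) whose path lies outside an allowlist of locations the
 * app expects. The allowlist below is an assumed layout, not a real policy. */

static const char *ALLOWED_PREFIXES[] = {
    "/system/",            /* platform libraries */
    "/apex/",              /* updatable platform modules */
    "/vendor/",            /* device-vendor libraries */
    "/data/app/",          /* the app's own installed native libraries */
    NULL
};

/* Does the path begin with one of the expected directories? */
int path_is_allowed(const char *path) {
    for (int i = 0; ALLOWED_PREFIXES[i] != NULL; i++) {
        size_t n = strlen(ALLOWED_PREFIXES[i]);
        if (strncmp(path, ALLOWED_PREFIXES[i], n) == 0)
            return 1;
    }
    return 0;
}

#define MAX_SEEN 32
#define MAX_PATH 256

/* Counts distinct .so paths in `maps` that are outside the allowlist.
 * If `first` is non-NULL, the first offending path is copied into it. */
int count_unexpected_libraries(const char *maps, char *first, size_t first_len) {
    char seen[MAX_SEEN][MAX_PATH];
    int nseen = 0, unexpected = 0;
    const char *line = maps;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        /* In maps output only the pathname field contains '/', so the first
         * slash on the line marks the start of the path (absent for anon maps). */
        const char *path = memchr(line, '/', len);
        if (path != NULL) {
            char buf[MAX_PATH];
            size_t plen = (size_t)((line + len) - path);
            if (plen >= sizeof buf) plen = sizeof buf - 1;
            memcpy(buf, path, plen);
            buf[plen] = '\0';

            size_t blen = strlen(buf);
            int is_so = blen > 3 && strcmp(buf + blen - 3, ".so") == 0;
            if (is_so && !path_is_allowed(buf)) {
                int dup = 0;
                for (int i = 0; i < nseen; i++)
                    if (strcmp(seen[i], buf) == 0) { dup = 1; break; }
                if (!dup) {
                    if (nseen < MAX_SEEN) strcpy(seen[nseen++], buf);
                    if (unexpected == 0 && first != NULL && first_len > 0) {
                        strncpy(first, buf, first_len - 1);
                        first[first_len - 1] = '\0';
                    }
                    unexpected++;
                }
            }
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return unexpected;
}

/* Constructed sample in /proc/self/maps format (not captured from a device). */
const char *SAMPLE_MAPS =
    "7f1000000000-7f1000020000 r-xp 00000000 fd:01 100 /system/lib64/libc.so\n"
    "7f1000020000-7f1000030000 r--p 00000000 fd:01 101 /apex/com.android.runtime/lib64/bionic/libdl.so\n"
    "7f1000030000-7f1000040000 r-xp 00000000 fd:01 102 /data/app/com.example.bank/lib/arm64/libapp.so\n"
    "7f1000040000-7f1000050000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7f1000050000-7f1000060000 r-xp 00000000 fd:01 103 /data/local/tmp/libunexpected.so\n"
    "7f1000060000-7f1000070000 r--p 00010000 fd:01 103 /data/local/tmp/libunexpected.so\n";

int main(void) {
    char first[MAX_PATH];
    int n = count_unexpected_libraries(SAMPLE_MAPS, first, sizeof first);
    if (n > 0)
        printf("%d unexpected library mapping(s); first: %s\n", n, first);
    else
        printf("no unexpected libraries mapped\n");
    return 0;
}
```

Run against the sample, the check reports one unexpected library (the two mappings of the same file are counted once). In a real application the text would come from reading /proc/self/maps of the running process, the allowlist would be narrowed to the platform directories plus the app's own library directory, and a positive result would feed the application's own response policy (for a banking app, typically refusing to proceed with a transaction and reporting the event), which is the application-level line of defense the article argues for.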
Promon SHIELD™ provides protections that will become invaluable to software vendors and the IT departments of financial institutions as PSD2 rolls out. Though penalties for financial institutions that do not adequately protect online consumer funds transfers have yet to be announced, financial software makers would do well to be proactive in implementing application-level security.
Not only do cyber thieves threaten consumer security and trust, but they also endanger the credibility of European banking in the 21st century.