By Brian Spector, CEO at MIRACL
The European payments market is on the cusp of a radical change. Due to come into effect in January 2018, the revised Payment Services Directive, PSD2, is a centralised attempt by the European Parliament to, among other things, make online payments safer for businesses and individuals, by clearly specifying liability and authentication rules. But rather than being just a swathe of red tape, the directive is a much-needed attempt to prevent our entire banking system from being exploited by hackers. In this article we’ll outline some of the key features of the Directive, and explain why it will benefit both the financial services industry and its customers.
As the payments market has become more open, with a plethora of third parties now sitting between banks and their customers, it has become essential to accurately verify the identities of people accessing the data and systems involved. The PSD2 regulations specify that each payment provider is required to have strong authentication processes in place, whether they are the main service providers or one of the new third party organisations. PSD2 also states that for authentication to be seen as ‘strong’, it must not be replicable. This will prevent fraudsters from simply copying authentication data to get a successful payment. This is positive news for everyone involved in the payments process, and for the first time sets common standards on how banks can verify their customers’ identities.
So why is this needed? Cybercrime is already a huge problem for the banking sector, with several high-profile attacks reaping significant rewards for hackers. For example, in 2010, attackers stole £44 million in an international operation involving the Zeus Trojan, a computer virus that captured passwords and account details. But as hacking tools become more advanced, these threats will evolve into a new generation of attacks that may worsen the already questionable security currently being used. While banks have long prioritised being as user-friendly as possible, the security risks have escalated.
Many banks store user credentials, such as username and password, in whole form and in one central place, leaving them vulnerable to being compromised at source or stolen in transit while being sent over the Internet. Besides the well-known hacking tools, such as malware and Trojans, there is an increasing trend for attackers to use browser rootkit attacks to enable fraudulent transactions. These are malicious programs that run at the administrative level, usually operating as an extension to a web browser. They are fully automated and capable of performing fraudulent transactions and covering their traces at the same time. In an online banking transaction, all the information displayed on a customer’s PC, including account numbers, name, balance and transaction details, can be leaked by a browser rootkit and sent to an attacker, who can use this information to physically target users through identity theft techniques.
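To make the "whole form" point concrete, here is an added example (not code from the article, MIRACL or any bank) contrasting a store that keeps the password itself with one that keeps only a per-user salt and a slow PBKDF2-HMAC hash, so a copied table does not hand over the credential. The iteration count and the in-memory dictionary standing in for the database are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed example: an in-memory dict stands in for the credential table.
PBKDF2_ROUNDS = 100_000  # assumption: tune to the server's CPU budget
HASH_NAME = "sha256"


def store_plaintext(username: str, password: str, db: dict) -> None:
    """The pattern the article warns about: the whole credential sits in one place."""
    db[username] = password  # anyone who reads the table has every password


def store_hashed(username: str, password: str, db: dict) -> None:
    """Keep a random salt and a PBKDF2-HMAC digest; the password itself is never written."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, PBKDF2_ROUNDS)
    db[username] = {"salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS}


def verify_hashed(username: str, password: str, db: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def table_leak_exposes_password(db: dict, username: str, password: str) -> bool:
    """Simulates an attacker reading a copied table: True only if the literal password is there."""
    return db.get(username) == password


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext("alice", "correct horse", plain)
    store_hashed("alice", "correct horse", hashed)
    print("plaintext table leaks password:", table_leak_exposes_password(plain, "alice", "correct horse"))
    print("hashed table leaks password:   ", table_leak_exposes_password(hashed, "alice", "correct horse"))
    print("login with right password:     ", verify_hashed("alice", "correct horse", hashed))
    print("login with wrong password:     ", verify_hashed("alice", "wrong", hashed))
```

Two users who choose the same password end up with different digests because each gets its own salt, so a leaked table cannot be cracked once and reused across accounts, and the unknown-user branch deliberately costs as much as a real check.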
While many banks also offer additional security features such as two-factor authentication, or authentication via SMS text message, this kind of security no longer provides much of an obstacle to attackers. Two-factor authentication doesn’t protect against browser rootkit attacks, and in addition, hackers can easily hijack phone numbers or intercept text messages, so this kind of authentication is becoming increasingly redundant. This reality led the US government agency responsible for establishing digital security guidelines, the National Institute of Standards and Technology (NIST), to announce that it would no longer be recommending the practice of SMS-based authentication.
As a result of these factors, the PSD2 guidelines require each payment initiation service provider to have strong customer authentication processes in place, by establishing something a user knows (such as a PIN number or username), something they have (such as a token), and something they are (such as biometric authentication). This is good news for all concerned because it will reform the payments industry and encourage new technologies and innovations that will help to keep users more secure, while keeping the end-user experience simple and straightforward.
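The "must not be replicable" requirement above and the knowledge-plus-possession factors just listed can be shown together in code. The following added example (not from the article, MIRACL or any bank) pairs a PIN check with a counter-based one-time code in the style of RFC 4226 HOTP: the server accepts each code at most once, so a code captured from a user and presented again is rejected. The PIN, the shared token secret, the look-ahead window and the use of a plain SHA-256 for the short PIN are assumptions for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    bin_code = ((mac[offset] & 0x7F) << 24
                | mac[offset + 1] << 16
                | mac[offset + 2] << 8
                | mac[offset + 3])
    return str(bin_code % (10 ** digits)).zfill(digits)


class Token:
    """Client side, the 'something they have': emits the next code and advances its counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Authenticator:
    """Server side: stores a PIN hash, the token secret and the last counter it accepted."""

    def __init__(self, pin: str, secret: bytes, window: int = 5):
        # Assumption: a plain hash of the short PIN is enough for the demo;
        # a deployment would use a slow KDF as for any password.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.secret = secret
        self.last_counter = -1  # nothing accepted yet
        self.window = window    # tolerate a few codes generated but never submitted

    def verify(self, pin: str, code: str) -> bool:
        """Both factors must match; a matching counter is consumed so the code cannot be replayed."""
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        # Only look ahead of the last accepted counter, never behind it.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if not pin_ok:
                    return False
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    shared_secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed for the demo
    token = Token(shared_secret)
    server = Authenticator("4711", shared_secret)
    captured = token.next_code()
    print("first use of code:      ", server.verify("4711", captured))
    print("replay of same code:    ", server.verify("4711", captured))
    print("fresh code, wrong PIN:  ", server.verify("0000", token.next_code()))
    print("fresh code, right PIN:  ", server.verify("4711", token.next_code()))
```

The replay fails not because the code is wrong but because its counter is already behind `last_counter`, which is the property the directive is after: copying what the user sent does not let an attacker send it again. The same idea extends to challenge-response or transaction-bound (dynamically linked) codes, where the counter is replaced by a server nonce or the payment details.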
In the last few weeks, Mastercard and Lloyds have announced that they are testing a range of new authentication methods, such as ‘selfie pay’ facial identification, and it’s exciting to see what other types of authentication will soon become more mainstream. The truth is, real digital security requires the complete elimination of centralised security systems. For example, MIRACL’s zero-factor authentication allows customers to authenticate using a secure app on their mobile device, like an ATM machine, rather than a username and password, and never sends authentication credentials across the web for storage in the cloud.
By regulating new Payment Institutions, the Directive will also accelerate competition across the industry, helping to drive innovation and develop new methods which will make the entire payments industry a safer place for all concerned.