Open Banking and Europe’s second payments directive (PSD2) are undermining the safety and security of the banking industry, according to Tom Kellermann, chief cybersecurity officer at Carbon Black.

“The unintended consequences and externalities involved with the Open Banking initiative will be pronounced because the regulators and policymakers do not appreciate the organization and sophistication of modern cybercriminals,” says Kellermann. “I truly think the European model for Open Banking is going to undermine the safety and soundness of the industry as a whole.

"The Commission's premise for doing this was to increase liquidity and increase access to financial services. They're making an assumption that cyber criminals are less sophisticated than bank security folks. Everyone acknowledges that there's no such thing as 100% security. Everyone acknowledges that things have gotten tremendously worse.”

The content of PSD2 and its regulatory technical standards (RTS) have been available since the Commission published the proposals in July 2013. The European Banking Authority (EBA) has a Q&A tool to provide guidance on PSD2 and its different delegated acts. The EBA also issues clarifications on PSD2-related issues raised by the industry in an ad-hoc working group.

“Banks are facing a rush to capitalise on the modern retail customer and they’re opening a Pandora’s Box and not paying enough respect to organizations which are specialised in attacking them. It’s ironic that criminals actually have more robust research and development on the vulnerabilities of mobile apps than the financial institutions themselves.”

A report by security firm Arxan with Aite Group examined 30 financial services applications developed by major financial services firms in the UK, Europe, and USA. According to the research, nearly all of the apps were easily reverse engineered.

97% of apps tested lacked binary code protection, making it possible for their source code to be decompiled and tampered with. 90% of apps shared services with other applications, meaning data from the banking app could be accessed by malicious third-party apps.

80% of the apps tested displayed weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed. Only one of the firms analyzed implemented application programming interface (API) security, none of the organizations implemented any control mechanisms to detect whether the app was being reverse engineered.

“It wasn't a surprise to see that application shielding wasn't being implemented. I just didn’t know how poor the cybersecurity hygiene was of the developers who were writing this code,” says Alissa Knight, senior analyst at Aite Group and author of the report.

“The thing that was most shocking for me was the prevalence of private keys. A lot of the time what we're finding now is with the API back ends that these mobile apps use to communicate with these financial institutions, the API token is all that’s needed [to gain access].”

Finger pointing

Knight spoke with some of the financial institutions affected by the study and discovered that the blame was being passed around developers and departments. “In larger firms there are more hands in the pot, and there may be teams thinking: ‘This isn’t my problem, I expect the back end to handle this’. At the smaller companies it may be just one individual developer, whereas at the larger companies and the larger financial institutions, there would be teams of developers, and one individual considers it to be another individuals problem.”

For Kellermann, smaller teams at banks take pride in the application they’re developing. “The largest banks outsource their mobile app development, and these third parties haven’t done a sufficient job of vulnerability testing these apps. I think smaller banks and teams put greater value in their brands and pay close attention to their mobile app because it’s a technological touchstone for them.”

He believes that banks need to be facing up to their security expectations, not brush things under the carpet. “Banks will hire the very best PR firms to manage crisis communications and wipe away any issues that might undermine trust and confidence. There is no reporting mechanism. Who discovers the vulnerability? Is it a threat researcher or a criminal? A criminal won’t let the world know they have found a new way to steal money. The researcher will do a one off report and then the bank will off them a job or a bug bounty [compensation for finding issues] and often make them sign a non-disclosure to get it.”

When it comes to programming the application, the very least a bank can do is shield its code from unwanted eyes, says Knight. “One of the things that they definitely need to begin doing is, if they are going to be hard coding keys and tokens – which of course is an incredibly bad idea – they need to implement application shielding to really obfuscate and encrypt the code. That would have made it a lot harder for someone like me to comb the source code.

“These firms also need to do application penetration testing before they release it to marketplaces. They need to have not just the developer who wrote the code but a security engineer on staff, or at least a third party which can perform the test.”

Kellermann agrees: “They should be doing regularly, reputational queries on the security of apps, they should be testing the apps for the top 20 vulnerabilities and remediating them prior to going live in production. They should be deploying, or at least offer to the consumer who's willing to pay for it, a mobile device management capability that would limit the functionality of the device when doing sensitive things.

“Now that money is digital, and now that money on mobile is fundamental, these banks need to take mobile security seriously in so much that this should be a safety and soundness issue. In fact, this should be mandated from the regulators from the Bank of England and others. They need to mandate more stringent testing, vulnerability assessment and remediation before these applications are live.”