The Open Banking Standard Group seems to be making headway in bringing more transparency and openness to the sector
September 16, 2016: It has long been held that the workings of the financial sector are so opaque that the average person is more likely to get a divorce than to switch banking providers. In fact, research from the Independent Commission on Banking found that on average, people are stuck with their provider for a whopping 26 years. This timeframe isn’t borne out of loyalty, but rather because consumers find it so difficult to accurately compare products and services that all but the most determined customers will give in.
This may soon be a thing of the past however, as The Open Banking Standard Group, founded by request of HM Treasury in 2015, seems to be making serious headway in bringing more transparency and openness to the sector.
In August, the Competition and Markets Authority (CMA) announced new rules that would let customers access all of the financial details of different providers through mobile apps, including those of other providers. The new laws, which are currently set to come into force in 2018, aim to make it much easier to compare and contrast different services and products when choosing to move providers, as well as assessing new offers from their current bank.
The mobile boom
The use of mobile apps is a key element of this new era of openness, with the CMA stating that banks should offer the same services via apps as would be available in a branch. It’s well known that the number of branch visits have been plummeting for years as customers switch to more convenient digital services, but even websites have seen a decline more recently.
The British Banking Association found that Internet banking logins dropped by 100,000 a day from 2014 to 2015, from 4.4m to 4.3m. By contrast, mobile apps were used 11 million times a day in 2015, a sharp increase of four million from 2014.
While more access to open information, as well as the flexibility of mobile banking, can only be a good thing for consumers, the drive towards mobile apps has also raised some major concerns. In particular, the use of Application Programming Interfaces (APIs) to share transaction data via apps has raised a red flag with organisations, including the British Chamber of Commerce.
Connecting with APIs
APIs are a set of instructions or routines that complete a specific task or interact with another system, whether it’s a server or application. APIs are increasingly popular with developers because they can be easily integrated into software to complete complex tasks. In this case, APIs would help the various apps access the other banks’ servers. However, while they are ideal for the task of facilitating the data exchange between multiple servers and applications, APIs also introduce a new attack vector that can enable access to the back-end server.
Most API Management Solutions use a simple authentication process to confirm that the client app on a device is genuine and has been authorised to access and utilise server assets – in this case, retrieving customer data for comparison. The challenge-response exchange used for this is generally a cryptographic operation, which means that the mobile client will contain a secret key for an asymmetric cipher, like RSA or ECC.
If an attacker is able to break through the app’s security measures and decompile its code, they can root out these keys and trick the system into recognising them as a legitimate client, enabling them to connect with anything the API was authorised for.
In the case of the proposed universal data access through mobile apps, this would literally be giving cyber criminals the keys to the kingdom, enabling them to potentially pull off a monumental digital bank heist by raiding all of the bank servers connected to the app.
The security risks of financial apps
This comes at a time when cyber security is already a major concern for mobile financial apps. Our 2016 State of Application Security Report tested some of the most popular financial apps around the world. Every app we tested had at least one major security flaw that could be exploited by cyber criminals.
The most common issue is a lack of binary protection, which could allow cybercriminals to tamper with the app and steal personal data, and most apps also lack sufficient protection in the transport layer, potentially enabling thieves to intercept data transmissions.
The lack of binary protection is also a security flaw that can be exploited to access cryptographic keys, and mobile apps are particularly vulnerable as they can be downloaded and attacked indefinitely until a weakness is found.
Alongside mobile apps already providing so many attack vectors, the large number of organisations involved also makes security even more of an issue. With so many banks, as well as ‘approved firms’ set to be sharing data, it is imperative that every single one has top notch security. A single weak link could be enough to infiltrate multiple organisations for a large scale data theft.
Stopping the digital bank robbers
White-box cryptography is one of the most important tools for securely hiding cryptographic keys, shutting attackers out even if they do manage to break into the app. This means the original key material is converted to a new representation in a one-way, non-reversible function. This new format can only be used by the associated white-box cryptographic software, preventing the hacker from finding it and using it for the challenge-response.
Even this can be defeated if the hacker is able to decompile the original application and modify the app or lift out the entire white-box software package, and include it in their cloned version of the application. Attackers that have the advanced capabilities to go this far can still be seen off with anti-tampering techniques that prevent code-lifting attacks or the app being tampered with. These techniques, with RASP (Runtime Application Self-Protection) built in, can respond to runtime attacks with customisable actions and notify the app owner that app is being modified.
While the proposed new era of open banking should make life much easier for the average consumer, the level of interconnectivity and number of players involved creates a huge risk. All organisations should be keenly aware that the cyber criminals of the world will be watching developments with interest. With the right protection in place however, consumers can still get the best deal – while preventing the thieves from celebrating their biggest ever payday.
Winston Bond us EMEA Technical Director at Arxan Technologies