Open season on Open Banking

Jonathan Tanner, Senior Security Researcher at Barracuda Networks discusses how cloud can play a role in helping FS organisations overcome some of the challenges posed by the move towards Open Banking.

The banking landscape is changing. Most of the modernised world is focussing on Open Banking and, as a consequence, empowering fintech companies that seek to disrupt how banking has traditionally been done. North America, Europe, Australia, and much of Asia are already major players in the FinTech market. The U.S. and EU are currently looking to expand Open Banking. The UK is leading the way, having already adopted the Open Data API to allow customer data from banks to be made available to FinTechs in a standardised way.

While many banks have put in considerable effort to make their services more user-friendly, they are largely built on older technologies and have considerable regulatory and compliance concerns that can slow this process. Using newer architectures and technologies from the ground up enables FinTechs to not only be more agile but to design their systems around the solution rather than design the solution around their systems. Many banks have already partnered with FinTechs to add popular services and capabilities such as person-to-person fund transfers, but the landscape is changing rapidly as many push for Open Banking to accelerate the transition to the new age of banking.

Open Banking stands to cause three major high-level shifts in the banking industry:

  • Vastly increase the amount and rate of exchange of user data
  • Introduce new technologies to an industry that’s been largely operating on the same architecture for decades
  • Significantly increase the number of companies engaged in these trends

Data proliferation

Open Banking will drastically increase the amount of data associated with users being generated and transacted, as well as the number of entities accessing this data. To some extent this trend was inevitable, but Open Banking pushes for FinTechs to have better access to this data. While data can be powerful for advancing technology and quality of service, it is also widely used for more nefarious outcomes. For many jurisdictions, data exchange is prescribed to be opt-in, but it is doubtful that most users are fully aware of what they are opting into. What’s more concerning is it seems that regulations have been left out of the planning process with the intent to address them after problems occur that warrant attention rather than proactively planning for negative outcomes.

The data perimeter is expanding as smaller, more specialised companies partner or exchange services to provide a more robust overall experience. While it is unlikely that most users know exactly where their data is going, in some cases not even the primary company handling it knows, as the “as a Service” revolution creates increased layers of abstraction along the data pipeline. It’s not unheard of to have up to sixth-party access to data. In other words, five different companies utilising each other’s services have touched any single piece of data, each with their own systems and (you would hope) security.

While empowering users to have control over their data has become more widespread – especially in the EU following GDPR – the landscape is often so complex that it’s impossible for a user to truly know the reach of their data, let alone have full control over it. Many security professionals can’t comprehend the full scope of securing such data, which is why architectures are built around the concept of shared responsibility where various components of security are divided among the parties involved based on the nature of how they handle the systems and data.

Emerging technologies

Newly created software systems benefit from being able to use any technology or methodology available, but it is much more difficult for existing systems to do this due to incompatibilities or significant changes that would be required. While banks may be able to add new features, the existing systems they must interface with are built around the technologies available when they were first implemented, which for many is decades ago. This may drastically limit the capabilities of systems, but it has allowed the security of these systems to evolve over time as well. Better understanding gained with age also leaves less room for more nuanced security holes. Thus, while most banks are using mainframes and running software written in programming languages emerging students haven’t even heard of, they are still some of the most secure and stable systems in existence.

Technologies such as cloud computing, machine learning, and blockchain already boast wide adoption across emerging FinTech companies that are attempting to provide the best user experience possible. However, they may also provide the next attack surface. The security risks associated with these technologies can be complex, not widely known, or not even explored yet.

Cloud computing is quickly becoming the standard for how software is deployed, but the shared responsibility model for cloud security adds complexity and room for security holes if all parties involved don’t fully understand their security responsibilities. It takes cloud-specific security expertise to properly configure and manage these systems, which takes investment in human capital on the part of the companies using cloud services – investment that small startups often are not willing to make.

The FinTech movement also looks to machine learning to better serve potential customers and help make complex financial decisions. While machine learning holds huge potential, it is often not fully understood by those implementing it. Simply collecting a large dataset and pushing it through algorithms is a naive approach to machine learning. In reality, the data set must be carefully curated and the features selected with thought. Producing an inferior model in most cases will simply hurt the software using it, but when the model is being used for tasks such as making financial decisions on behalf of users or detecting fraud the stakes are even greater. Emerging research is finding that there is potential for tricking these algorithms to defeat, or even mislead, the systems using them.

The new generation of technologies stands to drastically change the world as we know it, arguably for the better. At the same time, these technologies are not fully understood and already have their own security challenges. Research into these challenges and methods to mitigate them has only just begun, so we are poised to entrust some of our most sensitive data to technologies without fully understanding the associated risks.

FinTechs

Open Banking will undoubtedly result in another boom of startups, and these startups having access to people’s banking data on a large scale has the potential to have serious consequences. For larger, well-established businesses budgeting for security is already a tough sell to the boardroom and investors. But it’s an even tougher sell for startups that aren’t even solvent yet, because bringing a product to market and gaining a user base takes top priority. Even now, the average FinTech startup has 20 employees and zero dedicated security staff. Conversely, if you look at open positions at major banks an average of 1 percent of the listings are for security staff. This average jumps to 2 percent for well-established FinTechs including PayPal and Square.

Many startups and larger companies mistakenly assume technology staff – from programmers to operations staff – have the knowledge and expertise to create and maintain software in a secure way. Job listings for non-security technology staff echo this misconception, as a single bullet point for security knowledge accompanies the other standard duties of the position – especially when companies don’t have listings for dedicated security staff.

The truth is, most workers in technology have, at most, a basic understanding of security as it relates to their profession. This is not a shortcoming on their part so much as a failure of the institutions that trained them for that profession. For example, the degrees programmers obtain at many institutions typically offer a single optional course in basic information security. While degrees for managing computer systems offer more exposure to security training, it is also often at least in part optional and almost never substantial enough to train people for the real security challenges they stand to face. Luckily, dedicated degrees in information security are becoming more common, but this doesn’t fully address the shortcomings of other training programs.

Even outside of technology, security is quickly becoming a universal concern – from C-level officers who need to manage risk to legal departments that will handle litigations following a data breach. But there’s a real lack of necessary security knowledge being imparted. An hour-long video once a year on how to avoid falling victim to cyberattacks is not going to fill this gap. The education system needs to make security training and staffing a priority as much as companies do. For those already working in their field, additional training should be sought to increase security knowledge as it relates to the job and industry. Security in general is a discipline that requires forethought, planning, and preparation, and this needs to be more widely understood and adopted.

Whose fail is it anyway?

With Open Banking seeking to widely distribute financial data and a complex and underprepared security posture to protect it, the question of who is responsible in the event of an inevitable breach of that data becomes a tricky proposition. This becomes somewhat simpler in the case of breaches of data at rest, but with data in transit it becomes trickier to identify the party at fault. Failures in either – or likely both – ends of the data pipeline will lead to long, drawn out court cases to properly assign responsibility for damages. All the while the users affected must wait even longer for any sort of reparation to take place. With the Equifax breach still not entirely resolved after two years it’s difficult to imagine positive outcomes from similar data becoming more widely shared.

Some effort has been put into standardising blame in the various Open Banking movements already underway, often either splitting responsibility or in some cases placing it solely on the banks. Inevitably, the complexity of security failures will result in parties taking blame they do not deserve, and affected companies will take action to prevent future punishment, which will stifle the movement. In jurisdictions without the foresight to set up standards for handling this, it’s possible that those with the best lawyers will often be victorious – again resulting in improper assignment of blame. Regardless of the circumstances, it’s highly likely the customers will somehow foot at least part of the bill associated with handling blame ambiguity while not quickly receiving the relief they require and deserve from the security failures.

Further, it is doubtful that judges and/or regulators would have the level of security expertise required to make an accurate assessment. Thus, a whole new field of security evaluators would be needed, which would take years to train properly. Ultimately, we are quickly headed toward a world where some expertise in security is required for just about every profession – a prospect that no schools are prepared to address.

Conclusion

Open Banking and FinTechs are poised to revolutionise how we interface with our finances, but they also open new avenues of security risk into those finances and the data they generate. While it’s often easier to focus on the potential benefits of technology rather than the risks, too much is at stake to not take security seriously, and all levels involved in this shift play a role. Regulators must ensure that proper security measures are required for those handling and transferring financial information, devise ways to hold companies accountable when data breaches occur, and ensure timely restitution for those affected.

Companies need to take securing their systems and user data seriously from the start and invest in measures and personnel to achieve this and not adopt the “it won’t happen to me” mentality so prevalent in other industries. Users must refuse to do business with companies that don’t make securing their data a top priority. Finally, institutions that disseminate knowledge need to look to incorporate security training into their curriculum to enable everyone to at least understand the risks that are out there if not take part in mitigating them.


Jonathan Tanner is Senior Security Researcher at Barracuda Networks
