More online banking could improve cyber security

16 November 2017

More online banking is good for cyber criminals, right? Not according to Senior Advisor Magnus Falk, who argues new rules allowing banks to share our data will make us more secure.

Open Banking will be a reality from early next year as banks meet their regulatory deadlines and innovators, including many of the same banks, deliver new services to our smart phones and other devices.  

The principle behind Open Banking is that consumers own their banking data and services, so should be able to tell their bank to share them with other firms.  Under new regulations (PSD2) those other firms must be regulated.

So what will you use it for?  Perhaps you want your accounting software to access your bank account to help with bookkeeping.  Or maybe you want to see an analysis of multiple bank accounts to stay on top of your spending and make recommendations for better banking products.  Or perhaps you want to allow a merchant to be paid directly from your account because then they’ll deliver tomorrow for free.

You might say “I already have services like these, what’s different?”  The key difference is that today you would have to give your banking user name and password to access these services; with Open Banking you don’t.

Maybe that sounds like a small difference, but it is not. When GPS (global positioning system) data was opened up, we got localised travel maps and guides, photos with locations tagged, Find my Friends and Tinder! We can now look forward to a similar rate of innovation in the banking sector. The regulatory and technical hurdles to allow you to share your data were difficult but are now overcome.

You won’t have to break anyone’s terms and conditions when you share and you’ll be in control.  The right conditions now exist for new services to be invented.

Banking data over the internet – isn’t that a bad idea?

Entrepreneurial-types are understandably excited about all this, sensing an opportunity for market share. But there is still a big question as to what Open Banking might mean for our online security.

Cyber-crime is big news and big business.  The impact of it on UK consumers is breath-taking, with recent impact estimates hitting £1bn and millions of us becoming victims. So surely anything that encourages people to do more banking online is a terrible idea?

Cyber-crime is a very wide term, covering activities like ransomware, theft of intellectual property, blackmail to prevent business disruption as well as more traditional financial fraud.  The level of financial fraud is well tracked: £769m across payment cards, remote banking and cheques in 2016. Putting that level of fraud into some sort of context, online sales are now over 25% of all non-food sales and on Black Friday last year over £1.2bn was spent online.  Crime is following its intended victims.

But looking at the fraud data, criminals aren’t breaking into banking apps, or managing to overcome the security on banking websites.  They achieve success through old fashioned fraud that exploits new banking tools.  Scams are a large source of these losses, with consumers tricked to move money, give away card and banking details directly, or by granting remote access to their computers.

Despite all this, Internet and mobile banking continues to gain in popularity, with over 60% of us now banking online, up from 30% in 2007.

So the focus should be on making online safer and beating the criminals.  There are a number of ways to do this: by educating consumers (the Take Five to stop fraud campaign is a good example); by making payments safer (the payments strategy will deliver important features); and finally by introducing Open Banking.

What additional security does Open Banking bring?

This might sound counterintuitive – you’d assume cyber risk is increased by encouraging more people to conduct business online – but the regulations enabling Open Banking will trigger a number of improvements.

Let’s start with improved authentication standards.  The new standards will insist that any regulated financial institution use at least two different identification criteria from a list of three: something you know, something you have or something you are. Username and password are only one of these: they are something you know.  The additional identification factor is a game changer for protecting consumers, making it much harder to steal your banking credentials. Good examples of additional identification factors are the use of voice recognition when talking with your bank, and the placing of digital certificates on your phone, tablet or PC at the first use of a service, making them trusted for further use.

The second Open Banking improvement is that only authorised firms can participate.  Firms providing you a financial service can only participate once they have relevant authorisation and can prove it technically.  This will allow banks to simply ignore requests from unauthorised firms at their internet gateways.  This is a similar improvement to those all-important secure internet pages showing “https:” and relies on similar, proven technology approaches.

The third is the requirement for explicit and revocable consent to service.  You will be able to grant and revoke rights to your data easily, online and via your bank or new service, thereby putting you in total control.

Finally, Open Banking comes with a liability model that protects you from any breaches of security and requires rapid refunds.
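As an added illustration (not part of the original article, and not any bank's or standard's own code), the Python below models the three technical checks just described at a bank's gateway: two factors from different categories, authorised firms only, and explicit, revocable consent. The `Gateway` and `Consent` classes, the factor names and the firm names are hypothetical, and membership of a set stands in for a firm proving its authorisation technically.

```python
from dataclasses import dataclass, field

# Factor names are constructed; the three categories are the article's.
FACTOR_CATEGORY = {"password": "know", "security_question": "know",
                   "device_certificate": "have", "voice_recognition": "are"}

@dataclass
class Consent:
    customer: str
    firm: str
    scopes: set
    revoked: bool = False

@dataclass
class Gateway:
    authorised_firms: set  # hypothetical stand-in for the regulator's register
    consents: list = field(default_factory=list)

    def sca_ok(self, factors):
        # Count distinct categories, not factors: two "know" factors are one.
        return len({FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}) >= 2

    def grant(self, customer, firm, scopes, factors):
        # Consent is recorded only for an authorised firm and after two-factor login.
        if firm not in self.authorised_firms or not self.sca_ok(factors):
            return None
        consent = Consent(customer, firm, set(scopes))
        self.consents.append(consent)
        return consent

    def decide(self, firm, customer, scope):
        # Unauthorised firms are refused before any customer data is looked up.
        if firm not in self.authorised_firms:
            return "reject: firm not authorised"
        live = [c for c in self.consents
                if (c.customer, c.firm) == (customer, firm) and not c.revoked]
        if not live:
            return "reject: no active consent"
        if not any(scope in c.scopes for c in live):
            return "reject: scope not consented"
        return "allow"

def demo():
    gw = Gateway(authorised_firms={"acme-accounts"})
    weak = gw.grant("alice", "acme-accounts", ["read"], ["password", "security_question"])
    consent = gw.grant("alice", "acme-accounts", ["read"], ["password", "device_certificate"])
    before = [gw.decide("acme-accounts", "alice", "read"),
              gw.decide("acme-accounts", "alice", "pay"),
              gw.decide("unknown-firm", "alice", "read")]
    consent.revoked = True  # the customer withdraws consent
    return weak is None, before, gw.decide("acme-accounts", "alice", "read")
```

A password plus a security question is refused because both are "something you know", and a request outside the consented scope is refused even from an authorised firm.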

What about protection from scams?

If a scammer has convinced you to move your money, then you are still likely to fall victim.  The payment systems strategy has some help coming in the “identify payee” service (where the receiving bank provides you the destination account name before you confirm payment), but implementation dates are still uncertain. 

I expect the innovation stimulated by Open Banking to result in the appearance of anti-scam services.  An example could be a service allowing additional steps for payment approval. This might protect, say, a vulnerable person whose payments can be overseen by a relative.  Another possibility is detecting payments that don’t match your existing spending pattern and delaying them for double checking later.

Over two million UK citizens are already using online services which access their bank accounts.  There is a huge demand for them.  It is important to create a safe way for this to happen and remove the current uncertainty in using them.

An implementation period will see both Open Banking and these existing services run in parallel for a while, probably until mid-2019, depending on finalised legislation.

The UK banks have worked together to deliver an Open Banking solution that is safer than today and will, like the opening up of GPS, trigger a wave of innovation resulting in new services for consumers.

Open Banking will be safe to use, but keep alert for those continuously inventive scam merchants.
