Two years ago, opportunity abounded for the FinTech community with the arrival of Open Banking. And while the initial uptake was slow to materialise, we are now finally realising the potential of application programming interface (API) integration as 2020 gets underway.
But as we celebrate the second anniversary of Open Banking, fraud is becoming a major concern for financial institutions considering partnering with start-ups and smaller FinTech firms. Criminals are seeing Open Banking as a means of gaining easy access to millions of consumers’ banking and personal information – writes Mark Taylor, fraud market expert, Featurespace.
They know that third-party providers do not necessarily have advanced fraud systems in place – a recent open banking survey of FinTechs by cyber security firm Trend Micro found the average provider has just 20 employees and no dedicated security professional. Big brands are also aware of the potential weak spots created through open banking.
This year, it will be on those firms who are riding the Open Banking wave to ensure that weak security measures aren’t their undoing.
Every change and update can become an unlocked window
Before third-party providers (TPPs) gain the requisite permissions to partner with regulated financial institutions and are added to the Open Banking directory, the Financial Conduct Authority (FCA) will put them through a rigorous process to ensure they are up to the task. But, for large financial institutions, the concern is that once the FCA has checked a business, any further updates and changes may adversely affect that business's security.
As businesses grow, they will undoubtedly update their web pages and platforms. As they onboard new open banking partners, they will also have to make changes to digital infrastructure to accommodate the new financial institution. It’s these updates that fraudsters are monitoring and looking to take advantage of, as a simple security misconfiguration may create a new opening for them.
Fraudsters are already finding opportunities where they can inject malware as a means of getting hold of precious user data. Cross-site scripting (XSS), for example, can allow a user to be tricked into performing an action he or she didn’t intend to do. We have seen examples where fraudsters clone the login page of the web application and then, using the vulnerability they created, ask a user to re-enter login information.
Customer education is paramount
Core to spotting weaknesses in security is using customers as eyes and ears. Large financial institutions absolutely rely on the reports from their users to flag potential fraud events. Users have been educated by financial institutions to be aware of out-of-the-ordinary requests, emails and calls asking them for login or personal information and, as a result, create thousands of reports daily.
The concern for TPPs is that many of their users are new to the service and not adequately aware of what the ‘real’ journey of a customer looks like on a day-to-day basis. This means they are much more susceptible to phishing emails, unexpected pop-ups and social engineering attacks. We are particularly seeing a concerted effort by fraudsters to use phishing emails to convince users to log into fake websites and hand over sensitive information.
As such, FinTechs and other small firms who are beginning to develop under the Open Banking banner need to begin educating their users as larger financial institutions do. Offering regular alerts on possible scams and doing more to encourage users to report any irregularities will be key in helping develop a sophisticated fraud detection infrastructure. Furthermore, financial institutions will be more likely to partner with TPPs that are as communicative on the risks of fraud as they are.
Financial institutions are watching you
If TPPs and FinTechs can’t adequately address fraud issues, they may cause irreparable damage to their reputation. Financial institutions are watching closely and are very sensitive to how their future partners protect their customers, so propositions reliant on many partners to power their open banking platforms need to make fraud prevention their number one priority.
Moreover, financial institutions’ fraud detection systems are being calibrated to distinguish whether suspect traffic is originating from their TPP partners. Smart monitoring now allows for data to be fed into their systems to profile all their Open Banking partners. Then, it’s a case of flagging high-risk activity and including TPPs in their overall fraud scoring. If that score reaches a certain watermark it might mean that transactions are frozen from that source, disabling the Open Banking functionality of the third party.
After years of working with large financial firms, we have seen first-hand how seriously fraud prevention is now taken internally. To succeed in this new Open Banking ecosystem as we head into the third year of Open Banking, FinTechs hoping to become trusted partners of financial institutions need to approach fraud detection with the same sense of urgency.
The post How fraudsters are attacking Open Banking weaknesses appeared first on Payments Cards & Mobile.