PSD2 could open up unintended security risks, warns expert

Yogesh Patel, Chief Data Scientist with Callsign

The PSD2 regulation, which came into force last year, could have the unintended consequence of leading to more abandoned transactions as well as additional security risks, a regulatory professional has warned.
Yogesh Patel, Chief Data Scientist with online ID specialist Callsign, pointed out that the new rules involve opening up banking services to third parties to allow them to access a customer’s bank account information and to make payments, with the customer’s permission. In conjunction with that, he said, the legislation has required the implementation of strong customer authentication [SCA] to protect these new processes and reduce online payment fraud in general.
“While this all sounds very positive for the consumer, given that SCA needs to be applied to a range of existing services and additional third party channels, we could be about to witness a new set of security and integration issues,” he warned. “There’s a wide range of new use cases to contend with, and different demographics are likely to be familiar with different authentication methods. Some don’t have access to mobile phones, some don’t use banking apps.”
Consequently, he claimed, as banks move towards the final regulatory deadline of 14th September 2019, PSD2 and SCA will lead to more abandoned transactions than usual if a more appropriate user authentication technology is not implemented, and will actually expand the number of attack vectors a cybercriminal can exploit.
“As users become accustomed to being prompted for credentials in situations other than direct online banking services, the opportunity for a new set of phishing attacks and the orchestration of false authentication journeys is created,” added Patel. “This exposes consumers to a new set of risks that don’t exist today – despite the fact that the intent behind the PSD2 is to reduce fraud and risk. All of this creates something of a multifaceted dilemma for banks. While they’re required to open up access to accounts through the PSD2, they’ll face significant penalties under GDPR if that access is breached. Which is why there’s a premium placed on getting the implementation of SCA right and on ensuring that the digital identities of financial institutions’ customers are properly controlled.”