I had a conversation with a financial fraud expert at BAE Systems recently about some of the security risks being created by the PSD2 regulations.
You can put all the security technology under the sun in place but human fallibilities, which PSD2 might inadvertently increase, will undo them all.
Gareth Evans at BAE Systems told me how PSD2 creates more potential entry points for fraudsters who prey on consumer confusion.
There has been a lot of discussion about security standards around payments with for example PSD2’s Strong Customer Authentication (SCA) rules, being introduced. SCA means that any online payments worth over €30 would require two methods of authentication from the person making the payment, such as a password, biometric authentication like a fingerprint, or having a phone that can identify them.
SCA was due to be introduced on 14 September but due to The Financial Conduct Authority has given payments and e-commerce firms an extra 18 months because of the “complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers”.
But consumers have other things to worry about according to Evans, with the introduction of PSD2 likely to be seized on by fraudsters to take advantage of consumer confusion.
Instead of just having your mobile app or internet banking app to access your account it is opening up your bank account to a whole host of third parties. “They can do really innovative things for you but it also means you are opening up vulnerabilities that people can exploit,” said Evans.
“I am less worried about the technical vulnerabilities from traditional hacking, I am more concerned about the human element that PSD2 brings in,” said Evans. “When anything changes it creates confusion. When you create confusion it gives people a chance to phone you up or send you an email to try and get people to divulge information you shouldn’t.”
Evans said there has been a general increase in financial fraud although he has not seen any directly related to PSD2 yet. “PSD2 has not captured the public’s imagination yet. While I think a lot of banks have been working behind the scenes to get the technical side right there has not been a lot of take up,” he added.
“It is not about what we have seen but where this could go.”
As an analogy he said in the past if you had your money under your bed and you had one door, when you locked it that route was secure. But he said PSD2 creates more doors to your finances. “For example fraudsters could set themselves up as third parties and spoof their way to gaining access to a bank account.”
Basically the target for criminals is being made bigger by PSD2, added Evans. “I don’t think there will necessarily be any groundbreaking new threats but the number of attack vector is growing.”
He said that third party financial services providers, which will include many fintechs, might not have done the same level of security work as the banks have, which could open up vulnerabilities.
There will also be questions over which financial services supplier is responsible when a fraudster manages to get access to a consumer’s account. “At the moment it is usually the bank’s responsibility but where will that go after PSD2 takes off?”