Open banking for beginners: how safe is your data?

“Why do I need to share my date of birth and mother’s maiden name when I buy socks on Wednesday,” hypothetically asks Alastair Johnson, the founder and CEO of Nuggets, the UK-based e-commerce payments and ID platform. CyberNews spoke to him about the risks that open banking poses to consumers and ways to avoid them.

In July, the US fintech giant Dave admitted that it suffered a breach of its customers’ personal data via a third-party provider. Millions of records were put for sale online, the Information Security Magazine reported.

“As the result of a breach at Waydev, one of Dave’s former third-party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm,” it explained.

Under the open banking concept, banks are required to share users’ data with third-party providers so that they could perform a number of tasks, such as transactions, personal budget planning, etc.

Naturally, with great opportunities for fintech and customers alike, open banking amplifies the risk of data breaches, as customers’ personal financial information now sits not only within banks’ databases but is also available for third parties.

“You’ve seen some of the best people phished through very intelligent approaches,” Alastair Johnson, CEO at Nuggets, told CyberNews.

• Protect your devices with these best antivirus software in 2021
• Find out how a VPN can help you stay protected online
• See our list of the best VPNs on offer

Because a lot of breaches happen due to human error, he suggests getting rid of things such as usernames, passwords, and SMS-based two-factor authentication (2FA) because these are security hazards that people can trip over.

He reckons that open banking might be brilliant in terms of what it provides, but it is a big concern for banks, customers, and businesses.

Alastair Johnson said.

“Even the best of us get phished”

“More and more we see that consumers are wanting to take back control and access to services, and convenience. It’s a wonderful drive forward that enables the fintech industry. The opportunity is fantastic, but anything new like this is going to be dangerous, and criminal groups will see new opportunities in it,” Mr. Johnson said.

In November, Ticketmaster UK was fined £1.25m for failing to keep its customers' personal data secure, BBC reported. Ticketmaster had installed a third-party chatbot built by Inbenta Technologies on its website. The chatbot had a vulnerability, and cyber attackers were able to exploit it in order to steal payment details. As a result, 60,000 Barclays bank customers were victims of fraud. Meanwhile, online bank Monzo had to replace 6,000 payment cards due to fraud.

In this case, millions of people in the UK and Europe were exposed to potential fraud. Now, if you are embracing the open banking concept, you let your bank share details with third party providers all the time: when you pay your bills when you shop online, when you download an app for daily budget planning, or an app for saving your spare change, or use an online mortgage broker, etc.

Technically, there are systems in place to protect your financial data. Most European banks already use strong customer authentication that is required under the EU Revised Directive on Payment Services (PSD2) on payment service providers. The requirement ensures that electronic payments are performed with multi-factor authentication to increase the security of electronic payments.

Yet breaches do happen. “It’s good as a whole,” Mr. Johnson reckons. Banks have liabilities to protect consumer data, and fintech, hopefully, is doing their best to protect it, too. Users have become more vigilant because many have been affected by cybercrime themselves, or know someone who did, or have read warnings on social media. 

“If we take away the simple premise of username and password that can’t be phished, then that removes the possibility. You’ve seen some of the best people phished through very intelligent approaches,” Mr. Johnson said.

The problem also lies within using email and SMS for user identification. “We are actually using security verification through a phone communication system that was never designed for that,” Mr. Johnson said. 

Digital identity

It’s important to say that a third-party provider needs your agreement so that your bank could share your financial data. Still, you are handing over your data to a business entity.

“Our drive is to say that you should have a verified digital identity,” Mr. Johnson said. It should be established with a government-issued photo ID, associated with existing payment sources, data stored via blockchain so that nobody could see it, and used with biometric solutions instead of passwords.

Verification of your digital identity should be based on the transactions you make. After you've made, for example, a thousand transactions, which were verified as good transactions by the merchant, the issuing bank, and the receiving bank, you are going to be considered trustworthy.

“Maybe you don’t need to know the date of birth or what my mother’s maiden name is when I’m buying socks on a Wednesday. You don’t even have to know who’s behind the transaction. You know that the real person is verified and making good payments. It’s a solid way forward,” Mr. Johnson said.

Personal information supplied by an individual should be owned and controlled only by the individual themselves. If necessary, it should only be provided on a read-only basis, which can be revoked, or only made available to specific ID holders, or through verified claims.

“Even if that financial service was breached a week after you interacted with it, there’s no information available about you in that breach,” Mr. Johnson said.

Now, you are still handing over your data to the business. That’s why, he argues, there’s a need for self-sovereign data storage. 

“Yesterday, all the businesses held data. Tomorrow the individual will own and control that,” he said.

While there may be fairly obvious safeguards, Mr. Johnson explained, such as not clicking on links in an email you receive from your bank if you’re unsure that the email is genuinely from your bank, the bigger issue is that usernames, passwords and 2FA have proven to be unsafe time and time again.

“I think the issue here is that we fundamentally don’t think that existing methods of username and passwords, 2FA, etc., are secure, which is why we are advocating the use of verified digital identities. Attacks arising from SIM swapping and email hacking can easily circumvent 2FA in its most basic form. The way institutions can offer their customers true protection - and, in turn, users can feel safe about their data - is by adopting biometrically-verified digital IDs, tied to a payment method,” he told CyberNews.