{"id":770,"date":"2018-05-29T15:40:34","date_gmt":"2018-05-29T15:40:34","guid":{"rendered":"https:\/\/securitycurve.com\/?p=770"},"modified":"2018-05-29T15:40:34","modified_gmt":"2018-05-29T15:40:34","slug":"psd2-why-i-care-only-a-little-bit","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=770","title":{"rendered":"PSD2: Why I care only a little bit."},"content":{"rendered":"

OK, so everyone keeps telling me about why I need to drop everything and go read about PSD2<\/a> this very second because it’ll take a nutcracker to security for financial institutions.\u00a0 Having become at least cursorily educated about it, I have to say that now I’m overall pretty “meh” about the whole thing.\u00a0 At least from a security point of view.<\/p>\n

Here’s what I mean by that.\u00a0 Firstly, it’s probably ultimately good for consumers.\u00a0 I’m not doubting that… well, OK, maybe I am doubting that a little bit… but since I only write about security, I’m willing to hold my peace on that front to see how the market reacts and what new services arise because of this.\u00a0 The part that I would tend to comment on – i.e., the security impact of it – I really don’t think is going to be the huge “hammer of doom<\/a>” that everyone says it will.<\/p>\n

If you don’t know about PSD2, I’m referring to EU Directive 2016\/2366<\/a>.\u00a0 In a nutshell, it requires banks and other financial institutions (e.g. retail lenders, etc.) to provide API’s such that other parties can provide services around finances in addition to the institutions themselves.\u00a0 Meaning, it’s about fostering competition in “financial-adjacent” services (by “financial adjacent”, I mean like opening up information so that technology providers can provide more services to you that would otherwise not be practicable because there’s no way for them to get to the data.)\u00a0 \u00a0So less like Google is going to become your bank and more like a “Google Financial” service where you can go to see a consolidated financial profile of what you have, what you owe, stock positions, etc.\u00a0 Would I use that?\u00a0 Again: “Meh?”…<\/p>\n

Now on to the security part.\u00a0 Don’t get me wrong here, I’m sure there will be security implications of this.\u00a0 Having worked at a large financial institution, I trust the ability of the average developer there about as far as I can throw them (I say this with love having been at the time a) also a developer and b) working in financial services).\u00a0 As an example of the shenanigans that go on and why I say that, I recall being in a meeting once to discuss a new order entry application… the developer of that spent (not kidding) about 15 minutes explaining in intricate detail the new “connect via URL” methodology they were using to “relay data” about the user to the app.\u00a0 After politely listening to the explanation, the colleague I was in the room with said “so… it’s a link… and you click it?”\u00a0 The developer grumbled, “yeah, you could also say it that way.”\u00a0 Point being, I’m sure that the API’s bit will introduce some security challenges, there will be some “kinks” to iron out along the way, and the first few stabs might not be the final end product.<\/p>\n

But other than this (which is to be expected), there are really two levels to the security impact: the program level and the API level.\u00a0 At a program level I’m referring to new protections that are required to secure what they’re trying to do.\u00a0 \u00a0And here, those security requirements are pretty high level.\u00a0 They also don’t really require much from the FI to adhere to as it’s arguably all stuff that they should be doing anyway.<\/p>\n

Consider the final report from the EU Banking Authority<\/a>\u00a0for example — i.e. “Guidelines on the security measures for operational and\u00a0security risks of payment services under Directive (EU) 2015\/2366 (PSD2)<\/em>.\u00a0 (side note to remind you that I AM NOT A LAWYER.)<\/strong>\u00a0 It requires (paraphrasing from the “Guidelines” section): risk management (including risk assessment), “Protection mechanisms” that include things like “defense in depth”, continuous monitoring, BCP, physical security, situational awareness, etc. Sound familiar?\u00a0 It should… because it pretty much says the same thing that every other security guidance document does since time immemorial.\u00a0 \u00a0The tl;dr?\u00a0 It’s super high level and any financial institution keen on not getting sued is already doing these things already.\u00a0 The most interesting part is Guideline 9 which relates to user awareness about risks — that’s a bit on the “novel” and “action required” side, although it’s not going to break the bank to put in place (get it? get it?\u00a0 break the bank?\u00a0 because it’s a ba…\u00a0 Nevermind).<\/p>\n

When it comes to the specific API’s is when it gets maybe a little more complicated.\u00a0 But I think upon reflection it will ultimately bolster security.\u00a0 I say this because services like Yodlee<\/a> and Mint<\/a> have channels already — as do more specific services like Fiserv<\/a> (formerly Checkfree) — to gain access to this data.\u00a0 The difference is that each one is a one-time kludge<\/del> “proprietary transactional mechanism” supporting an individual service.\u00a0 So conceptually, what’s new is the scope – i.e. the parties on the other end.\u00a0 But underneath, it’s an opportunity for standardization. I think that’s a good thing for the security of the system overall.<\/p>\n

Will there be problems along the way?\u00a0 Of course there will… in large part because appsec isn’t really anybody’s strong suit, but also because it’s increasing surface area about who has access to financial data.\u00a0 But ultimately, is it going to transform how FI’s implement security?\u00a0 I’m skeptical.\u00a0 Or, said another way, “meh”.<\/p>\n","protected":false},"excerpt":{"rendered":"

OK, so everyone keeps telling me about why I need to drop everything and go read about PSD2 this very second because it’ll take a nutcracker to security for financial institutions.\u00a0 Having become at least cursorily educated about it, I have to say that now I’m overall pretty “meh” about the whole thing.\u00a0 At least […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[94],"class_list":["post-770","post","type-post","status-publish","format-standard","hentry","category-security","tag-psd2"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=770"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/770\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}