
Funny story, this. UK.gov's 'open banking app revolution'. Security experts not a fan of it

They don't care for it. Say it's bad news

By John Leyden and Kat Hall, 10 Aug 2016

Analysis UK banking industry regulators are pushing banks to offer customers access to their data through shared smartphone apps.

The new rules from the Competition and Markets Authority are designed to promote transparency and clarity while providing an incentive for customers to switch providers. The model is taken from the UK's deregulated electricity industry.

Security experts, however, remain concerned that the new approach exposes customer data to greater risk.

First, banking information is far more sensitive than how many units of gas or electricity a household uses in a month. Second, the security of individual banking apps is already a concern, before even considering the extra issues a cross-industry comparison app would bring to the party.

Winston Bond, EMEA technical director at app security firm Arxan Technologies, commented: "[The] announcement from the Competition and Markets Authority that banks should offer all of their core services via mobile is great news for consumers seeking more freedom and flexibility, but could also leave the door open for an unprecedented cyber-attack if the banks are not able to meet the increased demand for security.

"Cyber security remains a major concern for mobile financial apps, and all of the most popular apps we tested for our 2016 State of Application Security Report had at least one major security flaw that could be exploited by attackers. The most common issue is a lack of binary protection, which could allow cybercriminals to tamper with the app and steal personal data, and most apps also lack sufficient protection in the transport layer, potentially enabling thieves to intercept data transmissions," Bond added.

Bill Curtis, chief scientist at software analysis firm CAST, warned: "I suspect the people happiest about this are the hackers; the question is how secure is the app and how secure are the phones?"

"So the app has to be secure and your phone has to be secure. This is going to accelerate the focus on security for mobile devices. This could be a massive disaster if security holes are not shored up," he added.

The architecture of the app planned by the CMA throws up its own particular issues, according to Arxan's Bond.

"APIs (application programming interfaces), which are a major cornerstone of the CMA's plan for banks to share consumer data, can also provide an easy route for attackers if not properly secured. Most APIs use a simple authentication protocol to confirm access to server assets. The usual approach is a simple challenge-response exchange that relies on cryptographic keys to keep it secure. If attackers are able to break into the app and decompile its code, they can root out these keys and use them to connect to any authorised system – including the bank's servers.

"With mobile financial apps already providing so many attack vectors, both the banks and 'approved firms' involved in the data-sharing scheme will need to be even more vigilant in proofing their applications against criminals. The more data is shared and interconnected, the greater the risk of attackers being able to infiltrate multiple organisations to operate large-scale data theft," Bond warned.
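The attack Bond sketches above, shown as an added example rather than code from the article or from any bank or vendor: a challenge-response scheme whose client secret is shared by every installed copy of an app is only as secret as the app binary. The "decompiled app" here is a constructed byte blob with a hypothetical `API_CLIENT_SECRET` embedded in it; the server, the nonce format and the HMAC-SHA256 response are all assumptions for illustration, not any bank's real protocol.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for a decompiled mobile banking app: a byte blob with a
# hard-coded API secret sitting in its data section. Hypothetical values only.
EMBEDDED_SECRET = b"0f9a3c7e2b1d4e6f8a0c2e4b6d8f1a3c5e7a9c1b"   # 40 hex chars
FAKE_APP_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"User-Agent: ExampleBank/1.0\x00"
    + b"https://api.examplebank.invalid/v1/accounts\x00"
    + b"API_CLIENT_SECRET=" + EMBEDDED_SECRET + b"\x00"
    + b"\x90" * 32
)


def printable_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Crude equivalent of the `strings` utility: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def find_candidate_secrets(blob: bytes) -> list[bytes]:
    """Flag KEY=VALUE pairs whose name smells like a credential and whose
    value is a long hex/base64-looking token. This is the 'root out the keys'
    step; real tooling is smarter, but this is enough for an unobfuscated app."""
    pattern = rb"[A-Z_]*(?:SECRET|KEY|TOKEN)[A-Z_]*=([A-Za-z0-9+/=_-]{32,})"
    return [m.group(1) for m in re.finditer(pattern, blob)]


class ApiServer:
    """Server side of a simple challenge-response scheme: it shares one static
    client secret with every copy of the app and checks HMAC(secret, nonce)."""

    def __init__(self, client_secret: bytes):
        self._secret = client_secret
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                       # unknown or already-used nonce
        self._outstanding.discard(nonce)       # one-shot: blocks replay
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """What the legitimate app does with its embedded secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def attacker_session(server: ApiServer, binary: bytes) -> bool:
    """Pull candidate secrets out of the 'decompiled' app and try each one
    against a fresh challenge. Returns True if the server accepts us as the app."""
    for candidate in find_candidate_secrets(binary):
        nonce = server.challenge()
        if server.verify(nonce, respond(candidate, nonce)):
            return True
    return False


if __name__ == "__main__":
    print("strings found:", printable_strings(FAKE_APP_BINARY))
    print("candidate secrets:", find_candidate_secrets(FAKE_APP_BINARY))
    print("attacker authenticated:", attacker_session(ApiServer(EMBEDDED_SECRET), FAKE_APP_BINARY))
```

The one-shot nonce stops replay of a sniffed response, which is what the challenge-response design is for; it does nothing against an attacker who holds the secret itself, which is why the scanner alone is enough to pass authentication here. The usual caveat is that obfuscation and "binary protection" raise the cost of the extraction step but cannot make a secret stored on an untrusted device unrecoverable.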

The Competition and Markets Authority's findings – which are not significantly different from those contained in its interim report of May 2016 – are designed to encourage competition and switching in the retail banking market.

Commentators will be looking for a significant increase in real competition, and particularly in the numbers of customers switching providers, as evidence that the CMA's proposals are working. However UK consumers have historically been reluctant to switch, and simply making the possible benefits of switching more transparent through an app may not be enough to change this deeply engrained behaviour.

Fujitsu research has found that 35 per cent of UK personal customers have never switched bank, while the Federation of Small Businesses estimates that only 4 per cent of small businesses switch accounts each year.

Anthony Duffy, director of retail banking in UK and Ireland at Fujitsu, commented: "The CMA's central reform, the implementation of 'open banking' by early 2018, is to be welcomed. It will encourage further development of, and investment in, digital banking services and make it easier for customers to compare and contrast the products offered by different providers."

CAST's Curtis warned that the deadline set by regulators may not be realistic.

"The date given by the CMA for the single app is 2018, but it's worth bearing in mind legislators are not software people," Curtis said. "I don't think the government should make that determination. Government needs to make sure the providers have time to roll out secure, reliable apps.

"The other issue is the legacy. New banks can build with more modern languages, whereas the complexity of the software is the major limitation on older ones. Online-only banks have the advantage, as they won't have to modify as much code," he concluded. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing