After 15 months of banging the drum at every industry event I have spoken at, it finally looks as if we’re getting a response to my warnings that the EBA’s Regulatory Technical Standards for Strong Customer Authentication (RTSSCA) would bring European ecommerce to its knees.
The risk of a £45bn hit on ecommerce markets in the UK and €160bn across Europe seems to have focused minds, with the EBA now acknowledging ‘the complexity of the payments markets across the EU and the necessary changes… which may be challenging and may lead to some actors in the payments chain not being ready.’ It’s rather surprising that this realisation seems only now to have dawned on them, despite the fact that card schemes, acquirers, processors, gateways and merchants have been telling them for a long time that their proposals were probably the most ludicrous piece of legislation to come out of Europe – and that’s saying something! It is over 1000 days since the EBA launched its first consultation in August 2016 and Vendorcom and its members first realised the car crash of unintended consequences that was to come.
However, we are where we are and the EBA’s belated ‘Opinion’ on 21st June has now delivered a magical world of ‘supervisory flexibility’ that the 31 Competent Authorities (CAs) across Europe are trying to respond to. The EBA is looking for plans that meet their demands that any relaxation in the enforcement of RTSSCA should ‘…be on an exceptional basis…’; ‘…monitor execution…’; ‘…ensure swift compliance…’; ‘…set up a migration plan…’; ‘… request relevant information…’; and ‘…achieve consistency across EU…’. Good luck with that!
The banks and issuers are waking up from their stupor and beginning to realise that their siloed approach to payments has left them sleepwalking towards the SCA cliff edge.
The hunger for clarity is now raging across the merchant payments world and it’s time for the EBA and Competent Authorities to shake off their negligence of the past 480 days. The European Regulatory authorities have got us into this mess and, unfortunately, only they can get us out!
The payments ecosystem needs a strong mandate from the EBA and CAs to drive the collaborative change that will be necessary to deliver a consistent, ubiquitous approach.
Fifteen years ago, I had the privilege of sitting on the UK Chip & PIN Programme Management Organisation (PMO). This group, instigated by the Association for Payment Clearing Services (APACS), was highly effective in taking all aspects of the transition into consideration and keeping the Technical, Operational and Communications strands aligned.
As we move closer to the possibility of a transitional implementation beyond ‘SCAday’, I hope we will see a similar group set up to ensure that the implications of developments in one strand are appreciated by all stakeholders who have a role in the effective, seamless rollout of RTSSCA into the merchant to citizen/consumer payment value chain.
In chip & PIN, we had the advantage of an international standard that had been locked down by a collaborative, market-aware body, EMVCo. Given that the regulatory environment for SCA ‘centres’ on 31 ‘Competent Authorities’, with rules that are so poorly drafted, I believe that in addition to working groups for the Technical, Operational and Communications strands, we must have a Regulatory strand working group to ensure consistency across all regulatory domains. I am not confident that this has much profile in the current debate and urge merchants and payments solutions providers to promote it. After all, the intent of RTS SCA is crucial to maintaining consumer trust in the payments ecosystem. Almost 15 years after locking down fraud in face-to-face transactions, it’s about time we offered consumers the same level of protection online.
The situation is changing daily at the moment so you can follow my #SCAday countdown as I bring all the latest updates between now and 14th September – and beyond, at https://www.linkedin.com/in/paypaul
View the FinTech Connect 2019 website to find out more
Using APIs for Better Cyber Security
What is an API?
For most users of the internet, the screens, keyboards and monitors in front of them are the only computer interfaces they are aware of. These are the visible interfaces through which we interact with the machine and the internet. There is another type of interface that we come across every day but which is hidden from our view: interfaces that enable software components to interact with each other. For a long time this process was not standardized, and the developers of the Unix operating system created their own protocols for interprocess communication (IPC).
By the early 2000s, the technology industry felt the need for a standard, open software-to-software interface. This led to the development of the application programming interface, commonly known as the API. APIs provide a standardized interface through which programs communicate by sharing data and managing shared memory. APIs make software services available to workloads and applications, and they facilitate bidirectional communication between two processes. An API call includes all the information needed to carry out a task and, unlike a web form, an API does not need multiple user interactions to complete a process.
Cyber security and API
API security encapsulates integrity protection of the APIs you use or own. APIs are used by microservices and containers to communicate among themselves. With the development of APIs, we find ways to connect everyday things to smart devices, such as a refrigerator to an Android smartphone. As the integration of computers increases, interconnectivity becomes more important, and so do APIs and their security. With the rise of Internet of Things (IoT) applications, API security has become a growing concern.
Web scraping and APIs
Other than communicating within the software, an API is also used for providing access to the data of an application, web page, or operating system. Similarly, web scraping refers to the process of ‘scraping’ data from a webpage or multiple web pages.
Web scraping extracts data from a rendered web page, whereas an API provides the data directly. This poses a problem where the developer has not exposed the data through an API. Sometimes APIs are offered at a charge, and that fee might not be affordable. In these scenarios, web scraping is necessary to obtain the data you need. Web scraping with software written in Python is one of the more common methods used to extract data from web pages.
Security threats with API
Some common threats associated with APIs are:
- Man in the Middle (MITM): An MITM attack is one in which an attacker secretly intercepts communication between two API endpoints to obtain sensitive information. MITM attacks can give the attacker access to personal financial details and credentials.
- API injection: API injection refers to the insertion of malicious code into vulnerable software. Malicious commands, such as a SQL command, can also be inserted into an API message. All web APIs that require parsers and processors are susceptible to injection.
- Distributed denial of service (DDoS): DDoS attacks crash a website by flooding the bandwidth or resources of the attacked system. A DDoS attack overwhelms memory and bandwidth by opening a huge number of concurrent connections and sending or requesting large amounts of data with every transaction. The machine’s resources eventually give out under such pressure.
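As an added illustration of the API injection threat above (example code written for this article, not from the original page), the following Python uses an in-memory SQLite database with constructed sample rows to contrast a handler that splices a request parameter into the SQL text with one that binds it as a parameter; `regression_check` is the test a developer would keep to confirm a handler stays parameterised.

```python
import sqlite3

# Constructed sample rows for the demonstration; not from any real system.
USERS = [("alice", "user"), ("bob", "admin"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Injectable pattern: the request parameter is spliced into the SQL text, so the
    database parser treats whatever the caller sent as part of the command."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """Hardened form: the value is bound separately from the SQL text, so the parser
    only ever sees it as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def regression_check(lookup):
    """Defensive test for a lookup function: quote-bearing input must behave like any
    other unknown name (zero rows) and never widen the result set. Returns True if safe."""
    conn = make_db()
    # Constructed probe input: a quote that ends the string literal followed by an
    # always-true condition; a safe handler returns no rows for this "name".
    probe = "' OR '1'='1"
    return lookup(conn, probe) == [] and lookup(conn, "alice") == [("alice", "user")]


if __name__ == "__main__":
    print("vulnerable handler safe?    ", regression_check(lookup_vulnerable))
    print("parameterised handler safe? ", regression_check(lookup_parameterised))
```

The vulnerable handler returns every row for the probe because the database parses the quote as the end of the literal; the parameterised handler returns none.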
SOAP and REST API
SOAP and REST are the two most common approaches to implement APIs.
SOAP (Simple Object Access Protocol) is based on XML and is used for communication between computers. SOAP uses the built-in WS-Security standard, which relies on XML Encryption, XML Signature and SAML tokens to secure messages.
REST (Representational State Transfer) uses HTTP to get data and perform operations on remote computers. SSL/TLS authentication and HTTPS are used in REST to secure communication. It is easier to track and maintain all of these security protocols if you deploy to a centralized cloud platform suited to creating and hosting APIs.
How to improve cyber security
A hacked API can cause a serious data breach. Because APIs are exposed in this way, it is important to take additional steps to secure them.
- Using tokens: assigning tokens to trusted identities and using them to control access to data can protect your systems from malicious requests.
- Authentication verifies the identity of the end user. In REST APIs, authentication is built on the TLS protocol; OAuth 2 and OpenID, layered on top of TLS, provide stronger authentication than TLS alone.
- Using an API gateway can secure your APIs. Gateways inspect API traffic; a good gateway lets you authenticate traffic and also control and analyze how your APIs are used.
- Using scanners and sniffers to detect vulnerabilities is a sound practice for securing your APIs. In addition, keep up to date with your API components and with major leaks and threats.
- Authorizing what data a user can access from the API prevents malicious users from accessing data beyond their role, and keeps them from reaching admin functionality.
This article covered everything you need to know about APIs and cybersecurity. API security protects the integrity of APIs and should be a concern for organizations and individuals as IoT continues to evolve and develop.
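As an added example (my own code, not from the original article) tying together the token, authentication and authorization points above, the following Python implements the decision an API gateway makes before forwarding a request: it verifies an HMAC-signed bearer token, rejects expired or tampered tokens, and then enforces the role the endpoint requires. The signing key and the role ranks are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the demonstration; a real gateway loads it from a secret store.
SECRET_KEY = b"demo-only-signing-key"
# Assumed role hierarchy: admin endpoints need rank 2, ordinary endpoints rank 1.
ROLE_RANK = {"user": 1, "admin": 2}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, ttl=300, now=None):
    """Issue a bearer token: base64(claims) '.' base64(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "role": role, "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token, now=None):
    """Authenticate: return the claims if the signature is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token, required_role, now=None):
    """Gateway decision for one request: authenticate, then enforce the endpoint's role.
    Returns the (HTTP status, reason) pair the gateway would answer with."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "unauthenticated"
    if ROLE_RANK.get(claims.get("role"), 0) < ROLE_RANK[required_role]:
        return 403, "forbidden"
    return 200, "ok:" + str(claims.get("sub"))
```

A user-role token is accepted on a user endpoint, refused with 403 on an admin endpoint, and refused with 401 once it expires or if its claims are altered without re-signing.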
Konsentus Verify supports checking of UK-RTS compliant certificates
Konsentus today confirmed that its open banking third party provider (TPP) identity and regulatory checking solution, Konsentus Verify, can validate the identity of TPPs regardless of whether a UK-RTS compliant digital certificate or EEA issued eIDAS certificate is presented.
This follows OBIE’s recent announcement that UK-regulated TPPs must complete their migration from OBIE Legacy Certificates to UK-RTS compliant certificates (OBWACs/OBSEALs) no later than 30 June 2021, by which time they must also have revoked any active OBIE Legacy Certificates.
From the end of June 2021, ASPSPs must reject the use of OBIE Legacy Certificates for PSD2 identification purposes ensuring they only accept certificates that are compliant with the UK-RTS.
Konsentus Verify provides TPP identity and regulatory checking services to protect Financial Institutions from the risk of open banking fraud. The identity checking element of the Konsentus solution is based on the validation of a TPP’s digital identity certificate.
Konsentus Verify checks in real time whether a certificate is valid and whether it was issued by a trusted certificate issuer. In addition, Konsentus Verify checks which payment services a TPP is authorised to provide by its home-country National Competent Authority.
However, digital identity certificates are not usually updated over a certificate’s lifespan and do not list the roles a TPP can perform outside the TPP’s home country. Any ‘Passporting’ information must be obtained for each country the TPP wants to provide services into.
Any EEA TPP wanting to access accounts held by a UK-based ASPSP must either be on the FCA’s Temporary Permissions Regime list or registered directly with the FCA. Konsentus Verify validates in real time the legitimacy and current authorisation status of TPPs providing payment services in the UK, regardless of whether an eIDAS or UK-RTS compliant certificate is presented.
Mike Woods, CEO of Konsentus, commented, “With over 200 UK TPPs regulated to provide open banking services in the UK, we can offer our customers a single solution that means both UK-RTS compliant certificates and eIDAS certificates can be checked without having to introduce additional processes or delays. No matter where the transaction is taking place or where the TPP is located, we offer our customers a single solution providing identity and regulatory checking at the time of the transaction.”
The Hidden Challenges of Data Retention
Companies are drowning in enterprise data. While such data can serve as a conduit to innovation, it can also be a liability.
Having the right data retention policies in place not only protects data from unauthorized access or other malfeasances, it also ensures data is primed for business usage. Furthermore, recent regulations such as GDPR mandate the creation of a data retention policy to prove data is properly managed and utilized throughout its entire lifecycle, but especially at the very end.
While many organizations excel at saving data, few have mastered data disposal.
According to a 2020 Deloitte survey, while 80% of companies surveyed have a defined data retention policy in place:
“only one out of three respondents provided data to the business process owners for final disposition. Data is seldom reclassified or anonymised per current practices. Organisations may not be aware of techniques to use anonymised/pseudonymised data in an effective manner. Only 30 percent of the organisations were adopting automated erasure techniques for data on completion of the retention period.”
Furthermore, the report found that an alarming number of companies relied on ineffective data deletion and drive/device formatting methods that can leave sensitive data unprotected. In fact, more than 15% of second-hand drives purchased from an online retailer contained leftover data from the previous users.
GDPR and like-minded regulations also require proof of data disposal in the event of a consumer complaint. However, this too has been woefully overlooked as only 32% of companies “are prepared for and may have conducted audits of processing activities with respect to end-of-life of personal data.”
It is clear that CISOs need to become involved with the data retention process. Though policy decisions can be left to chief data and privacy officers, CISOs are increasingly being compelled to oversee the execution of data retention strategy, especially when it comes to the logging and verification of data disposal.
Data Lake Security & Governance
Over the past decade, data lakes have surged in popularity amongst data scientists looking to experiment with advanced analytics. However, if not properly maintained, data lakes can easily devolve into data swamps in which the system is flooded with irrelevant, unusable data.
Such an environment poses a number of data security and privacy risks. To start with, data that can’t be found can’t be disposed of or retrieved in response to subject access requests.
Secondly, even well-governed data lakes are vulnerable to false data injection and malware obfuscation, as datasets are not separated by clear boundaries. As a result, someone with access to a particular file object can modify it, and there is no trail or history of what was modified.
CISOs, CDOs and CPOs must work together to create security-first data governance frameworks for data lakes to protect the business, its customers and its most valuable strategic data assets. Such a plan should also address:
- Data access control
- Data protection (encryption)
- Data lake usage audit
- Data leak prevention
- Data lineage documentation
In the event the business opts to “drain the data swamp”, it is critical for the CISO to play an active role in determining what data to keep and how to dispose of unusable or corrupted data in the most secure way possible.