Building a Fool Proof Security Strategy for PSD2 Compliance

Pushpalanka JayawardhanaFinancial Solutions - WSO2

Line Up• PSD2• PSD2 RTS on SCA and Secured Communication• Compliance Requirements

– API Security• Specifications to meet recommandations

Eg. OpenBanking Org UK specification/ Berlin Group/ STET/ FAPI- OIDC Hybrid Flow- Private Key JWT authentication

– Strong Customer Authentication– Consent Management– Fraud Detection

• Implicit Requirements– Conditional Authentication– Adaptive Authentication– Fine Grained Authorization

PSD2

Mandates Banks to - securely expose - customer Account and Payment data - with customer consent - to regulated third parties - via APIs

With the Objective of ● Providing a frictionless user experience

● Making electronic payments more secure

● Establish a platform for effective and integrated payment services

● Providing openness required for innovations in the domain, with enhanced competition.

Timeline

PSD2RTS on SCA and Secured Communication

● Two factor Authentication● Strong authentication is required with at least two factors from below,

i. Knowledge factors (username and password, pin)ii. Possession factors (mobile, security device, token generator)iii. Inherence factors (fingerprint, voice, iris pattern)

● Open secured APIs for payment initiation and account information● Access delegation with explicit user consent● Secured Communication● Fraud detection and audit logs

More Requirements● Conditional Authentication● Adaptive Authentication● Fine grained authorization● Federated Authentication● Continued security procedures

WSO2 Open Banking

Strong Customer Authentication (SCA)● Correctly identifying and authenticating the end user is a necessity.

● More secure than just having basic authentication.

● WSO2 Open Banking Solution provides,

○ Multi Factor Authentication (MFA ) support with SMS/OTP, FIDO, DUO, MePin etc.

■ WSO2 connector store - https://store.wso2.com/store/assets/isconnector/list

○ Extensible to support any other mechanism preferred by banks to authenticate users.

Knowledge Ownership Inherence

Password, PIN, ID number Mobile device, token or Smart card

Fingerprint, face or voice recognition

API Security● Exposing confidential internal data to external parties

● Inbuilt OAuth2 security layer provided by IAM capabilities ensures secure API invocations

through WSO2 Open Banking Solution.

● Supports common grant types such as Client Credentials, Authorization Code, Password,

Implicit, SAML Bearer, JWT assertion bearer and Integrated Windows Authentication

(IWA) allowing APIs to be used by different types of Applications.

● Applicable entitlement management and enforcement layer

Our recent webinar on API Mgt :

https://wso2.com/library/webinars/2017/11/getting-your-api-management-strategy-on-point-for-psd2-compliance/

Standards

JSON REST OAuth

OpenID Connect

Sources - ODI OBWG : Open Banking Standard 2016 & Ⓒ By 2016 Nomura Research Institute https://www.slideshare.net/nat_sakimura/financial-grade-oauth-openid-connect

Specifics for OIDC

• OIDC Hybrid flow• Request object • s_hash• Private_key_jwt client

authentication

➢ Less round trips than authorization_code

➢ Avoid multiple mix up attacks Eg. IDP mixup

➢ Protection from ‘state’ parameter injection

➢ Strengthen source authentication

Consent Management● Comprehensive support to manage user consent

○ For payment transactions or account information aggregations

○ Revoking consents

○ Operations from custom care officers

● GDPR Implications (May 2018)

System is breach proof?Data Breaches Frequency 998 Incidents, 471 with confirmed data disclosure

Top 3 patterns Denial of Service, Web Application Attacks and Payment Card Skimming represent

88% of all security incidents within Financial Services

Threat actors 94% External, 6% Internal, <1% Partner (all incidents)

Actor motives 96% Financial, 1% Espionage (all incidents)

Data compromised 71% Credentials, 12% Payment, 9% Personal

- DoS attacks were the most common incident type.

Summary

Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations.

Source : Verizon 2017 Data Breach Investigations Report - 10th Edition

Fraud Detection• Allows Organizations to

– Detect known anomalies via contextually evolving rules– Detect unknown anomalies via Machine Learning– Detect Anomalous event sequences via Markov Modelling– Reduce False Positives via Fraud Scoring– Further investigate and identify complex relationships using

Interactive Analytics

Quantity

ValueAnomaly

Conditional Authentication

Adaptive Authentication● Adaptive Authentication allows the solution to adjust the authentication strength

● This is based on the feedback from analytics engine.

● Maked the authentication stronger or relax it based on the context at hand.

● Provides better user experience, enforcing strong authentication only when it’s necessary.

Transaction amount > 10000 EUR

Transaction amount < 10000 EUR

Basic Authentication SMS OTP Authentication

Basic Authentication

Authenticated

Authenticated

Fine Grained Authorization● In the Authentication Flow

○ WSO2 IS can support fine grained authorization with XACML 2.0/3.0

○ User authentication decision can be affected by other factors

■ Eg. In a specific time interval, users cannot login

● In the API calls

○ WSO2 AM can intercept the flows to apply fine grained authorization

○ Consume authorization decisions from IS, acting as a PEP

■ Eg. API response can be further customized according to user attributes.

● If the user belongs to ‘Platinum’ tier let them take online loans below an

amount x.

Continued Assurance Process• Proactive strategy (Continuous Integration)

– WSO2 Security Guidelines based on OWSAP– Commercial static code and dynamic security scan tools– Third party dependency scans

• Reactive strategy– Any vulnerabilities reported are addressed with the

highest priority– Issue fixes to customers before public disclosure

Resources : https://wso2.com/technical-reports/wso2-secure-engineering-guidelineshttps://wso2.com/security

Creates an “Open Banking” platform to be PSD2 compliant and as a result become a Digitally

Transformed Bank.

API Specification

○ API Definitions○

WSO2 Open Banking

Customer

TPP (AISP/PISP)

FinTech

Merchants

Core Banking

Internal Payment Services

Bank Internal NetworkISO 8583 (TCP/IP)

HTTP

HTTPS

Other Banks

HTTPS

WSO2 Open Banking

● API Specification

● API Security + SCA

● API Analytics

● API Monetization

PSD2 Compliance

● API Integration

● Fraud Detection

● API Analytics

● Dashboards

TPP Provider

● Web/Mobile App Suite

● Insight Sales

● Required Integration

Digital

Transformation

Demohttps://openbanking.wso2.com/

Resources More Information http://wso2.com/solutions/financial/open-banking/

Try out WSO2 Open Banking https://openbanking.wso2.com

On Demand Webinars

https://wso2.com/library/webinars/2017/11/getting-your-api-management-strategy-on-point-for-psd

2-compliance/

http://wso2.com/library/webinars/2017/08/wso2-open-banking-digital-transformation-through-psd2/

Open Banking White Paper

http://wso2.com/whitepapers/digital-transformation-through-psd2-and-open-banking/

THANK YOU

wso2.com