PSD2 is centered around exposing sensitive customer data. This means the security measures you take to expose this data cannot have any loopholes. Just like your API management strategy, your security strategy is critical to implementing successful compliance.
WSO2 Open Banking comes with inbuilt capabilities to support Strong Customer Authentication (SCA) and access management. Built around the key requirements of the Regulatory Technical Standards (RTS) it provides the end to end security requirements for compliance, while ensuring that customer experience is not compromised.
This webinar will cover
The key requirements of the RTS for PSD2 Compliance - Strong Customer Authentication (SCA), federated authentication, consent management and more
The capabilities of WSO2 Open Banking to meet these security requirements
How to ensure a secure yet frictionless customer experience
A demonstration of WSO2 Open Banking
Building a Fool Proof Security Strategy for PSD2 Compliance
1. Building a Fool Proof Security Strategy for PSD2 Compliance
Pushpalanka Jayawardhana
Financial Solutions - WSO2
2. Line Up
• PSD2
• PSD2 RTS on SCA and Secured Communication
• Compliance Requirements
– API Security
• Specifications to meet recommendations
Eg. OpenBanking Org UK specification/ Berlin Group/ STET/ FAPI
- OIDC Hybrid Flow
- Private Key JWT authentication
– Strong Customer Authentication
– Consent Management
– Fraud Detection
• Implicit Requirements
– Conditional Authentication
– Adaptive Authentication
– Fine Grained Authorization
3. PSD2
Mandates Banks to
- securely expose
- customer Account and Payment data
- with customer consent
- to regulated third parties
- via APIs
4. With the Objective of
● Providing a frictionless user experience
● Making electronic payments more secure
● Establish a platform for effective and integrated payment services
● Providing openness required for innovations in the domain, with enhanced competition.
6. PSD2
RTS on SCA and Secured Communication
● Two factor Authentication
● Strong authentication is required with at least two factors from below,
i. Knowledge factors (username and password, pin)
ii. Possession factors (mobile, security device, token generator)
iii. Inherence factors (fingerprint, voice, iris pattern)
● Open secured APIs for payment initiation and account information
● Access delegation with explicit user consent
● Secured Communication
● Fraud detection and audit logs
7. More Requirements
● Conditional Authentication
● Adaptive Authentication
● Fine grained authorization
● Federated Authentication
● Continued security procedures
9. Strong Customer Authentication (SCA)
● Correctly identifying and authenticating the end user is a necessity.
● More secure than just having basic authentication.
● WSO2 Open Banking Solution provides,
○ Multi Factor Authentication (MFA) support with SMS/OTP, FIDO, DUO, MePin etc.
■ WSO2 connector store - https://store.wso2.com/store/assets/isconnector/list
○ Extensible to support any other mechanism preferred by banks to authenticate users.
Knowledge: Password, PIN, ID number
Ownership: Mobile device, token or smart card
Inherence: Fingerprint, face or voice recognition
10. API Security
● Exposing confidential internal data to external parties
● Inbuilt OAuth2 security layer provided by IAM capabilities ensures secure API invocations through WSO2 Open Banking Solution.
● Supports common grant types such as Client Credentials, Authorization Code, Password, Implicit, SAML Bearer, JWT assertion bearer and Integrated Windows Authentication (IWA), allowing APIs to be used by different types of Applications.
● Applicable entitlement management and enforcement layer
Our recent webinar on API Mgt :
https://wso2.com/library/webinars/2017/11/getting-your-api-management-strategy-on-point-for-psd2-compliance/
11. Standards
JSON, REST, OAuth, OpenID Connect
Sources -
ODI OBWG : Open Banking Standard 2016 &
Ⓒ By 2016 Nomura Research Institute https://www.slideshare.net/nat_sakimura/financial-grade-oauth-openid-connect
12. Specifics for OIDC
• OIDC Hybrid flow
• Request object
• s_hash
• Private_key_jwt client authentication
➢ Fewer round trips than authorization_code
➢ Avoids multiple mix-up attacks, e.g. IdP mix-up
➢ Protection from ‘state’ parameter injection
➢ Strengthens source authentication
13. Consent Management
● Comprehensive support to manage user consent
○ For payment transactions or account information aggregations
○ Revoking consents
○ Operations from customer care officers
● GDPR Implications (May 2018)
14. System is breach proof?
Data Breaches
Frequency: 998 incidents, 471 with confirmed data disclosure
Top 3 patterns: Denial of Service, Web Application Attacks and Payment Card Skimming represent 88% of all security incidents within Financial Services
Threat actors: 94% External, 6% Internal, <1% Partner (all incidents)
Actor motives: 96% Financial, 1% Espionage (all incidents)
Data compromised: 71% Credentials, 12% Payment, 9% Personal
- DoS attacks were the most common incident type.
Summary
Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords,
along with ATM skimming operations.
Source : Verizon 2017 Data Breach Investigations Report - 10th Edition
15. Fraud Detection
• Allows Organizations to
– Detect known anomalies via contextually evolving rules
– Detect unknown anomalies via Machine Learning
– Detect Anomalous event sequences via Markov Modelling
– Reduce False Positives via Fraud Scoring
– Further investigate and identify complex relationships using
Interactive Analytics
[Chart: transaction quantity against value, with the anomaly highlighted]
17. Adaptive Authentication
● Adaptive Authentication allows the solution to adjust the authentication strength
● This is based on the feedback from analytics engine.
● Makes the authentication stronger or relaxes it based on the context at hand.
● Provides better user experience, enforcing strong authentication only when it’s necessary.
[Flow: transaction amount > 10000 EUR: Basic Authentication, then SMS OTP Authentication, then Authenticated; transaction amount < 10000 EUR: Basic Authentication, then Authenticated]
19. Fine Grained Authorization
● In the Authentication Flow
○ WSO2 IS can support fine grained authorization with XACML 2.0/3.0
○ User authentication decision can be affected by other factors
■ Eg. In a specific time interval, users cannot login
● In the API calls
○ WSO2 AM can intercept the flows to apply fine grained authorization
○ Consume authorization decisions from IS, acting as a PEP
■ Eg. API response can be further customized according to user attributes.
● If the user belongs to ‘Platinum’ tier let them take online loans below an amount x.
20. Continued Assurance Process
• Proactive strategy (Continuous Integration)
– WSO2 Security Guidelines based on OWASP
– Commercial static code and dynamic security scan tools
– Third party dependency scans
• Reactive strategy
– Any vulnerabilities reported are addressed with the highest priority
– Issue fixes to customers before public disclosure
Resources :
https://wso2.com/technical-reports/wso2-secure-engineering-guidelines
https://wso2.com/security
21. Creates an “Open Banking” platform to be PSD2 compliant and as a result become a Digitally Transformed Bank.
[Architecture diagram: Customer, TPP (AISP/PISP), FinTech and Merchants on the external side; WSO2 Open Banking with the API Specification (API Definitions) in the middle; Core Banking and Internal Payment Services inside the Bank Internal Network; Other Banks; transport labels shown: ISO 8583 (TCP/IP), HTTP, HTTPS]
22. WSO2 Open Banking
PSD2 Compliance
● API Specification
● API Security + SCA
● API Analytics
● API Monetization
TPP Provider
● API Integration
● Fraud Detection
● API Analytics
● Dashboards
Digital Transformation
● Web/Mobile App Suite
● Insight Sales
● Required Integration
24. Resources
More Information http://wso2.com/solutions/financial/open-banking/
Try out WSO2 Open Banking https://openbanking.wso2.com
On Demand Webinars
https://wso2.com/library/webinars/2017/11/getting-your-api-management-strategy-on-point-for-psd2-compliance/
http://wso2.com/library/webinars/2017/08/wso2-open-banking-digital-transformation-through-psd2/
Open Banking White Paper
http://wso2.com/whitepapers/digital-transformation-through-psd2-and-open-banking/