We strongly agree with the reasoning set out by the EBA on the need for strong customer authentication, to deliver on the aims of PSD2. Smart, connected mobile devices are the primary platform that consumers choose to use to interact with their financial services providers. Mobile payment platforms are ubiquitous, overtaking web-browser based interfaces and in-person transaction. While this makes life easier and more convenient for the consumers, it introduces a level of risk for users, technology platforms and service providers who make use of those platforms.
Efforts by regulators in support of strong customer authentication to mitigate these risks are welcome, but only to the extent that they promote innovation and allow room for payment services to keep up with fraudsters and deploy new solutions when necessary.
Our concern is that the authentication procedure and authentication code described in Article 1 Chapter 1 of the draft RTS are too prescriptive and may result in crowding out other forms of authentication. Security is a moving target, and if the EBA enshrines a given authentication procedure in its guidance, this will ultimately become a point of vulnerability for malicious actors to exploit. We encourage the EBA to take a high-level, principles-based approach, which sets baseline requirements but does not develop detailed requirements prescribing the concrete authentication procedure.
The threat landscape outlined in this section of the guidance is accurate but not comprehensive. We would suggest that the EBA take account of the shifting nature of the threat landscape: 84% of cyber-attacks now happen at the app layer. Existing software-based protection has failed to keep up with this threat landscape; antivirus software only catches 45% of all malware attacks. Authentication with a discrete hardware component has proved effective at eradicating software attacks, but has scaled badly. For the coming few years, it is unlikely that 100% of devices will provide accessible hardware security, so we suggest that a combination of software- and hardware-based protection is the best way to deliver on the aims of the EBA guidance. The EBA guidance could however spell out more clearly the benefits of hardware-enabled security to underpin strong customer authentication. It is the direction the industry should go to alleviate many possible attacks.
We strongly support the protection of the confidentiality and integrity of payment service users' personalised security credentials as outlined in the EBA guidance, but observe that the EBA guidance should not seek to duplicate or overwrite the high standards of protection for personal data as enshrined in the General Data Protection Regulation (GDPR).
We strongly endorse the provision which states that “Secret cryptographic material related to the encryption of the credentials is stored in secure and tamper resistant devices and environments”. Providing a Trusted Execution Environment is the best means of delivering the most secure level of protection for any given device.
We support common and secure open standards for the development of authentication technologies and do not have any objections with the provisions outlined in Chapter 4 of the RTS.
We support an open and competitive environment for the development of payment services. The use of ISO 20022 is a good starting point to help ensure interoperability between PSPs and to promote an open and competitive landscape. We don't envisage any particular technical constraints which would prevent the use of such industry standards at this stage.
Our primary observation with regards to website certificates issued by a qualified trust service provider under e-IDAS is that this does not follow the direction of travel set by the market. Research demonstrates that in-app web activity vastly outstrips web based mobile activity, a trend which is only set to increase in the future. This phenomenon is even more pronounced when it comes to mobile banking and payment services: according to the British Bankers Association, apps represent 42% of interaction in 2015 rising to 73% by 2020.
While the measures for website certificates set out in the guidance are well-meaning, they fail to account for the fact that a steadily diminishing percentage of online activity (and payment services in particular) takes place on the web. Instead, consumers are opting for in-app payment services, largely on account of the superior user experience (speed and ease of use). As such, we suggest the EBA guidance take better account of the measures which can be taken to safeguard mobile banking apps and in-app payment services.
[IT services provider]
Trustonic develops a secure environment that runs at the heart of smart connected products and enables developers and service providers to access a range of security features.