F5 Distributed Cloud Security Solutions for PSD2-Compliant Strong Customer Authentication

Distributed Cloud Services help you deliver frictionless strong customer authentication and security that mitigates third-party payments provider risk, enhances customer experience, and complies with the EU Banking PSD2 Directive.


Digital Transformation in Financial Services Is Driving Focus on Consumer Protection

In every industry, there is rising pressure to increase revenue and reduce operating costs and losses. In the financial services industry, digital transformation is being driven by the rise of Open Banking and the benefits that aggregators provide to consumers. While these innovations have improved the customer experience, they also create a larger attack surface that can be targeted by fraudsters. To combat this, the European Banking Authority (EBA) has issued the Payment Services Directive 2 (PSD2) to protect consumers through strong customer authentication (SCA) across banks, aggregators, and other financial services providers. Specifically, Article 4, Paragraph 30 of the directive references the need for “strong customer authentication”, which it defines as follows:

Authentication based on the use of two or more elements categorized as knowledge (something only the user knows, e.g. passwords, PINs, passphrases, memorized swiping paths, responses to challenges), possession (something only the user possesses, e.g. hardware or software token generator, SMS text, OTP) and inherence (something the user is, e.g. biometrics, vein recognition, voice recognition, keystroke analysis, heart rate) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

As cybercriminals adapt and attempt to stay ahead of regulations, it is important that consumers are kept secure without creating friction in their access to and use of applications and APIs. 

The Multifactor Authentication PSD2 Myth: Is MFA/2FA Enough?

What is clear from PSD2 is that the EBA requires strong customer authentication. In addition, aggregators and third-party payments providers (TPPs) must be allowed access to customers’ accounts. The EBA outlines what needs to be done to achieve compliance—authentication based on the use of two or more elements categorized as knowledge, possession, and inherence. While PSD2 does not explicitly refer to multifactor authentication or 2FA, those practices have become synonymous with the two most prevalent authentication methods used by businesses: one-time passwords (OTP) and short message service (SMS). It is imperative that payment services providers ensure the confidentiality and integrity of the personalized security credentials and authentication codes used by payment service users during all phases of the authentication. However, SMS messages delivered in clear text have inherent, well-known vulnerabilities (e.g. mobile malware designed to steal text messages from users’ devices). Additionally, sophisticated phishing kits such as Kr3pto give experienced threat actors the ability to intercept one-time passwords in real time. Based on this evidence, businesses relying on just OTP and SMS are effectively introducing a security risk and potentially exposing their customers’ accounts. Distributed Cloud Services augment the SCA requirement with real-time application protection leveraging AI, machine learning, and other technologies.

How the F5 Distributed Cloud Platform Delivers Friction-Free, PSD2-Compliant Customer Authentication

The F5 Distributed Cloud platform offers rigorous cross-functional analysis in security, fraud, and identity functions. The use of all three secured authentication elements—knowledge, possession, inherence—allows higher fidelity and more flexibility. The European Banking Authority acknowledges the “inherence element” as the most exciting and progressive arena for authentication. Distributed Cloud Services help financial services organizations meet PSD2 requirements by providing comprehensive web, mobile, and API protection that is effortless to operate. The Distributed Cloud Platform automatically mitigates evolving attacks by observing and learning from every interaction. Let’s look at an example scenario below:

F5's deep customer authentication in practice (three-element verification)

  • Step 1: User approaches online property or application.
  • Step 2: Username is either entered or prepopulated (note that a username is not a knowledge element on its own).
  • Step 3: User enters password or PIN (a compliant knowledge element).
  • Step 4: Distributed Cloud Bot Defense performs runtime possession element verification through passive biometrics such as Device ID telemetry collection.
  • Step 5: Distributed Cloud Bot Defense performs runtime inherence element verification through behavioral biometrics.
  • Step 6: User is verified and completes the money transfer with no step-up friction.
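As an added illustration (not F5's code or product logic), the following Python evaluator applies the rule the scenario above walks through: a login is SCA-compliant only when verified elements span two or more distinct categories, and a username alone proves nothing. The element names and their category mapping are assumptions modelled on the steps listed.

```python
# Added example (not F5 code): decide whether the evidence gathered during a
# login satisfies the PSD2 rule of two or more elements from distinct
# categories. Element names and the category mapping are assumptions that
# follow the scenario above.
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# "username" is deliberately absent: it identifies the user but proves nothing.
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "hardware_token_otp": Category.POSSESSION,
    "device_id": Category.POSSESSION,
    "behavioral_biometrics": Category.INHERENCE,
}


@dataclass(frozen=True)
class Evidence:
    kind: str       # an ELEMENT_CATEGORY key, or an identifier such as "username"
    verified: bool  # did the runtime check actually pass?


def categories_proven(evidence):
    """Distinct SCA categories backed by at least one verified element."""
    return {ELEMENT_CATEGORY[e.kind] for e in evidence
            if e.verified and e.kind in ELEMENT_CATEGORY}


def sca_decision(evidence):
    """Return (satisfied, proven categories, categories still unproven).

    Two elements of the same category (e.g. password + PIN) count once: the
    directive asks for independent categories, not merely two checks."""
    proven = categories_proven(evidence)
    return len(proven) >= 2, proven, set(Category) - proven


if __name__ == "__main__":
    # Constructed sample matching Steps 2 to 5 of the scenario above.
    login = [Evidence("username", True), Evidence("password", True),
             Evidence("device_id", True), Evidence("behavioral_biometrics", True)]
    ok, proven, unproven = sca_decision(login)
    print("SCA satisfied:", ok, "categories:", sorted(c.value for c in proven))
```

The unproven set tells a policy engine which category a step-up challenge would still need to cover.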

Distributed Cloud Services complement OTP and SMS 2FA with behavioral, cross-functional analysis in real time that collectively authenticates users in compliance with all three of PSD2’s strong customer authentication elements, achieving compliance, improving security, and removing user friction.

What Security Teams Need to Know About Third-Party Providers and Aggregators

PSD2 encourages innovation and open banking by requiring financial institutions to grant third-party providers (TPPs) access to customer data. TPP applications connect to financial institutions via APIs to aggregate data and deliver single-pane visibility. For example, they might consolidate a customer’s bank balance, transactions, and profiles across accounts. App and API security is critical to mitigate risk to users’ information and prevent fraud while meeting customer expectations. Below are a few examples of the risks aggregators introduce:

Aggregator impersonation attacks
Aggregators that have a working relationship with their sources are often allowed access into the institution’s services. Attackers take advantage of this relationship by validating accounts using credential stuffing against the aggregator instead of directly against the institution.

Account takeover
Financial aggregators store customer banking credentials (usernames and passwords) and up to 90 days of account data, making them a tempting target for attackers. Attackers can leverage user-enabled fintech applications to steal account balances as well as access other online payment systems.

Unpredictable spikes in traffic load
Aggregators make up a significant portion of financial institution account queries and poll the financial institution for updated consumer account data up to tens of thousands of times a day. Multiply that by thousands of customers, and FIs are left adding capacity just to deal with aggregator traffic.

Screen scraping
Consumers willingly provide their credentials to fintech aggregators who, in turn, use automation tools to crawl and scrape the consumers’ data from financial institutions’ applications. While the aggregation of this data may provide some immediate perceived benefits to consumers, the way some aggregators are accessing this data may violate data compliance regulations and may ultimately expose consumers’ data to fraud.

How F5 Distributed Cloud Services Help Financial Institutions Manage Aggregators

F5 provides visibility and control to help FIs manage aggregators and defend against attacks. Customers enjoy full access to their data when and where they want it, through the apps they choose, while also being protected against credential stuffing and account takeover (ATO) risks.

Authentication visibility
Distributed Cloud Bot Defense sees every single login attempt and labels traffic as human, automated, or aggregator. F5 blocks attacks at the financial institution’s web and mobile properties and can also detect when attackers are credential stuffing through an aggregator for account validation.

Onboarding assistance
Distributed Cloud Aggregator Management encourages aggregators to move away from storing user financial credentials and switch to APIs supported by the financial institutions they source from. F5 works with the financial institution and the aggregator to make this transition.

Least privilege access
When APIs are used, Distributed Cloud Services can enforce only the privileges required by aggregators, reducing the threat surface. For example, transaction access can be restricted to read-only, or to summary information only.

Anomaly detection
Distributed Cloud Services help both the financial institution and the aggregator with anomaly detection. F5 fingerprints every attacker framework, including headless browsers and manual fraud attempts, and can block or alert both the aggregator and the financial institution.

Tackling advanced cybersecurity threats with F5
F5 Distributed Cloud Services provide best-in-class application security and fraud prevention solutions on one integrated platform. F5 leverages AI-powered precision to accurately detect attack traffic in real time as well as to detect and eliminate fraud.
