Securing Open Banking for Africa
As Open Banking is being embraced by markets all over the world, what unique solutions will help secure Open Banking in Africa?
As we continue to see the fervent adoption of Fintech and the advancing innovation in digital financial services globally, there is growing support for Open Banking in markets across the world. Open Banking initiatives are being put in place to empower consumers to take greater control of their financial information: how it is used and by whom. By taking control of their own financial data, consumers will be equipped to manage their finances better. They will be able to decide who they want to share their information with, in order to make it cheaper and easier to find superior products and services.
Open Banking is gaining traction in markets such as Nigeria and Brazil, in Europe with the second Payment Services Directive (PSD2), and in the United States, where the Consumer Financial Protection Bureau (CFPB) has endorsed principles for the sharing and aggregation of financial data. In these markets Open Banking is being supported by central authorities such as central banks, and the initiative is being formalised with regulation and frameworks. Fundamental to any Open Banking framework or regulation, and essential to making Open Banking work effectively, is security around customer verification and consent.
Consumers will need to be able to authorise access to their accounts through explicit consent, and this applies to any remote channel activity that carries a risk of fraud. The authentication and authorisation requirements being written into Open Banking regulations converge on similar standards, exemplified by the Strong Customer Authentication (SCA) requirements of PSD2:
- Payments must be authenticated using at least two of the following three elements, i.e. two-factor authentication (2FA):
- Something the customer knows (e.g. password, PIN, security question)
- Something the customer has (e.g. phone, smartwatch, hardware token)
- Something the customer is (e.g. biometrics such as face ID or fingerprint)
- The two factors must be independent of one another, so that compromising one does not compromise the other, and the confidentiality of the authentication data must be preserved
- An authentication code must be generated that is dynamically linked to the transaction amount and payee, i.e. it incorporates particulars that are unique to that specific transaction, so that a code issued for one payment cannot be reused for a different amount or recipient
To enable Open Banking in Africa and, indeed, to ensure that any financial service transaction is securely authenticated in markets where access to a reliable data connection may not be available, provision of ubiquitous technology for authentication is essential.
One-Time-Password over SMS
When it comes to ubiquitous technology, one-time-password (OTP) over SMS is popular globally for the authentication of digital financial services. However, OTP via SMS has long been considered a weak channel for authenticating financial transactions, as it does not meet strict security standards. In its 2016 draft of Special Publication 800-63B, the US National Institute of Standards and Technology (NIST) deprecated SMS as an out-of-band authenticator because messages can be intercepted or redirected to an attacker, for example through SIM swap. This also poses a challenge to providers using the service: they have no reliable audit trail of who actually received a code, and the SMS channel becomes a single point of failure through which large-scale fraud can be committed. What is of concern is that recent research among leading financial services CIOs in Kenya found that 87% of financial services providers deploy OTP via SMS to protect transactions, which echoes the trend for OTP via SMS all over the world.
Unstructured Supplementary Service Data for Authentication
Unstructured Supplementary Service Data (USSD) can be used as a ubiquitous technology to provide secure digital financial services. USSD works on virtually every GSM handset, and unlike SMS it is session-based: the prompt and the customer's reply travel within a live session rather than as stored messages. USSD can therefore serve as an Out of Band Authentication (OBA) channel that is separate from the channel on which the transaction is taking place. This way, if the web browser a customer is using for online banking is compromised, for example, the fraudster will not have access to the USSD channel for authenticating the transaction (unless the handset itself is also under the attacker's control). The USSD channel is still bound to the SIM, so SIM swap remains the residual risk; combined with SIM swap detection services, this makes for a robust service to protect digital transactions. USSD for authentication hereby provides a technology that is accessible to everyone, but one that is more resistant to interception than OTP over SMS.
Payment details to protect against social engineering
One of the main benefits of including dynamic linking, as part of any resilient authentication service, is that it helps to secure against social engineering. If a customer is shown the transaction amount and the details of the payee when authenticating, they are far more likely to notice that a fraudster, and not the bank or service provider the fraudster is purporting to be, is the actual recipient of the payment. So even if someone calls claiming to be from the bank, or a user has clicked on a link in a text message to make a payment, the authentication step gives a clear reference to the payee, which highlights that it isn't the bank they'll be paying.
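The following is an added example, not code from the original article or from Myriad Connect, that puts the preceding three ideas together in one simulated flow: the SCA requirements (two independent factors plus a code dynamically linked to amount and payee), USSD as an out-of-band channel separate from the browser, and showing the payee to the customer before they confirm. The bank, the USSD gateway, the customer record (+254700000001, PIN 4821), the SIM registry, the 72-hour post-swap cooldown and the HMAC-based code construction are all constructed assumptions; real deployments would use a network operator's SIM check and the PSP's own code format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# --- Constructed enrolment data (assumptions, not real customers) -------------
# Per-customer key shared between the bank and the authentication service.
DEVICE_KEYS = {"+254700000001": bytes.fromhex("6f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)}
# Salted PBKDF2 hash of the customer's PIN (knowledge factor); the PIN is never stored.
PIN_SALT = b"constructed-salt"
def pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
PIN_HASHES = {"+254700000001": pin_hash("4821")}
# SIM registry stand-in: MSISDN -> IMSI currently attached and when it last changed.
SIM_REGISTRY = {"+254700000001": {"imsi": "639020000000001", "swapped_at": 1_700_000_000}}
SIM_SWAP_COOLDOWN = 72 * 3600  # assumption: refuse high-risk auth for 72h after a swap

class Declined(Exception):
    """Raised whenever a step of the flow fails; the transaction never executes."""

def sim_recently_swapped(msisdn: str, now: int) -> bool:
    """Real-time SIM check stand-in: True if the SIM changed inside the cooldown window."""
    rec = SIM_REGISTRY.get(msisdn)
    return rec is None or now - rec["swapped_at"] < SIM_SWAP_COOLDOWN

def dynamic_link_code(key: bytes, session_id: str, amount_cents: int, payee: str, digits: int = 8) -> str:
    """Authentication code bound to this session, amount and payee (HOTP-style truncation).
    Changing any of the three changes the code: this is what PSD2 calls dynamic linking."""
    msg = f"{session_id}|{amount_cents}|{payee}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

@dataclass
class PendingTx:
    msisdn: str
    amount_cents: int
    payee: str
    code: Optional[str] = None  # set only after out-of-band confirmation

class Bank:
    def __init__(self):
        self.pending: dict[str, PendingTx] = {}
        self.ledger: list[tuple[str, int, str]] = []

    # Channel 1 (browser): the customer initiates a payment online.
    def initiate(self, msisdn: str, amount_cents: int, payee: str, now: int) -> str:
        if sim_recently_swapped(msisdn, now):
            raise Declined("SIM changed recently; out-of-band channel not trusted")
        session_id = secrets.token_hex(8)
        self.pending[session_id] = PendingTx(msisdn, amount_cents, payee)
        return session_id

    # Channel 2 (USSD push): the text the customer reads on the handset. Showing the
    # real payee here is what defeats the "this is your bank calling" script.
    def ussd_prompt(self, session_id: str) -> str:
        tx = self.pending[session_id]
        return (f"Pay KES {tx.amount_cents / 100:,.2f} to {tx.payee}? "
                "Enter PIN to confirm or 0 to cancel")

    # Channel 2: the reply. The USSD gateway supplies the MSISDN of the SIM in the
    # session (possession factor); the PIN typed into the session is the knowledge factor.
    def ussd_confirm(self, session_id: str, network_msisdn: str, pin: str) -> str:
        tx = self.pending[session_id]
        if pin == "0":
            del self.pending[session_id]
            raise Declined("customer cancelled after seeing the payee")
        if network_msisdn != tx.msisdn:
            raise Declined("reply came from a different SIM")
        if not hmac.compare_digest(pin_hash(pin), PIN_HASHES[tx.msisdn]):
            raise Declined("wrong PIN")
        tx.code = dynamic_link_code(DEVICE_KEYS[tx.msisdn], session_id, tx.amount_cents, tx.payee)
        return tx.code

    # Channel 1 again: the online channel submits the final instruction with the code.
    # The code is recomputed over the *submitted* amount and payee, so a browser that
    # silently swaps in a mule account after confirmation fails here.
    def execute(self, session_id: str, amount_cents: int, payee: str, code: str) -> bool:
        tx = self.pending.pop(session_id, None)
        if tx is None or tx.code is None:
            raise Declined("no confirmed transaction for this session")
        expected = dynamic_link_code(DEVICE_KEYS[tx.msisdn], session_id, amount_cents, payee)
        if not hmac.compare_digest(expected, code):
            raise Declined("amount or payee differs from what the customer confirmed")
        self.ledger.append((tx.msisdn, amount_cents, payee))
        return True
```

Walking through it: an honest payment passes `initiate`, shows "Pay KES 2,500.00 to Mama Mboga Supplies?" over USSD, collects the PIN from the SIM the network reports, and executes. A compromised browser that changes the payee after confirmation gets a code mismatch in `execute`; a browser that changes the payee before confirmation shows the wrong name on the handset and the customer cancels; a reply from a different SIM, a wrong PIN, or a SIM swapped within the last 72 hours are each declined before any code is issued.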
Myriad Connect’s secure customer authentication service
Myriad Connect’s market-leading authentication service uses USSD to provide an entirely out of band channel for authentication, with all interactions transmitted over the mobile network, which is separate from the browser or online channel the customer used to initiate the transaction. Myriad Connect’s session-based service sends an advanced push notification to open a conversation between the enterprise and its customer, which can include the amount and payee specific to the transaction.
In addition, Myriad’s SIM Swap detection service provides a real-time check on the SIM, while no persistent data is held with any third party, providing a more secure service than current two-factor authentication services. The result is a technology that greatly enhances the security of transactions vulnerable to SIM swap fraud and other digital transaction frauds.