How open banking opens the door for fraud

Open banking has long been championed by some in the finance industry as a windfall for consumers, but there's another party quietly cheering it on from the shadows: fraudsters.

As a result of the “seismic shift” open banking promises, consumers and third parties will now have greater access to personal banking data — and they won’t be the only ones. Cyber criminals, already making big bucks in Australia, may soon find themselves on the doorstep of a data treasure trove. 

A tantalising prospect 

In all honesty, the launch of the open banking pilot project’s so-called “seismic shift” would have barely registered on the Richter scale. Within days, the federal government was left scrambling to address the inevitable data privacy risks, which have delayed the legislation’s passing. 

This is deeply concerning. Australia is, unfortunately already a prime target for scamsters. More than half a million was siphoned off local consumers by fraudsters throughout 2017. Meanwhile, a more recent study by KMPG revealed that there were 177,000 scam reports in Australia last year, costing Australians half a billion dollars, compared with 85,000 scam reports in the US and Britain combined.

What’s more alarming, according to KMPG, is the “exponential increase” in the volume of scams in Australia, compared with the rest of the world. Although spurred mainly by Australia’s increasing appetite for the convenience offered by digital payments and online shopping, this should set alarm bells ringing at a time when Australia is preparing to open the floodgates on data sharing.

So how exactly does open banking work? Essentially, banking “product data” can be shared by way of an application programming interface (API), the method by which apps and websites communicate with one another. In theory, the move will empower consumers to switch providers more easily. Over time, it is expected to encompass all sectors, from telecommunications, internet, and energy.

But as more data flies through the digital ecosystem, inevitably there is a heightened scope for breaches, frauds and scams. With millions of customers’ priceless data going through APIs, cyber criminals are looking at a tantalising new attack surface. The recent attack on Australian property valuer LandMark White, which occurred via an exposed API, demonstrated the need for cyber security vigilance in this relatively up-and-coming area of computing. 

Unauthorised access to that data has the potential to cause unmitigated harm to Australian consumers and businesses, either via large-scale fraud and use in a crippling ransomware attack. These are risks of which all parties need to be aware and prepared.

Pure scale

Granted, the federal government has taken steps to address the threats it faces, both in terms of fraud and cyber protection. The notifiable data breach scheme now forces organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) in the event of a significant data cyber breach. A consultation is meanwhile underway to help resolve the epidemic of online transaction fraud. 

But fraud protection in the digital transaction landscape was never going to be an easy task. As payment services are increasingly digitised, it is more natural and more common than ever to use financial service platforms without interacting with another human being. And, as more services become digitalised and fraud becomes more sophisticated, regulation can only go so far, and solutions have to evolve to keep pace. A business needs to be able to go beyond the obvious; spot and flag separate data points, which together may point to fraudulent behaviour. 

Machine learning alone could mark fraudulent transactions as safe if they seem to come from existing or previous customers who may have had their data stolen. That’s why human intuition is also required. But as the number of online payments grows exponentially, machine learning must be brought in to deal with the pure scale of transactions within a modern business.

Nevertheless, while these risks should remain top-of-mind for business leaders, that is not to say they should close the door shut entirely on open banking. When finally rolled out in full on 1 February 2020, it will present a wealth of opportunity and benefits across customer services, visibility, competition and frictionless transacting. 

It has been a long-time coming for Australia. Already overseas markets are well ahead in terms of adoption, through legislation in the UK and organic growth in the US. PSD2 meanwhile opened the floodgates across the European Union. Australia and the business community are in a prime position to learn from overseas examples, lay the foundations correctly now and ultimately embrace a healthy new ecosystem without fear of attack.

Original article at: https://www.fintechbusiness.com/blogs/1472-cybercriminals-to-embrace-open-banking