
Open Banking in Brazil: security challenges and lessons from the external market

Oct 18, 2021

Guest writer: Thiago Zaninotti, CTO & Tech Advisor at Celcoin

By September 2022, the implementation of a new banking technology in Brazil, called Open Banking, is expected to be complete. That is the timeline stated by the Central Bank, which is responsible for adherence to and management of the practice in the country. As the new subject of the moment, Open Banking (OpB) lives up to its reputation: this system has arrived to revolutionize the Brazilian financial landscape.

With the proposal to share customers' data—with their express consent—between financial institutions, OpB returns control of banking data to the customers themselves, providing enormous autonomy in the search for products and services between one institution and another.

Are you a client of bank A, want a loan from bank B, and prefer the investments from bank C? No problem! The technology allows the APIs of the institutions to communicate for the sharing of your data and history, streamlining transactions and bringing a level of market competitiveness never seen before. Additionally, it opens up space for future payment services that integrate the technology.

So far, so good, right? Certainly, Open Banking has tremendous positive potential for the country, but the truth is that we need to have a serious conversation about the security challenges of OpB (which are not few) before discussing its implementation.

Where did Open Banking come from?
The system is already a reality in several countries around the world, such as India and the United States, each applying it according to their regulations and financial culture. However, the lessons we must pay attention to come from Europe, especially the United Kingdom. Since we stand on the shoulders of giants, we must learn from their steps—and their missteps.

I say this because the implementation of OpB in Europe was, at the very least, tumultuous. In the land of GDPR—the data privacy regulation that inspired laws like Brazil's LGPD, on a continent where privacy is an inherent part of the culture—the very term "Open Banking" was quite alarming. Not only that, but the security of Open Banking has always been treated as a very conceptual issue, as if it had to be understood between the lines. That is by no means sufficient for the adoption of a new technology like this, with such a name.

An innovation with many caveats
Another factor contributing to public resistance to OpB is that it disrupts the comfort zone of the well-known Home Banking model. Change is always frightening, even one that promises to simplify processes. Three years after the start of Open Banking in Europe, the adoption rate was still low (around 10% of the population), although it has been showing month-over-month increases. Many customers express concerns about security and privacy. In a PwC survey, 55% of people stated they fear becoming victims of fraud, and 54% say they prefer not to share their data for fear of becoming targets of attacks.

Lesson 1: Simplicity is everything
One of the most important lessons we learned from the implementation of Open Banking in Europe is that complicated policies, like PSD2, only hinder the adoption of the technology by institutions and customers. The RTS (Regulatory Technical Standards), in this case, is too vague regarding the standards that must be followed by the API for the secure sharing of data. I used all this technical jargon to illustrate that if you complicate a process too much, trying to reinvent the wheel, you will end up driving institutions away and even encouraging participants to take unsafe shortcuts. And this is how fraud and attacks occur, dragging the credibility of the new technology down.

In the United Kingdom, our winning example, the proposal was to standardize the API clearly and scalably, using open protocols such as those of the established OpenID Foundation. With a clear focus on security and privacy, especially to comply with GDPR, the UK OpB managed to create flexibility for any Third Party Provider (TPP), whether financial or non-financial, to participate in the ecosystem. And to ensure controls against potential abuses in the environment, it was enough to create a mechanism for whitelisting participating TPPs, with quick dispute resolution and the eventual removal of non-compliant participants. In other words, by using open technologies with a good track record of implementation, it is possible to accelerate the adoption process while preserving essential principles, such as privacy and security.

Lesson 2: Security cannot be just a concept!
The lack of clear and objective communication regarding the security and privacy initiatives governing Open Banking is one of the main reasons for its slow adoption. Even though it is rigorously controlled, regulated, and introducing standardizations, OpB, as it exists today, still has a long way to go in its communication with its participants. Security and privacy need to be priority topics in all interactions with the public and institutions. Recently, I have even seen commercials on television about the topic—without a single word mentioning how OpB is secure. I emphasize here that marketing should not operate without security on the agenda at all times.

Lesson 3: Security and Privacy as Standards

You have probably heard of the concepts of Security and Privacy by design. Used for some time by other industries, such as aviation, they advocate that Security and Privacy are functional requirements that must be part of the project from the start, rather than appearing late as a reactive implementation in response to incidents and problems as they occur.

For Open Banking, these concepts are especially important in the development of applications, platforms, and services, particularly APIs and the systems of third-party providers (TPPs). With them in place, the common security mistakes we frequently see become less common: confidential customer data or tokens hard-coded in source code or exposed through URLs; TPP applications loading third-party advertising and data-analytics plugins; or APIs integrated with legacy systems in an insecure manner.
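As an added example, not from the original article, here is a small Python check for two of the mistakes just named: credentials assigned as literals in code and tokens or customer identifiers passed in URL query strings (the same kind of check the repository-monitoring tip later in the article calls for). The sample lines, parameter names and patterns are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, of the kind found in a TPP code base or access log,
# containing the mistakes named in the text: a secret in code and a token in a URL.
SAMPLE_LINES = [
    'API_SECRET = "sk_live_EXAMPLE0123456789abcdef"',                       # secret in code
    'GET /accounts?cpf=12345678901&access_token=TOKEN_EXAMPLE_VALUE',        # token and ID in URL
    'url = "https://api.example-bank.test/balances?consentId=urn:demo:1"',  # acceptable
    'timeout_seconds = 30',                                                  # acceptable
]

# A credential-looking name assigned a quoted literal of 8+ characters (names are illustrative).
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(api[_-]?secret|client[_-]?secret|private[_-]?key|password)\b\s*[=:]\s*["\'][^"\']{8,}["\']')
# Query parameters that must never carry credentials or customer identifiers.
FORBIDDEN_QUERY_KEYS = {"access_token", "token", "refresh_token", "client_secret", "cpf", "password"}
# Absolute URLs, or request paths with a query string as they appear in access logs.
URL_RE = re.compile(r'(?:https?://[^\s"\']+|/[\w/.-]*\?[^\s"\']+)')

def find_exposures(lines):
    """Return (line_no, kind, detail) for every exposure found in the given lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        if SECRET_ASSIGNMENT.search(line):
            findings.append((n, "hardcoded-secret", "credential assigned as a literal"))
        for url in URL_RE.findall(line):
            keys = sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in FORBIDDEN_QUERY_KEYS)
            if keys:
                findings.append((n, "sensitive-data-in-url", ",".join(keys)))
    return findings
```

Run over a repository or a sample of access logs, the same function flags both the literal and the query string, which is exactly what a pre-commit hook or a log review should catch before the data reaches a third party.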

The Security Challenges of Open Banking After Implementation in Brazil

A New Realm for Phishing

Criminals and scammers who exploit users, whether to commit fraud or steal both data and financial assets, will have a new realm to attack. Fake forms and malicious applications, using the name of Open Banking to solicit victims’ data and steal their consent, are just some of the concerns. Security tips here include continuously working on the end-user culture, teaching best practices, and warning against threats; building a strategy for whitelisting secure TPPs; and following a good checklist for URL hygiene (for certificates, domains, etc.).

Fintechs in the Crosshairs as the Weakest Link

While banks are well-established institutions with a long history and resilience in security, fintechs still need to prove their worth, and many are investing in their protections for the first time. Inexperience and limited financial resources to deal with disasters make them a target for attackers. This situation presents an attractive opportunity for criminals who prefer to attack the weaker institution, which sits between the bank and the customer like a kind of "man-in-the-middle." Their broad databases, and the legal basis they hold for storing them, are another attraction. Here, the main tip is to strengthen your security team. If hiring people isn’t feasible, or even if you don’t have a security team, rely on solutions that automate the protection of your infrastructure. One recommendation is Unxpose, which acts as an additional security arm for your team. The solution continuously discovers digital assets, monitors vulnerabilities in your environment, performs intelligent prioritization that takes into account your business context, informs the potential impact of found vulnerabilities, and even teaches how to fix them with simple tutorials—all in an automated manner—saving hours of manual work in vulnerability detection and showing where you should act first. It is also worth reinforcing the need for data encryption in the cloud to prevent leaks. Enable, and make mandatory, encryption in transit and at rest on disks and databases.

API Attacks Will Rise

After all, the API is a shortcut to the core data processing. Since APIs will become public in Open Banking, following an open standard, automated requests will become the norm (not the exception). Denial-of-service attacks will become even more damaging, potentially disrupting operations. Security tips that apply here include adding extra security layers in front of applications (such as a WAF); implementing rate control and managing API traffic; and adopting a multi-premises (or multi-cloud) approach for scalability. Another tip is to start continuously monitoring code repositories for API keys that may leak during development cycles. Here, Unxpose can also help.
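The rate-control tip above, as an added example that is not part of the original article: a token-bucket limiter keyed by TPP client id, of the kind an API gateway would apply in front of the bank's endpoints. The traffic, limits and client names are constructed; the clock is injected so the behaviour can be replayed deterministically.

```python
import time

class TokenBucket:
    """Per-client token bucket: refills `rate` tokens per second, holds at most `capacity`."""
    def __init__(self, rate, capacity, now=time.monotonic):
        self.rate, self.capacity, self.now = rate, capacity, now
        self.tokens, self.updated = capacity, now()

    def allow(self):
        t = self.now()
        # Refill proportionally to elapsed time, never above the burst capacity.
        self.tokens = min(self.capacity, self.tokens + (t - self.updated) * self.rate)
        self.updated = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class ApiRateLimiter:
    """One bucket per TPP client id, as a gateway in front of the Open Banking APIs would keep."""
    def __init__(self, rate, capacity, now=time.monotonic):
        self.rate, self.capacity, self.now = rate, capacity, now
        self.buckets = {}

    def check(self, client_id):
        """Return the HTTP status the gateway would answer: 200 pass, 429 Too Many Requests."""
        if client_id not in self.buckets:
            self.buckets[client_id] = TokenBucket(self.rate, self.capacity, self.now)
        return 200 if self.buckets[client_id].allow() else 429

def simulate(requests, rate=2.0, capacity=5):
    """Replay (timestamp_seconds, client_id) pairs against a fresh limiter with a fake clock."""
    clock = [0.0]
    limiter = ApiRateLimiter(rate, capacity, now=lambda: clock[0])
    statuses = []
    for ts, client in requests:
        clock[0] = ts
        statuses.append(limiter.check(client))
    return statuses

# Constructed traffic: tpp-a bursts 8 calls at t=0 while tpp-b makes one; tpp-a retries 3 times at t=1.
SAMPLE_TRAFFIC = [(0.0, "tpp-a")] * 8 + [(0.0, "tpp-b")] + [(1.0, "tpp-a")] * 3
```

With a burst capacity of 5 and a refill of 2 per second, the burst from tpp-a is cut off after five calls while tpp-b is unaffected, and only two of the three retries a second later get through.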

Applications and Platforms Under Stress

Since Open Banking transforms participating applications and platforms into a sort of “extension” of access to the Bank, malicious and fraudulent applications will become a new focus for criminals interested in stealing customer data. On the other hand, even in official applications, brute force attacks or credential stuffing will be on the rise against applications and platforms that mediate between the bank and the customer, amplifying the exploitation of their vulnerabilities. Security tips for these cases include applying the previously mentioned concepts of Security and Privacy as standards from the beginning of the development processes of these applications and platforms. Another tip is to ensure a well-controlled management of customer consent, paying attention to its revocation.
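The consent-management tip just above, together with the TPP whitelisting described earlier in the article, as an added example that is not the article's or any regulator's code: a registry that authorizes a data-sharing request only when the TPP is still whitelisted and the customer's consent is current, unrevoked and covers the requested scope. Identifiers, scopes and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    consent_id: str
    tpp_id: str            # the TPP the customer granted this consent to
    scopes: frozenset      # data the customer agreed to share, e.g. {"accounts", "balances"}
    expires_at: datetime
    revoked_at: "datetime | None" = None

@dataclass
class ConsentRegistry:
    allowed_tpps: set = field(default_factory=set)   # whitelist of participating TPPs
    consents: dict = field(default_factory=dict)
    def grant(self, consent):
        self.consents[consent.consent_id] = consent
    def revoke(self, consent_id, when):              # customer-initiated revocation
        self.consents[consent_id].revoked_at = when
    def remove_tpp(self, tpp_id, when):              # delist a non-compliant TPP, revoking its consents
        self.allowed_tpps.discard(tpp_id)
        for c in self.consents.values():
            if c.tpp_id == tpp_id and c.revoked_at is None:
                c.revoked_at = when
    def authorize(self, tpp_id, consent_id, scope, now):   # returns (allowed, reason)
        if tpp_id not in self.allowed_tpps:
            return False, "tpp-not-whitelisted"
        if (c := self.consents.get(consent_id)) is None or c.tpp_id != tpp_id:
            return False, "unknown-consent"           # consent is bound to the TPP it was granted to
        if c.revoked_at is not None and c.revoked_at <= now:
            return False, "consent-revoked"
        if now >= c.expires_at:
            return False, "consent-expired"
        if scope not in c.scopes:
            return False, "scope-not-granted"
        return True, "ok"

def demo():   # constructed scenario: grant, use, customer revocation, then delisting of a TPP
    t0 = datetime(2022, 9, 1, tzinfo=timezone.utc)
    reg = ConsentRegistry(allowed_tpps={"tpp-a", "tpp-b"})
    reg.grant(Consent("c1", "tpp-a", frozenset({"accounts", "balances"}), t0 + timedelta(days=90)))
    reg.grant(Consent("c2", "tpp-b", frozenset({"accounts"}), t0 + timedelta(days=90)))
    out = {"ok": reg.authorize("tpp-a", "c1", "balances", t0),
           "scope": reg.authorize("tpp-a", "c1", "transactions", t0)}
    reg.revoke("c1", t0 + timedelta(days=1))
    out["revoked"] = reg.authorize("tpp-a", "c1", "balances", t0 + timedelta(days=2))
    reg.remove_tpp("tpp-b", t0 + timedelta(days=3))
    out["delisted"] = reg.authorize("tpp-b", "c2", "accounts", t0 + timedelta(days=4))
    return out
```

Every denial carries a reason, so the same check doubles as an audit record of why a request was refused after a customer withdrew consent or a participant was removed from the ecosystem.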