Victoria Saporta, BoE executive director for prudential supervision, has said recently that minimum resilience requirements should be imposed on the tech giants’ (and others’) hosting services before they may process and store banking data. We strongly support these comments. We have identified this issue as one of a number of new risks arising from modern financial systems architecture, in recent Structured Risk Analyses that we have carried out for financial and retail organisations in North America, Asia-Pac and EMEA.
In traditional architectures, core systems (and the personnel that build, design and run them) tended to be under a bank’s direct control. The technical interface to the consumer was through the bank’s wall via an ATM. Even with the advent of the smart card, while anyone could attempt to attack the chip, hardware and security controls were rigorous and effective, put in place by an industry that has always been security aware, leaving the issuing bank in effective control of the device.
We now find that, not only is the hosting of core systems outsourced, but the technical interface to the customer is the mobile phone. This opens up a whole host (pun intended) of means of attack. In most instances, the hardware holding (for example) cryptographic credentials is not as secure as a smart card chip, and it could be that the app developers are not well-versed in software security techniques. A third area of concern has been opened up by open banking mandates. The temptation is to allow mobile and web access, via new APIs, to deep legacy systems, which were never designed for remote access and may be barely understood by their latter-day custodians.
We have recommended and implemented ongoing programmes for our customers to address these issues; comprehensive minimum standards can only help but need to be backed by rigorous certification processes.
Consult Hyperion is a leading expert in secure electronic transactions. Advising customers globally for over 30 years, we’ve helped organisations design and deliver solutions for mass-scale adoption. If you’d like to learn more about our team of experts who live and breathe secure transaction technology, and how we can help you, we’d love to hear from you at firstname.lastname@example.org.