Open Banking: an Open Goal for Security?

Open Banking ultimately refers to the underlying financial technology, born alongside a new regulation – the second ‘Payment Services Directive’ (PSD2) – which came into force on January 13th of last year. This new regulation will see the banks’ previous monopoly on their customer’s account information and payment services being challenged; 3rd party organisations are now competing with banks for access to customer data. PSD2 is the successor to the first Payment Services Directive (PSD1) that came into force in 2009 and which facilitated the provision of uniform payment services across the EU. PSD2 sets out to (in addition) provide consumers with better security to take advantage of using third-party providers (TPP’s) and their services which ultimately integrate directly with an individual’s bank account.

A white smartphone with tangled earphones,a credit card from Deutsche Bank,a notebook,and a pen arranged on a dark surface.

Probably the main concern surrounding banking was how very closed their environments were. Now that legislation is forcing them to open them, or at the very least expose an API, they have had to make huge changes to their architecture because of this completely different approach. Whilst traditionally ‘disconnected’ from the internet, they were able to do pretty much anything, they could skip all of the traditional security measures that you take when you’re on public networks or in the cloud. Now with an open environment, the banks, at the very least, need to protect the API with stringent security measures. And customers will also want to know that their data is kept securely as the banks open up their infrastructure to the public.

Book a demo today to see GlobalDots is action.

Optimize cloud costs, control spend, and automate for deeper insights and efficiency.

Book a demo today to see GlobalDots is action.

Reputation, compliance and relationships with key partners are key factors when doing business in this landscape. TPPs have to have professional indemnity insurance to cover liability in the case of a security breach or unauthorised transaction. Liability and security are major issues in earning the trust of consumers and their payment providers. One dodgy outfit and the whole sector could end up being tarred with the same brush.

PSD2

A cornerstone of PSD2 is the abolition of the monopoly that banks have over accessing their customers’ account data. This will allow consumers (or businesses) to unlock their data and obtain a wide range of value-added services. It will strengthen the position of financial start-ups, and should invite widespread development and innovation in key areas such as online and mobile payments and account information services. Consumers will need to be really careful when it comes to sharing data. They will only be protected by their bank (if something goes wrong) if they share their data with an authorised company, and these authorised third parties will be regulated by the Financial Conduct Authority (FCA) and will appear on the FCA’s Register, and/or the Open Banking Directory.

Banks are now obliged to grant these TPPs access to their customers’ accounts through open interfaces. This in turn will allow TPPs to build financial services on top of banks’ data and infrastructure. Consumers will benefit from things such as easier online payments (without the need for a credit or debit card) and money management services that better help consumers keep on top of their finances.. Whilst the competitive landscape will undergo massive change, consumers face relying on new institutions, instead of the traditional banks to keep their sensitive financial data safe. This will require a different security mindset as companies investigate and implement new security measures.

Banks have traditionally been victims of a style of attack that is able to alter transactions while they’re happening in the browser and steal user’s credentials without them knowing. With the introduction of open banking, data will become increasingly vulnerable to attack as it passes through an open interface; this could happen on any customer’s device, for example, a mobile phone. In the process of ‘opening up’ the access to customer data, TPPs suddenly become very attractive targets to attack by cybercriminals.

Many high-profile companies, including banking institutions, have been attacked and users are rightly more concerned than ever with privacy. Even with the rising amount of attacks on mobile devices and applications, financial institutions and other organisations are still not taking proactive steps to protect the user’s apps on their devices. We hope to see open banking also provide the opportunity for developers and the like to work hard to provide robust protection against hacking and phishing attacks in the light of the new landscape.

Application shielding will continue to play a major role in protecting mobile applications. It does this by detecting and mitigating any tampering with a mobile app to prevent any damage. Open banking could see a rise in overlay attacks, phishing attacks, and mobile app threats, perhaps even more dangerous versions. It is estimated that users are three times more likely to fall for phishing attacks via mobile devices than they are other channels! In order to meet PSD2 compliance, which is due before the end of the year, financial organizations need to investigate new solutions to block these threats. Remember, preventing this type of fraud is key for financial organisations if they want to avoid costly reputational and brand damage.

Conclusion

It is still early days for TPPs in the UK but the way is paved for significant change in the way we understand payment services. Many firms are currently exploring opportunities that are being presented and others will be looking to come up with the next big idea. However, now that open banking is a reality, consumers need to be able to trust those charged with looking after their assets and feel confident when carrying out banking transactions online. Don’t let it be an open goal for cybercriminals!

If you have any questions about how to effectively protect your web applications, or how to optimize your cloud performance and reduce costs, contact us today to help you out with your performance and security needs.

Latest Articles

Gaming Company SuperPlay Reduces ElastiCache TCO with Strategic Optimization

About the Customer: SuperPlay is a leading Israeli gaming company that develops and publishes mobile games for a global audience. The company specializes in creating engaging social casino and casual gaming experiences, reaching millions of players worldwide. As a technology-driven gaming company, SuperPlay relies on robust cloud infrastructure to deliver seamless gaming experiences to their […]

Itay Tal
1st July, 2025
What is an API Security Audit?

 In January 2024, a misconfigured API exposed 650,000 private messages. These included passwords and internal communications. No exploit chain. No zero-day. Just a public-facing endpoint with no authentication. This wasn’t an isolated incident. From T-Mobile and Twitter (now X) to Kronos Research and the US Treasury, attackers have consistently used APIs as entry points. They […]

Ganesh The Awesome
26th June, 2025
The Ultimate API Security Checklist for 2025

APIs are now the top attack vector in enterprise apps. In 2024 alone, breaches tied to APIs cost an average of $4.88 million, and that number is rising fast. Attackers exploit gaps in API authentication, input validation, and outdated endpoints to compromise systems. Legacy controls no longer suffice, and the OWASP API Top 10 outlines […]

Ganesh The Awesome
26th June, 2025
10 API Security Best Practices for 2025

APIs are the backbone of today’s interconnected software. They power everything from mobile apps and SaaS platforms to internal microservices and partner integrations. But their rapid growth has left many security teams flat-footed. In 2025, many attackers prefer to exploit API misconfigurations hiding in plain sight. What used to be fringe cases (token leakage, zombie […]

Ganesh The Awesome
23rd June, 2025

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services