
Published: 23.10.2019

14 September – Not just another day

Strong customer authentication and cyber resilience – Jens Obermöller talks about secure online payments and attacks on banks’ IT systems

As of a few days ago, customer authentication has to be strong. In an interview accompanying the BaFin “IT Supervision in the Banking Sector” event (see info box), Jens Obermöller, head of the BaFin division dealing with policy issues relating to cyber security in the digitalisation and regulation of payment transactions, explained the innovations brought about by PSD2, the Second European Payment Services Directive, and the sensitive subject of cyber resilience.

Mr Obermöller, 14 September 2019 was not just another day for bank customers. Some of them will have noticed that their printed iTAN list no longer works – is that a loss?

In theory at least, everybody should have known about it. After all, the banks had to give their customers ample notice that the iTAN procedure was going to be discontinued, and tell them what alternative authentication arrangements would be available. And that’s just what they did. But you know yourself what it’s like: nowadays, you get so much mail from your bank that it’s often difficult to tell what’s important and what’s trivial.

In light of the new regulatory requirements, it was impossible to retain the iTAN procedure. PSD2 (see the “ZAG and PSD2” info box) prohibits a physical element used for authentication from being easily reproduced. But you can make any number of copies of a printed TAN list on any photocopier. Or photograph it using a mobile phone. So from a security aspect, getting rid of iTAN lists is certainly no loss.

At a glance: BaFin “IT Supervision in the Banking Sector” event

BaFin organised its sixth event on IT Supervision in the Banking Sector at the World Conference Center Bonn on 12 September 2019. Around 430 delegates from banks, associations, IT service providers, audit firms and financial and payment service providers learned at first hand about the new supervisory requirements governing strong customer authentication (SCA), account interfaces and threat-led penetration tests (TLPTs). Alongside BaFin, experts from the Deutsche Bundesbank, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the European Central Bank gave presentations. Researchers were also represented: Professor Key Pousttchi from the University of Potsdam predicted how Big Data and Artificial Intelligence will change the banking business. Many of the presentations can be downloaded from BaFin’s website.

In future, the event will be held every two years, so the next one will be in 2021.

On the topic of PSD2: The revised PSD is designed to make online and mobile payments more secure. Along the lines of “Two are better than one”, customers now have to confirm two separate security credentials. Is that tamper-proof?

Well, no authentication system will ever be 100 percent secure. But PSD2’s requirements for SCA – strong customer authentication – mean that we have reached a good balance between greater security and user-friendliness for online payments. SCA requires elements from two of the three categories of “knowledge”, “possession” and “inherence” (see info box “Strong customer authentication”). In addition, payment service providers must continuously analyse whether new attack methods have evolved. And they must improve or replace a procedure if necessary.

As customers, though, we are already used to strong customer authentication. We use a card and enter a PIN to pay at the checkout. The card falls into the “possession” category and the PIN into the “knowledge” category. Or take the example of online credit transfers: in this case, the online banking password belongs to the “knowledge” category and the TAN, which is communicated in a text message, for example, belongs to the “possession” category. That’s because the TAN proves that you own the mobile phone, or more precisely the SIM card. PSD2 only changes some of the details here.

Nevertheless, BaFin announced on 21 August 2019 that payment service providers whose registered office is in Germany may continue to process online credit card payments without strong customer authentication for the time being. Has that not impaired the collective interests of consumers, who BaFin is obliged to protect?

We were facing a difficult trade-off here, as were the other European supervisory authorities. The first problem is that in the past, strong customer authentication was extremely unusual for online credit card payments. To give just one example: if you bought something from an online retailer and wanted to pay by credit card, you entered your credit card number and the CVV number on the back of the card. That was all that was needed in most cases.

That’s why the switch to PSD2 is particularly complex in this area. The German payment service providers completed their part of the preparatory work on time. But many online retailers as well as the majority of travel companies were not prepared for the switchover on 14 September – for a variety of reasons. As a result, it could have happened that consumers were no longer able to pay online. Companies could have also had the same problem and it would have been tremendously chaotic.

That was something we had to avoid. In cooperation with the European Banking Authority – the EBA – and other supervisory authorities, we developed a transitional arrangement in order to avoid any disruption of payment transactions and ensure a smooth transition to the new rules.

There is something else that’s important: liability rules under civil law, for example between the credit card holder and the payment service provider, continue to apply. So nobody will be disadvantaged by the measures we’ve taken when they make online payments.

Banks have to create new interfaces (application programming interfaces – APIs) for third-party payment service providers such as apps that access an account on behalf of the customer. But the old access path is still open in case of emergency. Why was it not dropped entirely?

I believe that powerful, secure account interfaces constitute one of the most important technical advances that PSD2 has introduced. The banks could also have adapted their existing access paths to the new requirements. However, most German institutions decided to invest in new account interfaces.

In fact, PSD2 stipulates that, whenever a bank decides to offer a new API, it has to retain the old access paths for the time being and with minor modifications – as a sort of emergency mechanism. The background to this is that the switch to new access paths essentially has to happen during day-to-day operations. This is a highly demanding project for everybody involved, and a large number of technical questions have to be answered.

A bank can also shut down the emergency mechanism if it can prove to us that the new API features all of the functionalities required by PSD2. However, there are some strings attached, including that the performance and availability of the interface may not be lower than those of online banking.

We will be very meticulous there. We already have an ecosystem of third-party service providers in Germany. And I’m not talking about cool new finance apps for smartphones. Many small and medium-sized enterprises use these services for their financial accounting.

Definition: Cyber resilience

Cyber resilience means the ability of companies to withstand attacks on the security of their information and communication technologies (ICT). Attackers focus on the companies’ systems or on customer data (see BaFinJournal April 2019, only available in German).

At a glance: Strong customer authentication

If you want to make an online payment or check your bank account online, you will recently have encountered strong customer authentication (SCA). SCA is designed to make online and mobile payments more secure.

What makes authentication “strong”? All computer users know how to authenticate their identity on a computer or a website, for example by entering a secret password. With strong customer authentication, that’s no longer enough. If you want to pay online, you now have to use two elements to prove your identity. These elements must come from two of the three categories of knowledge, possession and inherence.

An example of knowledge is the password. An example of possession is the mobile phone – or more precisely, the SIM card. You can prove that you possess it by, for example, entering a transaction number (TAN) that has just been sent to your mobile phone in a text message. The category of inherence means your person or physical characteristics – for example a fingerprint.

Strong customer authentication has been mandatory since 14 September. That’s because of the Second European Payment Services Directive (PSD2). Exemptions are governed by a Delegated Regulation (see BaFinJournal June 2018, only available in German). BaFin is allowing online credit card payments without SCA for the time being because it wants to prevent disruptions to online payments.
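The category rule in this info box can be expressed as a small decision function. The following is an added example and not code from BaFin or from the article; it encodes the two-of-three rule together with the point made in the interview that a possession element which can be trivially copied (a printed iTAN list) does not count. The category labels, element names and the `copyable` flag are assumptions made for illustration.

```python
"""Added example (not BaFin's code): checks whether a set of presented
authentication elements satisfies the strong customer authentication (SCA)
rule - at least two elements from different categories (knowledge,
possession, inherence), where a possession element that can be trivially
reproduced (a printed iTAN list) is not accepted.

Category labels, element names and the `copyable` flag are assumptions."""

from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user has (card, SIM card)
    INHERENCE = "inherence"    # something the user is (fingerprint)


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    # True if the element can be reproduced with trivial effort
    # (a printed TAN list can be photocopied or photographed).
    copyable: bool = False


def usable_elements(elements):
    """Drop possession elements that are easily copied; everything else
    is eligible to count towards SCA."""
    return [e for e in elements
            if not (e.category is Category.POSSESSION and e.copyable)]


def is_strong(elements):
    """True if the eligible elements cover at least two *different*
    categories. Two elements of the same category (password + PIN) are
    not SCA, and a password plus a copyable iTAN list is not SCA either."""
    categories = {e.category for e in usable_elements(elements)}
    return len(categories) >= 2


def explain(elements):
    """Human-readable verdict, e.g. for an audit note."""
    rejected = [e.name for e in elements
                if e.category is Category.POSSESSION and e.copyable]
    verdict = "SCA" if is_strong(elements) else "not SCA"
    if rejected:
        verdict += " (rejected copyable possession element: "
        verdict += ", ".join(rejected) + ")"
    return verdict


# Constructed sample elements, following the examples in the interview.
PASSWORD = Element("online banking password", Category.KNOWLEDGE)
PIN = Element("card PIN", Category.KNOWLEDGE)
CARD = Element("payment card", Category.POSSESSION)
SMS_TAN = Element("TAN sent to SIM card", Category.POSSESSION)
ITAN_LIST = Element("printed iTAN list", Category.POSSESSION, copyable=True)
FINGERPRINT = Element("fingerprint", Category.INHERENCE)

if __name__ == "__main__":
    for combo in ([CARD, PIN], [PASSWORD, SMS_TAN], [PASSWORD, ITAN_LIST],
                  [PASSWORD, PIN], [FINGERPRINT, SMS_TAN]):
        print([e.name for e in combo], "->", explain(combo))
```

The check deliberately treats the iTAN list as a possession element that fails on the "easily reproduced" criterion rather than as a non-possession element; that mirrors the reasoning in the interview and is what makes a password plus iTAN combination fall back to a single category.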

It looks like PSD2 came at the right time. Hacking attacks on banks seem to have been growing in number recently. Is that actually the case?

There has certainly been no decrease in the threats coming from cyberspace. The financial sector is an attractive and vulnerable target. This can be seen from the recent attack on US bank Capital One, where a hacker was able to steal the data of more than 100 million customers.

However, our notification data tell us that most IT security incidents affecting payment transactions are attributable to operational weaknesses at the banks themselves. For example, an IT system modification isn’t sufficiently tested. In cases like this, we often talk of “cyber hygiene” – an appropriate expression, I think, because what matters here are awareness, thoroughness and perseverance.

Definition: BAIT

BaFin set out its expectations for how credit institutions should deal with IT risks in its Supervisory Requirements for IT in Financial Institutions (BAIT).

Like the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, MaRisk), which were revised at the end of October 2017, the BAIT represent an interpretation of the legal requirements of section 25a (1) sentence 3 nos. 4 and 5 of the Banking Act (Kreditwesengesetz, KWG). As the institutions are increasingly making use of IT services provided by third parties, for example because they outsource IT services, the BAIT also interpret section 25b of the KWG. Among other things, this governs the treatment of outsourced activities and processes.

Are the credit institutions doing enough to ensure the security of their systems and hence the security of their customers’ money?

A question back to you: what do you mean by “enough”? As supervisors, of course we check whether banks in Germany are complying with the rules in force. But even if there are no specific requirements, the banks should be doing everything within their power to safeguard their cyber resilience so as to protect their own interests (see info box “Cyber resilience”).

Hackers don’t sleep. On the contrary: the speed at which cybercriminals are becoming increasingly organised and professional is a source of worry for us. Of course what helps them is that digitalisation means that a growing number of transactions are taking place online, and that people have become used to living their lives online to a certain extent. And banks, too, should be able to leverage innovations. But they should also ensure the necessary degree of security.

Does that also include blockchain? If you compare blockchain with conventional IT systems, to what extent would transactions based on this technology increase security?

There’s no simple answer to that. The question of how secure blockchain is in a specific case depends to a significant extent, for example, on the cryptographic algorithms that the programmers used. Unfortunately, there are still no technical standards addressing the deployment of blockchain technology. BaFin is working actively in ISO, the International Organization for Standardization, to start developing them. If I were to assess the effect of blockchain technology today, then I would say that it does not by itself solve any IT security problems and does not make financial transactions inherently more secure.

So what can BaFin do to help support IT security?

For a start, we make very clear what we expect the companies to do. Our Supervisory Requirements for IT in Financial Institutions (BAIT, see info box “BAIT”) describe on 24 pages how management can make the IT systems of its institution secure. A fundamental principle is that responsibility for IT security or cyber security rests with a bank’s management and cannot ever be outsourced.

Of course we don’t just communicate with the banking sector in writing – we also use specialist and expert bodies or events such as “IT Supervision in the Banking Sector” (see info box “IT Supervision in the Banking Sector”). This is a very deliberate attempt to create a forum in which researchers also have a chance to speak. There are probably few issues where this exchange is as important as it is in the case of IT security and cyber security, because both the technology and the threat level are evolving so quickly here.

This year’s G7 cyber exercise for the financial sector demonstrated impressively what can happen if supervisory authorities, central banks, ministries and banks work together across sectors and borders. It was a successful test run for a massive cyber event. If it happens, the reactions of everybody involved must be just right, and the dress rehearsal was very useful for this.

Definition: ZAG and PSD2

The new Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) came into force on 13 January 2018. It transposes the supervisory part of the Second European Payment Services Directive (PSD2) into German law (see BaFinJournal March 2016, only available in German). The goal of PSD2 and the revised ZAG is to provide a legal framework for the progressive digitalisation of payment transactions and to promote the consistent interpretation and application of the provisions across Europe by imposing sharper contours on the exemptions. This aims to reinforce competition, increase the security of payment services and improve consumer protection.

Are penetration tests a suitable means of revealing weak points in IT security processes?

There’s nothing new about penetration tests. In the classic scenario, IT departments launch an automated, tool-based simulation of a hacking attack on their own IT applications and systems. The goal is to reveal vulnerabilities and cure them as quickly as possible.

Threat-led penetration tests (see info box “Threat-led penetration tests”) are a more recent and more effective development. They allow companies to put their cyber defences to the test under more-or-less real conditions. Contract “ethical” hackers try to compromise the company. This is a no-holds-barred approach, and the way inside the company doesn’t necessarily have to be through the technology of its IT systems. Human error would also be a gateway, for example.

Definition: Threat-led penetration tests

Threat-led penetration tests (TLPTs), also called Ethical Red Teaming, are a particularly effective form of penetration tests. They enable companies to more comprehensively assess and improve their cyber resilience. The “G-7 Fundamental Elements for Threat-Led Penetration Testing”, in whose development BaFin participated intensively, define TLPT as a controlled attempt to compromise the cyber resilience of an entity by means of a controlled attack by an ethical hacker.

The ECB has developed its own framework for this purpose, the TIBER-EU Framework. TIBER stands for “Threat Intelligence-based Ethical Red Teaming”. CentralBanking.com awarded the Fintech and Regtech Global Award 2019 to the ECB for TIBER-EU. TIBER-DE will implement the ECB’s Framework in Germany. TIBER-DE was developed jointly by BaFin, the Deutsche Bundesbank and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).

How does Germany compare with other countries?

We are in a good position compared with the Netherlands, Belgium, Denmark or the UK, for instance. The whole thing already has a European dimension in any case: the ECB has issued a guide addressing these tests, the TIBER-EU Framework. The tests in this framework are termed “Threat Intelligence-based Ethical Red Teaming” (TIBER). Such tests can also be performed in Germany in the future under the leadership of the Deutsche Bundesbank.

Mr Obermöller, many thanks for this interview!

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
