FIDO Alliance, a group of companies developing new biometric authentication and second factor authentication protocols, has warned that the European Commission may compromise the security of banking customers’ credentials with the new Payment Services Directive 2 (PSD2).
Non-Secure Screen Scraping Protocol
FIDO has taken issue with the fact that the European Commission is considering allowing banks to use a non-secure screen scraping protocol as a fallback option until the banks implement safer protocols.
According to FIDO, this screen scraping protocol allows third parties to log in on behalf of banking users in a non-secure way. The credentials are captured directly in plain text from a device’s screen and replayed, rather than the third party receiving a randomly generated authentication token through an API.
The screen scraping practice was prohibited by the European Banking Authority, the main banking-related regulatory agency in the European Union (EU), when writing the final technical draft for the PSD2, because of its weak security.
Soon after the final technical draft for the PSD2 was released, some financial technology (fintech) companies complained that because some banks won’t implement the safer protocols described in PSD2 in a timely manner, the fintech companies should be allowed to continue using the non-secure screen scraping method to use the banking customers’ credentials.
The European Commission seems to have been convinced by their argument, and has proposed allowing the screen scraping method to be used at will by companies that want to use it as a “fallback option.” However, as we’ve learned from major attacks against browser protocols over the years, keeping non-secure protocols around as fallback options is just asking for trouble. If the protocol is there and can be enabled, attackers will take advantage of it, even if it’s not the main protocol used by a given company and its customers.
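To make the contrast in the two paragraphs above concrete (credential replay versus a scoped API token, and why a permitted fallback path undermines the secure one), here is an added toy model. It is illustrative code written for this article, not code from FIDO, the European Commission, or any bank; the `Bank` class, the scope names and the customer record are constructed assumptions.

```python
"""Toy model: a third party reaching a bank account either by replaying the
customer's own username and password (screen scraping) or by presenting a
scoped, revocable token issued through an API. Constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

READ_ONLY = frozenset({"read:balance"})   # the only scope the customer grants


@dataclass
class Bank:
    """Minimal bank back end (hypothetical; not any real bank's API)."""
    allow_credential_fallback: bool
    users: dict = field(default_factory=dict)   # username -> [salt, pw_hash, balance]
    tokens: dict = field(default_factory=dict)  # token -> (username, scopes)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, username: str, password: str, balance: int) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = [salt, self._hash(password, salt), balance]

    def _verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))

    def issue_token(self, username: str, password: str, scopes) -> str:
        # The customer authenticates to the bank directly; the third party only
        # ever sees a random token limited to the granted scopes.
        if not self._verify(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, frozenset(scopes))
        return token

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)

    def _perform(self, username: str, action: str, amount: int = 0) -> int:
        rec = self.users[username]
        if action == "read:balance":
            return rec[2]
        if action == "transfer":
            rec[2] -= amount
            return rec[2]
        raise ValueError(f"unknown action {action}")

    def api_request(self, token: str, action: str, amount: int = 0) -> int:
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        username, scopes = entry
        if action not in scopes:
            raise PermissionError(f"token not scoped for {action}")
        return self._perform(username, action, amount)

    def scraped_login(self, username: str, password: str, action: str, amount: int = 0) -> int:
        # Fallback path: the third party replays the customer's own password, so
        # the bank cannot distinguish it from the customer or limit what it does.
        if not self.allow_credential_fallback:
            raise PermissionError("credential fallback disabled")
        if not self._verify(username, password):
            raise PermissionError("bad credentials")
        return self._perform(username, action, amount)


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def demo(fallback_allowed: bool) -> dict:
    """Run both access methods against one constructed customer record."""
    user, pw = "alice", "correct horse battery staple"   # constructed sample
    bank = Bank(allow_credential_fallback=fallback_allowed)
    bank.register(user, pw, 100)
    token = bank.issue_token(user, pw, READ_ONLY)
    out = {"token_read": bank.api_request(token, "read:balance")}
    out["token_transfer"] = _attempt(bank.api_request, token, "transfer", 40)
    out["scrape_transfer"] = _attempt(bank.scraped_login, user, pw, "transfer", 40)
    bank.revoke(token)   # the customer withdraws the third party's access
    out["revoked_token"] = _attempt(bank.api_request, token, "read:balance")
    # Revoking the token does nothing to the shared password: only a password
    # change ends scraped access, and it ends it for every third party at once.
    out["scrape_after_revoke"] = _attempt(bank.scraped_login, user, pw, "read:balance")
    return out


if __name__ == "__main__":
    print("fallback allowed:", demo(True))
    print("fallback disabled:", demo(False))
```

With the fallback enabled, the scraped path ignores the read-only scope and survives token revocation, which is the point FIDO makes: as long as the bank accepts replayed passwords, the protections of the token path only apply to third parties that choose to use it.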
FIDO Alliance Recommendations
The FIDO Alliance strongly urges against making a screen scraping protocol a part of the final technical standards mandated when the PSD2 goes into effect. The PSD2 will be around for years after that, which means that the screen scraping method will remain an accepted protocol for many years to come. Plus, fintech companies will have little incentive not to use it, especially if the safer protocols are less convenient to use.
FIDO said that if some banks really can’t get around to implementing the safer protocols by the time the PSD2 goes into effect, then those banks should be exempted through policy from being mandated to use the PSD2 immediately, rather than making the screen scraping protocol an official standard. Additionally, FIDO argues that by allowing the screen scraping protocol in the final technical standards of the PSD2, it would dilute the message that the European Commission wants the banking sector to use better security for their customers.
Updated, 9/08/2017, 12:40pm PT: The headline was updated to clarify that it's the screen scraping that could be allowed in the final draft of PSD2 that worries the FIDO Alliance, and not the whole PSD2 legislation.