FinTech changes could open up new attacks on organizations and consumers

HONGKONG, CHINA - Media OutReach -18 September 2019 - Trend Micro Incorporated (TYO: 4704; TSE: 4704),a global leader in cybersecurity solutions, today release researchdemonstrating that major new European banking rules could greatly increase thecyberattack surface for financial services firms and their customers.

The new research details the impact ofthe EU's Revised Payment Services Directive (PSD2), which is designed to giveusers greater control over their financial data and the option of sharing itwith a new breed of innovative Financial Technology (FinTech) firms. The sameideas are spreading globally under the term "Open Banking."

"The financial sector has always beena highly attractive target for cybercriminals, and PSD2 and Open Banking areset to offer hackers even more opportunities to steal sensitive personal andfinancial information," said Ed Cabrera, chief cybersecurity officer for TrendMicro. "Our concern is that the industry may not be fully prepared to deal withthis greatly expanded attack surface. That's why we wanted to understand therisks before they occur, so we can help FinTechs and traditional lendersprotect their assets first."

The report highlights several possibleattack scenarios under the new regulatory regime:

• Attackson APIs: Public APIsare at the heart of Open Banking, allowing approved third parties to accessusers' banking data to provide innovative new financial services.Implementation flaws in these APIs will allow attackers to exploit back-endservers to steal data.
• Attackson FinTech companies:Users will be forced into a new trust relationship with providers that may havefewer resources than their banks and no track record on data protection. In aquick survey of Open Banking FinTechs, Trend Micro found them to have anaverage of 20 employees and no dedicated security professional. This makes themideal targets for attackers and raises concerns over security gaps in theirmobile apps, APIs, data sharing techniques and security modules that could beincorrectly implemented.
• Attackson the apps or mobile platforms:Most Open Banking services will be deployed as mobile apps, making these aprime target for attackers. Finding the username, password, or encryption keyswithin the app would allow a criminal to retrieve banking data and pose as theuser. Even if the apps don't have permission to make payments, they couldcontain transaction data, allowing an attacker to build a highly accurateprofile of their victims.
• Attacksagainst the user:Because new Open Banking apps will become the primary means for users to accessfinancial data and services, phishing attacks could reap major rewards forattackers.

To prepare for the changing landscape,Trend Micro details how financial institutions can improve their cyberresilience. These include ensuring sensitive information is never contained inURL paths, prioritizing secure protocols, and eliminating risky practices.

Meanwhile, Open Banking app developersand owners must adopt a secure-by-design approach, including regular softwareaudits.

To find outmore about the cyberrisks associated with new Open Banking rules, read ourreport, Ready or Not for PSD2: The Risks of Open Banking, here: https://www.trendmicro.com/vinfo/hk/security/news/cybercrime-and-digital-threats/the-risks-of-open-banking-are-banks-and-their-customers-ready-for-psd2.

About Trend Micro

TrendMicro Incorporated, a global leader in cybersecurity solutions, helps to makethe world safe for exchanging digital information. Our innovative solutions forconsumers, businesses, and governments provide layered security for datacenters, cloud environments, networks, and endpoints. All our products worktogether to seamlessly share threat intelligence and provide a connected threatdefense with centralized visibility and control, enabling better, fasterprotection. With more than 6,000 employees in over 50 countries and the world'smost advanced global threat intelligence, Trend Micro enables organizations tosecure their journey to the cloud. Formore information, visit www.trendmicro.com.hk.