Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Go back
Apart from dynamically linked TANs that will only allow for those transactions that are linked to them some schemes further ask for credentials like the online banking PIN. This PIN will allow for full and repeated access to almost all information with online or home banking. Furthermore these credentials will allow for payments orders not only by payment initiation services, but anybody by accessing the ordinary online banking features provided to their customers.
In its recital 14 of the draft EBA itself points at the risk of phishing or other fraudulent activities. The recital states that it is with that deemed important to ensure that the account servicing payment service provider shall be aware that he is being contacted by a payment initiation service or an account information service provider and not by the client itself. Yet this is not enough.
We may expect that fake or hacked online shops may direct consumers to fake payment initiation services as those services will always be accessed by a consumer via a link. Thus fake initiation services may collect the credentials and may initiate payments the same way as a consumer and with that anybody with those credentials could do. Up to the new regulation some services had to do this themselves just in order to be able to offer their services.
Keeping this practice would allow fraudsters to further use those credentials provided by a consumer to mimic a payment order by that consumers himself. And with that those efforts set to ensure for secure connections in between account institutes and initiation services would almost be in vain, if any fraudster could easily circumvent these precautions as described above.
Furthermore dynamically linked credentials will provide for the amount but the recipient or payee is likely to be stated only by their bank account number. The latter is a credential not known in detail to the consumer. While there can be no more tricks on the amount, the payee of that payment could still be forged.
We ask to reconsider whether the use of secured links in between account service providers and initiation services could as well be used to plan for credentials that only those services can actually use to induce a payment.
The implied risk that phishing activities will reignite once the practice of payment initiation services gets wider acceptance and consumer are ready to share this data more frequently to use these payment options should be blocked by concept.
The EU regulator decided to allow for those services. With that it is no longer possible to give a simple advice to consumers like never to use their main key for online banking on another website but that of their own bank to keep these credentials safe.
With this decision it is now important to prevent consumers from falling prey to fraudsters due to that decision. We may even see that those who do will not necessarily be adequately safe by the legal standards set for unauthorised payments. This is because we expect discussions whether anybody entering these credentials at a fake side may become suspected of having acted with gross-negligence.
By adding a difference in what an initiation service is expected to present to account holding service from what customers themselves are expected to present to their payment service provider, there is a good chance to prevent this kind of fraud. Because in the follow-up of recital 14 and respective regulation a bank is to know the difference.
Apart from the issue of fraudulent payment there are further risks that arise, if criminals get hold of those credentials. Insight into the account and on further details like address and card limits etc. may support criminal activities against consumers. Their actual financial situation, when and where a consumer is usually or at a certain point of time located and even important codes sent by 1-cent transactions could get compromised. This would further allow criminals to mimic a card holders activities in order to circumvent security schemes that monitor the way payments instruments are used to detect unauthorised usage. And by those codes sent to bank accounts even further payment accounts could be opened on the name of an unsuspecting consumer in order to be abused for money laundering.
We further support the issue named by BEUC on the issue of restricting the rules only to card based transactions.
With answering we have restricted ourselves to point on issues with three of EBAs questions only and furthermore refer to and endorse those answers presented by BEUC.
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
NA - see BEUC and our General Comment on Category of OrgansiationQuestion 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
NAQuestion 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
Within the concept of securing the communication in between the payment service users and payment service providers – including payment initiation services - we see the issue that not all items of credentials actually in use are protected adequately by the concept of dynamic linking and the use of different elements of credentials.Apart from dynamically linked TANs that will only allow for those transactions that are linked to them some schemes further ask for credentials like the online banking PIN. This PIN will allow for full and repeated access to almost all information with online or home banking. Furthermore these credentials will allow for payments orders not only by payment initiation services, but anybody by accessing the ordinary online banking features provided to their customers.
In its recital 14 of the draft EBA itself points at the risk of phishing or other fraudulent activities. The recital states that it is with that deemed important to ensure that the account servicing payment service provider shall be aware that he is being contacted by a payment initiation service or an account information service provider and not by the client itself. Yet this is not enough.
We may expect that fake or hacked online shops may direct consumers to fake payment initiation services as those services will always be accessed by a consumer via a link. Thus fake initiation services may collect the credentials and may initiate payments the same way as a consumer and with that anybody with those credentials could do. Up to the new regulation some services had to do this themselves just in order to be able to offer their services.
Keeping this practice would allow fraudsters to further use those credentials provided by a consumer to mimic a payment order by that consumers himself. And with that those efforts set to ensure for secure connections in between account institutes and initiation services would almost be in vain, if any fraudster could easily circumvent these precautions as described above.
Furthermore dynamically linked credentials will provide for the amount but the recipient or payee is likely to be stated only by their bank account number. The latter is a credential not known in detail to the consumer. While there can be no more tricks on the amount, the payee of that payment could still be forged.
We ask to reconsider whether the use of secured links in between account service providers and initiation services could as well be used to plan for credentials that only those services can actually use to induce a payment.
The implied risk that phishing activities will reignite once the practice of payment initiation services gets wider acceptance and consumer are ready to share this data more frequently to use these payment options should be blocked by concept.
The EU regulator decided to allow for those services. With that it is no longer possible to give a simple advice to consumers like never to use their main key for online banking on another website but that of their own bank to keep these credentials safe.
With this decision it is now important to prevent consumers from falling prey to fraudsters due to that decision. We may even see that those who do will not necessarily be adequately safe by the legal standards set for unauthorised payments. This is because we expect discussions whether anybody entering these credentials at a fake side may become suspected of having acted with gross-negligence.
By adding a difference in what an initiation service is expected to present to account holding service from what customers themselves are expected to present to their payment service provider, there is a good chance to prevent this kind of fraud. Because in the follow-up of recital 14 and respective regulation a bank is to know the difference.
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
We fully endorse BEUCs response and only like to add that with respect to Article 74.2 of PSD 2 such further choices do exist in the German market. Payees do accept IBAN or credit card numbers to enable card or direct debit payments and take the risk that some default may occur by lack of coverage or fraud. If a provider considers the risk small compared to the extra costs for more secure payment methods even further exemptions are thinkable. As long as in accordance to Article 74.2 the payers do never face any liability for any wrong or fraudulent payments this practice so far has been acceptable to consumers.Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
NAQuestion 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
As already further described by our response concerning Q03 we endorse the importance of data protection. With that we are wary on the protection of those security credentials that are further useable and not entirely restricted by dynamic linking to a single usage. A PIN code to access the online banking account is something that should be kept private at all time.Apart from the issue of fraudulent payment there are further risks that arise, if criminals get hold of those credentials. Insight into the account and on further details like address and card limits etc. may support criminal activities against consumers. Their actual financial situation, when and where a consumer is usually or at a certain point of time located and even important codes sent by 1-cent transactions could get compromised. This would further allow criminals to mimic a card holders activities in order to circumvent security schemes that monitor the way payments instruments are used to detect unauthorised usage. And by those codes sent to bank accounts even further payment accounts could be opened on the name of an unsuspecting consumer in order to be abused for money laundering.
We further support the issue named by BEUC on the issue of restricting the rules only to card based transactions.
Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?
NAQuestion 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?
NAQuestion 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?
NAQuestion 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.
NAPlease select which category best describes you and/or your organisation
[Consumer or consumer association"]"Please select which category best describes the services provided by you/your organisation
[Other"]"If you selected "Other", please provide details
General remark on the answers: As a consumer organisation Verbraucherzentrale Bundesverband e.V. (vzbv) will only partially comment on important issues regarding security from a consumer’s point of view. With that the approach in general by this Regulatory Technical Standard (RTS) is expected to meet security issues in an adequate way. Yet some important aspects seem not to have been pondered regarding our remarks to the first consultation on these RTS. We see options for serious security circumvention being still undealt with.With answering we have restricted ourselves to point on issues with three of EBAs questions only and furthermore refer to and endorse those answers presented by BEUC.