Westpac, CBA, NAB see IT security risks if consumer data right expands

Westpac, CBA and NAB want to see a centrally-coordinated security operation set up to protect consumers and industry participants from attacks and exploits of consumer data right functions.

The banks laid out a series of security concerns in submissions to a Treasury inquiry that is scoping future directions for the consumer data right (CDR).

One direction under consideration is enabling “write access”. 

Currently, the CDR enables third parties to access data from banks on a read-only basis, but “write access” could allow that third party “to change or add to data about a customer at the customer’s direction and with their consent,” according to the Treasury.

Banks imagine a few ways this might look. 

For example, a comparison site could allow users to apply for a financial product directly from their site, rather than redirect them; or having a third-party direct a customer’s bank to pay a bill or other transaction.

Banks have expressed a range of concerns about the potential arrival of write access, including timing, user demand for it, and potential limitations.

But they are most concerned at the potential for an attacker to exploit the functionality to defraud customers or to break banking IT systems.

Of the ‘Big Four’, Westpac [pdf], CBA [pdf] and NAB [pdf] all want to see a “centralised cybersecurity capability” set up to run threat intelligence and monitoring and to manage the response to any threats or breaches.

“Commonwealth Bank supports the creation of a centralised CDR cyber-security capability across the respective CDR governance entities, which would be accountable for intelligence gathering and coordinating responses to incidents and data breaches,” CBA said.

Westpac went further, asking for a “24x7 centralised security operations centre (SOC) responsible for monitoring the RAAP (Register & Accreditation Platform)” - the CDR’s IT backbone - “and coordinating responses to threats across the CDR ecosystem.”

“In considering the scope and nature of security monitoring, a 24x7 system would provide early visibility and timely response to security incidents in the ecosystem and reducing the window of exposure to external threats where cyber criminals could target unmonitored systems,” Westpac said.

Westpac said there was a need for “real-time detection and flagging of anomalous/unusual behaviour at both customer and participant level.”

“This should be mastered and monitored centrally to identify anomalous activity and trends early across the CDR ecosystem,” it said.

“This would reduce participants’ reaction time when incidents occur and better protect consumers, their money, data and identity. 

“It would also ensure that participants do not operate in isolation, but rather coordinate to shut down security threats effectively and quickly.”

Westpac revealed that a cyber security strategy was already being worked on by the Australian Competition and Consumer Commission (ACCC) and CyberCX, a company with the services of many high-profile names including former Australian Cyber Security Centre (ACSC) chief Alastair MacGibbon.

“We understand that the ACCC has engaged CyberCX to develop a cyber security strategy for the CDR which will address the register, governance, controls and monitoring and the wider ecosystem,” Westpac said.

“We take this opportunity [with the Treasury inquiry] to reiterate the recommendations we made to CyberCX.”

Westpac said that scheme-wide rules were needed in case a large-scale security incident occurred on CDR infrastructure, particularly if the right moved beyond read-only access to data.

Those rules needed to cover incident response up to drastic actions, including conditions under which the entire CDR might need to be shut down.

Westpac said that attackers were already interested in bank customers even before the CDR came into play earlier this month.

“In 2019, Westpac responded to 1460 unique phishing sites which attempted to convince customers to disclose their banking passwords, and 116 unique banking-specific malware that attempted to compromise one of our brands,” it said.

“Each of these involved material effort on the part of the attacker, in expectation of a return.”

Westpac said that any move to allow third parties to take action on a consumer’s behalf would need to be thought through carefully.

“In an environment of increasingly large cyberattacks and data breaches, it is known that attackers are developing vast stores of compromised identity information and login credentials,” Westpac said.

“API-enabled and automated or partially automated account creation gives rise to the risk that attackers could use stolen personal information to open accounts, potentially at scale.”

CBA similarly said that strong controls were needed if the CDR is to be expanded “to ensure the system cannot be utilised to fraudulently access consumers’ information, financial facilities and savings.” 

“The changes required to enable write access in existing CDR systems and infrastructure will impact the core systems of data holders while also exposing data holders to additional threats to critical IT assets, storage capacity and computing capability,” CBA said.

“Additional controls such as strong input validation and sanitisation would be required to mitigate the risks of a participant injecting abnormal volume or malicious content into data holders’ systems. 

“Given the current technical standards of the CDR were developed for read access only, Commonwealth Bank understands new technical standards would be required to support write access, including detailed security specifications. 

“Commonwealth Bank strongly recommends the prioritisation of designing strong security controls to protect consumers from exposure to material risk associated with the introduction of write access.”

ANZ Banking Group also responded to the inquiry but its submission [pdf] largely called for an examination of potential use cases for write access, rather than digging specifically into security concerns.