
Strengthening Trust in Financial Services: QWACs, Security Certificates, and PSD2 APIs

“Change with the times or the times will change you”

How true this saying still is, and how dangerous it is, especially in IT, to fall behind the times, is something the media remind us of regularly. Who still remembers the “WannaCry” ransomware attack that was all over the news in 2017 and, unfortunately, on many infected computers as well? The attackers exploited a vulnerability in Windows’ SMBv1 file-sharing service for which Microsoft had already released a patch about two months before the attack. Companies and organizations that had not applied the update in time were still exposed and were promptly hit.

The consequences were significant: WannaCry caused estimated global damage of up to 4 billion USD, spread across roughly 230,000 infected computers in more than 150 countries. Critical infrastructure such as hospitals, emergency services, gas stations, and factories was affected, with substantial operational disruption and production outages.

Conclusion: If companies do not continuously update their systems and adapt to the latest security standards, it can have unpleasant consequences for all of us.

Surfing Safely with Confidence Thanks to QWACs

In our digital world, more and more of daily life is shifting into the virtual realm. Trust in security is crucial for everything we do online, because we routinely share highly sensitive personal data or make payments over the web, and our counterpart is usually not a person but a digital input or onboarding form. The EU recognized this need and, with the eIDAS Regulation, introduced Qualified Website Authentication Certificates (QWACs): digital certificates that authenticate a website and the legal entity operating it. They offer a high level of trustworthiness because they may only be issued by qualified trust service providers (QTSPs) established in the EU, after strict identity verification of the applicant. QTSPs are organizations that provide services establishing trust in the digital world, such as qualified electronic signatures, timestamps, or certificates. A QWAC lets a user reliably identify the organization responsible for a website and, being an ordinary TLS certificate as well, also secures the encrypted connection to it.

Certificate Revocation

However, QWACs must also “keep up with the times”: they expire, and they can be revoked before they expire, for example when the private key is suspected to be compromised or the holder’s details change. A revoked certificate is withdrawn from circulation by placing it on a Certificate Revocation List (CRL). QWACs are standard X.509 certificates, so nothing here is QWAC-specific: the CRL is the ordinary RFC 5280 mechanism, issued and digitally signed by the QTSP’s certification authority, and it lists the serial numbers of the revoked certificates, the date and time of each revocation, and usually a reason code. The CRL is republished at regular intervals and carries a nextUpdate field stating when a fresh copy is due. Where to fetch it is stated in the certificate itself, in the CRL Distribution Points extension, as a URL. When a browser or application validates a QWAC, it retrieves the current CRL from that location, verifies the CRL’s signature, checks that the CRL is not past its nextUpdate, and looks up the certificate’s serial number; if the serial number is listed, the certificate must be treated as revoked.

Regular CRL checking lets browsers and applications refuse connections to sites whose certificate has been withdrawn, which is one building block of a high level of security (a revocation check says nothing about a site whose certificate is still valid, so it complements rather than replaces the other checks). The same mechanism applies to the QWACs that registered Third Party Providers (TPPs) present when they access banks’ PSD2 APIs, where it underpins secure and trusted interactions in financial services. There is no doubt that financial data, alongside health information, is among the most sensitive and valuable data there is and must be protected accordingly.

Risks and Side Effects of Neglected PSD2 Interfaces

Banks, to whom we entrust our financial data, have a particular responsibility to check CRLs regularly so that they only accept valid and trustworthy certificates. A certificate is revoked for a reason: its private key may have been compromised, the TPP’s authorization may have been withdrawn, or its details may have changed, and a bank that keeps accepting it allows whoever holds the key to act as the TPP. Regular certificate checks also help meet compliance requirements under PSD2, protect against service interruptions, and minimize the risk of fraud. This preserves the integrity of banking systems and maintains customer trust.

Unfortunately, it still happens that banks accept expired or revoked QWACs. This occurs when the PSD2 interface, or the TLS termination in front of it, checks the certificate’s signature chain but never consults the CRL or an OCSP responder, or keeps using a cached CRL that is long past its nextUpdate. A robust PSD2 API, such as Qwist’s PSD2 API solution, implements several layers of checks so that a revoked QWAC is rejected.

Secure QWAC validation consists of several steps: building and verifying the certificate chain up to a qualified trust anchor from the EU Trusted Lists; checking the validity period (notBefore/notAfter); regular CRL checks, with the CRL’s signature and nextUpdate verified; real-time OCSP (Online Certificate Status Protocol) queries as the more current status source; and validation of the PSD2-specific information the certificate carries: the PSD2 roles (PSP_AS, PSP_PI, PSP_AI, PSP_IC) and the name and identifier of the national competent authority in the QcStatements extension defined by ETSI TS 119 495, plus the authorization number in the subject’s organizationIdentifier. The checks should be implemented with mature validation libraries rather than hand-written parsers, and they must fail closed: if neither the CRL nor the OCSP responder can be reached, the certificate’s status is unknown and the request should be refused rather than waved through. Together these measures ensure that only valid, non-revoked QWACs with the right roles are accepted.

Banks and financial institutions whose PSD2 APIs do not implement these measures expose themselves to significant risks. Expired or revoked QWACs, presented by third-party providers (TPPs) to access PSD2 APIs, can have serious consequences for security and compliance:

  • Violation of Regulatory Requirements
    PSD2 mandates that financial service providers maintain high security standards. Accepting expired or revoked certificates could violate these requirements, potentially leading to regulatory fines or sanctions.
  • Disruption of Access to PSD2 APIs
    Expired or revoked certificates cause banks to block access to their APIs, so the TPP can no longer retrieve financial data. This is exactly the right outcome, but for the TPP it means downtime until a new certificate has been issued and deployed.
  • Trust Issues with Customers
    Accepting expired or revoked certificates undermines customer trust in the service. Customers may move away from providers deemed less secure, leading to a loss of business and reputation.

None of this has to happen if banks and financial institutions keep up with the times and keep their PSD2 APIs up to date. Partnering with an experienced external technology provider that offers mature, proven solutions, such as the PSD2 API from Qwist, takes this source of danger off the bank’s own plate. This way, banks can move forward without being left behind by time. After all, the next cyberattack is sure to come.
