Identification in online payment services

The electronic payments have been evolving considerably, with its use expanding due to the impact of the measures adopted with regard to the coronavirus pandemic. Some of the risks for data protection may arise out of methods to authenticate the identity of the payer and the vulnerability of mobile devices and any possible additional processing activities that may occur in certain implementations.

Payment services are regulated through Royal Decree-law 19/2018, of 23 November, on payment services and other urgent financial measures, implementing Directive PSD2.
The traditional way of accessing online services through credentials that are solely based on the user and the password have proved to be insufficient, as evidenced by the recent history of the many security breaches that have occurred. Some have resulted in the leak of millions of credentials and others have materialised as a result of too simple passwords.

Hence, the security provided by the use of a single factor of authentication has been considered as too limited and the necessity has been statutorily established to introduce a strong authentication, that is to say, an authentication that is based on at least two of the following factors: something that is known by the user, something that is held by the user and something that the user is.

With this goal in mind, PSD2 introduces the requirement to implement the Strong Customer Authentication (SCA), based on a second authentication factor that provides a robust way of identification. In this regard, additionally to the traditional combination of the user and the password, something held by the user could be requested, such as a digital certificate, a cryptographic device that generates a single number (One-Time-Password or OTP) for each user that is the size of a key-ring, a telephone line to receive an SMS or an app in a mobile device. Coordinate cards are not part of this set of options, given that the European Banking Authority, through its Opinion dated November 2019, where valid mechanisms are identified, rules out this system together with the introduction of the details printed on the card itself such as the CVV.

The operation to provide a second authentication factor has mainly focused on strategies that are based on the user's mobile phone, either through OTP or through the use of apps. This approach sought to benefit from the facility of implementation, as the device was provided by the very user, and it permitted the financial entity to implement additional products and services in the case of an App.

For OTP, an SMS is typically sent with a code (OTP) to a mobile number at the time to carry out a financial operation. Such mobile number is priory authorised by the banking entity in the user’s account, and the user needs to introduce this code in the website or app where the purchase is being made or in the banking service where the operation is taking place.  Thus, the double factor is achieved through knowledge of the banking data and availability of a phone number where the one-time password can be received.

The protocol used to send these SMS, called SS7, was developed more than 40 years ago and did not seek security as one of the goals of its creation. This protocol has recently been in the public eye as a result of the security breaches occurred in relation to its vulnerabilities. On another note, the several weaknesses of this way of identification can be seen reflected in the shape of news where warnings are made on the occurrence of banking operations carried out by a third party who has gained online access to bank accounts. The procedure is as follows:

  • First, they obtain the user and the password, either because of a security breach suffered by another provider where we are reusing those credentials or as a result of a phishing attack where this information has been stolen while trying to access a fake bank website.
  • Once our username and password have been obtained, our telephone operator is addressed through phishing. In order to do this, they usually use data that are publicly available in social networks or data affected by a security breach, such as an image of an official document we may have submitted to another web service.
  • After overcoming the operator’s verification mechanisms, our identity has been phished, and a duplicate of our SIM card may be requested for a swift performance of the fraudulent operations in our bank account. This technique is called SIM Swapping and if we were to suffer from a lack of coverage at places where this should not be the case, there is a possibility we may be suffering this fraud.

In order to fight against this type of fraud, banking entities and big Internet companies have started to apply alternatives to the OTP service via SMS through an option to send such codes via App notifications from their own Apps installed in verified mobile devices. In case of duplication of the SIM card, the message with the code would still arrive to the App installed in the original device via Internet, instead of an SMS to the attacker's device. Notwithstanding, the threat may persist while this migration is not completed or if the procedures for changes in the trusted device are weak for the fact of being based on passwords, security questions or SMS.

Directive PSD2 does not establish which precise technical mechanisms are valid for the reinforced authentication of clients. It is the guidelines of the European Banking Authority that present a non-exhaustive list of the different alternatives that are valid for each authentication factor. One of them is the submittal of OTP in Apps installed in related devices, but there are others that could be offered to clients such as a digital certificate or a certain token hardware/software, which may minimise the risks regarding data protection.

On the one side, a mobile phone is a device owned by the majority of the population,  but not all people have a smartphone or the necessary skills to use certain applications. Furthermore, this approach makes it compulsory to provide a mobile phone number at the time to sign in. For frequent smartphone users, that is, for users who expose their terminal on a frequent basis, both because they carry it permanently, because they need to show it for other services and because they access the Internet through such terminal frequently, this entails the need to put the second authentication factor under permanent risk.

On another note, the use of mobile terminals and apps may expose the user to additional processing activities, as a result of the use of personal information by the data controller or by third parties obtained either directly or through unique identificators linked to the mobile terminal, as well as the processing of personal information through the libraries or SDKs in preinstalled apps.

When mobile applications introduce new personal data processing activities, the data controller needs to have the legal basis for such processing activities.  More precisely, when such legal basis may only be based on consent, no additional processing activities may take place, subject to the responsibility of the entities or that of third parties, as a condition to access the financial services.

In addition, they will need to adequately manage the risks for the rights and freedoms of data subjects and to avoid including processing activities of accessory personal data that may have a negative impact on the privacy of the citizens and may breach the minimisation principle established by the GDPR.

As recommendations for users, firstly, it should be noted that the same passwords should not be reused in different services and simple or weak passwords should be avoided. Users should be careful when accessing the bank's website or online shops, and should avoid doing so through links provided in messages or emails. They should also limit the information published on the Internet and be aware of the possible processing operations that may be carried out with such information.

It is important to keep the device used for financial transactions updated and protected against malware, as well as to install only the essential apps and always from official repositories (official app stores in the case of mobile devices).  If you notice that your mobile phone is not covered by the telephone line while other nearby mobiles are, you may have suffered a SIM swapping attack, and you should contact your telephone provider immediately.

Finally, in the event of fraud, you should file a report with the Police or Guardia Civil as soon as possible and inform your bank and the telephone company providing the service.
You may find further information about data protection and privacy on the Internet on the Innovation and Technology website of this Agency, as well as on our blog: