PSD2 a banking standard for scammers?

In 2022 i gave a talk at conference May Contain Hackers. Because the feedback on this talk was so positive i have included it here on this blog including a transcription.

Welcome to PSD2 a banking standard for scammers? With a question mark because that’s what we’re trying to find out.
I won’t be giving a presentation today, because that’s usually not what i do. But i will tell you a story. And with this story i’m going to take you on an epic journey from The Netherlands to Belgium, to our capital of Europe, to Portugal and all the way back to Latvia. So i think that’s pretty interesting. Let me start by telling you a little bit about me.
I have a background in electrical engineering. That’s what i studied and in 2002 i founded my company CloudAware. I’m a technical consultant and everyone always asks me so what is it that you do. That’s a difficult question because in the word cloud next to my name you can see it’s quite a lot so what i usually say is i go to mostly non-technical companies and i help them with their technical questions. About 10 years ago i also started working with VoIP services. As far as i know, and please do correct me later if you know that i’m wrong, i’m the only telco in Europe that is providing emergency services 112 in every member state in Europe.

If you want to talk to me later after the talk you can find me in the in the Swiss village here at May Contain Hackers. All right, so a while ago i was working for a customer and the customer wanted the PSD2 product. So i started working on that and while i was working on that i thought: “Okay what is it exactly?”. Well PSD2 is a Payment Service Directive. It’s has been active since 2019 and for those who are not familiar with a directive: A directive is a document that is crafted in Brussels by the European Commission and that document has to be implemented in law in every different member state in Europe. That is very important: It is implemented in every member state in Europe. I’ll get to that later.
It’s meant to drive innovation. Because in the “old” days you needed to be a bank to in order to provide financial services and now you can also register yourself as a Payment Institution. And a Payment Institution is not someone who’s a bank or a credit card company, but it still has very strict capital and risk management requirements and i’ll definitely get back to that later. Because that’s very important in this talk. So let me focus a little bit on how The Netherlands does this, because that’s where i’m from and i know the most about it in The Netherlands.
The body that regulates this is called De Nederlandse Bank, the dutch national bank. I’ll just call it for now DNB because that’s that’s less dutch and more international. The DNB says okay so first you have to draft all these documents to proof stuff and provide information to us and then we’re going to make a decision about it. The decision is going to take minimum three months. So okay that’s quite some time but it’s still doable. They did not want to be too specific about the price, but i do understand from people in the industry you can buy a really nice car with that money. And i mean a really nice car.
So it’s not cheap to get a PSD2 license in The Netherlands. And then there’s a document. The document describes the requirements you have if you want to have a PSD2 license in The Netherlands. This document is eight pages long and it is basically just refers to law. So it is very very extensive and i just picked four out of them because otherwise we wouldn’t have enough in 30 minutes here. Let me have a look at the first one it’s article 3.9 from the Dutch “Wet op Financieel toezicht”. This is the law that governs financial institutions and it says you need to have a reliable decision maker. In other words if you have a criminal record or something like that you cannot be a board member of the company that wants a PSD2 license. Okay that makes sense, you don’t want for example scammers to have a banking license.
Furthermore you have to register everything in procedures. Everyone who has an ISO certification knows how difficult that can be so the three months is definitely a minimum and it probably takes a lot longer to get one of these licenses in The Netherlands. I know one very interesting one: all your employees have to take an oath. I was a bit interested in that as i’m not sure what the oath says, but it specifically said that all your employees have to take an oath if you want to have this license. I have never seen that before.
The article 1117 was also interesting that basically states that you have reasonable wages. It doesn’t state that but i’m guessing it’s not a low end of the wages, but it’s probably board members who cannot make three or four times more than the whole revenue of a year for this company. This also makes sense because you don’t want specific people to withdraw all the money from that company and then go bankrupt or something like. That would create huge problems you want to have trust in financial institutions so actually this is a very good idea. This is how you would want to do it. Don’t make it too easy, but do create opportunities for fintechs to create financial products.
So then i thought: “Yeah that’s that’s a lot of work, can it be done easier?” And then i thought of of a different law: i thought of Lisbon. And Lisbon, it’s a nice city, nice people, good food, good wine and better weather than The Netherlands. But it has something else: it has the Lisbon treaty and specifically article 56 of the Lisbon treaty. And this article says the following:

Within the framework restrictions on freedom to provide services within the union shall be prohibited in respect of nationals of member states or established a member state other than that of the person of whom the service are intended

In other words i can buy this service anywhere in the the European Union and maybe there’s a different member state where these PSD2 rules are less strict. That would be nice, so i started looking and i promised you we’re going on a journey today so let’s go to Latvia. Latvia is a member of the European Union and therefore they provide PSD2 services. And i found a reseller of PSD2 services. So i went to this reseller and i said: “This sounds interesting. This is exactly what i want. How can i you become a customer of yours?”. And they responded with: “Oh just go online and fill out your email address, choose a password and you’re good to go” That sounds fantastic. So how much does it cost? And i was thinking about this nice car right? And they were like: “Let’s see. Do you need enriched data? In other words: do you want to know for specific data if it was a transaction for a supermarket or something like that? I responded with: “No, i just want the raw data itself”. They responded with: “Oh that’s fine then it’s free!” I thought: “oh.. interesting”
So basically i went from you know big six figures plus a lot of work to five minutes of work and zero euro costs. Fantastic so now i have this capability and i should test it. So i called my friend Bob and i said: “Bob, can i try to hack your bank account?” And Bob is an is a nice guy he’s smart and this is the person who would never click on a scamming or phishing link. So i thought it will be difficult. But everyone has everything online so i checked out his LinkedIn, i checked out his social media and i now have a lot of information about him. I know his address, i know his date of birth, full name, where he works, everything. So let’s create an email not asking for any information, because that’s what scammers do. But in my email stating: “This is the information we have about you can you please confirm this?” And i thought it’s a long shot, he will never do this. A few weeks after i talked to him when he probably already had forgotten about it i send the email to him. I thought he will never click on it and… yeah i was wrong. You don’t have to read this but this is the raw data that i got from his bank account. I literally got all his bank accounts, how much money was in the bank accounts and literally every transaction of the past year of of his bank accounts. Let’s go over a few of them.
It is a bit difficult to see, but you’ll probably have to check it out later on the online streams. There is some interesting information in there. For example i know that he is going to the “Albert Heijn” every day between seven and eight. You may wonder why this is important. well for some people this could be a security issue. For some people you don’t want to have a specific pattern known and these sorts of patterns can actually be derived from this data. But you can also see that he has Spotify and Netflix account. There’s also a lot of order data in there so i can actually see that he ordered from bol.com, which is a Dutch Amazon basically. The order number and everything are clearly visible. I can actually see his address, because he paid for his water bill and the water bill actually was transferred the amount of money with the complete address and everything in it. So i know how much water he uses and where he lives. I already knew that of course because i know him, but scammers could definitely use this sort of personal data. This is such an amazing source of data.
Okay, so yeah huge amounts of information, i get raw data for free from Latvia without any certification. I could be criminal, i could have a criminal record, no one ever asked me about it. Yeah, so how difficult is it to do this? I already told you in Latvia you can get a reseller for PSD2 for free within five minutes and then i use some amazing tools: curl basically. Then i just use the rest api of that PSD2 reseller. Then i converted it to csv for viewing it in in Libreoffice calc and that’s basically it. It’s this easy you could do it in any way you could push it into a python object and do it really automatically. So i was wondering if this is actually used and then i started thinking about Paypal.
Because if you go to Paypal they say you can link your bank account. In the old days they transfer two amounts of money to your bankaccount like one cent and five cents and then you had to fill out zero one zero five and then your bank account is linked to to your Paypal account. Not anymore! So what they now say is link your bank account, Then you choose your bank and in The Netherlands this looks like this. I just choose my bank and then it says this. Now it becomes really interesting because of what this text actually says. This is an actual screenshot of Paypal and it says

Login to use your bank account instantly. This will allow us to confirm your bank account details
and view balances and transactions in your bank account anytime it's necessary over the next 90 days.
We will save and use this data exclusively for fraud prevention and risk management and to make
sure there's enough funds for your paypal payments. By continuing you agree to the above permissions

I though aha! I know for sure this is PSD2 AIS. So yeah, this is actually used and there’s very little scope. I sort of trust Paypal. They’re not scammers or anything like that but there’s a lot of data that you’re transferring to to Paypal and the real question is do you want this or do you still want to pay one and five cents to link your bank account that way. I think the latter obviously The scope is pretty much everything and once you’ve given consent the consent is valid for 90 days. So for example if after 80 days they want to know let’s see what transactions were performed in the past 20 days, they can again query your bank account and get all transactions and they can do this every day. I think that’s a problem. So conclusion.
I do think it’s good that something like PSD2 exists. It is no longer just banks who can actually create financial products but actually have fintechs who create amazing products this way. But i do think that it needs a little bit of regulation and especially harmonization and national regulations. It was really weird to see that i went from The Netherlands, where i had to do all this stuff to to get this data. And then i just went to Latvia and i was told you’re fine here it is without any questions asked. So harmonization is definitely needed here.
I do think that the consent has to be more explicit if we remember this button at Paypal it’s just this big button “click here to link your bank account” and no one is going to read this. I mean south park explained it pretty nicely in their episode about consent. So i think it should be more explicit and it should be easy to withdraw consent. So i try to query my own bank account later and and it specifically says you can always, if you want to, withdraw this consent and then the 90 days just stops from from that moment on they don’t have access to your data anymore

I haven’t found this button yet and i consider myself a pretty technical guy and i was not able to withdraw consent. So i think there’s an issue there too that should be addressed

So basically what i’m saying here is once you are in this PSD2 prison you won’t be pardoned once you’re locked in.