Participating at the #fintechEU conference brought home to me the vibrancy of the European fintech scene. European innovation, coupled with sensible regulation, is opening the market to new entrants, and they are ready to shake things up. However, EU citizens will only take it up if they trust fintech products to be secure. Today, the EU leads the world in cybersecurity products and services, but it can’t rest on its laurels – it must ensure it continues to support and protect European innovation.
This second and updated version of the European Payments Services Directive (PSD2) will facilitate a revolution in payments when it comes into force next year. Traditional banks will now face competition from entirely new third-party providers leading to disintermediation of traditional banking services. Established banks will have the opportunity to rethink business models and to out innovate their rivals and new entrants, resulting in overall better services.
However, these benefits will only be achieved if the cybersecurity challenges are also addressed. Smartphones are now the primary device for accessing digital services, and so with more sensitive apps and services ‘going mobile’, the need for mobile device security is greater than ever. Consumers are demanding quick, convenient and, importantly, secure access to all of their digital services, from whichever device they are carrying in their pocket.
Most manufacturers of mobile devices recognise the importance of security and now embed Trusted Execution Environment (TEE) technology at the point of manufacture. The TEE offers hardware protection in the form of a secure operating system that is completely isolated from a device’s main operating system. Recognising the benefits of this technology, the European Union Agency for Network and Information Security (ENISA) have included TEE in their best practice guidelines for smartphone app development.
Today, almost every premium Android smartphone contains TEEs accessible to third party app developers. Applications secured by TEEs can protect their critical operations and data from scalable (think mass takeover) software-based attacks. They can also make use of advanced services such as biometrics (fast, strong authentication) and trusted user interaction (removal of phishing and key logging threats). Beyond this, most TEE-enabled devices are also imprinted with a Root of Trust that ensures a trusted identity is preserved within the device. Giving each device a unique identifier during manufacture enables a host of security applications. It makes it easier to identify counterfeit or compromised devices, prevents remote takeover of accounts and services, and it gives service providers high assurance that the user attempting to log in to a service is doing so from a device they know is trustworthy.
Although much of the global TEE research is currently conducted in the EU, Europe is at risk of being left behind when it comes to scaling the technology. Work by groups such as the European Cyber Security Organisation (ECSO), and a long overdue look into how ENISA can be better resourced, are a step in the right direction. However, Europe must also look to other policy levers to ensure European businesses, and especially SMEs, continue to be at the forefront of bringing greater security to EU citizens. It is not sufficient that only innovation happens in Europe – the infrastructure to support businesses as they scale up is also necessary for Europe to continue to play a leadership role.
This blog, by Trustonic CEO Ben Cade, was first published on the European Union’s Digital Single Market thread.
