The banking industry and online merchants are fighting against fraud by developing fraud detection systems that are increasingly subtle and complex.

Because of our online habits and the number of transactions carried out over the internet, they created the concept of digital identity to reinforce the level of online protection. In other words, fraud detection systems build digital fingerprints of real users in order to better recognize fraudsters. The fingerprint is a combination of various elements which together help to determine your identity. For instance, before validating an online transaction, these systems do not just check the number, the validity date and the cryptogram of the credit card. They also comb through the user’s identity and behavior, using statistical analysis and artificial intelligence. Where does he connect from? What time is the purchase? Which browser does he use? In which shop does he shop? What is his order history? What are the technical specificities of his screen and his computer? And so on. If something does not fit, the transaction is rejected or a manual check is triggered (a call, for example).

Cybercriminals naturally reacted to this manoeuvre. To remain under the radar of detection systems, the fraudster uses a fake digital identity that is as close as possible to that of the credit card's owner: an IP address in the same country or city, the same browser version, the same screen, the same way of navigating, etc. The ideal is obviously to have the identity of a real person. These identities can be purchased on the Darknet. According to Kaspersky’s security researchers, the largest marketplace of its kind is called Genesis, an invitation-only site with more than 60,000 fingerprints for sale.

Using a Genesis digital identity is not complicated. Just buy it and load a browser extension provided for this purpose, available for Chromium-based browsers. From that moment on, it’s as if the criminal had put on a mask. His online behaviour now impersonates the stolen identity. If the mask is of good quality, he can make a fraudulent purchase without raising an alarm.

It is in this context, faced with these impersonations, that the notion of strong authentication becomes relevant. Indeed, it would be sufficient for all transactions to be systematically validated by a second authentication factor to make digital identity fraud, in the form described here, ineffective. The strong authentication required by the Payment Services Directive 2 therefore obliges banks to set up a procedure that seems to be the only way to really fight digital identity fraud.
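The argument above can be made concrete with a small decision model, added here as an illustration and not taken from the article or from any bank's system: a fingerprint-only control approves a transaction whose attributes were cloned from the cardholder, while the same transaction fails once a second authentication factor is mandatory. Attribute names, factor names, thresholds and sample transactions are all constructed; the three factor categories (knowledge, possession, inherence) are the ones PSD 2 uses for SCA elements.

```python
# Added example, not code from the article. Attribute names, factor names,
# thresholds and sample data are constructed for illustration.
PROFILE = {  # stored fingerprint of the legitimate cardholder (constructed)
    "country": "FR", "browser": "Chrome 74", "screen": "1920x1080",
    "active_hours": range(8, 23), "shops": {"shop-a.example", "shop-b.example"},
}
# SCA element categories; the factor names are hypothetical.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "otp_app": "possession", "face_scan": "inherence"}

def mismatches(profile, tx):
    """Names of the fingerprint attributes of tx that do not fit the profile."""
    checks = {
        "country": tx["country"] == profile["country"],
        "browser": tx["browser"] == profile["browser"],
        "screen": tx["screen"] == profile["screen"],
        "hour": tx["hour"] in profile["active_hours"],
        "shop": tx["shop"] in profile["shops"],
    }
    return sorted(name for name, ok in checks.items() if not ok)

def fingerprint_decision(profile, tx):
    """Fingerprint-only control: approve a full match, else escalate."""
    n = len(mismatches(profile, tx))
    if n == 0:
        return "approve"
    return "manual_check" if n <= 2 else "reject"

def sca_satisfied(verified_factors):
    """True when verified factors cover at least two distinct categories."""
    cats = {FACTOR_CATEGORY[f] for f in verified_factors if f in FACTOR_CATEGORY}
    return len(cats) >= 2

def decide(profile, tx, verified_factors):
    """Fingerprint check followed by a mandatory SCA gate."""
    result = fingerprint_decision(profile, tx)
    if result != "approve":
        return result
    return "approve" if sca_satisfied(verified_factors) else "reject_sca"

OWNER_TX = {"country": "FR", "browser": "Chrome 74", "screen": "1920x1080",
            "hour": 20, "shop": "shop-a.example"}
CLONED_TX = dict(OWNER_TX)  # a stolen fingerprint reproduces every attribute
ODD_TX = dict(OWNER_TX, hour=3, shop="shop-z.example")  # unusual hour and shop

if __name__ == "__main__":
    print(fingerprint_decision(PROFILE, CLONED_TX))      # fingerprint only
    print(decide(PROFILE, CLONED_TX, ["password"]))      # single factor
    print(decide(PROFILE, OWNER_TX, ["password", "otp_app"]))
    print(decide(PROFILE, ODD_TX, ["password", "otp_app"]))
```

Two factors from the same category (for example a password and a PIN) do not pass the gate, which is why the check counts categories rather than factors.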


The world of banks is changing and the European institutions are leading this revolution, but we decided to ask ourselves a simple question: are banks following this movement? We will first take a look at the French banking system.

It all started when the European Union adopted two directives on payment services: the PSD 1, adopted on November 13, 2007, and the PSD 2, adopted on November 25, 2015. The main objectives of the PSD 1 were to harmonize the legal framework for payments and to create the SEPA space. The PSD 2, for its part, was introduced as part of the implementation of the connected digital single market (one of the top ten priorities of the EC’s working program for the period 2014-2019). The objective is to foster the opening of the payments market, mainly occupied by banks, to new payment service providers (PSPs) while strengthening the security of users. With the PSD 2, the security of payments must be reinforced with strong authentication (SCA – Strong Customer Authentication), which requires the use of at least two authentication factors.

Before the full implementation of the Directive (in September 2019), the PSD 2 timetable includes a number of intermediate steps. The last deadlines are those already passed on March 14, 2019 and April 14, 2019. On March 14, the banks had to have made available a test API portal dedicated to developers.

But finding these API portals is not easy. Thanks to the investigative work of the JDN, which contacted the big French banks to ask whether they had deployed their portal, what its address is and how many APIs have been put online, we have a global overview of where the French banking landscape stands on the PSD 2 opening requirements.

The fact that French banks have respected the calendar must not, however, hide the fact that quantity does not guarantee quality. The JDN points out that the three main French aggregators are not fully satisfied with the proposed APIs, often because they are incomplete. From a technical point of view, it seems that the APIs fall short as well. TPPs have more demanding criteria than banks when it comes to APIs.

This test period was to last one month. Since April 14, 2019, the Prudential Supervisory Authority points out, the banks have had to provide an “API meeting the conditions of extended use as defined by the security standards and guidelines of the EBA (the French banking authority, editor’s note)”. It would therefore seem that French banks are following the PSD 2’s demanding API schedule but are not yet at the level of market expectations in terms of quality.