Cybercriminals – Karl Mattson, Chief Information Security Officer, Noname Security: The Open Banking initiative is designed to enable the community of developers and fintech companies to innovate and meet new financial services needs. Open Banking APIs handle everything from account status to fund transfers, to password changes and account services. Cyber attackers with access to these services would also gain access to these capabilities and sensitive customer data. Customer, account and payment data requires greater precision to ensure transaction integrity and data security.
As open API development accelerates, so does the security risk. Even well-governed, highly secure businesses are under enormous pressure to keep up with the pace of change and respond to API threats.
Additionally, many enterprises employ third-party API code shared by multiple customers, which may contain vulnerabilities. Research shows that third-party API code presents a significant opportunity for cyberattackers to reuse cyberattacks targeting third-party code across multiple enterprises.
In addition to the open banking that drives API usage, APIs have become the de facto standard for modern application development, with businesses often deploying thousands of APIs for a variety of purposes. Each connection point between these APIs represents a potential attack vector. Faced with such a massively expanded attack surface, many businesses, especially small ones, struggle to protect them due to a lack of resources.
Why are APIs in open banking a common target for cybercriminals?
Mattson: Cybercriminals will target APIs in open banking because they have direct access to funds. Combined with the trend for API attacks to be one of the most common and effective forms of cyberattack today, this means that open banking APIs face particular risks.
While installing API security precautions enables integration between banking apps and fintech companies, these numerous touchpoints are also places for vulnerable code exploited by cybercriminals. So it’s no surprise that cybercriminals are empowered to target open banking APIs, as APIs are often insecure, as has been seen recently, and the reward for successfully cracking them is an immediate gain.
What can financial services institutions do to improve API security?
Mattson: The first step is to get a full inventory of all APIs, including data classification and configuration details, to provide a holistic view of the environment. One of the main challenges associated with securing APIs these days is that most businesses have thousands of APIs they don’t know about – these are called shadow APIs. Existing infrastructure such as API gateways and WAFs cannot address API risk when not in use. For high-risk open banking APIs, the margin of error is zero.
With a view of the state and configuration of all APIs, businesses can prioritize the highest risks. This starts with identifying runtime exceptions, or abuse attempts observed in the process. APIs are well suited for behavioral analysis models to identify anomalies in each API.
Next, configurations and vulnerabilities should be identified upstream for rapid resolution by network and application teams – reducing the risk of API exposure through firewall changes, API policy enforcement, and other applied techniques.
The final step is to actively test the API to verify integrity before and after deployment to production, especially as the environment evolves through regular code shipments or continuous integration/continuous delivery (CI/CD) deployments.
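The inventory step described in this answer (find every API, including the undocumented "shadow" ones, and attach a data classification so the riskiest routes are reviewed first) can be reduced to a reconciliation of documented routes against observed traffic. The following Python script is an added example, not code from the interview or from Noname Security: the `INVENTORY` table of OpenAPI-style path templates with their classification labels, the access-log lines in `ACCESS_LOG`, and the `/static/` ignore prefix are all constructed for illustration, and the classification names (`restricted`, `confidential`, `internal`, `public`) are assumed labels rather than any standard.

```python
"""Shadow-API discovery by reconciling an API inventory against observed traffic.

Added example (not from the interview or Noname Security). INVENTORY is a
constructed OpenAPI-style path list with assumed classification labels, and
ACCESS_LOG holds constructed access-log lines, not real traffic. Routes that
serve requests but are absent from the inventory are reported as shadow APIs;
documented routes are ordered by data sensitivity so review starts at the top.
"""
import re
from collections import Counter

# Constructed inventory: path template -> data classification (assumed labels).
INVENTORY = {
    "/v1/accounts/{id}": "confidential",
    "/v1/accounts/{id}/balance": "confidential",
    "/v1/payments": "restricted",
    "/v1/health": "public",
}

# Constructed access-log lines in combined-log style (hypothetical traffic).
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/accounts/123 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /v1/accounts/123/balance HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /v1/payments HTTP/1.1" 201 64
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /v1/health HTTP/1.1" 200 2
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /internal/export/customers HTTP/1.1" 200 90210
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "POST /v1/accounts/123/password HTTP/1.1" 200 10
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /static/logo.png HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def template_to_regex(template: str) -> re.Pattern:
    """Turn an OpenAPI path template such as /v1/accounts/{id} into an anchored regex."""
    parts = [r"[^/]+" if (p.startswith("{") and p.endswith("}")) else re.escape(p)
             for p in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED = {tmpl: template_to_regex(tmpl) for tmpl in INVENTORY}


def match_inventory(path: str):
    """Return the inventory template the request path belongs to, or None if undocumented."""
    path = path.split("?", 1)[0]  # the query string never decides the route
    for tmpl, rx in COMPILED.items():
        if rx.match(path):
            return tmpl
    return None


def parse_log(text: str):
    """Yield (method, path, status) from access-log lines; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["method"], m["path"], int(m["status"])


def reconcile(log_text: str, ignore_prefixes=("/static/",)):
    """Split observed routes into documented templates and shadow (undocumented) routes.

    Returns {"documented": {template: count}, "shadow": {"METHOD path": count}}.
    """
    documented = Counter()
    shadow = Counter()
    for method, path, _status in parse_log(log_text):
        if path.startswith(ignore_prefixes):
            continue  # static assets are not APIs
        tmpl = match_inventory(path)
        if tmpl:
            documented[tmpl] += 1
        else:
            shadow[f"{method} {path}"] += 1
    return {"documented": dict(documented), "shadow": dict(shadow)}


def prioritize(result: dict):
    """Order findings for review: shadow routes first, then documented routes by sensitivity."""
    rank = {"restricted": 0, "confidential": 1, "internal": 2, "public": 3}
    findings = [("SHADOW", route, "unclassified") for route in result["shadow"]]
    for tmpl in sorted(result["documented"], key=lambda t: rank.get(INVENTORY[t], 9)):
        findings.append(("KNOWN", tmpl, INVENTORY[tmpl]))
    return findings


if __name__ == "__main__":
    for kind, route, cls in prioritize(reconcile(ACCESS_LOG)):
        print(f"{kind:6} {cls:12} {route}")
```

Run against the constructed log, the script reports two shadow routes (an export endpoint and a password-change endpoint that no specification covers) ahead of the documented ones, with the payments route ranked first among the known APIs. In practice the inventory would be loaded from the published OpenAPI documents and the log from the gateway or WAF, and the shadow list is the input to the classification and configuration review the answer goes on to describe.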
Can consumers trust open banking? What should they look out for?
Mattson: Consumers benefit from open banking by opening up new services and benefits to meet their financial needs. However, consumers are at a distinct disadvantage in understanding how to assess the risk of their personal information. For example, bank customers may have little insight or control over how their financial institution provides these services on the back end.
Likewise, there are few data points consumers need to consider when assessing whether a new fintech service offering is truly safe. Consumers still rely heavily on financial industry regulators for quality oversight and as gatekeepers for responsible risk management and data protection.
How to embrace innovation while ensuring safety?
Mattson: Open banking innovation is less secure than traditional models – but it does significantly speed up the pace of change. Even though the API itself can be highly secure, changing environments can be prone to bugs and human or technical errors. Cybercriminals do take notice.
The proliferation of APIs makes it difficult for security teams to effectively observe and adequately address these issues. Rapid innovation forces developers to potentially give up security in their quest to deliver software faster. Keeping up with the need to innovate has become a race between developers and cybercriminals, which in itself creates problems.