Rapid API-based digital innovation in financial services requires urgent focus on API security to maintain customer trust


By Philippe Verloy, EMEA Technical Evangelist, Noname Security

Open banking is the perfect example of API-driven digital transformation. APIs are the plumbing fixtures of today’s financial infrastructure that allow fintechs to integrate banking services into their applications, and banks to deliver a more unified experience to their customers as they demand more from their existing financial service provider.

This cycle of continuous innovation propels the use of APIs across the industry, allowing third-party developers to build applications around a particular financial institution. However, the speed at which fintechs and traditional banks are bringing these services to market means that their security is inevitably put under strain.

Innovate to be competitive

Traditional banks today must compete with digital neobanks and respond to new consumer demands. They are rushing to deploy new technologies that enable frictionless digital experiences. Globally, open banking programs have spawned API-centric services that open up payments, account services, and other customer data to third-party vendors. The effort to attract new customers and retain existing ones by providing additional value has resulted in more application services and supporting APIs. This increased adoption of APIs has dramatically enlarged the attack surface presented to malicious actors.

Security should not be an afterthought. Whether it’s a compliance requirement or a business strategy, ensuring the organization doesn’t become synonymous with a data breach should always be a priority. Therefore, API security should be a priority when it comes to the application development process. However, many financial services and fintech companies have chosen not to develop their apps in-house and have instead outsourced their API and mobile app development to third parties.

Noname Security recently published research findings based on ex-hacker Alissa Knight’s analysis of the security of 55 mobile banking apps in the United States. The takeaways are as relevant to the UK market as they are to the US. Her report, Scorched Earth: Hacking Bank APIs, highlighted several vulnerabilities:

  • 54 of the 55 mobile apps that were reverse engineered contained hard-coded API keys and tokens, including usernames and passwords for third-party services.
  • All 55 apps tested were vulnerable to woman-in-the-middle (WITM) attacks, allowing Knight to intercept and decrypt encrypted traffic between the mobile apps and the core APIs.
  • One of the banks had outsourced the development of its mobile app and APIs. That developer reused the same vulnerable code across 300 of its other banking customers.
  • 100% of the APIs tested were vulnerable to OWASP API1:2019 Broken Object Level Authorization (BOLA), allowing Knight to change the PIN of any bank customer’s Visa ATM debit card and to transfer money to and from accounts.
  • Because of an API request authentication failure, the tested APIs were also vulnerable to OWASP API2:2019 Broken Authentication, which allowed Knight to transfer money to and from different bank accounts and to modify customers’ debit card PINs without authenticating, as long as she knew the account numbers.
  • The APIs were deployed behind Web Application Firewalls (WAFs), which are a weak control for this class of flaw: a WAF cannot detect logic-based attacks such as authentication and authorization vulnerabilities, because the malicious request is syntactically indistinguishable from a legitimate one.
  • During multiple engagements, some banks were unable to locate the specific API endpoints affected by the vulnerabilities, indicating a clear visibility gap in their API attack surface.
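The two findings that drove the most serious outcomes above, BOLA (API1:2019) and Broken Authentication (API2:2019), come down to a handler that never ties the object it modifies to an authenticated caller. The following is an added illustration, not code from the report or from Noname Security: a card-PIN endpoint written the broken way next to a hardened version, plus a signature-style filter standing in for a WAF to show why such a filter passes the request. Account numbers, tokens and PINs are constructed sample data; `Request`, `SESSIONS` and `ACCOUNT_OWNER` are assumptions made for the example.

```python
"""Object-level authorization on a card-PIN endpoint: the broken pattern
(OWASP API1:2019 BOLA / API2:2019 Broken Authentication) next to a hardened one.
Constructed, dependency-free example; account data, tokens and PINs are made up."""
from dataclasses import dataclass, field
import hmac
import re

# Constructed sample data: which customer owns which account, and which bearer
# token maps to which customer (a real service would use a session store or JWT).
ACCOUNT_OWNER = {"ACC-1001": "alice", "ACC-2002": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
CARD_PIN = {"ACC-1001": "1234", "ACC-2002": "5678"}


@dataclass
class Request:
    path: str
    body: dict
    headers: dict = field(default_factory=dict)


def waf_check(req: Request) -> bool:
    """A signature-style filter of the kind a WAF applies: it looks for injection
    payloads in the body. A BOLA request carries only a well-formed account number,
    so it passes unchanged. That is the gap the article describes."""
    blob = " ".join(str(v) for v in req.body.values())
    return not re.search(r"('|--|<script|\.\./)", blob, re.IGNORECASE)


def change_pin_vulnerable(req: Request) -> dict:
    """Broken: trusts the account number in the body and never ties the request
    to an authenticated principal (no authentication, no ownership check)."""
    account = req.body["account"]
    if account not in CARD_PIN:
        return {"status": 404}
    CARD_PIN[account] = req.body["new_pin"]
    return {"status": 200}


def change_pin_hardened(req: Request) -> dict:
    """Hardened: authenticate the caller, then authorize at the object level by
    checking that the authenticated customer owns the account being modified."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    # constant-time comparison so the lookup does not leak how much of a token matched
    principal = next((u for t, u in SESSIONS.items() if hmac.compare_digest(t, token)), None)
    if principal is None:
        return {"status": 401}  # API2: no valid credential presented
    account = req.body["account"]
    if ACCOUNT_OWNER.get(account) != principal:
        return {"status": 403}  # API1: caller does not own this object
    if not re.fullmatch(r"\d{4}", str(req.body.get("new_pin", ""))):
        return {"status": 400}
    CARD_PIN[account] = req.body["new_pin"]
    return {"status": 200}


def demo() -> dict:
    """Replays one request against both handlers: bob's session asks to set
    alice's PIN. Returns the status codes and whether the WAF would have blocked it."""
    req = Request(path="/card/pin", body={"account": "ACC-1001", "new_pin": "0000"},
                  headers={"Authorization": "Bearer tok-bob"})
    CARD_PIN["ACC-1001"] = "1234"  # reset state so the demo is repeatable
    waf_blocked = not waf_check(req)
    vulnerable = change_pin_vulnerable(req)["status"]
    CARD_PIN["ACC-1001"] = "1234"
    hardened = change_pin_hardened(req)["status"]
    return {"waf_blocked": waf_blocked, "vulnerable": vulnerable,
            "hardened": hardened, "pin_after_hardened": CARD_PIN["ACC-1001"]}


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is that the same request returns 200 from the broken handler and 403 from the hardened one while the filter reports nothing, which is exactly why a WAF in front of a BOLA-prone API gives false comfort. The ownership check belongs in the handler (or a shared authorization layer the handler cannot bypass), not at the network edge.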

These findings make it clear that authentication and authorization are seriously flawed, and that there is still some way to go towards a “zero trust” model for building API-driven services. Pre-production API security validation is paramount.

Fixing API security issues

API security vulnerabilities affect all businesses, but the financial services industry is perhaps the most sensitive. After all, security goes to the heart of people’s trust in banking, so it’s critical to its success and adoption.

In her research, Alissa Knight found the same API security vulnerabilities in banks with 25,000 customers and a few million dollars in assets under management as she did in banks with 68 million customers and $7.7 trillion in assets under management. Even large, mature, and well-funded security teams are unable to keep pace with API security challenges using traditional tools and processes.

API security must be operationalized in all financial services

Many teams play a critical role in securing APIs. Developers should write code with security in mind; cloud and platform teams should deploy properly configured APIs; and security teams need to quickly detect, investigate and respond to incidents. Often, especially in large organizations, APIs are deployed to production faster than they can be secured, and there is frequently no clear line of communication between the teams involved.

In Knight’s research specifically, the APIs she exploited had been developed by a third party, introducing yet another variable. Moreover, none of the banks detected her activity. This highlights the fact that API security needs to be operationalized across more enterprises to ensure vulnerabilities are detected and remediated before an attack occurs. And it’s not the responsibility of one team alone. Developers, DevOps, DevSecOps, and security teams need to standardize, collaborate, and communicate how they build, deploy, and secure APIs.

It’s easy to jump to conclusions when exploits or attacks make headlines, but detecting and blocking behavior like Alissa Knight’s is only one piece of the API security puzzle. Businesses need to think about API security in three main areas:

  1. API security posture — organizations need a complete inventory of their APIs (including associated data and metadata) in order to understand their security posture. It is imperative to identify and correct misconfigurations and vulnerabilities before an incident occurs. As Knight’s research shows, many organizations are exposed and will only become aware of it after an attack.
  2. API runtime security — organizations need better visibility into their API traffic and behavior. This allows for better detection of, and response to, abnormal and suspicious behavior, so attacks can be averted in real time when something unusual happens.
  3. API security testing — organizations need to identify security vulnerabilities as part of the software development lifecycle. For example, business-critical APIs should never be deployed to production if they fail basic security checks (e.g. lack of authentication). Active testing maintains trust in your APIs throughout their lifecycle.
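Two of those three areas can be reduced to concrete, automatable checks. The following is an added example, not code from the article or from Noname Security: first, a posture/testing gate that walks an API inventory (a constructed OpenAPI-style spec) and reports every operation that exposes customer data without a security requirement, the kind of check that should fail a deployment; second, a runtime detector that scans constructed access-log lines for a credential reading many different customers’ objects, which is the traffic shape a BOLA exploit produces. The spec, the `x-data` extension, the paths and the log format are all assumptions made for the example.

```python
"""Posture gate over an API inventory, and runtime detection over API access logs.
Constructed example: the spec, the `x-data` extension, paths and log lines are made up."""
from collections import defaultdict
import re

# (1) Constructed inventory in OpenAPI 3 shape. `security: []` means the operation
# is explicitly anonymous; a missing key inherits the top-level requirement.
INVENTORY = {
    "security": [{"bearerAuth": []}],
    "paths": {
        "/public/rates": {"get": {"security": [], "x-data": "public"}},
        "/accounts/{id}/balance": {"get": {"x-data": "customer"}},
        "/cards/{id}/pin": {"put": {"security": [], "x-data": "customer"}},
        "/transfers": {"post": {"security": [], "x-data": "customer"}},
    },
}


def posture_findings(spec: dict) -> list:
    """Return (METHOD, path) pairs that expose customer data without authentication.
    Intended as a CI gate: a non-empty list should block the deployment."""
    default = spec.get("security", [])
    findings = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            effective = op.get("security", default)
            if op.get("x-data") == "customer" and not effective:
                findings.append((method.upper(), path))
    return findings


# (2) Constructed access-log lines: timestamp token method path status
LOG = """\
2021-08-02T10:00:01Z tok-a1 GET /accounts/ACC-1001/balance 200
2021-08-02T10:00:02Z tok-a1 GET /accounts/ACC-1002/balance 200
2021-08-02T10:00:02Z tok-a1 GET /accounts/ACC-1003/balance 200
2021-08-02T10:00:03Z tok-a1 GET /accounts/ACC-1004/balance 200
2021-08-02T10:00:03Z tok-a1 GET /accounts/ACC-1005/balance 200
2021-08-02T10:00:04Z tok-a1 GET /accounts/ACC-1006/balance 200
2021-08-02T10:00:05Z tok-b7 GET /accounts/ACC-2002/balance 200
2021-08-02T10:00:06Z tok-b7 PUT /cards/ACC-2002/pin 200
2021-08-02T10:00:07Z - PUT /cards/ACC-3003/pin 200
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_ID = re.compile(r"/(?:accounts|cards)/([A-Z]+-\d+)/")


def runtime_alerts(log_text: str, max_objects: int = 3) -> list:
    """Flag (a) successful access to a customer object with no credential and
    (b) any single credential that touched more than `max_objects` distinct objects:
    a real customer reads their own accounts, not a run of other people's."""
    objects_by_token = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, token, method, path, status = m.groups()
        obj = OBJECT_ID.search(path)
        if not obj or status != "200":
            continue
        if token == "-":
            alerts.append(("unauthenticated_access", method, path))
        objects_by_token[token].add(obj.group(1))
    for token, objs in objects_by_token.items():
        if len(objs) > max_objects:
            alerts.append(("object_enumeration", token, len(objs)))
    return alerts


if __name__ == "__main__":
    print("posture:", posture_findings(INVENTORY))
    print("runtime:", runtime_alerts(LOG))
```

The posture check only works if the inventory is complete, which is why the article puts inventory first: an endpoint nobody recorded in the spec is never gated. The runtime rule is deliberately simple (distinct object IDs per credential within the sample), and in production the threshold would be set from baseline traffic and scoped to a time window, but even this form would have surfaced the enumeration pattern the report describes.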

Reconciling innovation and security

As the banking industry continues to adapt to the new market environment, institutions that embrace new technologies will have a better chance of long-term success. Open banking is a foregone conclusion, and the current ecosystem will be replaced by new frameworks of digital tools. Banks need to develop not only a new vision of where they fit into the new financial services infrastructure, but also a new perspective on how they can ensure these digital tools are secure and resilient against a range of attack vectors, to protect both themselves and their customers.

