API Security Best Practices to Protect Open Banking

API Security Best Practices to Protect Open Banking

API Security Best Practices to Protect Open Banking

Open banking usage has skyrocketed since its inception in 2018. Now, with more than five million active users, its rapid adoption speaks to consumer desire for better control over their financial preferences and an improved digital customer experience.

Open banking allows customers to easily evaluate competing banking services. Consumers can quickly compare credit cards based on interest rates or see what type of savings account offers the most interest. Conversely, financial service providers also have access to consumer financial data, so they can serve up the most appropriate solutions for an individual’s particular circumstances. Open banking facilitates new use cases for personal finance management, credit risk assessments, and customer onboarding, among others.

Open banking requires APIs to function

Application programming interfaces (APIs) enable the needed connectivity for the transfer of financial data inherent to open banking. Banks provide access to their proprietary APIs in open banking systems, so that third-party developers and fintech providers have access to financial data. This data can then be used to build additional applications and services, effectively creating partnerships rather than competition between stakeholders. 

To standardize these initiatives, all open banking APIs are designed and documented to support open banking regulations, including authentication and authorization protocols like OpenID Connect (OIDC) and OAuth 2.0. The result is a more collaborative and connected approach to the exchange of data between financial providers.

However, while these standards define how APIs should be structured to enable predictable integrations, they fall short in addressing key API security challenges. Because of their unique logic, APIs make it difficult to create regulations for how to secure them, which has been a driving factor in the lack of standardized security practices for open banking APIs. 

Increasing API attacks put open banking APIs at risk

Open banking’s reliance on APIs has made them prime targets for cyber attacks. API security threats have increased in frequency and complexity. The Salt Labs  State of API Security Report Q1 2022 found that API attack traffic has increased 681% in the past 12 month – more than double the amount of overall API traffic.. The potential value of banking, financial services, and fintech data makes these institutions particularly desirable prey for attackers.

With the safety of critical financial information at stake, these organizations need to be increasingly conscientious of API security best practices to directly address security needs until requirements can be standardized.

Legacy security tooling presents low barrier for open banking attacks

Most organizations within the global open banking ecosystem rely on basic security processes – authentication, authorization, and encryption – to keep sensitive and personally identifiable information (PII) safe. However, access control is only one facet of protecting APIs, which presents a low barrier for access by hackers that use brute force attacks and phishing to break authentication protocols. Once a hacker has access to an authenticated account, encryption does little to protect data since its primary function is to protect data from unauthenticated access. 

In this scenario, with authorization (or even multi-factor authentication) as the last line of defense, hackers can launch man-in-the-middle or Broken Object Level Authorization (BOLA) attacks to breach a system and obtain the valuable information they seek. Vulnerabilities found at this stage are often the result of the unique and complex logic of APIs, along with their frequent and shifting updates and functionalities, making API security challenging. 

Systems that rely on legacy security tooling, such as web application firewalls (WAFs) and API gateways, have also proven ineffective at protecting open banking APIs. These solutions use a proxy architecture that looks for known attacks and can only validate API transactions one at a time, limiting their ability to correlate reconnaissance activities over time. Bad actors tend to launch a number of subtle probing attacks in reconnaissance to learn the unique business logic of an API and propagate a successful API attack – making legacy tools incapable of providing comprehensive API security.

Open banking APIs need intelligent and automated security

Adopters of open banking can more effectively harden their security posture against future attacks with a holistic approach to API security that is better suited to protect modern architectures. By utilizing intelligent technologies, like artificial intelligence (AI) and machine learning (ML), APIs can be secured across their entire lifecycle. 

Intelligent capabilities for discovery can enable security teams to uncover and have visibility into all APIs, including shadow and zombie APIs that run without their knowledge and can be prone to overlooked vulnerabilities. For robust discovery of APIs, the incorporation of automation is key, as organizations (especially in the realm of SaaS) often create more APIs than they can manage and update manually. Once APIs are discovered, they can be understood, which can in turn support systems in defining each API’s intended functionality. This act brings everything full circle and alerts security teams to what is “normal” for their system. 

With AI and ML, this baseline can also be monitored automatically, with insights provided for activity that is outside of it (a potential attacker), even at the most granular level. When organizations can correctly identify attacks, they are also able to keep documentation up-to-date for reference with key stakeholders at any point in time – a critical component for open banking, which typically sees a decline of accurate documentation in this area. 

As a last piece of advice, there is no replacement for system testing. While developers do their best to code applications correctly and securely, they are human, and vulnerabilities can present themselves. This is why runtime protection is so vital, and coupled with real-world insights from AI and ML, a deep analysis and testing of system health should be conducted on an ongoing basis to eliminate found security gaps.

Defining a Secure Future for open banking

Targeting APIs now dominates today’s modern threat landscape, with bad actors propagating the attacks outlined in the OWASP API Security Top 10 list and other abuses. With the connective and personal nature that is tied to financial data usage in open banking, the hardening of APIs is essential for businesses and consumers alike. Utilizing best practices along with intelligent technologies can help prepare an organization to confidently meet security demands for API-based attacks, limit the vulnerabilities that attackers seek to find, and remediate security gaps with proactive API discovery and testing for a more protected approach to open banking.

Exit mobile version