Noname Security and Alissa Knight, Partner at Knight Ink and recovering hacker, announced a research which unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries.
Open banking has propelled the ubiquitous use of APIs across banking, enabling third-party developers to develop apps around the financial institution. Whether pursued as a compliance requirement or a business strategy, open banking has ignited financial services firms to focus on APIs and API security.
Given this growing trend, Knight focused her vulnerability research on financial services and FinTech companies and was able to access 55 banks through their APIs, giving her the ability to change customers’ PIN codes and move money in and out of customer accounts. Vulnerable targets ranged from companies with 25,000 to 68 million customers and $2.3 million to $7.7 trillion in assets under management.
Financial services API security issues
- 54 of the 55 mobile apps that were reverse engineered contained hardcoded API keys and tokens including usernames and passwords to third-party services.
- All 55 apps tested were vulnerable to woman-in-the-middle (WITM) attacks, allowing Knight to intercept and decrypt the encrypted traffic between the mobile apps and backend APIs.
- 100% of the APIs tested were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities allowing Knight to change the PIN code of any bank customer’s Visa ATM debit card number or transfer money in/out of accounts.
- 100% of the APIs tested were vulnerable to Broken Authentication vulnerabilities allowing Knight to perform API requests on other bank customer accounts without authenticating.
- One of the banks tested outsourced the development of their code; the developer reused that same vulnerable code across hundreds of other banks allowing the same attacks to be employed against those other bank targets.
Knight said, “For the last decade, I’ve been focusing my vulnerability research into evaluating the security of the APIs that are now the bedrock of much of our nation’s critical infrastructure. My exploits have transcended APIs in emergency services, transportation, healthcare, financial services to FinTech. APIs have become the plumbing for our entire connected world today.”
Knight went on to say, “Unfortunately though, this is not without consequence as my research has proven. Many financial services and FinTech companies have opted to not develop their apps internally – instead they’ve outsourced their API and mobile app development to third-parties. It’s clear based on my findings where authentication and authorization are very much broken, that there is no ‘trust but verify’ happening with these third-party developers.”
“Exacerbating the issue is the fact that these third-parties are reusing the same vulnerable code with their other bank customers. In my research, I was able to exploit broken authentication and broken object level authorization issues that allowed me to perform unauthorized money transfers and PIN code changes for any customer account, indicating a clear and present danger in our financial system caused by these insecure APIs,” continued Knight.
Increased adoption of APIs has expanded the attack surface
With traditional banks having to compete against the neobanks and fintechs to keep up with the new demands for how consumers want to bank today, traditional Main Street banks are rushing to deploy new technologies to enable frictionless digital experience to try and erase the lines between neobanks and traditional.
Globally, open banking programs have driven API-centric services offerings, opening payments, account services, and other data to third party providers. In addition, digital transformation initiatives are top priorities as financial services organizations look to improve the customer digital experience.
The effort to attract new and keep existing customers by delivering additional value has resulted in more application services and the supporting APIs. This increased adoption of API use has resulted in a dramatic increase in the attack surface they represent.
“As Knight’s research has shown over the last couple of years, no industry is immune to an API attack; however, more and more are occurring especially within the Fintech space due to the sensitive nature of the data the APIs can provide and hackers have realized just how easy they are to exploit as Knight’s latest research reflects,” said Mark Campbell, Sr. Director at Noname Security.