In this interview with Help Net Security, Karl Mattson, CISO at Noname Security, explains the wide usage of open banking and how it can easily be exploited if adequate security measures are not implemented.
As open banking becomes widely used, it opens new possibilities for cybercriminals to plan their attacks. What is it that makes open banking so vulnerable?
Open banking initiatives, by design, empower communities of developers and FinTech companies to innovate and to satisfy new financial services’ needs. Open banking APIs handle everything from account status to fund transfers to pin changes and account services. Attackers able to gain access to these services will also gain access to these functionalities and sensitive customer data. Exposing sensitive customer, account and payment data requires a new level of precision to ensure the integrity of transactions and the safeguarding of data.
As the pace of open API development picks up, the security stakes are high. Even well-governed, highly secure companies face tremendous pressure to keep up with the pace of change and to match the API threats.
In addition, many companies adopt third-party API code shared by multiple customers and which may include vulnerabilities. Research indicates that third-party API code presents significant opportunities for attackers to reuse attacks targeting third-party code at multiple organizations.
On top of open banking driving API utilization, APIs have become a de facto standard in modern application development, with organizations often deploying thousands of APIs for a wide variety of purposes. Each connection point between these APIs represents a potential attack vector. Facing such a massively expanded attack surface, many organizations, and especially smaller ones, can struggle to secure them due to a lack of resources.
Why are APIs in open banking a common target for cybercriminals?
Cybercriminals will target APIs in open banking because of their ability to provide direct access to capital. Combined with the fact that API attacks are now one of the most common and effective forms of cyberattack, this means open banking APIs are at particular risk.
While the installation of API security precautions allows for the integration between banking apps and FinTech companies, these numerous touchpoints are also where cybercriminals look to exploit vulnerable code. Therefore, it should not come as a surprise that cybercriminals are empowered to target open banking APIs, because as we have recently seen, APIs are often left unsecured while the payoff for successfully hacking them is direct monetary gain.
What can financial services organizations do to make APIs more secure?
The first step is to gain a complete inventory of all the APIs, with data classification and configuration details to provide a holistic view of the environment. Today, one of the main challenges associated with securing APIs is that most organizations have thousands of APIs that they don't know about – these are referred to as shadow or rogue APIs. Existing infrastructure, like API gateways and WAFs, doesn't address API risks when it is not used. For high-risk open banking APIs, the margin of error is zero.
With a complete viewpoint on the posture and configuration of all APIs, organizations can prioritize their focus on the highest-risk exposures. This starts with identifying runtime anomalies, or attempted misuse observed in progress. APIs are well-suited for behavior analysis models to identify unique anomalies in each and every API.
Next, configuration and vulnerabilities should be identified upstream for quick resolution by network and application teams – firewall changes, API policy enforcement and other applied techniques to de-risk API exposure.
The final step is actively testing APIs to validate integrity before and after they are deployed to production, especially as the environment evolves through regular shipments of code or continuous integration/continuous delivery (CI/CD) deployments.
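The inventory and runtime-anomaly steps above can be illustrated with a small script. This is an added example for this page, not code from the interviewee, Noname Security, or any bank; it assumes a constructed OpenAPI-derived route list (the "classification" tag is an assumed field, not an OpenAPI standard one) and a constructed gateway access log in an assumed "timestamp client= METHOD path status" layout. It reconciles observed traffic against the documented inventory to surface shadow routes, then flags clients that walk through many distinct account objects on one route (an enumeration pattern) together with how often the backend denied them.

```python
import re
from collections import Counter, defaultdict

# Constructed for this example: routes a security team would export from the
# bank's OpenAPI specs, keyed by (method, path template) with an assumed
# data-classification tag used for prioritisation.
DOCUMENTED_ROUTES = {
    ("GET", "/v1/accounts/{id}"): "pii",
    ("GET", "/v1/accounts/{id}/balance"): "financial",
    ("POST", "/v1/payments"): "financial",
    ("POST", "/v1/auth/token"): "credential",
}

# Constructed gateway access log (assumed layout, not a real product's format).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=app-7f3 GET /v1/accounts/1001 200
2024-05-01T10:00:01Z client=app-7f3 GET /v1/accounts/1001/balance 200
2024-05-01T10:00:02Z client=app-7f3 POST /v1/payments 201
2024-05-01T10:00:03Z client=app-9a1 GET /v1/accounts/2001 200
2024-05-01T10:00:03Z client=app-9a1 GET /v1/accounts/2002 200
2024-05-01T10:00:04Z client=app-9a1 GET /v1/accounts/2003 403
2024-05-01T10:00:04Z client=app-9a1 GET /v1/accounts/2004 403
2024-05-01T10:00:05Z client=app-9a1 GET /v1/accounts/2005 403
2024-05-01T10:00:05Z client=app-9a1 GET /v1/accounts/2006 200
2024-05-01T10:00:06Z client=app-9a1 GET /v1/internal/export?all=1 200
2024-05-01T10:00:07Z client=app-7f3 PUT /v1/accounts/1001/pin 200
"""

LOG_RE = re.compile(
    r"^\S+ client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def match_template(method, path):
    """Map a concrete request onto a documented (method, template), or None.

    A template segment in braces ({id}) matches any single path segment; the
    query string is ignored because it is not part of the route identity.
    """
    parts = path.split("?", 1)[0].split("/")
    for m, tmpl in DOCUMENTED_ROUTES:
        tparts = tmpl.split("/")
        if m == method and len(tparts) == len(parts) and all(
            t.startswith("{") or t == p for t, p in zip(tparts, parts)
        ):
            return (m, tmpl)
    return None


def analyze(log_text, enum_threshold=5):
    """Build the observed inventory from traffic and flag two findings.

    shadow      : (method, path) pairs seen in traffic but absent from the
                  documented inventory, i.e. candidate shadow/rogue APIs.
    enumeration : clients that touched >= enum_threshold distinct objects on
                  one documented route, with the classification of that route
                  and the number of 403s the backend returned to them.
    """
    shadow = set()
    objects_seen = defaultdict(set)  # (client, route) -> distinct concrete paths
    denied = Counter()               # (client, route) -> 403 responses
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        route = match_template(m["method"], m["path"])
        if route is None:
            shadow.add((m["method"], m["path"].split("?", 1)[0]))
            continue
        key = (m["client"], route)
        objects_seen[key].add(m["path"])
        if m["status"] == "403":
            denied[key] += 1
    enumeration = [
        {
            "client": client,
            "route": route[1],
            "classification": DOCUMENTED_ROUTES[route],
            "objects": len(paths),
            "denied": denied[(client, route)],
        }
        for (client, route), paths in objects_seen.items()
        if len(paths) >= enum_threshold
    ]
    return {"shadow": sorted(shadow), "enumeration": enumeration}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for method, path in result["shadow"]:
        print(f"SHADOW ROUTE   {method} {path}")
    for f in result["enumeration"]:
        print(f"ENUMERATION    client={f['client']} route={f['route']} "
              f"class={f['classification']} objects={f['objects']} denied={f['denied']}")
```

On the constructed log this reports two undocumented routes (the internal export endpoint and a PIN change via PUT that no spec covers) and one client that walked six distinct account IDs on a PII-classified route with three denials along the way. The threshold and the classification tag are what let a team rank findings: a handful of denials on a credential or financial route deserves attention before the same count on a low-sensitivity one.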
Can consumers trust open banking? What should they look out for?
Consumers benefit from open banking by opening a new universe of services and benefits for their financial needs. However, the consumer is at a distinct disadvantage with respect to knowing how to evaluate risks to their personal information. For example, a banking customer may have little insight or control over how these services are delivered on the backend by their financial institution.
As well, there are few data points for consumers to consider when evaluating whether a new FinTech service offering is truly secure. The average consumer is still largely dependent on quality oversight by financial industry regulators to be the gatekeepers of responsible risk management and data protections.
Can innovation actually set back the financial services industry security wise? How can it embrace innovation while ensuring security?
Open banking innovation is neither more nor less secure than traditional models – but it does accelerate the pace of change considerably. Any changing environment may be prone to mistakes and human or technical error, even when the APIs themselves can be highly secured. Cybercriminals do take notice.
The surge in API growth has left security teams struggling to efficiently observe and adequately address the gaps. Rapid innovation is forcing developers to leave security by the wayside as they seek to deliver software at a faster pace. The need to keep up with innovation has become a race between developers and cybercriminals and is creating issues in itself.