Open banking should not be open on your APIs

Open banking has become the latest technological advancement for financial services applications that is modernizing the industry. For instance, MasterCard recently launched its Start Path Open Banking program, which offers select startups the opportunity to utilize Mastercard’s expertise while learning how to apply open banking to their own business. Open banking creates new opportunities for revenue sharing and reduces data licensing and transaction fees between financial institutions and their partners.

Customers who take advantage of open banking also get a more complete and holistic view of their finances, putting them in a better position to manage their wealth. Equally important, open banking gives organizations more opportunities to use data for products and loyalty programs across their offerings. Financial services companies like Mastercard also believe that open banking programs improve inclusivity and financial literacy. With improved financial literacy, clients can work to reduce the risk of fraud in their accounts.

This follows a general trend of breaking down barriers when it comes to connecting financial organizations to consumers through innovative new financial technologies. In fact, 96% of consumers globally are aware of fintech services, including at least one money transfer and payment service. Additionally, US consumers are regularly embracing new financial technologies, including peer-to-peer payments.

While open banking has the potential to shake up the foundations of the banking industry, it is also likely to become a target for threat actors and cybercriminals. The reason: the application programming interfaces (APIs) that power open banking are themselves a target.

Dangers associated with open banking

Open banking uses APIs to connect financial institutions to third-party applications. The Open Banking Project is a leading provider of open source APIs for the banking industry and is built on an open source system that lets financial service providers access consumer banking and financial data.

Yet the more financial services organizations rely on APIs, the more their attack surface grows. APIs, the building blocks of today's modern web applications, are already a major target for threat actors and a primary attack vector. Banks and the financial services industry as a whole are also targets for cybercriminals.

The IBM X-Force Threat Intelligence Index 2022 noted that finance and insurance organizations were the second most targeted industry. In addition, IBM also found that of these attacks, 70% were against banks and 14% against other financial organizations. This tells us that while other organizations may make headlines when it comes to data breaches, banks and financial institutions are most often attacked by threat actors and cybercriminals. While a major driver of this is financial gain, there is also a wealth of data in the banking industry, including Personally Identifiable Information (PII), Payment Card Industry (PCI) data, and account and payment information. Much of this can be sold on the dark web for financial gain.

Unfortunately, the attacks on financial institutions and on the APIs that drive much of our engagement with them aren't going to stop anytime soon. The problem with APIs is that, if they are not secured, they can give threat actors access to sensitive data that may be exploited. Additionally, many organizations don't have a true understanding of how many APIs they have (many are interconnected) or how these vulnerable endpoints are protected. It's incredibly hard to protect something you don't even know exists! Adding an extra layer of complexity to the API conundrum is how often third-party APIs are used. Relying on these sources, while potentially a time-saving strategy, can expose your networks to attacks.

Secure Open Banking Means Protected APIs

If you're a business considering taking advantage of open banking, it's important to mitigate these threats by establishing strong API protection strategies. First, gain visibility across your entire attack surface. After all, knowing yourself, including your APIs and web applications, as well as knowing your enemy, will lead to success on the battlefield (to paraphrase Sun Tzu). Once you have a complete view of your endpoints, including older and deprovisioned APIs, you are in a better position to protect them against the multitude of threats they face. Ideally, you'll also get real-time analysis of the traffic reaching your endpoints, giving a more holistic view of an ever-changing surface.

It's also worth pointing out that sophisticated attacks rely on armies of bots to generate API traffic and attacks. Malicious bots are increasingly being leveraged in attacks, including DDoS attacks and account takeovers. Although many bot attacks are automated and high-volume, the ability to detect and block them in real time, combined with continuous monitoring, can help reduce the threat posed by bots.
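The two recommendations above, inventorying every endpoint (including deprecated ones you thought were gone) and analysing the traffic that reaches them for automated bot patterns, can be turned into a small audit over API access logs. The following is an added example written for this page, not code from the article's author or from any open banking project; the API inventory, the paths, the client addresses and the log lines are all constructed, and the log format (IP, ISO timestamp, method, path, status) is a hypothetical one chosen for the example.

```python
"""Shadow-API discovery and bot-rate check over constructed API access logs.

Added illustration, not from the original article. It shows (1) comparing
observed traffic against a documented API inventory to find endpoints that
are undocumented or deprecated but still live, and (2) flagging client IPs
whose request burst and failure ratio look like automated abuse.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical documented inventory: path template -> lifecycle status.
# {id} stands in for a numeric identifier in the real URL.
API_INVENTORY = {
    "/v2/accounts": "current",
    "/v2/accounts/{id}/transactions": "current",
    "/v2/payments": "current",
    "/v1/accounts": "deprecated",
}

# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = """\
203.0.113.10 2022-06-01T10:00:00Z GET /v2/accounts 200
203.0.113.10 2022-06-01T10:00:04Z GET /v2/accounts/123/transactions 200
198.51.100.7 2022-06-01T10:00:05Z GET /v1/accounts 200
198.51.100.7 2022-06-01T10:00:06Z POST /legacy/reports/export 200
192.0.2.55 2022-06-01T10:00:07Z POST /v2/payments 401
192.0.2.55 2022-06-01T10:00:07Z POST /v2/payments 401
192.0.2.55 2022-06-01T10:00:08Z POST /v2/payments 401
192.0.2.55 2022-06-01T10:00:08Z POST /v2/payments 401
192.0.2.55 2022-06-01T10:00:09Z POST /v2/payments 401
192.0.2.55 2022-06-01T10:00:09Z POST /v2/payments 401
192.0.2.55 2022-06-01T10:00:09Z POST /v2/payments 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ip": ip, "time": when, "method": method,
                        "path": path, "status": int(status)})
    return records


def normalize_path(path):
    """Collapse numeric path segments so /v2/accounts/123/... matches its template."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def audit_inventory(records, inventory=API_INVENTORY):
    """Return (shadow, deprecated): templates seen in traffic but missing from the
    inventory, and inventory entries marked deprecated that still receive traffic."""
    shadow, deprecated = set(), set()
    for r in records:
        template = normalize_path(r["path"])
        status = inventory.get(template)
        if status is None:
            shadow.add(template)
        elif status == "deprecated":
            deprecated.add(template)
    return shadow, deprecated


def flag_bot_sources(records, window_seconds=5, max_requests=5, min_failure_ratio=0.5):
    """Flag IPs that send more than max_requests inside any window_seconds span
    where at least min_failure_ratio of the responses are 4xx/5xx (the burst of
    rejected requests typical of credential stuffing or token guessing)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it fits within window_seconds.
            while (reqs[end]["time"] - reqs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = reqs[start:end + 1]
            if len(window) > max_requests:
                failures = sum(1 for r in window if r["status"] >= 400)
                if failures / len(window) >= min_failure_ratio:
                    flagged[ip] = {"requests": len(window), "failures": failures}
                    break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    shadow, deprecated = audit_inventory(recs)
    print("undocumented endpoints:", sorted(shadow))
    print("deprecated but still in use:", sorted(deprecated))
    print("suspected bot sources:", flag_bot_sources(recs))
```

On the sample data the audit reports one endpoint that is absent from the inventory and one deprecated endpoint that still receives traffic, both of which would otherwise be invisible to a team working only from its API documentation, and it flags the one client that fires a burst of rejected payment requests. In production the same two checks would run continuously over the gateway's logs, with the inventory kept in sync with the API gateway's route table rather than a hand-written dict.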

A future with open banking is an exciting prospect, as it will put financial control back in the hands of businesses and consumers. While reasonable care should be exercised with API-centric open banking solutions, there are ways to mitigate these concerns. Strong API security, along with detecting and blocking bots, can go a long way toward protecting against modern threats.