Open APIs part two: How secure are open APIs?

By Netacea / 13th Nov 2019

On 26th November, we’re giving financial services organisations the opportunity to put their API security questions to our experts. In the meantime, our two-part open API series puts the crux of the challenges facing banks, FinTechs and aggregators into context.

In part one we covered the basics: what is an open API and what are the associated benefits? In part two we explore how open APIs will affect the financial services industry: what are the security implications of connecting two businesses via third-party technology?

Why are open APIs vulnerable to attack?

As discussed in part one, in the open banking infrastructure, APIs sit between the payment service provider (PSP) and third-party provider (TPP). The API makes it possible for data to be shared between the two organisations.

The API therefore sits at a crucial point in the shared infrastructure between the PSP and TPP. If the API is attacked, both connected parties are vulnerable.

It’s vital to remember that threat actors are always seeking the easiest point of entry, which makes APIs an extremely attractive target. After all, APIs can’t detect, prevent or respond to automated attacks. They are open by design, and therefore attacks against API endpoints can be less complex than those targeting websites and mobile applications.

If an API is exposed, bots can be used to take over accounts, scrape data and prevent the API from running properly.

Who is responsible for maintaining API security?

PSPs and TPPs alike are responsible for ensuring a resilient API environment. As such, PSD2 and the UK’s open banking legislation restrict API access to regulated TPPs that have been subject to extensive verification of their security, operational governance and risk management controls. But that doesn’t automatically mean PSPs are 100% safe from attack.

James Maude, Head of Threat Research at Netacea, said:

“APIs can extend the ways in which an attacker will attempt to gain entry – through the TPP, mobile applications, or access to the API directly.

“The problem for banks is that, even if they take every precaution to make sure that the API is secure, there are ways to attack it that are out of their control. A hacker with access to a TPP’s system could use it to scrape personal details, but it doesn’t have to be quite so direct. An improperly secured and poorly designed third-party app configured to share the bank’s data is a direct link to an API that can be exploited in a “supply chain” attack – in which instance, automated attacks that test credentials and card details and commit fraud become possible.”

Securing your open APIs

Creating a resilient API environment is critical to protecting your financial services organisation, customers and any connected TPPs, starting with securing the API’s three points of vulnerability with the appropriate mitigation methods:

At Netacea, we take a revolutionary approach to bot management, applying a single solution with innovative coverage across all API points of vulnerability. We monitor all site visits to a specified path and analyse them in context relative to each of the visitors to the enterprise estate. This enables us to understand not just whether a user is human or bot, but whether a user has good or bad intent.

To find out more about securing your APIs in the open banking environment, why not register for our upcoming Beyond Open Banking event?

Hosted by API security experts Andy Still – CTO and co-founder at Netacea – and James Maude, we’ll be exploring:

  • How attackers are evading your existing defences
  • Real-world examples of bypass techniques in financial services
  • How to strike the right balance between innovation and security

What?

Beyond Open Banking: The Evolving Threat Landscape

When?

6pm, 26th November 2019

Where?

Hixter Bankside, London