This is the first in a series on security, banking and financial APIs. In this blog we’ll discuss current security challenges with banking and financial APIs and how the mobile endpoint is an area organizations need to focus on to prevent breaches, fraud and attacks.
Mobile Vulnerabilities that Lead to Security Challenges with Banking and Financial APIs
Attacks and data breaches stemming from poorly secured application programming interfaces (APIs) occur frequently. Gartner predicts that by 2022, API abuses will be the most frequent attack vector. Based on multiple studies, Financial Services organizations need to prioritize API security to protect their customers.
- In a study of banking, fintech and cryptocurrency exchanges, 99% of the mobile apps that were reverse engineered contained hardcoded API keys and tokens including usernames and passwords to third-party services.
- Also in the study referenced above, all the APIs tested had vulnerabilities that enabled researchers to change PIN codes and transfer funds in and out of accounts.
- As discussed in a previous blog, mobile apps are often the weak links as API keys and other data obtained through mobile devices are used to attack back-end servers. API, SSH, and SSL/TLS private keys may be discovered in mobile apps and code repositories.
- Some of the biggest risks with APIs stem from careless or poorly implemented API calls, excessive data exposure, existing unpatched bugs or known security vulnerabilities. For example, in my cryptocurrency work, a hacker exploited a security vulnerability in an open source API used by a popular eWallet and was able to divert over a million dollars from end users into his own fraudulent account.
- Using man-in-the-middle (MITM) and woman-in-the-middle (WITM) attack techniques, fraudsters and hackers can exploit vulnerable APIs to intercept API traffic between mobile apps and backend APIs,
- Bad actors find unadvertised, unused or prototype APIs that are unsecured and unmonitored, which could allow them to exploit account takeovers (ATOs) and infiltrate backend servers or other critical parts of an organization.
Proliferation and Decentralized Management of Banking APIs Leading to Security Challenges
APIs are a foundational element of many organizations’ digital transformation efforts. Traditional banks have deployed new APIs to keep up with neobanks and offer more flexible and agile digital experiences that cater to a changing and broader spectrum of users. Open banking initiatives have also driven the rapid development and proliferation of APIs, making it easier for payments, accounts services and other data to be accessed by third party providers. As a result, the creation, development and deployment of APIs are often loosely managed. Security teams have to deal with APIs they have not worked with before and exist outside normal processes and controls. These APIs may not have the security needed, introducing significant and often unknown risk.
As the pace of innovation requires banks and financial organizations to work collaboratively, these partners have to somehow quickly get past organizational boundaries and build in security. Where organizations have not done this quickly enough, risk increases as a result of an expanded attack surface.
Organizations Lack Specific Skills and Roles to Address Security Challenges with Banking APIs
Based on a recent Gartner survey, lack of skills was one of the top 2 challenges in an organization’s API strategy. In addition to API specific skills, organizations need to account for the skills required to address new attack surfaces. Due to COVID-19 and increasing digital nature of our lives, mobile app security is an area many organizations do not have specialization in. While many companies have focused on developing new features for users, they may have not kept up with the nuances of every combination of OS, development framework, and security feature out there. On top of that, iOS and Android are changing continuously, resulting in multiple releases for app makers per year for each new OS, app and SDK. Each new revision of iOS or Android means new development, new testing and troubleshooting—and the skills and resources to do so.
Current Solutions Addressing Security Challenges with Banking APIs are Lacking
While solutions include API testing to general purpose application security solutions, companies need to consider the drawbacks, in addition to the benefits the vendors are pitching:
- Protecting APIs with general purpose application security solutions alone is ineffective. Each new API represents an additional and potentially unique attack vector into your systems. In addition, many general purpose application security solutions do not take into account the ways mobile apps are uniquely compromised.
- Many DevSecOps teams have focused on improving API testing in development, using traditional tools such as static AST and dynamic AST. While these tools are important in identifying issues, they don’t resolve them. Developers still need to code the security features to address the vulnerabilities identified. In addition, traditional AST tools (e.g. SAST, DAST and interactive AST) were not originally designed to test for vulnerabilities associated with typical attacks against APIs, or for newer types of APIs.
- API threat protection technologies have been developing, but they are still in early development and almost all require manual coding efforts. Contrast that to Appdome’s no code solution for protecting the mobile endpoint. For more information see this blog.
The mobile app needs to be protected as it often contains the API address and key. Malware and other threats harvest that data for account takeovers and malicious activities. For information on how Appdome can help you with mobile api security and fraud prevention, please Contact Appdome today to learn how easy it is to get started with Appdome.