APIs leave digital banking unlocked


How to Fix Open Banking Vulnerabilities

Major cyberattacks have made international news several times over the past few years, and there is no sign that they will slow down. Ransomware is not the only growing problem for the financial industry; credential stuffing attacks also pose major risks to banks and credit unions.

In 2020, the FBI issued a credential stuffing warning and shared research which indicated that these attacks frequently targeted APIs. Gartner predicts that APIs will be “the most common online attack vector by 2022”.

Why are APIs such good targets?

Over the past decade, banks and credit unions have deployed innovative, customer-centric digital banking services through the widespread use of application programming interfaces (APIs). APIs are widely deployed due to the intense demand for a seamless and simple digital customer experience.

Under this pressure, banks and credit unions are partnering with third parties to improve the customer experience. This is called open banking (or open banking data): a bank or credit union partners with a third-party service that gives consumers open access to their banking information and transactions, and connects them with several other financial institutions.

Customers want to access their information with just a few taps on a smartphone screen, but that convenience sometimes comes at the expense of security.

Financial data, from credit card numbers to mortgage reports, as well as personal data contained in accounts, are all tempting targets for cybercriminals.

Convenience or security

Now is a crucial time to step back and examine the digital landscape of open banking. An August 2020 report found that about half of all organizations surveyed “knowingly push vulnerable software.” When developers are under pressure from deadlines, perceive the risk as low, or simply overlook it, security is no longer top of mind.

Either way, when security isn’t a priority, it makes it easier for hackers to gain access to customer data.

What can be done?

Financial organizations need to engage more actively with their existing API vulnerabilities. Every step of the process, from code to interface development to deployment, needs to be examined defensively. There are many vulnerabilities to address, but organizations can start with a few basics:

  1. Know how many APIs exist in their environment.
  2. Keep track of them. Catalog all APIs, keep records of what they do, and log the type of information the system handles.
  3. Audit APIs for existing and potential risks. Determine existing vulnerabilities and extrapolate to a situation where the API has been attacked.
  4. Make changes. Respond to issues found in the process.

There are also ways for institutions to immediately strengthen their defenses against credential stuffing attacks, which at the same time addresses a large share of their API security issues overall.

In credential stuffing attacks, cybercriminals automatically “stuff” combinations of usernames and passwords into a login form. The credentials may have been obtained in a previous breach or stolen from another organization.
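The defining signature of the attack described above is automation: one source submitting many different usernames in a short window, most of them failing. The following script, added here as an illustration and not part of the original post, runs that heuristic over a handful of constructed login-log lines (timestamp, source IP, username, outcome); the log format, thresholds and IP addresses are assumptions chosen for the example.

```python
"""Flag credential-stuffing patterns in authentication logs.

Heuristic: a credential-stuffing run submits many *different* usernames from
the same source in a short window with a high failure rate. A single user
mistyping their own password produces many failures for ONE username, which
this heuristic deliberately does not flag.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): timestamp, source IP,
# username, outcome. The first source cycles through ten different accounts;
# the second is one person retrying their own account.
SAMPLE_LOG = """\
2020-08-01T10:00:01Z 203.0.113.7 alice FAIL
2020-08-01T10:00:02Z 203.0.113.7 bob FAIL
2020-08-01T10:00:02Z 203.0.113.7 carol FAIL
2020-08-01T10:00:03Z 203.0.113.7 dave FAIL
2020-08-01T10:00:03Z 203.0.113.7 erin FAIL
2020-08-01T10:00:04Z 203.0.113.7 frank OK
2020-08-01T10:00:05Z 203.0.113.7 grace FAIL
2020-08-01T10:00:05Z 203.0.113.7 heidi FAIL
2020-08-01T10:00:06Z 203.0.113.7 ivan FAIL
2020-08-01T10:00:06Z 203.0.113.7 judy FAIL
2020-08-01T10:01:00Z 198.51.100.9 alice FAIL
2020-08-01T10:01:30Z 198.51.100.9 alice FAIL
2020-08-01T10:02:00Z 198.51.100.9 alice OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=8, min_fail_rate=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every source that,
    within some sliding window of `window` length, touched at least `min_users`
    distinct usernames with a failure rate of at least `min_fail_rate`.
    The reported tuple is the qualifying window with the most distinct users."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e[2] for e in window_evs}
            attempts = len(window_evs)
            failures = sum(1 for e in window_evs if e[3] == "FAIL")
            best = flagged.get(ip)
            if (len(users) >= min_users
                    and failures / attempts >= min_fail_rate
                    and (best is None or len(users) > best[0])):
                flagged[ip] = (len(users), attempts, failures)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, failures) in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} usernames, {failures}/{attempts} failures -> credential stuffing suspected")
```

The distinct-username count is what separates this from a plain failed-login threshold: the retrying user on 198.51.100.9 has three failures against one account and is left alone, while 203.0.113.7 is reported with ten usernames and nine failures in ten attempts. In practice the same logic runs on WAF or gateway logs, and the thresholds are tuned against a baseline of normal traffic for the institution.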

To combat the possibility of these attacks, banks and credit unions can:

  1. Institute a Web Application Firewall – WAFs can help banks and credit unions monitor attacks.
  2. Hash passwords – instead of plain text, all stored passwords must be protected with a hash, so that they are not exposed as plain text in the event of a data breach.
  3. Mandate the use of multi-factor authentication – making MFA mandatory (as opposed to optional, as many systems currently offer) decreases the risk of breach.
  4. Screen for compromised credentials – one of the most immediately effective changes is to screen credentials against a blacklist of previously compromised passwords. Ideally, this should be done the moment a new password is created, as well as on an ongoing basis.
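Points 2 and 4 above, carried through in code as an added example that is not part of the original post: passwords are stored as salted, iterated PBKDF2 hashes, and a candidate password is screened against a compromised-password list before it is accepted and again at each login (the ongoing check). The breach list here is a small constructed in-memory index keyed by the first five hex characters of the password's SHA-1, standing in for a hashed-prefix range lookup against a real breach service; the iteration count, index layout and sample passwords are assumptions for the example.

```python
"""Salted password hashing plus compromised-password screening.

Assumptions for this example: PBKDF2-HMAC-SHA256 with a fixed iteration
count, an in-memory user store, and a constructed breach index keyed by the
5-character SHA-1 prefix of each breached password (the shape a hashed-prefix
range lookup returns, so a remote service would never see the full hash).
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs ~100 ms on the auth servers


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def add_breached_password(password: str, index: dict) -> None:
    """Insert a password into the prefix-keyed breach index (constructed data)."""
    h = _sha1_hex(password)
    index.setdefault(h[:5], set()).add(h[5:])


# Constructed stand-in for a breach corpus; not real breach data.
BREACH_INDEX: dict = {}
for _pw in ("password", "123456", "qwerty", "letmein"):
    add_breached_password(_pw, BREACH_INDEX)


def is_compromised(password: str, index: dict = BREACH_INDEX) -> bool:
    """Hashed-prefix lookup: only h[:5] leaves the caller in a real range query."""
    h = _sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


USERS: dict = {}          # username -> stored hash
NEEDS_RESET: set = set()  # users whose password turned up in a breach after registration


def register(username: str, password: str):
    """Screen at creation time, then store only the salted hash."""
    if is_compromised(password):
        return False, "password appears in a known breach; choose another"
    USERS[username] = hash_password(password)
    return True, "stored"


def login(username: str, password: str) -> bool:
    """Verify the hash; on success, re-screen the password (ongoing check).
    A password that has since appeared in a breach still logs the user in here
    but marks the account so the application can force a reset."""
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # dummy hash so unknown users cost the same time
        return False
    if not verify_password(password, stored):
        return False
    if is_compromised(password):
        NEEDS_RESET.add(username)
    return True
```

The stored record carries its own algorithm, iteration count and salt, so the iteration count can be raised later and old records re-hashed on the user's next successful login. Re-screening at login is what makes the "ongoing basis" in point 4 possible: the plaintext is only available at registration and at login, never from the stored hash.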

When companies rush to meet customer expectations with insecure APIs, system security is easily compromised. Financial institutions offering open banking services must share a common API goal: balancing security with customers’ expectations of the digital experience.

The post APIs leave digital banking unlocked appeared first on Enzoic.

*** This is a syndicated blog from the Security Bloggers Network of enzoic written by Enzoic. Read the original post at: https://www.enzoic.com/banking-services/

