APIs are the secret sauce that lets third-party fintech apps talk to banks in real time and power the seamless transactions that drive the digital economy. But in the scramble to build innovative new services on top of APIs, financial institutions have inadvertently created a much larger attack surface for attackers targeting sensitive financial data and systems.
In December, an API used by the credit reporting service 700Credit was exploited, leading to a significant breach. Because 700Credit’s service is directly integrated with multiple banks, the attackers were able to bypass those banks’ own security controls and steal personal data from more than 5.8 million consumers.
That same month, the firewall of U.S. fintech vendor Marquis Software Solutions was breached via a known API vulnerability, resulting in the theft of sensitive data from around 400,000 customers of third-party banks and credit unions.
The foundation of fintech API security
The growing prevalence of cyberattacks in the fintech industry illustrates the need for robust API security measures to be applied far more consistently by institutions. Best practices for securing APIs have been established for years; applied thoroughly, they could well have prevented the incidents above.
In fintech, API security practices are shaped by open banking initiatives: regulatory frameworks that define how banking applications can let consumers securely share account and transaction data with authorized third-party financial services providers. Open banking has fostered rapid innovation in areas such as payments, tailored loans and consolidated account views, and because it prescribes concrete standards for authentication and user consent, it is a sound baseline for fintech developers.
In fintech, API security starts with authentication and authorization: OAuth 2.0 for delegated access and OpenID Connect for identity form the basis of access control, and every call should carry a token that the API verifies (signature, expiry, audience and scope) before it does anything else. Every invocation should travel over TLS, backed by a strict private-key management policy covering generation, storage and rotation. Input validation and output encoding then restrict what data can be submitted or modified through an API and protect downstream systems and users from malicious payloads.
Other useful mechanisms include abuse prevention and rate limiting, bot detection and behavioral analytics tools, and systems for logging, monitoring and anomaly detection.
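The two paragraphs above describe the controls in the abstract. The following is an added example, not code from the article or from any vendor it names, showing how they fit together in one request handler: a bearer token is verified (pinned algorithm, signature, expiry, audience, subject and scope), the caller is then rate-limited on its verified identity rather than on a spoofable header, and only then is the request body validated against a strict allowlist schema. The token issuer is a stand-in that signs with a constructed HS256 shared secret; a real OAuth 2.0 or OpenID Connect authorization server would use an asymmetric key published via JWKS, but the verification order and the checks are the same. The client ids, audience, key and request bodies are all constructed for the demo, and only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
from collections import deque

# Constructed demo values; a real service loads the key from a secret store and rotates it.
HMAC_KEY = b"demo-shared-secret-do-not-use"
EXPECTED_AUD = "payments-api"
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
TRANSFER_SCHEMA = {"to_account": str, "amount_cents": int, "currency": str}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Stand-in for the authorization server: issue a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, required_scope: str, now: float, key: bytes = HMAC_KEY):
    """Claims if signature, expiry, audience, subject and scope all check out, else None."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm: the verifier, never the token, decides how to verify.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, TypeError, AttributeError):      # malformed token
        return None
    if (not isinstance(claims, dict) or not claims.get("sub")
            or claims.get("exp", 0) <= now                   # expired or no expiry
            or claims.get("aud") != EXPECTED_AUD             # issued for another API
            or required_scope not in str(claims.get("scope", "")).split()):
        return None
    return claims

def validate_transfer(body) -> bool:
    """Allowlist validation: exact field set, exact types, bounded values."""
    if not isinstance(body, dict) or set(body) != set(TRANSFER_SCHEMA):
        return False                                     # unknown or missing fields
    if any(type(body[k]) is not t for k, t in TRANSFER_SCHEMA.items()):
        return False                                     # `is`: bool must not pass as int
    return (0 < body["amount_cents"] <= 100_000_000
            and body["currency"] in ALLOWED_CURRENCIES
            and body["to_account"].isdigit() and 8 <= len(body["to_account"]) <= 12)

class SlidingWindowLimiter:
    """Per-client limiter keyed on the authenticated subject, not on a spoofable header or IP."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s, self._hits = limit, window_s, {}

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits.setdefault(client_id, deque())
        while hits and hits[0] <= now - self.window_s:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def handle_transfer(request: dict, now: float, limiter: SlidingWindowLimiter) -> int:
    """Authenticate, rate-limit on the verified identity, then validate the body."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    claims = verify_token(auth[len("Bearer "):], "transfer:write", now)
    if claims is None:
        return 401
    if not limiter.allow(claims["sub"], now):
        return 429
    return 200 if validate_transfer(request.get("body")) else 400

def demo() -> list:
    """Constructed requests that exercise each control; returns the HTTP status codes."""
    now, limiter = 1_700_000_000.0, SlidingWindowLimiter(limit=2, window_s=60)
    base = {"sub": "client-42", "aud": EXPECTED_AUD, "scope": "transfer:write"}
    good = mint_token({**base, "exp": now + 300})
    readonly = mint_token({**base, "scope": "transfer:read", "exp": now + 300})
    head, _, sig = good.split(".")                       # valid signature, edited claims:
    forged = f"{head}.{_b64url(json.dumps({**base, 'sub': 'client-99', 'exp': now + 300}).encode())}.{sig}"
    body = {"to_account": "123456789", "amount_cents": 2500, "currency": "USD"}
    req = lambda tok, b=body: {"headers": {"Authorization": "Bearer " + tok}, "body": b}
    return [
        handle_transfer(req(good), now, limiter),                         # 200
        handle_transfer(req(readonly), now, limiter),                     # 401 lacks scope
        handle_transfer(req(forged), now, limiter),                       # 401 signature mismatch
        handle_transfer(req(good, {**body, "memo": "x"}), now, limiter),  # 400 unknown field
        handle_transfer(req(good), now + 1, limiter),                     # 429 third call in window
    ]
```

Two design points are worth noting. The limiter is consulted after authentication but before body validation, so an attacker cannot burn through the rate budget of another client and cannot use malformed bodies to probe the validator without spending their own budget. And the validator rejects unknown fields outright rather than ignoring them, which is what keeps the mass-assignment class of bugs discussed later from reaching the data layer.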
Despite the existence of these standard security mechanisms, lax API security remains a significant problem. The difficulty stems from the fact that these measures must be reproduced for every new integration between banks, payment providers and service providers. Moreover, implementing them can be troublesome for a number of reasons:
- Third-party API integrations. Reliance on external providers for interoperability makes it hard to vet third-party security practices or gain adequate visibility into partners’ systems, which prevents uniform security across all integrations.
- Legacy tech. Many financial institutions layer APIs over decades-old legacy systems, which bring numerous security risks of their own. Older systems often lack reliable auditing capabilities, for instance, and carry substantial technical debt.
- Microservice architecture sprawl. The widespread use of cloud-native microservices dramatically increases the overall attack surface, because each small component introduces its own potential vulnerabilities. This greatly complicates security, as responsibility tends to be diffused across multiple teams, creating a kind of “hot potato” effect.
- Real-time monitoring. Implementing real-time threat detection without creating unacceptable latency is a major technical challenge that requires the ability to accurately differentiate between legitimate network traffic and activity from sophisticated threats.
Common techniques used in API attacks
The challenges associated with API security are compounded by the innovative nature of cybercriminals, who are constantly dreaming up more sophisticated and resourceful techniques for identifying and exploiting vulnerabilities. Here are some of the most widespread techniques in use today:
- Authentication bypass involves exploiting flaws in login or token-handling mechanisms to gain unauthorized access to users’ accounts.
- Man-in-the-middle attacks refer to the interception of API communications, typically where TLS is missing or not properly validated, to steal login credentials or alter transaction data in transit.
- Broken object-level authorization occurs when an API authenticates the caller but fails to verify that they are entitled to the specific object the request names, such as an account or transaction identified by an ID in the URL or body, allowing them to read or modify other customers’ data.
- Mass assignment occurs when an API binds every field in a client-supplied request body to its internal data model, so that an attacker who adds fields the endpoint never meant to expose, such as a balance, role or limit, can overwrite protected data.
- Business logic exploits refer to legitimate features being misused in ways the designers did not anticipate, to extract funds or bypass controls.
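The broken object-level authorization and mass assignment items above are easiest to see side by side as code. The following is an added example, not code from the article or from any company it mentions, in Python with an in-memory dictionary standing in for the database: each vulnerable handler is paired with its hardened form, and a demo routine plays an authenticated customer (constructed as "mallory") first reading another customer’s account by guessing its ID, then rewriting protected fields on her own account by adding them to a JSON patch. The account IDs, owners and balances are constructed sample data; the caller name is assumed to come from a verified access token, as in the authentication example earlier.

```python
from dataclasses import dataclass

@dataclass
class Account:
    id: str
    owner: str           # subject from the verified access token that created it
    nickname: str
    balance_cents: int
    frozen: bool

def make_accounts() -> dict:
    """Constructed sample data: each customer owns one account."""
    return {
        "acc-1001": Account("acc-1001", "alice", "Main", 150_000, False),
        "acc-1002": Account("acc-1002", "mallory", "Side", 2_000, True),
    }

# --- Broken object-level authorization (BOLA) ------------------------------
def get_account_vulnerable(accounts: dict, caller: str, account_id: str):
    """Looks up whatever id the client supplied and never checks who owns it."""
    return accounts.get(account_id)

def get_account_hardened(accounts: dict, caller: str, account_id: str):
    """Object-level check: the caller must own the object the request names.
    'Not found' and 'not yours' give the same answer, so ids cannot be enumerated."""
    acct = accounts.get(account_id)
    return acct if acct is not None and acct.owner == caller else None

# --- Mass assignment -------------------------------------------------------
CLIENT_WRITABLE = {"nickname"}      # the only field a customer may set directly

def update_account_vulnerable(accounts: dict, caller: str, account_id: str, patch: dict) -> bool:
    """Ownership is checked, but every key in the JSON body is bound to the model."""
    acct = get_account_hardened(accounts, caller, account_id)
    if acct is None:
        return False
    for key, value in patch.items():
        setattr(acct, key, value)       # balance_cents and frozen are reachable here
    return True

def update_account_hardened(accounts: dict, caller: str, account_id: str, patch: dict) -> bool:
    """Bind only allowlisted fields, and reject (rather than silently drop) anything else."""
    acct = get_account_hardened(accounts, caller, account_id)
    if acct is None or not set(patch) <= CLIENT_WRITABLE:
        return False
    if not isinstance(patch.get("nickname", ""), str):
        return False
    for key, value in patch.items():
        setattr(acct, key, value)
    return True

def demo() -> dict:
    """Mallory, authenticated as 'mallory', attacks Alice's data and her own balance."""
    vuln, hard = make_accounts(), make_accounts()
    escalation = {"nickname": "Side", "balance_cents": 10_000_000, "frozen": False}
    return {
        # BOLA: reading someone else's account by guessing its id
        "bola_vulnerable": get_account_vulnerable(vuln, "mallory", "acc-1001").owner,
        "bola_hardened": get_account_hardened(hard, "mallory", "acc-1001"),
        # Mass assignment: rewriting protected fields on her own account via extra JSON keys
        "mass_vulnerable": (update_account_vulnerable(vuln, "mallory", "acc-1002", escalation),
                            vuln["acc-1002"].balance_cents, vuln["acc-1002"].frozen),
        "mass_hardened": (update_account_hardened(hard, "mallory", "acc-1002", escalation),
                          hard["acc-1002"].balance_cents, hard["acc-1002"].frozen),
        # The legitimate operation still works against the hardened handler
        "legit_rename": (update_account_hardened(hard, "mallory", "acc-1002", {"nickname": "Savings"}),
                         hard["acc-1002"].nickname),
    }
```

The hardened read returns the same `None` for a missing account and for one the caller does not own; returning a distinct 403 for the latter would tell an attacker which IDs exist. The hardened update refuses the whole request when it contains a field outside the allowlist instead of quietly discarding it, so a client sending protected fields is surfaced in logs as a rejected request rather than passing as a successful rename.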
Best practices for securing fintech APIs
Fintech API security starts with an API gateway, a middle layer that acts as the single entry point through which all client traffic to the APIs passes. By routing everything through a gateway, developers gain visibility and control, and can enforce consistent authentication and authorization, monitor for suspicious activity and manage the API lifecycle in one place.
API developers must also maintain thorough documentation, including detailed endpoint specifications that state each endpoint’s authentication and authorization requirements and its rules for data handling. At the same time, teams should ensure their APIs undergo regular and thorough security testing and vulnerability scanning to surface issues before attackers find and exploit them.
This is best achieved by embedding automated scanners into the build pipeline and scheduling periodic fuzz and penetration tests. In addition, APIs should be tested regularly for logic vulnerabilities.
Organizations can further reinforce their API security baseline by adopting a zero-trust philosophy, in which no API request is trusted because of where it comes from: every call, including one from inside the network, is authenticated and authorized on its own merits. Zero-trust frameworks are built on the principle of least privilege and continuous verification of identity, shifting the primary control from the network perimeter to the identity making the request.
A continuous battle
Fintech APIs serve as foundational pillars in the digital economy, and protecting them has never been more important. Cybercriminals are forever on the lookout for new exploits and vulnerabilities in the expanding API landscape, and they’re not going to give up.
API security represents an ongoing battle, and teams can never claim to be victorious. But by scheduling regular security assessments and compliance checks, running automated security regression tests and monitoring APIs for compliance and abnormal traffic activities, it’s possible to adapt to the continuously evolving threat landscape and prevent most types of attacks.