
API abuse highlights the dangers of unsafe Open Banking implementation

This year marks the fifth anniversary of Open Banking in the UK. The regulation continues to gain momentum among consumers. At the end of 2022, there were more than 6.5m regular, active users and nearly 250 regulated third-party providers in the UK, compared to 338 across the whole of the European Economic Area. Open Banking has created a number of advantages for customers and businesses alike, including greater flexibility and personalisation, better financial inclusion, and lower costs and fees. These benefits, coupled with government support for fintechs, have been instrumental in the growth of Open Banking services and further cemented the finance industry as a leader in digital transformation. 

However, innovation and the adoption of new digital services and third-party providers are continually expanding the attack surface of financial institutions. This expanding attack surface, coupled with the valuable data held by banks and other financial companies, accounts in large part for why the industry was hit by more than a quarter of all cyberattacks (28%) in 2022 - double the share of the next most-targeted sector. 

In particular, researchers found that the volume of unmonitored traffic flowing through Application Programming Interfaces (APIs) has skyrocketed 89% in the last year. APIs underpin the whole structure of Open Banking and a large percentage of this traffic contains sensitive information, so it’s essential that banks and fintechs alike get control of this traffic. In fact, given the importance of APIs to virtually all aspects of digital transformation, allowing APIs to go unmonitored is the cybersecurity equivalent of ignoring a ticking time-bomb. 

Safeguarding the foundations

APIs are so important to digital services because they enable different applications to share data and ‘talk’ to each other. Crucially, the data they exchange often comes from backend databases, which means that APIs function as a pathway to companies’ most valuable asset - their data. Today, Open Banking is responsible for around 1 billion API calls in the UK per month - an enormous amount of digital traffic, much of which contains highly sensitive customer information.

The danger for financial institutions is that nearly a third (30%) of this traffic goes through shadow APIs. According to Imperva Threat Research, shadow APIs are either third-party APIs that a company uses but doesn’t track, or internal ones that are unsupervised, forgotten about, or otherwise outside of security teams’ visibility. Shadow APIs can cause all sorts of problems. Even if they aren’t discovered and abused by malicious actors, they can cause governance issues if they aren’t updated to maintain regulatory compliance. And if they are discovered, the problems can be far more severe. Because APIs can connect to backend databases, they are an ideal route for attackers to exfiltrate sensitive information or compromise enterprise applications. Already, one in every 13 cyber incidents is estimated to be related to API insecurity, so the existence of shadow APIs represents a significant security flaw that every financial business should be looking to address immediately. 

Three steps to make sure you’re secure

Eliminating shadow APIs and preventing API abuse requires three core capabilities: 

  1. Full visibility over every API within the organisation: Given the speed at which APIs are produced and modified, manual discovery and classification are virtually impossible. Instead, by automating the process, financial institutions can build a full API inventory that is continuously updated whenever a change is made in production, giving security teams visibility without slowing down developers. 

  2. Establishing good governance for all APIs: For example, the application of common rules and security policies for how APIs should be used. Not only does this save time and money through increased consistency, but good API governance also allows for better decision-making regarding API programs and improves processes around building, deploying, and consuming APIs. This is even more important in heavily regulated industries, like finance, to ensure compliance with regulations such as the Open Banking Implementation Entity (OBIE)’s Open Banking Standards.

  3. Visibility over the full schema of every API: This also needs to include all of the data that flows through them. With visibility into schemas, businesses can define the expected usage of each API endpoint and then compare observed traffic with a baseline of normal behaviour, making it easier to identify and investigate anomalies. This is closely related to good API governance, as it involves understanding the underlying payload and making sure that it, too, is protected. 
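As an added illustration of steps 1 and 3 (not code from the article or from Imperva), the following script compares gateway traffic against a declared API inventory and schema baseline: calls to endpoints missing from the inventory are flagged as shadow APIs, and calls whose request body carries fields the documented schema does not allow are flagged as schema deviations. The inventory, the endpoint paths and the log lines are all constructed for this example.

```python
import json
import re

# Constructed inventory of governed API endpoints (hypothetical, not a real bank's):
# (HTTP method, path pattern) -> set of body fields the documented schema allows.
API_INVENTORY = {
    ("GET", r"^/open-banking/v3\.1/aisp/accounts/[A-Za-z0-9-]+$"): set(),
    ("POST", r"^/open-banking/v3\.1/pisp/domestic-payments$"): {"Data", "Risk"},
}

# Constructed gateway log sample (one JSON object per line); not real traffic.
SAMPLE_LOG = """\
{"method": "GET", "path": "/open-banking/v3.1/aisp/accounts/acc-1001", "body": {}}
{"method": "POST", "path": "/open-banking/v3.1/pisp/domestic-payments", "body": {"Data": {}, "Risk": {}}}
{"method": "POST", "path": "/open-banking/v3.1/pisp/domestic-payments", "body": {"Data": {}, "Risk": {}, "Debug": true}}
{"method": "GET", "path": "/internal/v1/export-accounts", "body": {}}
"""


def match_inventory(method, path):
    """Return the allowed body fields for a documented endpoint, or None if unknown."""
    for (inv_method, pattern), allowed in API_INVENTORY.items():
        if method == inv_method and re.match(pattern, path):
            return allowed
    return None


def audit_traffic(log_text):
    """Compare each logged call against the inventory and schema baseline.

    Returns (method, path, finding) tuples for calls to endpoints absent from
    the inventory (shadow APIs) and for calls whose body carries fields the
    documented schema does not allow (schema deviations worth investigating).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        call = json.loads(line)
        method, path = call["method"], call["path"]
        allowed = match_inventory(method, path)
        if allowed is None:
            findings.append((method, path, "shadow API: not in inventory"))
            continue
        unexpected = sorted(set(call.get("body", {})) - allowed)
        if unexpected:
            findings.append((method, path, "schema deviation: " + ", ".join(unexpected)))
    return findings
```

In production the inventory would be generated by automated discovery rather than hand-written, and the body-field check would be replaced by full schema validation of the payload.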

For these security capabilities to be effective, businesses need them to operate seamlessly across legacy, hybrid, and cloud-native environments. If not, API protection will remain fragmented. As a consequence, APIs will be left unguarded, and potentially sensitive traffic will go unmonitored. 

Taking the lead

Because of the strict regulations covering financial institutions, the industry has long been a leader when it comes to cybersecurity, with many companies being early adopters of new technologies to enhance data protection or application security. Now, because of the growth of Open Banking and other digital transformation initiatives, shadow APIs have become another challenge they have to deal with. 

Strong API protection is a complicated issue. However, by focusing on ensuring full visibility of every API across all environments, mapping out the schema and underlying payload for each, and implementing good governance practices, organisations can reap the benefits of Open Banking while protecting themselves and their customers.


Andy Zollo, Regional Vice President - EMEA, Imperva
