4 Reasons Financial Services Firms Need Better API Security Now


The global API ecosystem is exploding. As the fuel of today’s digital services, organizations are creating more APIs than ever before, and they’re creating them much faster and changing much more frequently than in the past.

More than three-quarters of software developers say participating in the API economy is or will be a top business priority for their organization. However, in financial services, that number is even higher, at more than 80%, surpassing all other industries. Nowhere has API delivery been accelerated as much or as quickly as in financial services. By leveraging APIs, financial services organizations can innovate and quickly bring unique customer experiences and services to market.

However, the rapid growth of APIs has also widened the attack surface and introduced new security risks. Financial institutions have always been a prime target for attackers because successful attacks are so lucrative, which is why minimizing security risk has always been a top priority for them. In today’s digitalized financial services landscape, risk has never been greater – these four realities drive an urgent need for better API security:

  • The use of APIs in financial services is increasing
  • API attacks threaten major financial services initiatives
  • API security incidents harm consumer trust
  • Traditional security solutions don’t protect APIs

API usage will grow even more

In financial services, the strong growth trajectory of APIs will continue. With each use case and each new service, the number of APIs in a typical financial services company keeps increasing.

APIs provide the data connection required to support today’s mobile financial applications and peer-to-peer payment systems. APIs are central to open banking. APIs allow financial services companies to standardize how they connect and exchange data, allowing consumer financial information to be shared instantly between organizations and third-party service providers. With different partners and technology providers, API connections are continually being added to the financial ecosystem.

Moreover, the growth of open banking has only just begun. According to Simon Torrance and Bain Capital, the new integrated financial markets made possible by open banking will reach $3.6 trillion in market share by 2030, and this figure only takes into account the United States. The Simon Torrance and Bain Capital report adds:

“To put this into perspective, integrated finance could potentially create businesses worth more than the total pre-Covid value of the top 30 US financial institutions.”

For financial services, this means even more APIs and an ever-growing attack surface that must be adequately protected.

API Attacks Threaten Key Business Initiatives

Open banking offers consumers more choice and convenience in meeting their financial needs. Equally important, it increases competition in the financial services industry and generates new revenue streams. Open banking also offers more traditional financial institutions the opportunity to compete with faster-moving fintech companies.

Covid has accelerated digital transformation in many sectors. In financial services, it accelerated the adoption of mobile and branchless banking; consumers want integrated services and the ability to connect their financial lives when and where they want. This forces banks and other financial firms to deploy new capabilities or risk becoming obsolete and losing customers and, with them, revenue.

Digitization has become a critical business initiative and is becoming increasingly important in financial services. However, without the ability to protect the data used in these services, financial organizations lose this opportunity entirely. Unlocking the value of these business opportunities requires protecting these APIs.

A single API attack has the potential to undo all the gains made through an organization’s digital transformation.

API Security Incidents Harm Consumer Trust

Have you ever had an experience with a company and sworn never to do business with them again? Have you ever changed providers due to poor customer service? Once trust is lost, it is very difficult to regain it.

In financial services, the costs can be high. Salt Labs, the research arm of Salt Security, provides ongoing research into API vulnerabilities. In its latest report, Salt Labs discovered a server-side request forgery (SSRF) flaw in a major fintech platform that provides a wide range of digital banking services to hundreds of banks and millions of customers.

The vulnerability had the potential to compromise every user account and transaction data served by its client banks. Imagine the leaking of customers’ bank details and financial transactions and users’ personal data or, worse, unauthorized fund transfers to attackers’ bank accounts.

None of those nightmares happened, because Salt Labs found the problem before a bad actor did, and all the problems were fixed. But this type of exploit, if it had happened, would likely have caused irreparable reputational damage, not to mention financial loss, theft, and fraud.

The nature of financial services applications is to exchange sensitive financial and customer data, making APIs a high-stakes asset in need of protection.

Traditional solutions do not offer adequate API protection

Most financial services companies have sophisticated runtime security stacks with multiple layers of security tools, such as bot mitigation, WAFs, and API gateways. These traditional tools provide fundamental security features and protection for traditional applications. However, they lack the context necessary to identify and stop attacks that target each API’s unique logic.

To traditional tools such as WAFs, API gateways, and other proxy-based solutions, attacker activity looks like normal API traffic. Their architecture limits them to inspecting transactions one at a time, in isolation, and to rate limiting. They also depend on signatures to detect well-known attack patterns: if a transaction does not match a known attack signature, the WAF lets it through. Since every API is unique, with its own unique vulnerabilities, signatures cannot prevent API attacks.

API security requires big data to capture all API traffic, and artificial intelligence (AI) and machine learning (ML) to continuously analyze large volumes of it. Without continuous analysis of API traffic, you cannot understand the normal behavior of each unique API or gain the context required to identify attackers.
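The contrast drawn in the two paragraphs above (a per-request signature match versus a behavioral baseline built from traffic over time) can be made concrete with a small script. The following is an added example, not code from the original post or from Salt Security; the log format, user names, account numbers, and endpoint paths are all constructed for illustration, and the baseline rule (flag a user who touches more than twice the normally observed number of distinct accounts in a 60-second window) is a deliberately simple stand-in for the ML-driven analysis the post describes.

```python
"""Per-request signature checks vs. per-client behavioral baselining."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed, hypothetical access-log lines (not from any real system):
# epoch seconds, authenticated user, method, path, HTTP status.
# Traffic observed during a quiet period, used to learn "normal".
BASELINE_LOG = """\
1700000000 user=alice GET /api/v1/accounts/1001/balance 200
1700000007 user=alice GET /api/v1/accounts/1002/balance 200
1700000020 user=bob GET /api/v1/accounts/2001/transactions 200
1700000095 user=alice GET /api/v1/accounts/1001/transactions 200
1700000130 user=bob GET /api/v1/accounts/2001/balance 200
"""

# Later traffic: every request is authenticated, well-formed and individually
# indistinguishable from a legitimate one.
LIVE_LOG = """\
1700090000 user=carol GET /api/v1/accounts/3001/balance 200
1700090003 user=carol GET /api/v1/accounts/3002/balance 200
1700090006 user=carol GET /api/v1/accounts/3003/balance 200
1700090009 user=carol GET /api/v1/accounts/3004/balance 200
1700090012 user=carol GET /api/v1/accounts/3005/balance 200
1700090015 user=carol GET /api/v1/accounts/3006/balance 200
1700090040 user=alice GET /api/v1/accounts/1001/balance 200
1700090050 user=alice GET /api/v1/accounts/1002/balance 200
"""

LINE_RE = re.compile(r"^(\d+) user=(\S+) (\S+) (\S+) (\d{3})$")
ACCOUNT_RE = re.compile(r"^/api/v1/accounts/(\d+)/")

# Classic per-request signatures of the kind a WAF matches against a path.
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"\.\./")]


@dataclass(frozen=True)
class Request:
    ts: int
    user: str
    method: str
    path: str
    status: int


def parse_log(text: str) -> list[Request]:
    """Parse the constructed log format; malformed lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, method, path, status = m.groups()
            reqs.append(Request(int(ts), user, method, path, int(status)))
    return reqs


def signature_hits(reqs: list[Request]) -> list[Request]:
    """Per-request check: a request is flagged only if it matches a known pattern."""
    return [r for r in reqs if any(s.search(r.path) for s in SIGNATURES)]


def max_distinct_accounts(reqs: list[Request], window_s: int = 60) -> dict[str, int]:
    """For each user, the largest number of distinct account ids touched in any window."""
    per_user: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for r in reqs:
        m = ACCOUNT_RE.match(r.path)
        if m:
            per_user[r.user].append((r.ts, m.group(1)))
    result = {}
    for user, events in per_user.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            ids = {acct for t, acct in events[i:] if t - t0 < window_s}
            best = max(best, len(ids))
        result[user] = best
    return result


def learn_baseline(reqs: list[Request], window_s: int = 60) -> int:
    """Normal behavior: the most accounts any user touched within one window."""
    return max(max_distinct_accounts(reqs, window_s).values(), default=0)


def behavioral_alerts(reqs: list[Request], baseline: int,
                      window_s: int = 60, factor: int = 2) -> list[str]:
    """Users whose per-window account spread exceeds the baseline by `factor`."""
    return sorted(u for u, n in max_distinct_accounts(reqs, window_s).items()
                  if n > baseline * factor)


if __name__ == "__main__":
    live = parse_log(LIVE_LOG)
    print("signature hits:", signature_hits(live))            # []
    baseline = learn_baseline(parse_log(BASELINE_LOG))        # 2
    print("behavioral alerts:", behavioral_alerts(live, baseline))  # ['carol']
```

Run stand-alone, the signature pass finds nothing in the live traffic, because no single request carries a malicious payload, while the baseline learned from the quiet period (at most two distinct accounts per user per minute) is exceeded three-fold by one session, which is exactly the context a per-transaction proxy does not have. A production system would learn such baselines per endpoint and per client type and would use far richer features than a single count.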

Additionally, while open banking sets standards for how APIs should be structured to enable predictable integrations and communications, it provides no standards that meet the majority of API security requirements. Basic controls, such as authentication, authorization, and encryption, also fall short of today’s API security challenges.

API security must be at the forefront of financial services

API usage is on the rise. In financial services, APIs have become essential to meet changing consumer expectations and to innovate in order to remain competitive. At the same time, APIs are now the most common attack vector. In the past 12 months, 95% of organizations have experienced an API security incident, and API attack traffic grew 681%, more than twice as fast as overall API usage traffic.

Financial data breaches cost the company compliance and regulatory fines and lost revenue, and they cause irreparable harm to an organization’s brand. Reputation is everything in the highly competitive financial services market.

Financial services organizations must put API security at the forefront to protect this growing attack surface. This requires dedicated API security tools for the entire API lifecycle that provide continuous attack surface visibility, early attack prevention, and automated insights for continuous improvement of the API.

*** This is a syndicated blog from the Security Bloggers Network of the Salt Security Blog, written by Jennifer Dignum. Read the original post at: https://salt.security/blog/4-reasons-why-financial-services-companies-need-better-api-security-now
