Fintech organizations and financial institutions are grappling to sustain a reliable app security environment around application program interfaces (APIs) in its omni-banking platforms, especially given the increased role of remote workers and customer engagement models.
APIs are now pervasive across industries. In mid-2020, ProgrammableWeb charted over 24,000 public APIs, including over 4,000 in financial services alone. The potential attack surface has grown significantly as many financial institutions and fintechs have various APIs handling an assortment of personally identifiable information (PII) such as user credentials, payment data, and social security numbers tied to their internal and external facing services.
That is a scary proposition as API abuses as many cybersecurity experts expect APIs to become the most frequent cyber-attack vector. Add in rapid cloud migration, and all industries are using dangerous levels of vulnerable apps and APIs.
Seventy percent of respondents in Radware’s 2020-2021 “State of Web Application Security Report” reported ensuring the security and integrity of data and applications as becoming more challenging, particularly in a multi-cloud situation. Nearly 40% of organizations surveyed also reported the exposure of more than half of their applications to the internet or third-party services via APIs.
API’s At the Vanguard in Cybercrime
Securing APIs against attacks is critical for financial service organizations as API use increases and the attack surface expands. Common attacks against web APIs include credential stuffing attacks, account takeover attacks, API call request manipulation, distributed denial-of-service (DDoS) attacks, and man-in-the-middle attacks.
Having APIs hacked or abused may have far-reaching consequences such as data breaches, data exfiltration, or slow and even fully disrupted service. In fact, 91% of organizations experienced an API security incident last year, according to a recent Salt Security report. Gartner predicts API abuses by 2022 to become the most frequent attack vector.
Some notable API penetrations already made headlines such as the Equifax breach, an attack that exposed almost 148 million accounts in 2017. In 2021, API breaches and major vulnerabilities led to the exposure of billions of American credit scores at Experian; and the personal data of 533 million Facebook users from 106 countries.
Nevertheless, there is an overall absence of API security focus leaving many incident paths for cybercriminals to exploit and it is growing exponentially.
The Open Web Application Security Project (OWASP). a nonprofit foundation that works to improve the security of software warned, “By nature, APIs expose application logic and
sensitive data such as personally identifiable information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”
Among the vulnerabilities and security API risks, OWASP indicated:
· APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface level access control issue.
· Incorrectly implemented authentication mechanisms allow attackers to compromise authentication tokens or to exploit implementation flaws.
· Quite often, APIs do not impose any restrictions on the size or number of resources requested by the client/user.
· Security misconfiguration, commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and verbose error messages containing sensitive information.
· Attackers counting on complex systems having more places for failure. Many organizations make their systems available for anonymous connections and tend to leak data the average user does not need.
Providing APIs with RESTful Security
Other FI weaknesses may emanate from core processing, loan origination, account opening and other systems, as well as other fintech solutions, going from Simple Object Access Protocol (SOAP), the longtime standard method for web service interfaces, to Representational State Transfer (REST), which in recent years represents more than 80% of openly available, public APIs currently in circulation. (Public APIs enable popular apps such as Twitter, Facebook, Google Maps.).
Both SOAP APIs and RESTful APIs expose data over HTTP requests and responses, but each employ dissimilar formats, and therefore require distinctive security concerns.
RESTful APIs allow financial institutions to simply integrate their prevailing legacy technology as well as to API gateways, identity and security management solutions such as NXTsoft’s OmniConnect Platform.
Some enterprises continue to integrate SOAP APIs for certain use cases. So, it is important to align with integration companies that can identify the different needs especially in terms of security.
Providing App Security
Bundled API solutions, complete with RESTFUL APIs, serve as easy on and off ramps for financial information. They also deliver to financial institutions and fintechs a faster time-to-market for open banking solutions.
NXTsoft’s OmniConnect Platform provides secure open APIs for the digital infrastructure needed to build and scale any fintech application in banking, savings, wealth, financial wellness, and insurance. The business functionality offered by NXTsoft in tandem with the enterprise capabilities allow financial institutions to securely accelerate their API banking transformation from almost a year to a few days.
The OmniConnect Platform provides a ready to go API Framework, letting financial institutions engage with fintech innovators, shape banking-as-a-service proficiencies and collect a fintech products and services, especially in the digital environment.
The platform includes the base functionality to authenticate, onboard clients and accounts, and store and process data, which all other APIs in the OmniPlatform can utilize. OmniConnect APIs use REST principles as a foundation, along with resource-oriented URLs and HTTP response codes. All API responses return in JSON formats.