Hackers sniff opportunity as banks permit more data sharing

As consumers gain greater access to their financial data through third-party applications, hackers are also increasingly gaining access to the data and the banks that grant apps access to it.

Though not a new problem, the security vulnerabilities of application programming interfaces (APIs) — automated portals to user data — grew substantially in the last year, according to research from cloud services and security company Akamai. Attacks on financial service APIs and web applications (which are closely related to APIs) more than tripled globally (257% growth), and in North America, they more than quintupled (449% growth).

The data comes from Akamai’s 2022 State of the Internet report, which also covers other types of cyberattacks. Hackers’ use of botnets, which are groups of computers infected with and connected via malware, increased by 81%, according to the report. The number of distributed denial-of-service (DDoS) attack targets also grew by 22%.

The botnet figures Akamai reported include all botnet attacks, not just those against APIs. Likewise, the DDoS figures include attacks originating from botnets, but also coming from other sources. DDoS attacks often come from botnets, but not exclusively.

Some of the staggering growth in API and web application attacks could be attributed to broader trends in the cybersecurity posture of financial institutions. For example, this year alone, hackers have exposed millions of consumers’ records by breaching banks. But APIs also have their own unique vulnerabilities.

Banks adopt APIs to serve a number of purposes, including to support financial data aggregation — what many aspirationally call open banking. These APIs provide third parties access to customer data, but only with the customer’s consent.

In the European Union, regulators require banks to use APIs to give users greater access to their account data. In the U.S., no such regulations exist (they are on the way), but data aggregators and fintechs have nonetheless influenced banks to adopt APIs as a means of giving their customers the ability to share their account and transaction information with financial apps and services. APIs are also considered by banks, fintechs and data aggregators to be more secure than the alternative, screen scraping.

These APIs also support a range of functions, according to Steve Winterfeld, an advisory chief information security officer for Akamai. Whereas web applications are built for humans to use, APIs are built for machines to use. They provide a connection between banks providing customer data and the fintechs ingesting that data.

“You can have an API that’s built to allow somebody just to come in and look at their account from another app, or you can have an API that’s allowing somebody to come in to manage their account from another app,” Winterfeld. “So anything you used to be able to do through a traditional login,” APIs now enable computers to do automatically, he said.

However, these APIs also expose a new, automated entry point that hackers can use to access customer data or banks themselves.

A vulnerable API can give hackers inroads to a financial institution in a multitude of ways. For example, a misconfigured API could allow a hacker to retrieve user data without the need to steal users’ passwords or login information.

This is known straightforwardly as a misconfiguration attack, one of the top 10 kinds of attacks on web applications according to the Open Web Application Security Project, a nonprofit organization that provides public information about securing web applications and APIs.

Far more often, though, a web application that uses APIs to provide the customer access to their financial data will allow hackers to access files on a bank or vendor server. These files in turn allow hackers to glean additional information they can use to infiltrate the bank, according to the Akamai report. This kind of attack is known as a local file inclusion attack, which Akamai ranked as the most common vector hackers use to attack web applications and APIs.

The APIs that hackers attack do not always belong to banks, though. Multiple API layers may exist to pass along a customer’s account information from the bank to a data aggregator, then finally to the application the customer is using to access their account information. At times, these middlemen are the source of vulnerabilities. Oftentimes, the bank’s own API is maintained by a vendor.

Teresa Walsh, who heads the global intelligence office of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a consortium of financial institutions that share information about cybersecurity threats and incidents, said these dynamics raise the need for banks to coordinate when they discover an API attack, and FS-ISAC exists to help them do that.

“We recognize that a lot of us use the same vendors” to build and maintain APIs, Walsh said. “The sector has been keenly aware of that potential for concentration risk, or whatever you might want to call it. That’s why FS-ISAC communities try to enhance that culture of mutual defense — that one person’s incident invokes the entire sector’s defense against the same type of attack.”

FS-ISAC’s subsidiary Financial Data Exchange (FDX) has been working on standardizing financial data APIs since 2017, and Walsh said part of that mission has been to establish security standards.

“The entire intent is to have that communication between the banks and the company on the other side of the API and to try to make sure that it’s as secure as possible,” Walsh said of FDX.

As attacks against banking APIs continue to rise, Walsh said that financial institutions need to remain aware that any vulnerability in these interfaces can become an entryway for hackers to do further damage, which she said emphasizes the importance of testing the security of these APIs.

“These attackers are opportunistic, and they will try everything under the sun,” Walsh said. “If there is even a little bit of an open hole, they’ll go after it. That’s why we always talk about testing. That’s why red teams exist. That’s why you have penetration tests. You’re always trying to test out the API.”

For more updates check below links and stay updated with News AKMI.
Life and Style || Lifetime Fitness || Automotive News || Tech News || Giant Bikes || Cool Cars || Food and Drinks


Show More

Related Articles

Back to top button

usa news wall today prime news newso time news post wall