Are APIs as secure as they're cracked up to be?

Conventional wisdom has long been that it’s safer to share financial information through application programming interfaces, sending data directly from one company to another, than through screen scraping, or using a customer’s username and password to log in to their accounts and copy and paste their data.

A report published this week challenges that notion. Researchers at Salt Labs, a unit of Salt Security in Palo Alto, California, analyzed the online platform of a large financial institution that provides API services to partner banks and financial advisors. They discovered multiple API vulnerabilities that they exploited to view customers’ financial records, delete customer accounts, perform account takeovers and conduct denial-of-service attacks.

Salt Labs would not name the financial institution but said it told the company what it found.

The exposure of security holes in a large financial institution’s APIs has implications for the entire industry. According to the researchers, these vulnerabilities are widespread. And banks are increasingly using APIs to share customer data with fintechs and data aggregators, both to control the bank account data that aggregators send to fintech apps like Venmo and Robinhood and to comply with Section 1033 of the Dodd-Frank Act, which requires banks to provide consumers with access to their data. The Consumer Financial Protection Bureau is developing rules that will enforce this part of the law.

“The writing's definitely on the wall with the push for data sharing at the federal level,” said Michael Isbitski, technical evangelist at Salt Security. “We see that in banking and in health care.”

Other security groups second the idea that API security is becoming more important.

“Modern web applications are moving to an API-driven model, as opposed to a legacy monolithic model, in order to support multiple ways of accessing the same data from user interfaces, mobile devices and partners,” said Uriel Maimon, senior director of emerging technologies at PerimeterX, an application security software company based in San Mateo.

“Unfortunately, this paradigm shift often means that security controls and programming practices that have been developed over years of experience and written in blood are either irrelevant or ineffectual in this environment,” he said. “To a great degree, this means that we face a risk of regressing back to the Wild West of early internet days and vulnerabilities, except with greater volume and potential cost.”

Kevin Kohut, API security lead at Accenture, said that APIs are becoming “part of the essential building blocks that help companies reshape how they engage with customers.”

“Banks and other financial services organizations are engaging with internal and external developers who leverage APIs to create new business models, often creating new classes of business entirely,” Kohut said. “But with these emerging business models come new opportunities for hackers to exploit APIs.”

As the number and capabilities of APIs have grown, so has their appeal to attackers, according to an earlier Salt Security report on the state of API security in the first quarter. Among the 200 companies surveyed for that report, 91% said they had experienced a breach, denial-of-service attack or other security incident involving APIs in the past year, and 54% said they had found a vulnerability in an API.

Traditionally, APIs have had the perceived benefit of obscurity, Isbitski said.

“These APIs, who's going to figure them out? How are they going to find them?” he said of a once-common attitude. “You still see some of that, unfortunately.”

Salt Labs researchers were able to access financial records, stored check images and sensitive data including Social Security and bank account numbers at the large financial institution. They were able to lock out other users. They also managed to take over user accounts by compromising the financial institution’s two-factor authentication mechanism and redirecting text messages containing security codes to their own devices.

Some of the researchers’ attacks were authorization attacks, in which an attacker uses stolen credentials to reach an API and then assumes the access level of a user with higher administrative permissions, reading a record they are not entitled to or performing an unauthorized action. The Salt researchers say this type of attack is behind 40% of all API compromises.

“Sometimes with an API, you have this concept of a contract,” Isbitski said. “Your API client should only talk to this API server or cloud instance.” In authorization attacks, criminals access data beyond what the contract allows.

In their denial-of-service attacks, Salt Labs researchers manipulated fields in API requests that determine how much data should be served back to the client. To avoid harming the financial institution's customers, the researchers launched a minimal attack. A real hacker likely would show less restraint and could bring an API platform to a complete halt, the researchers said.

API security gets tougher as the scale of data and API requests gets larger, Isbitski pointed out.

“Organizations think they can control access to an API with an API gateway,” Isbitski said. “And then all of a sudden you have thousands of API connections and millions of API consumers, and it's too much information.”

Banks may need to use artificial intelligence to monitor the use of their APIs and catch violations of API contracts, he said. They might want to use two-factor authentication to make APIs harder to access, but also make sure their two-factor authentication system is tamper-proof.

The new Salt Labs report provides detailed advice for blocking the kinds of attacks its researchers conducted.

For instance, to mitigate an authorization weakness that permits any user to read any record, “a well-designed API should verify whether the user requesting a given piece of data is also authorized to access it,” the report says. “Unlike authentication, authorization should be performed continuously throughout a session and on each data access.”

The API and integrated back-end systems should continuously validate whether the authenticated user is authorized to access the given record, the report said.

If an authenticated user tries to access someone else’s records, the server should respond with an error message. The platform should monitor for and invalidate sessions where users are making excessive requests or repeated attempts to access unauthorized data.
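The three controls just described (check authorization on every record access, return an error rather than the record, and invalidate sessions that keep probing for data they are not allowed to see), together with the request-size clamp that would have blunted the denial-of-service attack mentioned earlier, are easy to show in a small API handler. The code below is an added illustration, not code from the Salt Labs report or from the financial institution it studied; the record store, user names, page-size limit and denied-request threshold are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict

# Constructed sample data: three account records owned by two users.
RECORDS: Dict[str, Dict[str, Any]] = {
    "acct-1001": {"owner": "alice", "balance": 250.00},
    "acct-1002": {"owner": "bob", "balance": 75.50},
    "acct-1003": {"owner": "alice", "balance": 1200.00},
}

# Assumed policy values for the example; a real service would tune these.
MAX_PAGE_SIZE = 100          # upper bound on how many records one request may ask for
MAX_DENIED_PER_SESSION = 5   # repeated unauthorized access attempts before the session is cut


@dataclass
class Session:
    """Authenticated session: who the caller is, plus abuse counters."""
    user: str
    denied_count: int = 0
    active: bool = True


@dataclass
class Response:
    status: int
    body: Any = None


def get_record_unchecked(session: Session, record_id: str) -> Response:
    """The weak pattern: authentication happened at login, so any valid
    session can read any record by guessing its identifier."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404, {"error": "not found"})
    return Response(200, rec)


def get_record(session: Session, record_id: str) -> Response:
    """Hardened handler: authorization is re-checked on every data access,
    not just once per session."""
    if not session.active:
        return Response(401, {"error": "session invalidated"})
    rec = RECORDS.get(record_id)
    # Treat "exists but belongs to someone else" the same as "missing" so the
    # response does not confirm which identifiers are real.
    if rec is None or rec["owner"] != session.user:
        session.denied_count += 1
        if session.denied_count >= MAX_DENIED_PER_SESSION:
            session.active = False  # platform invalidates the probing session
        return Response(404, {"error": "not found"})
    return Response(200, rec)


def list_records(session: Session, requested_page_size: Any) -> Response:
    """Listing endpoint that clamps the client-supplied page size, so a request
    asking for an enormous result set cannot force the server to serve it."""
    if not session.active:
        return Response(401, {"error": "session invalidated"})
    try:
        page_size = int(requested_page_size)
    except (TypeError, ValueError):
        return Response(400, {"error": "page_size must be an integer"})
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    mine = [rid for rid, rec in RECORDS.items() if rec["owner"] == session.user]
    return Response(200, {"page_size": page_size, "records": mine[:page_size]})


if __name__ == "__main__":
    alice = Session("alice")
    print(get_record_unchecked(alice, "acct-1002"))  # weak handler leaks bob's record
    print(get_record(alice, "acct-1002"))            # hardened handler refuses it
    print(list_records(alice, 10_000))               # page size clamped to 100
```

The `get_record_unchecked` function is the shape of the weakness the report describes: the session proves who the caller is, but nothing ties the requested identifier back to that caller. The hardened `get_record` performs the ownership check on each call, counts refusals per session and, past a threshold, stops serving the session at all. Returning the same error for foreign and non-existent records is a design choice of this example rather than a recommendation from the report.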

“Financial services companies, with their complex heterogeneous and legacy environments, now have to reinvest in the complete life cycle of security for their applications — from reviewing and testing code to delivery to monitoring and visibility in run time and even mitigation,” Maimon said. “The past controls are ineffective for API traffic and need to be revamped.”

Assessing the overall security of an organization’s API ecosystem means more than validating API keys and verifying authentication, Kohut said.

“While API hackers still try to compromise these basic API security aspects, they can also leverage bots and other automated approaches to help them search for and exploit as many different API vulnerabilities as they can,” he said.

Artificial intelligence to analyze actual API traffic patterns to detect threats can certainly help, he said.

“But organizations also need to have good API life cycle management, API design standards and an API security model,” Kohut said.
