Hackers sniff opportunity as banks permit more data sharing

As consumers gain greater access to their financial data through third-party applications, hackers are also increasingly gaining access to the data and the banks that grant apps access to it.

Though not a new problem, the security vulnerabilities of application programming interfaces — automated portals to user data — grew substantially in the last year, according to research from cloud services and security company Akamai. Attacks on financial service APIs and web applications (which are closely related to APIs) more than tripled globally (257% growth), and in North America, they more than quintupled (449% growth).

The data comes from Akamai's 2022 State of the Internet report, which also covers other types of cyberattacks. Hackers' use of botnets, which are groups of computers infected with and connected via malware, increased by 81%, according to the report. The number of distributed denial-of-service attack targets also grew by 22%.

The botnet figures Akamai reported include all botnet attacks, not just those against APIs. Likewise, the DDoS figures include attacks originating from botnets, but also coming from other sources. DDoS attacks often come from botnets, but not exclusively.

The growth in API and web application attacks adds to an already pervasive problem. Salt Security, which is an API security company, said in a recent report that 94% of companies across multiple industries (including financial services) reported security problems in their production APIs. Among the more than 1 billion API calls it monitored on behalf of clients, 2.1% of the traffic constituted attempted attacks.

Some of the staggering growth in API and web application attacks could be attributed to broader trends in the cybersecurity posture of financial institutions. For example, this year alone, hackers have exposed millions of consumers' records by breaching banks. But APIs also have their own unique vulnerabilities.

Banks adopt APIs to serve a number of purposes, including to support financial data aggregation — what many aspirationally call open banking. These APIs provide third parties access to customer data, but only with the customer's consent.

In the European Union, regulators require banks to use APIs to give users greater access to their account data. In the U.S., no such regulations exist (they are on the way), but data aggregators and fintechs have nonetheless influenced banks to adopt APIs as a means of giving their customers the ability to share their account and transaction information with financial apps and services. APIs are also considered by banks, fintechs and data aggregators to be more secure than the alternative, screen scraping.

These APIs also support a range of functions, according to Steve Winterfeld, an advisory chief information security officer for Akamai. Whereas web applications are built for humans to use, APIs are built for machines to use. They provide a connection between banks providing customer data and the fintechs ingesting that data.

"You can have an API that's built to allow somebody just to come in and look at their account from another app, or you can have an API that's allowing somebody to come in to manage their account from another app," Winterfeld said. "So anything you used to be able to do through a traditional login," APIs now enable computers to do automatically, he said.

However, these APIs also expose a new, automated entry point that hackers can use to access customer data or banks themselves.

A vulnerable API can give hackers inroads to a financial institution in a multitude of ways. For example, a misconfigured API could allow a hacker to retrieve user data without the need to steal users' passwords or login information.

This is known straightforwardly as a misconfiguration attack, one of the top 10 kinds of attacks on web applications according to the Open Web Application Security Project, a nonprofit organization that provides public information about securing web applications and APIs.

Far more often, though, a web application that uses APIs to provide the customer access to their financial data will allow hackers to access files on a bank or vendor server. These files in turn allow hackers to glean additional information they can use to infiltrate the bank, according to the Akamai report. This kind of attack is known as a local file inclusion attack, which Akamai ranked as the most common vector hackers use to attack web applications and APIs.

The APIs that hackers attack do not always belong to banks, though. Multiple API layers may exist to pass along a customer's account information from the bank to a data aggregator, then finally to the application the customer is using to access their account information. At times, these middlemen are the source of vulnerabilities. Oftentimes, the bank's own API is maintained by a vendor.

Teresa Walsh, who heads the global intelligence office of the Financial Services Information Sharing and Analysis Center, a consortium of financial institutions that share information about cybersecurity threats and incidents, said these dynamics raise the need for banks to coordinate when they discover an API attack, and FS-ISAC exists to help them do that.

"We recognize that a lot of us use the same vendors" to build and maintain APIs, Walsh said. "The sector has been keenly aware of that potential for concentration risk, or whatever you might want to call it. That's why FS-ISAC communities try to enhance that culture of mutual defense — that one person's incident invokes the entire sector's defense against the same type of attack."

FS-ISAC's subsidiary Financial Data Exchange (FDX) has been working on standardizing financial data APIs since 2017, and Walsh said part of that mission has been to establish security standards.

"The entire intent is to have that communication between the banks and the company on the other side of the API and to try to make sure that it's as secure as possible," Walsh said of FDX.

As attacks against banking APIs continue to rise, Walsh said, financial institutions need to remain aware that any vulnerability in these interfaces can become an entryway for hackers to do further damage, which she said emphasizes the importance of testing the security of these APIs.

"These attackers are opportunistic, and they will try everything under the sun," Walsh said. "If there is even a little bit of an open hole, they'll go after it. That's why we always talk about testing. That's why red teams exist. That's why you have penetration tests. You're always trying to test out the API."
