The Top Five Myths in API Security

Learn more

4 Reasons Why Financial Services Companies Need Better API Security Now

Jennifer Dignum
May 12, 2022

The global API ecosystem is exploding. As the fuel for today’s digital services, organizations are building more APIs than ever, and they’re building them much more rapidly and changing much more frequently than in the past.

More than three-fourths of software developers say participating in the API economy is or will be a top business priority for their organization. However, in financial services, that number is even higher, at more than 80% – topping all other industries. Nowhere has API delivery accelerated as much or as fast as in financial services. Leveraging APIs, financial services organizations can innovate and quickly bring to market unique customer experiences and services.

However, the rapid growth of APIs has also expanded the attack surface and introduced new security risks. Financial institutions have always been a top target for attackers, because successful attacks are so lucrative, so minimizing security risks has always been a top priority. In today’s digitalized financial services landscape, the risk has never been greater – these four realities are propelling an urgent need for better API security:

  • API usage in financial services is increasing
  • API attacks threaten key financial services initiatives
  • API security incidents damage consumer trust
  • Traditional security solutions don’t protect APIs

API Usage Will Increase Even More

In financial services, the high-growth trajectory of APIs will continue to rise. With each use case and new service, the number of APIs in a typical financial services company grows ever higher.

APIs provide the required data connection to support today’s mobile financial applications and peer-to-peer payment systems. APIs are at the center of open banking. APIs enable financial services companies to standardize how they connect and exchange data, allowing consumer financial information to be instantly shared across organizations and third-party service providers. With different partners and technology suppliers, API connections are being continuously added to the financial ecosystem.

Moreover, the growth of open banking has just begun. According to Simon Torrance and Bain Capital, new embedded finance markets enabled by open banking will reach $3.6 trillion market share by 2030, and that figure only accounts for the U.S. The Simon Torrance and Bain Capital report goes on to add:

“To put this in perspective, embedded finance could potentially create businesses worth more than the total pre-Covid value of America’s Top 30 financial institutions.”

For financial services, that means even more APIs and a continuously growing attack surface that must be adequately protected.

Get the comprehensive list of best practices to guide your API security journey.

API Attacks Threaten Key Business Initiatives

Open banking gives consumers more choices and convenience to address their financial needs. Also significant, it increases competition across the financial services industry and generates new revenue avenues. Open banking also provides more traditional financial institutions the opportunity to compete with faster-moving fintech companies.

Covid has sped up digital transformation across multiple industries. In financial services, it hastened the adoption of mobile and remote banking; consumers want integrated services and the ability to connect their financial lives when and where they want. This requires banks and other finance companies to roll out new capabilities or risk becoming obsolete and losing customers and, along with them, revenue.

Digitalization has become a critical business initiative and is increasingly important in financial services. However, without the ability to protect the data being used within these services, financial organizations lose that opportunity entirely. Harnessing the value of those business opportunities mandates the protection of those APIs.

Just a single API attack has the potential to wipe out all the gains made from an organization’s digital transformation.

API Security Incidents Damage Consumer Trust

Have you ever had an experience with a company and vowed never to do business with them again? Have you ever switched from a provider due to poor customer service? Once trust is lost, it’s very difficult to get it back.

In financial services, the costs can be high. Salt Labs, the research arm of Salt Security, provides ongoing API vulnerability research. In its latest report, Salt Labs uncovered a server-side request forgery (SSRF) flaw on a large fintech platform that provides a wide range of digital banking services to hundreds of banks and millions of customers.

The vulnerability had the potential to compromise every user account and transaction data served by its customer banks. Imagine the leaking of customers’ banking details and financial transactions and users’ personal data or, worse, unauthorized funds transfers into the attackers’ bank accounts.

None of these nightmares came to be, because Salt Labs found the problem before a bad actor did, and all issues have been remediated. But this type of exploit, had it occurred, would have likely caused irreparable reputational damage – not to mention financial losses, theft, and fraud.

The nature of financial services applications is to exchange sensitive financial and customer data, making APIs a high-stakes asset requiring protection.

Traditional Solutions Don’t Deliver Adequate API Protection

Most financial services companies have sophisticated runtime security stacks with multiple layers of security tools, such as bot mitigation, WAFs, and API gateways. These traditional tools provide foundational security capabilities and protection for traditional applications; however, they lack the context needed to identify and stop attacks that target the unique logic of each API.

Attacker activity looks like normal API traffic to traditional tools, such as WAFs, API gateways and other proxy-based solutions. The architecture limits them to inspecting transactions one at a time, in isolation, and beyond rate-limiting. They also depend on signatures to detect well-known attack patterns. If the transaction does not match a known attack signature, the WAF will send it through. Since each API is unique with unique vulnerabilities, signatures cannot help prevent API attacks.

API security requires big data to capture all API traffic and artificial intelligence (AI) and machine learning (ML) to continuously analyze the large volumes of API traffic. Without continuous analysis of API traffic, you cannot understand normal behavior for each unique API and gain the context required to pinpoint attackers.

In addition, while open banking defines standards around how APIs should be structured to enable predictable integrations and communications, open banking provides no standard to meet the majority of API security requirements. Moreover, basic controls, such as authentication, authorization, and encryption, fall short of meeting API security challenges.

API Security Must be at the Forefront for Financial Services

API usage is on the rise. In financial services, APIs have become essential to meet changing consumer expectations and innovate to remain competitive. At the same time, APIs are now the most frequent attack vector. In the past 12 months, 95% of organizations experienced an API security incident, and API attack traffic grew 681% – more than twice as fast as overall API usage traffic.

Financial data breaches cost the business in compliance and regulatory fines and lost revenue and cause irreparable harm to an organization’s brand. Reputation is everything in the highly competitive financial services market.

Financial services organizations must put API security at the forefront to protect this growing attack surface. To do so requires dedicated API security tooling for the entire API lifecycle that provides continuous attack surface visibility, early attack prevention, and automated insights for continuous API improvement.

Go back to blog

Learn everything you need to know to keep your APIs secure

Sign up for blog digest