
How Open Banking Changes The Attack Surface

Roey Eliyahu
Dec 13, 2022

Open banking promises streamlined efficiencies and customer convenience by enabling the immediate exchange of a consumer's financial information. By opening their application programming interfaces (APIs), banks can partner with other financial institutions and emerging fintech companies to offer compelling new services and applications and drive new revenue streams.

Leveraging digitalization, open banking also increases competition across the financial services sector, gives consumers more choices to meet their financial needs and consolidates and centralizes financial insights. Research from Simon Torrance and Bain Capital Ventures projects that new markets enabled by open banking will comprise a $3.6 trillion market share by 2030.

However, as with all digital innovations, open banking also increases the attack surface. Banks and financial organizations have always presented one of the most attractive targets for criminals and other bad actors, as evidenced by a higher frequency of security incidents compared to other industries. From stagecoach robberies in the Wild West to international bank heists, attackers always follow the money, and it's no different in the cyber world.

To adopt open banking fully, consumers must trust the safety and security of their data, and to woo customers, banks must apply new security measures in this new digital banking world.

Open banking generates more API security threats.

Open banking runs on APIs, with all of these financial transactions triggering millions of API calls to operate. APIs authenticate customers to access a bank's system. APIs also authenticate a consumer's account data and the sharing of that data with multiple mortgage brokers—each with its own customized APIs—to determine the best loan rate. APIs authenticate users to obtain bank balances, transfer funds and tell Venmo or Apple Pay whether it's OK to send funds.

Any organization that leverages open banking must complete transactions and exchange data with a large number of suppliers, partners and customers. APIs are the conduits for sharing this increasing scope of data.

Given the pace of API development spurred by the need for this data delivery, many organizations now find it impossible to manually inventory their APIs. Without a full picture of all open banking APIs, continuously and automatically updated, organizations cannot effectively manage security risks.

Instead, these open banking institutions need automated API discovery to know their full API landscape, especially since organizations are constantly creating and updating their APIs. Developer documentation, always a weak spot, simply can't keep pace in this world. Automation and continuous discovery also ensure that an organization doesn't miss any APIs whose vulnerabilities might present a security risk. As the adage goes, you cannot protect what you cannot see.
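A minimal sketch of the discovery idea above, added here as an illustration and not taken from the original article or any vendor's product: it reduces observed gateway traffic to endpoint templates and diffs them against the documented inventory. The log format, the inventory entries and all function names are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed inventory, as it might be extracted from an OpenAPI document.
DOCUMENTED = {
    ("GET", "/accounts/{id}"), ("GET", "/accounts/{id}/balance"),
    ("POST", "/payments"), ("GET", "/consents/{id}"),
}

# Constructed gateway log lines: timestamp, method, path, status.
SAMPLE_LOG = """\
2022-12-01T10:00:01Z GET /accounts/10023/balance 200
2022-12-01T10:00:02Z POST /payments 201
2022-12-01T10:00:03Z GET /accounts/10023 200
2022-12-01T10:00:04Z GET /v0/accounts/10023/export?format=csv 200
2022-12-01T10:00:05Z GET /accounts/7f3c2a1e-9b4d-4c6e-8a2f-1d5e6f7a8b9c/balance 200
2022-12-01T10:00:06Z DELETE /internal/cache 204
2022-12-01T10:00:07Z GET /v0/accounts/55871/export?format=csv 200
malformed line
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def normalize(path):
    """Collapse variable segments (numeric IDs, UUIDs) into {id}; drop the query string."""
    segs = path.split("?", 1)[0].strip("/").split("/")
    return "/" + "/".join("{id}" if s.isdigit() or UUID_RE.match(s) else s for s in segs)

def observed_endpoints(log_text):
    """Count calls per (method, path template), skipping lines that do not parse."""
    seen = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("/"):
            continue
        seen[(parts[1].upper(), normalize(parts[2]))] += 1
    return seen

def inventory_gaps(log_text, documented):
    """Return (undocumented endpoints with call counts, documented endpoints never seen)."""
    seen = observed_endpoints(log_text)
    undocumented = {ep: n for ep, n in seen.items() if ep not in documented}
    unseen = sorted(documented - set(seen))
    return undocumented, unseen

if __name__ == "__main__":
    shadow, unused = inventory_gaps(SAMPLE_LOG, DOCUMENTED)
    print("undocumented:", shadow)
    print("documented but never observed:", unused)
```

Endpoints that carry traffic but appear in no specification are the ones to review first; documented endpoints that never appear in traffic are candidates for retirement.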

Open banking generates new API security threats.

In addition to the abounding number of APIs, APIs themselves—by their nature—introduce brand new threats for open banking providers. With custom interfaces, unique logic and layers of integration, API environments are highly complex.

To standardize initiatives, open banking APIs have been designed and documented to support open banking regulations. Authentication and authorization protocols, such as OpenID Connect (OIDC) and OAuth 2.0, define how APIs must be structured to enable predictable integrations in open banking.

However, because each API represents unique business logic, and each attack on APIs is therefore unique, protections depend on uniquely fingerprinting each API environment to pinpoint bad actors. Moreover, today's typical application security solutions, such as web application firewalls (WAFs), can identify known attack patterns, but they lack the ability to protect an API's unique logic.

Protecting APIs requires rich context—APIs are not just straight code. Security teams need more context about everything in the API environment to have the depth of understanding required to provide adequate protection. To identify logic flaws that may be under attack by bad actors, organizations need to monitor APIs as they are being used within open banking systems—that is, during runtime. And this monitoring depends on the ability to understand what's "normal" across millions of users and millions of API calls to detect anomalies.

Only cloud-scale big data, with the application of artificial intelligence and machine learning, has the power to capture and analyze this much data, correlating activities over time. With cloud-scale big data, combined with learning over time, security algorithms get smarter, improving their ability to identify and stop bad actors.

Open banking needs dedicated API security.

Open banking has already enabled hundreds of new applications and use cases with its potential to facilitate innovative business models and services. Financial services institutions of all sizes have recognized that open banking is essential to their ability to compete, providing a key component for their digital transformation initiatives and enabling them to create a competitive advantage.

Yet, because all open banking services are built on APIs, new security risks have emerged that must be addressed to fully protect open banking's valuable and lucrative attack targets. Authentication, authorization and encryption are the primary security defenses used in open banking, but they do little to address the complex security challenges that APIs create.

Supplementing existing defenses and adequately securing the expanding API attack surface generated by open banking demands dedicated API security. Organizations need solutions that include the following capabilities as a baseline for API security.

  • Visibility to provide an accurate and complete inventory of a financial organization's APIs.
  • Runtime protection to identify trouble spots by monitoring APIs to understand normal versus abnormal behaviors, so you can stop attacks before they happen.
  • Remediation to bring API security insights back to development to strengthen APIs as they are being built and fix vulnerabilities before exploitation.

Finally, open banking providers need to understand that API attacks occur over time—over days, weeks and even months. Organizations need comprehensive context into API behaviors to spot threats, including continuous analysis of hundreds of API attributes across millions of users and API calls. Obtaining that level of detail requires AI, ML and automation capabilities that can only be powered today by cloud-scale big data.
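The runtime-baseline idea and the point that attacks unfold over days or weeks can be shown on a small scale. The following is an added example, not code from the original article or any product: it compares each client against the population using a median/MAD score, once per day and once over a 14-day window. The event data, client names and the 3.5 threshold are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import median

def build_events():
    """Constructed sample: (client_id, day, account_id) for successful account reads."""
    events = []
    # 20 ordinary clients: each reads its own 2 accounts on each of 14 days.
    for c in range(20):
        for day in range(14):
            events += [(f"app-{c}", day, f"acct-{c}-{k}") for k in range(2)]
    # One busier but legitimate aggregator: the same 6 accounts every day.
    for day in range(14):
        events += [("aggregator", day, f"acct-agg-{k}") for k in range(6)]
    # Slow client: only 5 reads a day, but never the same account twice.
    for day in range(14):
        events += [("app-slow", day, f"acct-x-{day}-{k}") for k in range(5)]
    return events

def robust_outliers(values, threshold=3.5):
    """Flag keys whose modified z-score (median/MAD based) exceeds the threshold."""
    med = median(values.values())
    # MAD is 0 when most clients behave identically; fall back to 1 (assumption).
    mad = median(abs(v - med) for v in values.values()) or 1.0
    return {k for k, v in values.items() if 0.6745 * (v - med) / mad > threshold}

def daily_peak(events):
    """Largest number of distinct accounts each client touched on any single day."""
    per_day = defaultdict(set)
    for client, day, acct in events:
        per_day[(client, day)].add(acct)
    peak = defaultdict(int)
    for (client, _), accts in per_day.items():
        peak[client] = max(peak[client], len(accts))
    return dict(peak)

def cumulative_distinct(events):
    """Distinct accounts each client touched over the whole observation window."""
    seen = defaultdict(set)
    for client, _, acct in events:
        seen[client].add(acct)
    return {client: len(accts) for client, accts in seen.items()}

if __name__ == "__main__":
    ev = build_events()
    print("flagged on daily peak:  ", robust_outliers(daily_peak(ev)))
    print("flagged on 14-day total:", robust_outliers(cumulative_distinct(ev)))
```

No single day looks unusual for any client, while the 14-day view isolates the one client that keeps reaching new accounts, which is why the baseline has to retain per-client state over the longer window.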

This article first appeared in Forbes as a Forbes Technology Council contribution.
