
Blog Post

What Sutton’s Law Means For Open Banking

Adam Fisher
Feb 12, 2020

Bank robber Willie Sutton (1901-1980) did reasonably well making off with an estimated $2 million in illegal earnings throughout his career. He was a rash and resourceful robber who used disguises and trickery to achieve his ends. This included dressing as a policeman, window washer, maintenance man, bank guard, mover, Western Union messenger, and striped-pants diplomat.

It was reported in 1952 that Willie Sutton replied to a reporter’s inquiry as to why he robbed banks by saying, “Because that’s where the money is.” Today, using that phrase is so commonplace that a handful of social scientists have dubbed the process of considering the obvious first as “Sutton’s Law.”

“Because that’s where the money is” has resulted in financial organizations increasingly being a fruitful target even in our modern age. With the ability to provide a high payout to cybercriminals, financial services firms are reportedly hit by security incidents an unbelievable 300 times more frequently than businesses in other industries. This shocking statistic emphasizes the importance of financial service organizations staying current with the latest vulnerabilities and attack strategies.

As more of daily life moves online, from banking and shopping to food delivery, ride-sharing, and the many cloud services behind them, cybercriminals have a never-ending supply of routes into the defenses of financial companies.


Increasing Openness

Open Banking was first introduced on 13 January 2018. At its core, it’s all about the consumer, giving them control over their data, and putting their banking and financial records back into their hands. Open banking gives up-and-coming FinTech companies access to consumer banking, transaction, and other business data through application programming interfaces (APIs). In theory, this allows the sharing of data between financial institutions and third-party service providers, ultimately giving consumers more control over their data and more choice when it comes to services.

Now that third parties have access to consumer banking information through the open banking initiative, it is becoming a significant source of innovation that is poised to reshape the banking industry.

Importance Of APIs

From a technology perspective, open banking makes use of APIs to allow for the standardized and secure exchange of a consumer’s financial information. Before open banking, aggregation sites like Mint struggled to keep up, pulling data exposed in various non-standard ways while juggling a handful of different authentication methods. Commonly, such financial aggregation services required users to hand over their usernames and passwords for each account and then scraped the data off the screens of those accounts.

Needless to say, this didn’t work well and often broke when data formats or authentication methods changed. This left consumers with services that weren’t 100% accurate and some financial statements that were never compatible with those services.

APIs are considered a more secure option because they enable applications to share data directly without sharing account credentials. This, in turn, has enabled banks to connect with one another more efficiently and has made possible new services like Venmo and Zelle that offer peer-to-peer payments.

New Risks With Open Banking

The convenience of open banking is not only realized by banks and consumers; cybercriminals have taken notice of it as well, and so have white-hat hackers and researchers.

In June of 2019, a computer science student with 20 lines of Python code was able to download more than 200 million Venmo transactions. This wasn’t a case of a company accidentally leaving a database open. Venmo made the data accessible by offering an API that not only enabled a feature of their service but also allowed anyone with enough curiosity and know-how to download a massive amount of data. The researcher was able to download the name and transaction descriptions, which included, among other things, details of illegal drug sales and activity. The possibility of using this data in a nefarious way, if in the wrong hands, is endless.

Are You Ready For The Next Chapter?

Banks and other financial institutions that view open banking as a vital part of their digital evolution strategies are measuring the health of their ecosystems and assessing the next wave of security solutions to be deployed. Many are finding that current technologies in security stacks are being pushed beyond their limits and lack the functionality to protect the new attack surface of APIs adequately.

Organizations are struggling to cope with the demand of changing interfaces, unique API logic, layers of integration, and other facets of these new environments. Gatekeeper solutions that provide authentication and authorization aren’t enough, and neither are the more advanced application security solutions that look for known attack patterns but lack insight into unique API logic.

Rethinking Security For Open Banking

As new APIs are pushed out, new services are built, and ultimately new attack surfaces are exposed, consider the following as you assess risk and rethink the requirements for open banking security.

Cataloging Your APIs

As with anything, security visibility is step 1. Many security departments today have a narrow view of their API landscape. When it comes to APIs, having a central, comprehensive, up to date catalog of all APIs is critical. While this is traditionally a manual process, automated solutions can help to streamline the process, find unknown (shadow) APIs, and ensure the catalog is kept up to date even in fast-moving DevOps environments.
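One way to automate the "find unknown (shadow) APIs" step described above is to compare the route templates that actually serve traffic, as seen in gateway or access logs, against the documented catalog. The following is an added example, not Salt Security's code or product logic; the catalog entries, log lines and log format are all constructed here for illustration.

```python
"""Shadow API discovery from access logs (added example, not Salt Security code).

Assumes a documented catalog of route templates and a constructed sample
of access-log lines in a combined-log-like format; both are made up here.
"""
import re
from collections import Counter

# Constructed sample: documented routes, with `{id}` as a path-parameter placeholder.
DOCUMENTED_CATALOG = {
    "GET /api/v1/accounts/{id}",
    "GET /api/v1/accounts/{id}/transactions",
    "POST /api/v1/payments",
}

# Constructed sample access-log lines (request line, status code).
SAMPLE_LOG = """\
"GET /api/v1/accounts/1001 HTTP/1.1" 200
"GET /api/v1/accounts/1001/transactions?limit=50 HTTP/1.1" 200
"POST /api/v1/payments HTTP/1.1" 201
"GET /api/v2/accounts/1001/transactions HTTP/1.1" 200
"GET /api/v1/accounts/1001/export HTTP/1.1" 200
"GET /internal/debug/users HTTP/1.1" 200
"GET /api/v1/accounts/9999 HTTP/1.1" 404
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
NUMERIC_SEGMENT = re.compile(r"^\d+$")

def normalize(method, path):
    """Collapse a concrete request into a route template: drop the query
    string and replace purely numeric path segments with `{id}`."""
    path = path.split("?", 1)[0]
    segments = ["{id}" if NUMERIC_SEGMENT.match(s) else s for s in path.split("/")]
    return f"{method} {'/'.join(segments)}"

def observed_routes(log_text):
    """Count route templates seen in the log, ignoring 404s: an undocumented
    path that does not exist is noise, not a shadow API."""
    routes = Counter()
    for m in LOG_RE.finditer(log_text):
        if m.group("status") == "404":
            continue
        routes[normalize(m.group("method"), m.group("path"))] += 1
    return routes

def shadow_apis(log_text, catalog=DOCUMENTED_CATALOG):
    """Routes that served non-404 traffic but are absent from the catalog."""
    return {r: n for r, n in observed_routes(log_text).items() if r not in catalog}

if __name__ == "__main__":
    for route, hits in sorted(shadow_apis(SAMPLE_LOG).items()):
        print(f"shadow: {route} ({hits} hits)")
```

Run on the constructed log, it reports the undocumented v2 endpoint, the `export` sub-resource and the internal debug route, while the documented routes (including the one hit through a query string) are recognized as cataloged.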

Leveraging The Right Architecture

API attacks are not like traditional application attacks. Attackers study the logic specific to each of your APIs and probe it with subtle, tailored manipulations, looking for ways to abuse that logic. This means solutions need to look at a lot of detailed manipulation attempts over time and put together the pieces to stop attacks before they’re successful. Using signatures to detect these attacks won’t help, because each API is unique.

This is a perfect scenario for the utilization of big data and artificial intelligence, which, when combined, can gather and analyze large amounts of data to look for complex attack activity. Putting together these pieces of an attack can help you identify attackers early in the process and stop them before they’re successful.
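To make concrete what "putting together the pieces over time" rather than matching signatures looks like, the following added example (not Salt Security's code) keeps a per-client sliding window of the object ids a client has touched on an API and raises an alert only when the pattern across many requests, such as walking account ids one after another as in the Venmo bulk download described earlier, crosses a threshold. The event format, window length and threshold are assumptions chosen for illustration.

```python
"""Behavioural detection of API enumeration over time (added example, not Salt Security code).

Assumes a constructed stream of per-request events (timestamp, client id,
route template, object id) such as a gateway would emit; thresholds are made up.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # sliding window per client (assumed)
DISTINCT_ID_THRESHOLD = 5    # distinct object ids in the window before flagging (assumed)

class EnumerationDetector:
    """Tracks, per client, the distinct object ids touched within the last
    WINDOW_SECONDS. No single request is suspicious on its own; the pattern
    across many requests is what gets evaluated."""
    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_ID_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # client -> deque of (ts, object_id)

    def observe(self, ts, client, route, object_id):
        """Feed one request; return an alert dict if the client crosses the
        threshold within the current window, else None."""
        q = self.events[client]
        q.append((ts, object_id))
        while q and ts - q[0][0] > self.window:   # evict events outside the window
            q.popleft()
        ids = {oid for _, oid in q}
        if len(ids) >= self.threshold:
            return {"client": client, "route": route, "distinct_ids": len(ids),
                    "sequential": sorted(ids) == list(range(min(ids), max(ids) + 1))}
        return None

# Constructed sample: one ordinary user and one client walking account ids.
SAMPLE_EVENTS = [
    (0,  "user-a",  "GET /accounts/{id}/transactions", 1001),
    (5,  "scraper", "GET /accounts/{id}/transactions", 2000),
    (6,  "scraper", "GET /accounts/{id}/transactions", 2001),
    (7,  "scraper", "GET /accounts/{id}/transactions", 2002),
    (8,  "scraper", "GET /accounts/{id}/transactions", 2003),
    (9,  "scraper", "GET /accounts/{id}/transactions", 2004),
    (30, "user-a",  "GET /accounts/{id}/transactions", 1001),
]

def run(events, detector=None):
    """Return the alerts raised while replaying a list of events in order."""
    d = detector or EnumerationDetector()
    return [a for a in (d.observe(*e) for e in events) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the ordinary user never triggers anything, while the enumerating client is flagged on its fifth distinct id with the ids marked as a contiguous sequence; the same five ids spread over several minutes would fall outside the window and not alert.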

Closing The Gaps

The best way to prevent attackers from taking advantage of vulnerabilities is by eliminating those vulnerabilities. Countless methods attempt to accomplish this, ranging from security training for developers to penetration testing and bug bounty programs to scanning solutions that look for vulnerabilities early in the development cycle. While all of these are important, they can be cumbersome, create prioritization challenges, and, in the end, provide incomplete coverage.

You need a solution that will not only identify vulnerabilities but also prioritize development resources so that the most sensitive and high-risk vulnerabilities are eliminated first. That solution should also enable security teams and development teams to work together closely to manage and eliminate risk.

What Does The Next Chapter Look Like For Banks?

Banks will always be a target for cybercriminals “Because that’s where the money is.” While the openness of open banking is changing the game with new opportunities for banks and consumers, it’s also changing the game with new opportunities for attackers. Because of this, open banking, innovation, and the evolution of new services should go hand in hand with the evolution of your security.

At Salt Security, our mission is to make it safe for you to innovate by protecting the APIs at the core of your open banking initiatives. We’re working with financial institutions across the globe to help them do precisely that. Learn more at And, if you’re interested in seeing the Salt Security API Protection Platform in action, contact us for a customized demo today!
