Bank robber Willie Sutton (1901-1980) did reasonably well making off with an estimated $2 million in illegal earnings throughout his career. He was a rash and resourceful robber who used disguises and trickery to achieve his ends. This included dressing as a policeman, window washer, maintenance man, bank guard, mover, Western Union messenger, and striped-pants diplomat.
It was reported in 1952 that Willie Sutton replied to a reporter’s inquiry as to why he robbed banks by saying, “Because that’s where the money is.” Today, using that phrase is so commonplace that a handful of social scientists have dubbed the process of considering the obvious first as “Sutton’s Law.”
“Because that’s where the money is” has resulted in financial organizations increasingly being a fruitful target even in our modern age. With the ability to provide a high payout to cybercriminals, financial services firms are reportedly hit by security incidents an unbelievable 300 times more frequently than businesses in other industries. This shocking statistic emphasizes the importance of financial service organizations staying current with the latest vulnerabilities and attack strategies.
As our society continues to increasingly operate online with banking, shopping, food delivery, ride-sharing, and the many cloud services, cybercriminals have a never-ending route to breach the defenses of financial companies.
Open Banking was first introduced on 13 January 2018. At its core, it’s all about the consumer, giving them control over their data, and putting their banking and financial records back into their hands. Open banking provides up and coming FinTech companies, access to consumer banking, transaction, and other business data through the use of application programming interfaces (APIs). In theory, this allows the sharing of data between financial institutions and third-party service providers, ultimately giving consumers more control over their data and more choice when it comes to services.
Now that third parties have access to consumer banking information through the open banking initiative, it is becoming a significant source of innovation that is poised to reshape the banking industry.
From a technology perspective, open banking makes use of APIs to allow for the standardized and secure exchange of a consumer’s financial information. Before open banking aggregation, sites like Mint struggled to keep up by trying to pull data exposed in various non-standard ways while using a handful of different authentication methods. Commonly such financial aggregation services require users to hand over their usernames and passwords for each account and then would scrape the data off the screens of those accounts.
Needless to say, this didn’t work well and often broke when data formats or authentication methods changed. This left consumers with services that weren’t 100% accurate and some financial statements that were never compatible with those services.
APIs are considered a more secure option because they enable applications to share data directly without sharing account credentials. This, in turn, has enabled banks to connect with banks more efficiently and new services like Venmo and Zelle that offer peer to peer payment services.
The convenience of open banking is not only realized by banks and consumers, but it’s also something that cybercriminals have taken notice of as well. This also includes white hat hackers and researchers.
In June of 2019, a computer science student with 20 lines of Python code was able to download more than 200 million Venmo transactions. This wasn’t a case of a company accidentally leaving a database open. Venmo made the data accessible by offering an API that not only enabled a feature of their service but also allowed anyone with enough curiosity and know-how to download a massive amount of data. The researcher was able to download the name and transaction descriptions, which included, among other things, details of illegal drug sales and activity. The possibility of using this data in a nefarious way, if in the wrong hands, is endless.
Banks and other financial institutions that view open banking as a vital part of their digital evolution strategies are measuring the health of their ecosystems and assessing the next wave of security solutions to be deployed. Many are finding that current technologies in security stacks are being pushed beyond their limits and lack the functionality to protect the new attack surface of APIs adequately.
Organizations are struggling to cope with the demand of changing interfaces, unique API logic, layers of integration, and other facets of these new environments. Gatekeeper solutions that provide authentication and authorization aren’t enough, and neither are the more advanced application security solutions that look for known attack patterns but lack insight into unique API logic.
As new APIs are pushed out, new services are built, and ultimately new attack surfaces are exposed, consider the following as you assess risk and rethink the requirements for open banking security.
As with anything, security visibility is step 1. Many security departments today have a narrow view of their API landscape. When it comes to APIs, having a central, comprehensive, up to date catalog of all APIs is critical. While this is traditionally a manual process, automated solutions can help to streamline the process, find unknown (shadow) APIs, and ensure the catalog is kept up to date even in fast-moving DevOps environments.
API attacks are not like traditional application attacks. Attackers target the unique logic of your APIs with unique attack methods and use subtle methods to look for ways to manipulate that unique logic. This means solutions need to look at a lot of detailed manipulation attempts over time and put together the pieces to stop attacks before they’re successful. Using signatures to detect these attacks won’t help as each API is unique.
This is a perfect scenario for the utilization of big data and artificial intelligence, which, when combined, can gather and analyze large amounts of data to look for complex attack activity. Putting together these pieces of an attack can help you identify attackers early in the process and stop them before they’re successful.
The best way to prevent attackers from taking advantage of vulnerabilities is by eliminating those vulnerabilities. Countless methods attempt to accomplish this, ranging from security training for developers to penetration testing and bug bounty programs to scanning solutions that look for vulnerabilities early in the development cycle. While all of these are important, they can be cumbersome, create prioritization challenges, and, in the end, provide incomplete coverage.
You need a solution that will not only identify but also prioritize development resources so that most sensitive and high-risk vulnerabilities are eliminated first. That solution should also enable security teams and development teams to work together closely to manage and eliminate risk.
Banks will always be a target for cybercriminals “Because that’s where the money is.” While the openness of open banking is changing the game with new opportunities for banks and consumers, it’s also changing the game with new opportunities for attackers. Because of this, open banking, innovation, and the evolution of new services should go hand in hand with the evolution of your security.
At Salt Security, our mission is to make it safe for you to innovate by protecting the APIs at the core of your open banking initiatives. We’re working with financial institutions across the globe to help them do precisely that. Learn more at https://salt.security/customers.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.