Open Banking Forcing Prioritization of API Protection

PUBLISHED ON July 18, 2022
LAST UPDATED July 26, 2022

Growth of Open Banking 

Open Banking Project is an open-source system that allows financial services providers to more easily manage and access consumer banking and financial data via application programming interfaces (APIs). For larger enterprises, open banking offers commercial licenses, giving teams access to security patches, proprietary connectors, and dedicated support when adopting these third-party APIs into their own banking applications.  

Open banking is expected to stir the power dynamics in the banking industry. Established banks are likely to reduce costs and improve their services because of the competition with smaller banks that can now offer dynamic services with open banking. This may also mean that established banks will find more sophisticated ways to connect to their customers and increase customer retention. 

Open banking empowers flexibility in how money is managed, for example: 

  • Banks can show their customers the best financial products and services for individual needs, and offer a savings account that has a higher interest rate or a credit card with a lower interest rate. 
  • Lenders can get a more accurate picture of a candidate’s financial situation and potential risks, which can help offer more suitable loan terms. 
  • Customers can get a better understanding of their own financial situation and control their finances better. 

Open banking creates new opportunities for: 

  • Extensibility when sharing revenue with partners 
  • Reduced data licensing fees 
  • Reduced API call fees 
  • Reduced transaction fees 
  • Expert data analysis and reports 
  • Data-driven products and services for loyalty programs with credit cards, banking accounts, and financial services platforms 

The Trend 

A combination of government regulation and market forces has triggered rapid expansion of open banking among both financial and non-financial institutions. 

  • In the European Union, the United Kingdom, South Korea, Australia, and India, governments have mandated large banks to open their vast troves of customer accounts to other companies, in a bid to stimulate competition.  
  • In the United States and China, it is a market-led movement, with companies establishing open banking relationships among themselves. 
  • In the US, almost one in two consumers now use a fintech solution, primarily peer-to-peer payment solutions and non-bank money transfers. 

With more of our lives managed online, both consumers and small or medium-sized businesses have shifted toward fintech apps. In just the first six months of 2020, the number of users of open banking-enabled apps or products in the UK doubled from 1 million to 2 million and grew to over 3 million as of February 2021. This new wave of open banking has led to global financial enterprises leaning more heavily on API usage than ever before.  

Banking and FinServ Are Top Targets for API Attacks 

Many financial services institutions struggle to keep up with their expanding use of APIs and API-driven microservices like open banking. As the number of APIs expands for financial services organizations, so does their attack surface and risk exposure. This dependence on various APIs complicates an organization’s ability to secure dynamic environments and ensure they meet industry regulations. Using third-party and open-source API services introduces complex vulnerabilities that attackers can use to access customers’ account information, payment information, and personally identifiable data. All in all, this creates the perfect storm for security professionals within financial services, many of whom are already struggling to keep their customers’ sensitive data protected.

Financial privacy and protection of consumers’ sensitive data remain the primary concerns for financial institutions when looking to adopt open banking. Research shows that 48% of consumers have concerns about data and cybersecurity of open banking. The need for API security is growing fast because attackers’ strategies have evolved to use APIs as a key attack vector to exploit sensitive data. And it’s working. Financial services applications are a top target for attacks because of the type of data they hold, both PII and PCI. Why would an attacker waste their time trying to exploit PII to then sell on the dark web when they could cut a few corners and get paid immediately?  

Prioritize Protection First for Open Banking and Financial APIs 

Protecting APIs is hard, and important. That’s why it’s crucial to know which requirements are at the top of your list when evaluating an API protection solution. Taking a protection-first approach means finding a solution that can block attacks in real time, and that can only be done with a solution that’s deployed inline, not with out-of-line or sidecar deployments that require configuration with a WAF, API gateway, cloud providers, code repository, and other technologies that constantly need to be maintained to keep protection in place. On top of that, APIs are not the only attack vector that will be targeted, which is why solutions that only provide API protection aren’t enough. Look for providers that cover the full spectrum of visibility into API, web app, and bot attacks. Lastly, visibility into your organization’s entire attack surface is just as important because that surface is constantly changing. Don’t be left in the dark: ensure your API and web application protection solution can provide the visibility needed to secure your organization’s entire attack surface.

How ThreatX Is Helping Financial Services Organizations Protect APIs 

Protect APIs From Malicious Bots 

The combination of bot detection techniques and behavior-based analysis means ThreatX can detect and block a wide range of automated attacks, such as account takeover, credential stuffing, DDoS attacks, and more. Attacks will often develop over time as attackers steadily look for the weak endpoints while staying below the thresholds of rate-based rules. ThreatX continuously monitors API behavior over time to produce a unified risk score, used to block attacker behavior with significantly lower false positives and false negatives. 
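To make the rate-threshold gap concrete, the following added example (not ThreatX code and not its scoring algorithm) runs a per-minute rate rule and a decayed cumulative score over the same constructed traffic. The thresholds, weights, half-life and client names are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

RATE_LIMIT = 10      # assumed rate rule: flag above 10 requests per window
WINDOW = 60          # seconds
RISK_BLOCK = 20.0    # assumed threshold for the cumulative score
HALF_LIFE = 3600.0   # assumed: a client's score halves after an hour of quiet
WEIGHTS = {401: 2.0, 403: 2.0, 404: 1.0}  # assumed weight per response status

def rate_rule_hits(events):
    """Clients that exceed RATE_LIMIT requests inside any WINDOW seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, client, _path, _status in events:
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] >= WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            flagged.add(client)
    return flagged

def risk_peaks(events):
    """Peak of an exponentially decayed score per client, over all history."""
    score, last, peak = defaultdict(float), {}, defaultdict(float)
    for ts, client, _path, status in events:
        if client in last:
            score[client] *= 0.5 ** ((ts - last[client]) / HALF_LIFE)
        last[client] = ts
        score[client] += WEIGHTS.get(status, 0.0)
        peak[client] = max(peak[client], score[client])
    return dict(peak)

def sample_events():
    """Constructed traffic: a burst, a low-and-slow client and a normal user."""
    ev = [(i, "burst", "/login", 401) for i in range(30)]        # 30 in 30 s
    ev += [(i * 20, "slow", "/login", 401) for i in range(40)]   # 3 per minute
    ev += [(i * 45, "user", "/accounts", 200) for i in range(15)]
    ev.append((300, "user", "/login", 401))                      # one mistyped password
    return sorted(ev)

def score_rule_hits(events):
    return {c for c, p in risk_peaks(events).items() if p >= RISK_BLOCK}

if __name__ == "__main__":
    ev = sample_events()
    print("rate rule :", sorted(rate_rule_hits(ev)))
    print("risk score:", sorted(score_rule_hits(ev)))
```

The rate rule only sees the burst client, while the cumulative score also catches the client sending three failed logins a minute and leaves the ordinary user untouched.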

Detect & Block Attacks in Real-Time 

ThreatX scans all inbound API traffic in real time, identifying and blocking attacks. This real-time monitoring enables ThreatX to execute advanced threat engagement techniques, such as IP fingerprinting, interrogation, and tarpitting. These capabilities allow ThreatX to identify and stop the most complex attacks, including large-scale bots and DDoS-level threats. 

Discover & Visualize API Attack Surface 

Because ThreatX examines all live traffic, the platform can identify APIs you may be unaware of, such as zombie and rogue APIs. In addition, the API discovery capabilities of ThreatX allow customers to visualize the entirety of the API attack surface. ThreatX’s API attack dashboard provides a central view of how and where APIs may be deployed – beyond those known to the organization. 
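A minimal sketch of traffic-based API discovery, added here as an illustration and not taken from ThreatX: observed request paths are collapsed into route templates and compared with a documented inventory. The inventory, the sample requests, and the working definitions (zombie = deprecated route still being served, rogue = served route missing from the inventory) are assumptions for this example.

```python
import re
from collections import Counter

# Assumed inventory: documented routes and their lifecycle state.
INVENTORY = {
    ("GET", "/v2/accounts/{id}"): "active",
    ("POST", "/v2/payments"): "active",
    ("GET", "/v1/accounts/{id}"): "deprecated",
}

# Numeric IDs and UUID-shaped segments are treated as path parameters.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F-]{27})$")

def to_template(path):
    """Drop the query string and collapse ID-like segments to {id}."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    return "/" + "/".join("{id}" if ID_SEGMENT.match(s) else s for s in segments)

def classify(requests):
    """Return {(method, template): (label, hits)} for routes that were served."""
    hits = Counter()
    for method, path, status in requests:
        if status != 404:  # a 404 means nothing is deployed at that path
            hits[(method, to_template(path))] += 1
    labels = {"active": "known", "deprecated": "zombie"}
    return {route: (labels.get(INVENTORY.get(route), "rogue"), n)
            for route, n in hits.items()}

SAMPLE = [  # constructed access-log tuples: (method, path, status)
    ("GET", "/v2/accounts/1001", 200),
    ("GET", "/v2/accounts/1002?fields=balance", 200),
    ("POST", "/v2/payments", 201),
    ("GET", "/v1/accounts/1001", 200),
    ("GET", "/internal/export/3f2504e0-4f89-11d3-9a0c-0305e82c3301", 200),
    ("GET", "/v3/admin", 404),
]

if __name__ == "__main__":
    for (method, route), (label, n) in sorted(classify(SAMPLE).items()):
        print(f"{label:6} {method:4} {route} ({n} hits)")
```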

Take Advantage of Open Banking While Limiting the Risks 

While open banking increases flexibility in how consumers, banks, and lenders manage money, it also introduces new risks to customers’ sensitive data and financial transactions. This is where ThreatX can deliver on the promise of protecting the financial services apps and APIs that run the world from API abuse, SQL injection, and botnet attacks while also providing zero-day coverage with our 24×7 SOC.  

Learn more by talking to a ThreatX team member and requesting a demo.

About the Author

Sydney Coffaro

Experienced subject-matter expert focused on cybersecurity automation, incident response, APIs, and application security with a demonstrated history of working in fast-paced early-stage startups. Sydney is a certified product manager and Scrum Master, and has led technical sales initiatives for go-to-customer teams that resulted in the acquisition of hundreds of customers.