APIs: The silent fintech security concern

A quarterly report published by integrated app and security platform Wallarm gives granular attention to a little-discussed but critical security concern for fintechs – their APIs. The reports are developed from publicly available sources.

Wallarm co-founder and CEO Ivan Novikov said his goal for the reports is to estimate the scope of the threats and to group them into sensible sections. This helps CISOs and cybersecurity managers measure the dangers and build risk models. Each quarter, the Wallarm team analyzes every available incident, combines it with additional information and enriches it.

Novikov said that focus produces real-time analysis with better insights than other reports published less frequently. It also identifies some new threat groups that can likely be attributed to the proliferation of API use.

Leaks from APIs are an emerging threat

Injections were by far the top issue in the quarter. Their 59 known occurrences represent 25% of the 239 traced actions. Injections occur when someone sends dangerous API commands via a user input field. Authentication flaws rank second with 37. This involves identity verification failures. Cross-site issues are third with 30.

Ivan Novikov said API leaks make up more than 10% of all threats.

API leaks make up more than 10% of incidents. They’ve hit Netflix, open-source software providers and enterprise software firms. Novikov said API leaks are a recently discovered issue.

There are two types of APIs, and one specifically affects fintechs: open APIs for banking. Novikov said institutions are interested in two things, the first being tracking where their financial data travels. This includes personally identifiable information and internal bank account information. They need to know if it gets siphoned off somewhere it shouldn’t.

“If you notice that the internal banking account numbers are connected as a routing number, (criminals) can do many things,” Novikov said. “They can run completely different fraud schema. If you remember the movies with James Bond, they say, ‘I know your account number in Switzerland’, it’s exactly the same thing.”

These data pieces could be private access talking to your API. They could be certificates you issued to a partner bank that were compromised. Every party you share a key with is responsible for it, but you are responsible for the open data.

While banks have many paths of recourse to protect themselves if passwords and login credentials are compromised, Novikov said APIs have one key, and that’s it. A bank accepts it, and you’re a partner.

“That’s why we’re building solutions to solve this problem because the problem is huge.”

Aging infrastructure worsens the problem

The age of many bank APIs adds to the challenge. With older ones, it is harder to find who defined the key. It’s somewhere in the code. Novikov has seen examples in COBOL dating back to 1998.

“It’s somewhere in the code, and you can extract it from there,” Novikov said. “It’s a hard-coded key that somebody put in there. Connect with XML, and you’re good to go. And now we put a fancy API gateway on top of that and name it open banking. It’s open, but it’s open from a different perspective. It’s very, very drilled by holes.”

Monitor your partners

Given the sizeable risk, it’s incumbent on financial institutions to ensure they can trust their partners. Novikov said there is more comfort for banks, who can define standards their data providers must follow.

It’s a bit looser for fintechs. Novikov encourages them to set their standards. Share a key with a fintech facilitator, and they’re responsible for it.

“As a fintech, they’re not regulated like a bank,” Novikov said. “They should do that for themselves. In this case, they rely on (banks) and should rely on themselves. That’s a big problem because if I want to connect my Robinhood with my bank, I have no other option.”

With no industry standard, fintechs can decide how much security to employ. And when your whole business boils down to APIs, that security better be good.

VP of Marketing Girish Bhat said Wallarm is building a cloud-native platform that can also be used on-prem. It can detect attacks in near-real-time. It can provide repair recommendations and remediation capability by working with the other tools in a fintech ecosystem.

“There are billions of API calls happening,” Bhat said. “We can analyze that in real-time and provide the proactive capability to mitigate them.”

Weak credentials and cryptography issues are a surprising entrant on the Top 10 issues list. Novikov said many firms use standard and default keys.

“It’s obvious to everyone that you should not use standard or default keys, but it’s still happening more and more,” he said. “Unfortunately, we still can’t get rid of this as an industry for some reason.”

How ChatGPT helped develop Wallarm’s AAA system

Wallarm used ChatGPT to help sort threats into a AAA system (authentication, authorization and access control). Authentication is the first line of defence. By isolating it, Wallarm can focus on vulnerabilities that specifically exploit authentication loopholes.

When authorization is separated from authentication, it helps identify when systems grant unnecessary permissions. Access control considers factors like device, IP address and time of day. It helps zero in on flaws in enforcement mechanisms.

“We can focus the bank APIs or banking app to specifically check if a manager can do something outside the design privileges,” Novikov said. “And we’re seeing with enterprise apps that it’s hard to bypass security controls, scanners, and whatever they have.

“However, it’s relatively easy to make some mistakes in access controls because access control is often just managed; it’s not a part of code. It will allow us not just to click the checkbox while we run in some compliance apps or APIs and check. Bad access control is different- you must check it separately.”

Also read:

  • Tony Zerucha

    Tony is a long-time contributor in the fintech and alt-fi spaces. A two-time LendIt Journalist of the Year nominee and winner in 2018, Tony has written more than 2,000 original articles on the blockchain, peer-to-peer lending, crowdfunding, and emerging technologies over the past seven years. He has hosted panels at LendIt, the CfPA Summit, and DECENT's Unchained, a blockchain exposition in Hong Kong. Email Tony here.