Significant API Vulnerabilities Found in Financial Services

In the digital evolution of financial services, Application Programming Interfaces (APIs) have become a significant component. By improving customer experience and the flexibility of fintech solutions, they have become a core building block of successful fintech applications.

Salt Security has, however, recently released surprising results regarding the security of APIs. 

The results found that API attackers targeting financial services APIs have become increasingly active, with a 244% increase in unique attackers between the first and second halves of last year.

Source: Salt Labs State of API Security Report

“APIs are essential for the innovative digital services being delivered today by financial and insurance organizations,” said Roey Eliyahu, CEO and co-founder of Salt Security. “However, because these APIs transport sensitive customer and financial information, cybercriminals also know they share a wealth of data that can be leveraged for theft or fraud.” 

“The findings show these companies are suffering significant increases in attackers and other security issues, increasing their vulnerability to API-related incidents.”

Security issues abound

Respondents to the survey indicated that despite the rise in attacks, they were not adequately protected. 

More than a quarter indicated that they currently had no API strategy, while 71% said their existing tools had proved relatively ineffective against API attacks. 

Issues with API security had also delayed product rollouts for 69% of respondents, 11% higher than the average. The resulting added costs and business disruption have made API security a growing concern for the C-suite.

The majority of API security is currently addressed in the testing stage of API development. Many teams manage over 100 APIs, with 37% managing over 500, meaning that anticipation of all potential security breaches can be challenging. The majority of respondents had doubled their numbers of APIs in the past year, compounding the issue. 

Less than half of the responding institutions continued testing for security issues once their APIs were in runtime and production, which Salt identifies as the stage where attack activity is most likely and where weaknesses tend to surface.

Because API security effort is concentrated in the development and testing stages, financial institutions’ security teams often had little visibility into possible breaches once APIs were live. Documentation of APIs forms a key part of identifying security weaknesses and attacks. However, only 10% of respondents indicated that logs are updated at the same rate as the APIs themselves. This gap could leave them wide open to a security breach.

The Salt Labs team stated that in 90% of their assessments of institutions’ APIs, there were security vulnerabilities. Fifty percent of these were critical. 

API security problems
Source: Salt Labs State of API Security Report

Securing APIs has become a priority.

“Given the growing importance of APIs over the last several years for enabling modern businesses, it is surprising that API security has become mainstream only recently,” said Jeff Farinich, SVP of technology and CISO at New American Funding. “The fact that security frameworks and regulations are slow to evolve is partly to blame.”

However, regulators are now stepping in to drive changes in institutions’ approach. 

“I see hope on the horizon,” continued Farinich. “The Federal Financial Institutions Examination Council (FFIEC), which usually takes years to issue a new mandate, in just one year explicitly called out APIs as a separate attack surface, requiring financial institutions to inventory, remediate, and secure API connections.”

API security concerns
Source: Salt Labs State of API Security Report

Compliance with the new rules involves employing a risk-based approach to APIs, with controls strengthening as risk levels increase. An API inventory was also deemed important, avoiding the prevalence of “zombie APIs,” which Salt identified as one of their survey respondents’ greatest security concerns.

For institutions, Salt recommended addressing the security of APIs at all stages of the lifecycle, formulating a robust strategy to address possible weaknesses.
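The report's two recurring themes above, an inventory that lags behind the APIs actually deployed and runtime traffic that nobody reconciles against that inventory, come together in the "zombie API" problem. The following is an added example, not code from Salt Security or from the report, showing how a defender can reconcile a declared API inventory against gateway access logs: endpoints receiving traffic that are absent from the inventory (shadow APIs), inventoried endpoints marked deprecated that still receive traffic (zombie APIs), and inventoried endpoints with no traffic at all (candidates for retirement). The inventory schema, the `status` values, and the log lines are all constructed for this example.

```python
import re
from collections import Counter

# Constructed inventory: what the team believes is deployed. The field names
# and "status" values are assumptions for this example, not a schema from the report.
INVENTORY = [
    {"method": "GET",  "path": "/v2/accounts/{id}",           "status": "active"},
    {"method": "POST", "path": "/v2/accounts/{id}/transfers", "status": "active"},
    {"method": "GET",  "path": "/v1/accounts/{id}",           "status": "deprecated"},
    {"method": "GET",  "path": "/v2/statements/{id}",         "status": "active"},
]

# Constructed API gateway access log lines in common log format.
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /v2/accounts/1001 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "POST /v2/accounts/1001/transfers HTTP/1.1" 201 88
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "GET /v1/accounts/1001 HTTP/1.1" 200 480
10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /v1/accounts/1002?full=1 HTTP/1.1" 200 480
10.0.0.7 - - [01/Mar/2023:10:00:05 +0000] "GET /internal/debug/users HTTP/1.1" 200 2048
"""

# Pull the method and path out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A purely numeric path segment is treated as a resource identifier.
ID_SEG = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    """Drop the query string and collapse numeric segments into the {id}
    placeholder used by the inventory, so observed paths match templates."""
    path = path.split("?", 1)[0]
    return ID_SEG.sub("/{id}", path)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per (method, normalized path) seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], normalize(m["path"]))] += 1
    return counts


def reconcile(inventory, log_text):
    """Compare declared inventory with observed traffic and classify gaps."""
    seen = observed_endpoints(log_text)
    declared = {(e["method"], e["path"]): e for e in inventory}
    # Traffic to endpoints the inventory does not know about.
    shadow = sorted(k for k in seen if k not in declared)
    # Deprecated endpoints that are still being called.
    zombie = sorted(k for k, e in declared.items()
                    if e["status"] == "deprecated" and k in seen)
    # Declared endpoints with no traffic in this log window.
    idle = sorted(k for k in declared if k not in seen)
    return {"shadow": shadow, "zombie": zombie, "idle": idle, "hits": dict(seen)}


if __name__ == "__main__":
    result = reconcile(INVENTORY, ACCESS_LOG)
    for label in ("shadow", "zombie", "idle"):
        for method, path in result[label]:
            hits = result["hits"].get((method, path), 0)
            print(f"{label:7} {method:5} {path}  ({hits} requests)")
```

Each finding maps to an action the report's recommendations call for: a shadow endpoint needs an owner and an inventory entry before it can be assessed, a zombie endpoint needs its callers migrated and the route removed, and an idle endpoint is a cheap attack-surface reduction. Running this over a rolling window of production logs is one concrete way to keep the inventory in step with the APIs themselves rather than only with what was tested before release.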


  • Isabelle Castro Margaroli

    Isabelle is a journalist for Fintech Nexus News and leads the Fintech Coffee Break podcast.

    Isabelle's interest in fintech comes from a yearning to understand society's rapid digitalization and its potential, a topic she has often addressed during her academic pursuits and journalistic career.