The Financial Services industry (FinServ) has left its mark on the API landscape and continues to provide new reasons for innovation. From the first UK bank that pioneered Open Banking to the booming mobile payment industry, FinServ has prompted – and supported – the growth of APIs and their ongoing evolution as everyday artifacts.
While that serves both the FinServ sector and the API industry, it presents some security challenges. Now that APIs are everywhere the money is, securing financial transactions is no longer the sole purview of the financial institution – it belongs to anyone, anywhere, developing any app that integrates with a financial API.
FinServ may have led us into the API revolution, but it is everyone’s job to play safe once inside.
FinServ leads the way in API adoption
FinServ leads the pack in API usage, according to recent research. The State of APIs survey noted that those who made API usage a priority belonged to the following industries:
- Financial Services (67.1%)
- Software Development (61.2%)
- Manufacturing (60.0%)
- Telecommunications (59.2%)
- Healthcare (55.6%)
Even in 2020, FinServ was the heaviest user of APIs. Per the second annual RapidAPI Developer survey, the industry with the highest API usage was Financial Services (68.8%), beating out even Technology (64.7%).
How do I use thee? Let me count the ways
Here are some of the (innumerable) uses for APIs within the FinServ sector.
- Payment processing
- Open Banking
- Banking as-a-Service (BaaS)
- RegTech
- Authentication over FinServ apps
- Investment apps
- Budgeting apps
- Mobile Banking
- Mobile Payments (Venmo, PayPal, CashApp)
- Online shopping apps (Rakuten to Amazon – all of it)
- Digital subscriptions (Spotify, Wix, Hulu – again, all of it)
Essentially, if you are taking money online and you are not a bank – you’re most likely using an API. If you’re exchanging money online and you are a bank – chances are you’re still using an API (to integrate with your mobile features, mobile payment apps, online bill pay, etc.).
There are countless uses for API technology within the financial industry, and you could say the two have built each other up. The upside is incredible agility, growth, scalability, and simplicity when it comes to doing anything remotely related to money online. APIs extend their reach across nearly every – most likely, every – financial corner of the internet and in any app where funds are exchanged. Uber. DoorDash. Candy Crush. Groupon, Google, grocery apps, and Netflix. You can’t get away from them.
Is it any wonder cybercriminals want to get in?
FinServ APIs are everywhere: Is there a downside?
Most major enterprises spend an average of 9.9% of their IT budgets on cybersecurity. According to Deloitte, businesses spend anywhere from 2.15 to 10.14% of their overall budget on IT, and per Gartner, total IT spending is set to rise by 2.4% this year. The short story is that a lot is being spent on enterprise security, and cybercriminals know that. So why try the most heavily guarded door?
APIs, on the other hand, are all-too-often a different story. Spun up with ease, often using Open-Source software, they’re easy to use and a simple plug-and-play when you don’t want to re-invent the wheel (and who does?). It is much easier to integrate with a financial API that connects you right to the bank, or mom-and-pop credit union, or crypto bank, or title loan company, or whatever. And so, we do.
The problem rests in understanding who owns API security at that point and what said party is going to do about it. In most cases, said party is the app owner who leverages FinServ APIs in the first place.
It appears there might be confusion on this point, though. According to EMA research,
- 53% believe management understands the importance of API security
- 97% have a plan to protect APIs
- Less than half (46%) believe their APIs are adequately protected
Something doesn’t add up, and that’s just the point. At this stage of the game, we’re still in the API honeymoon phase (maybe just on the flight home) and have yet to get a handle on their inherent risks.
Bad actors, however, haven’t.
Securing FinServ APIs
According to research by API security vendor Salt,
- 78% of attacks come from seemingly legitimate users who have maliciously achieved the proper authentication
- 59% of respondents had to delay production due to API security concerns
- Nearly one-third have experienced a privacy incident with their production APIs in the past year
It’s no secret that APIs are the target of many malicious attempts, and part of the challenge the FinServ sector faces is tempering growth with security.
For example, in a rapid dev environment, ‘zombie APIs’ may be left behind as test endpoints are forgotten and new APIs are spun up. These latent APIs present a threat – nobody’s watching them, no one is aware of them, and yet they’re still connected to critical systems and data. If a hacker should happen along, they could exploit an unpatched vulnerability and compromise the API and all that’s connected to it.
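The practical counter to zombie APIs is an inventory that is continuously reconciled against what the gateway actually serves. The script below is an added example, not code from the article or any vendor it names: it parses a constructed, Common-Log-style access log (format and sample lines are assumptions), normalises numeric path segments to `{id}`, and reports three findings: shadow endpoints (traffic to paths no one documented), zombie endpoints (documented paths with no traffic in the last 30 days, so nobody would notice them being abused), and deprecated endpoints that are still being called.

```python
"""Reconcile an API inventory against gateway access logs.

Added example (not from the article). Assumptions: the inventory is a list
of dicts with 'method', 'path' and 'status' ('active' | 'deprecated'); the
log lines follow a constructed, Common-Log-like format:
    <client_ip> [<ISO-8601 timestamp>] "<METHOD> <path> HTTP/1.1" <status>
Purely numeric path segments are normalised to '{id}' so that
/v1/accounts/42 matches the documented template /v1/accounts/{id}.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample inventory: what the team *thinks* is exposed.
INVENTORY = [
    {"method": "GET",  "path": "/v1/accounts/{id}",   "status": "active"},
    {"method": "POST", "path": "/v1/payments",        "status": "active"},
    {"method": "GET",  "path": "/v1/statements/{id}", "status": "active"},
    {"method": "POST", "path": "/v1/payments-legacy", "status": "deprecated"},
]

# Constructed sample gateway log: what is *actually* being called.
SAMPLE_LOG = """\
10.0.0.5 [2024-05-01T09:00:00+00:00] "GET /v1/accounts/42 HTTP/1.1" 200
10.0.0.7 [2024-05-01T09:00:05+00:00] "POST /v1/payments HTTP/1.1" 201
10.0.0.9 [2024-05-02T11:13:00+00:00] "POST /v1/payments-legacy HTTP/1.1" 200
10.0.0.9 [2024-05-02T11:13:20+00:00] "GET /v1/test/accounts/42/dump HTTP/1.1" 200
10.0.0.9 [2024-05-02T11:13:21+00:00] "GET /v1/test/accounts/43/dump HTTP/1.1" 200
"""


def normalise(path: str) -> str:
    """Collapse concrete URLs onto their documented template."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse_log(text: str) -> list[dict]:
    """Parse log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "method": m["method"],
            "path": normalise(m["path"]),
            "status": int(m["status"]),
        })
    return records


def reconcile(inventory: list[dict], records: list[dict], now: datetime,
              quiet_days: int = 30) -> dict:
    """Return three sorted finding lists:
    - shadow: traffic to (method, path) pairs absent from the inventory
    - zombie: documented endpoints with no traffic in the last quiet_days days
    - deprecated_in_use: endpoints marked deprecated that still get traffic
    """
    documented = {(e["method"], e["path"]): e for e in inventory}
    cutoff = now - timedelta(days=quiet_days)
    recent_hits = Counter(
        (r["method"], r["path"]) for r in records if r["ts"] >= cutoff
    )
    shadow = sorted(f"{m} {p}" for (m, p) in recent_hits if (m, p) not in documented)
    zombie = sorted(f"{m} {p}" for (m, p) in documented if recent_hits[(m, p)] == 0)
    deprecated_in_use = sorted(
        f"{m} {p}" for (m, p), e in documented.items()
        if e["status"] == "deprecated" and recent_hits[(m, p)] > 0
    )
    return {"shadow": shadow, "zombie": zombie, "deprecated_in_use": deprecated_in_use}


def run_sample() -> dict:
    """Run the reconciliation over the constructed inventory and log."""
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)
    return reconcile(INVENTORY, parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

On the sample data the report flags `/v1/test/accounts/{id}/dump` as a shadow endpoint (a forgotten test route that is live and undocumented), `/v1/statements/{id}` as a zombie (documented, but idle for the whole window, so its logs would never be reviewed), and `/v1/payments-legacy` as deprecated-but-in-use. In practice the inventory would come from the OpenAPI specs in source control and the log from the gateway, and each finding would be routed to the owning team rather than printed.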
Exponential growth
Once only a novel idea, Open Banking is now mandated in the UK and across Europe to drive innovation and competition within the banking industry. Open Banking, underpinned by APIs, has continued its precipitous climb over the past few years and shows no signs of stopping. Where it goes, APIs go; the same can be said for every financial app anywhere.
With FinServ leading the pack in API usage, it stands to reason that the banks and apps that use them should keep the risks in mind and secure the APIs like they’re securing the financial data itself – because they are.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.