Mobile and online banking have already taken their place as conventional banking channels. But banks are constantly looking for new, alternative delivery methods to sell their products and distribute their services. This new channel seems to be application program interface (API) banking. As always, emerging opportunities come with emerging risks.

Transitioning to API Banking

The most common and well-known banking API is online point-of-sale (POS) systems. Banks developed a remarkable amount of experience developing and managing them. However, these APIs are relatively unchanging due to regulations and players in the payment card industry.

Payment System Directive 2 (PSD2) is forcing institutions to enter the API banking environment. Payment initiation service providers and account information service providers will be connected to banks through these APIs. In addition to that payment universe, a vast array of services are waiting to be offered through APIs, such as bill payments, loan applications, insurance sales, locational services and more.

As new actors in the API and cloud landscapes, banks must understand the risks they are carrying and the attack surface they are exposing to the outer world. Compared to pure tech companies and startups, banks must manage massive amounts of financial and reputational risk. Besides the risks, banks must deal with various local and international regulations as well. Taking all this into account, a solid security and risk governance framework is indispensable.

Let’s take a look at some new concepts and challenges banks must deal with as the landscape evolves.

Social Engineering Attacks

As mentioned before, there will soon be an ocean of banking services and products offered through various platforms. For example, a bank can offer a travel insurance policy attached to a holiday tour on an agent’s webpage or a personal loan through a digital equipment store’s site.

These channels will attract customers used to submitting their credentials without proper authentication. Methods other than SSL certificates must be developed for a two-way authentication. By two-way authentication, we mean customers should be able to verify banks just as the banks are verifying customers.

Banks Were Using Client-Side Controls — Now What?

When institutions have full control of their environments, it is easy to implement controls and respond to new vulnerabilities. Input, output and logical controls are working efficiently when they are designed at both the client and server sides.

The first line of defense starts at the border of a bank’s demilitarized zone (DMZ) instead of customers’ mobile devices or browsers. Distributed denial-of-service (DDoS) protection, input controls and logical controls must work more efficiently than ever. Even users are potential attackers in API banking environments.

Keeping Track of APIs and Software Development Kits

Banks cannot enjoy the comfort of providing open APIs to whomever they want like other API providers. Due to local and international regulations such as the Know Your Customer (KYC) principle, internal policies of the bank and international rules such as embargo, they should know with whom they are working.

API providers and users usually communicate through application servers at the user’s side and API gateways at the provider’s side. Banks should develop ways to limit sources of these requests and the number of requests to which they are responding. Of course, a periodic content check of the user side should be in place. A reputable bank would not enjoy having its APIs served in black market.

Change Management

Bug, vulnerability and version management is relatively easy if you are running the platform for your business services; you can handle everything in-house. Utilization of APIs will take this to a whole new level. Banks must have internal and external procedures that answer questions such as:

  • What kinds of environments should banks provide?
  • How can developers submit bug reports?
  • Are users ready for a new version of the API?
  • How much advance notice should banks provide to developers before promoting the API to the production environment?
  • How many versions of the same service should be active simultaneously?

Developing a Governance Framework

It is unfortunate that a Google query of “API Banking Governance” still does not return satisfying results. Taking software-as-a-service (SaaS) governance models and fine-tuning them for the banking industry can be a good starting point.

When developing this governance framework, banks should divide the whole process into two parts — API development and maintenance and API user management — and manage them separately. Here are some key components to look at during the API development and maintenance process:

  • Business line evaluation;
  • Legal evaluation;
  • Anti-money laundering (AML) controls;
  • Logical security controls;
  • Development (e.g., technical security controls must be in place);
  • Going live;
  • Change management;
  • Monitoring; and
  • Decommissioning.

For API user management, banks should start by examining the following areas:

  • Communication methods;
  • Evaluation of API users;
  • Monitoring of API user resources;
  • Monitoring of content; and
  • Legal obligations of parties.

A Shifting Landscape

API banking can benefit both banking customers and financial institutions if implemented, operated and secured properly, but failure to do so could result in social engineering attacks and other forms of fraud. As the landscape shifts toward this rapidly evolving technology, banks must stay abreast of the cyberthreat landscape and the various local and international regulations that affect their customers and business interests.

Read the white paper: The Impact of PSD2 on Authentication and Security in European Financial Institutions

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today