International. Application Programming Interfaces are the bridge that connects banks with a digital ecosystem, allowing the integration of services and the creation of user experiences that make banking more efficient and customizable.
Without APIs, each company would have to build its own communication system with each bank, which would be expensive, time-consuming, and complex. Banking APIs simplify this process; at the same time, however, they become one of the most attractive vectors for cyber attackers.
The number of Open Banking API calls is projected to grow from 102 billion in 2023 to 580 billion in 2027, highlighting the critical importance of APIs in the banking infrastructure of the future. On the other hand, the value of open banking transactions is also expected to rise considerably and reach $330 billion by 2027.
Oswaldo Palacios, Latam Senior Account Executive at Akamai, explained that a banking API acts as a bridge between different software and applications. When a user makes, for example, a bank transfer in an application, the API is responsible for transmitting the request to the bank and then transmitting the response back to the application. "A banking API is capable of offering a series of benefits in terms of adaptability and speed in a business context determined by immediacy," said the executive.
APIs are pillars of digital transformation, allowing banks to evolve and stay competitive in the face of the emergence of Fintech and Techfins. As with any aspect of computing, API security is a critical concern for businesses and organizations that rely on APIs to provide access to their services and data. "APIs can be vulnerable to a wide range of security risks, which can lead to data breaches, unauthorized access, and other forms of abuse," he said.
Akamai's study, Digital Fortresses Under Siege: Threats to Modern Application Architectures, highlights that the main vertical sectors affected by attacks on web applications and APIs from January 2023 to June 2024 were commerce, high tech, and financial services. The latter sector recorded 55 billion attacks, which were particularly problematic for both organizations and customers because they can compromise user account information. This opens up opportunities for credential theft and other forms of abuse across an organization's application landscape.
APIs that lack an effective security posture are more exposed to attackers, who have a keen eye for weaknesses and are quick to exploit them. In this regard, Oswaldo Palacios listed five reasons why banking APIs attract cybercrime and urged the financial sector to take appropriate security measures:
1) Cybercriminals love APIs because they usually contain the keys to a large amount of valuable information. If not properly secured, APIs can expose sensitive data.
2) Hackers look for APIs created and deployed without sufficient security measures, which offer an easy entry point. Legacy APIs that are not updated regularly also become targets, as they often offer several entry points that have been ignored or overlooked.
3) An attacker can inject malicious code or commands into an API request to exploit a vulnerability and gain unauthorized access to sensitive data. Behavioral analysis can help detect these types of attacks by identifying anomalous patterns that could indicate that someone is trying to exploit an API weakness.
4) Unauthorized users can exploit vulnerabilities in an API to disrupt services or hijack the system for their own use. Common threats include injection attacks, man-in-the-middle (MITM) attacks, and DDoS attacks aimed at overwhelming an API with traffic.
5) Security teams face unique challenges given the volume, speed, and complexity of the API environment in many organizations. A significant number of companies lack visibility into their API footprint, leaving them with an incomplete picture of the overall security landscape. Knowing the full inventory of the attack surface and having security controls in place to protect it are both crucial to keeping intruders out of a network.
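Points 3 and 4 above describe what behavioral analysis looks for: anomalous request patterns that suggest someone is probing or flooding an API. The following script is an added example, not code from the article or from Akamai, that runs three simple behavioral rules over a constructed API access log (the log lines, client names, paths and thresholds are all made up for illustration): a per-client request burst, authorization probing across many resources that mostly return 4xx, and a small injection-signature check on decoded request paths.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log (not real traffic). Field order:
# "<ISO timestamp> <client_id> <method> <path> <status>"
BASE_LINES = [
    "2024-03-01T10:00:00Z client-A GET /v1/accounts/123/balance 200",
    "2024-03-01T10:00:05Z client-A GET /v1/accounts/123/transactions 200",
    "2024-03-01T10:00:09Z client-A POST /v1/transfers 201",
    "2024-03-01T10:00:01Z client-B GET /v1/accounts/101 403",
    "2024-03-01T10:00:02Z client-B GET /v1/accounts/102 403",
    "2024-03-01T10:00:03Z client-B GET /v1/accounts/103 403",
    "2024-03-01T10:00:04Z client-B GET /v1/accounts/104 403",
    "2024-03-01T10:00:05Z client-B GET /v1/accounts/105 403",
    "2024-03-01T10:00:06Z client-B GET /v1/accounts/106 200",
    "2024-03-01T10:00:07Z client-C GET /v1/accounts?id=1'%20OR%20'1'='1 500",
    "2024-03-01T10:00:08Z client-C GET /v1/files?name=../../etc/passwd 404",
]
# client-D hits one endpoint 30 times in 30 seconds (a constructed flood).
FLOOD_LINES = [
    f"2024-03-01T10:00:{i:02d}Z client-D GET /v1/rates 200" for i in range(30)
]
SAMPLE_LOG = "\n".join(BASE_LINES + FLOOD_LINES)

# Detection thresholds (assumed values; tune against your own baseline).
WINDOW_SECONDS = 60
FLOOD_THRESHOLD = 20      # requests from one client inside any window
ENUM_MIN_PATHS = 5        # distinct resources touched by one client
ENUM_DENIED_RATIO = 0.5   # share of the client's responses that were 4xx
INJECTION_SIGNATURE = re.compile(r"'\s*or\s|union\s+select|\.\./", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a record; the path is URL-decoded for matching."""
    ts, client, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "path": unquote(path),
        "status": int(status),
    }


def max_requests_in_window(timestamps, window_seconds):
    """Largest number of requests that fall inside any window of the given length."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text):
    """Return {client_id: [finding, ...]} for clients that trip at least one rule."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in per_client.items():
        flags = []
        # Rule 1: request burst, the traffic shape of a DDoS or scraping run.
        if max_requests_in_window([r["ts"] for r in recs], WINDOW_SECONDS) >= FLOOD_THRESHOLD:
            flags.append("request-flood")
        # Rule 2: many distinct resources, mostly denied: someone testing authorization.
        distinct_paths = {r["path"] for r in recs}
        denied = sum(1 for r in recs if 400 <= r["status"] < 500)
        if len(distinct_paths) >= ENUM_MIN_PATHS and denied / len(recs) >= ENUM_DENIED_RATIO:
            flags.append("authorization-probing")
        # Rule 3: known injection / traversal fragments in the decoded path.
        if any(INJECTION_SIGNATURE.search(r["path"]) for r in recs):
            flags.append("injection-signature")
        if flags:
            findings[client] = flags
    return findings


if __name__ == "__main__":
    for client, flags in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(flags)}")
```

The rules are deliberately coarse: in a real deployment the thresholds would come from each client's historical baseline rather than fixed constants, and the signature list would be maintained by the WAF or API gateway, but the structure (group by caller, compute per-caller behavior, compare against expected behavior) is what "behavioral analysis" means in practice.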
That is why Oswaldo Palacios advised implementing strong authentication and authorization protocols, using encryption to protect data in transit, limiting the exposure of API endpoints to reduce potential attack vectors, carrying out security audits and periodic vulnerability assessments, and following a Zero Trust model: do not trust any request by default.
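The recommendations above (strong authentication and authorization, encryption in transit, limiting exposed endpoints, deny-by-default) can be read as an ordered pipeline of checks that every request must pass. The code below is an added example, not code from the article or from Akamai, that implements that pipeline for a toy banking API. Everything in it is assumed for illustration: the signing key, the HMAC-signed token (a stand-in for a JWT issued by an OAuth/OIDC provider), the endpoint allowlist and scopes, the account-number format, and the transfer limit.

```python
import base64
import hashlib
import hmac
import json
import re
from collections import defaultdict, deque

# Constructed demo key; a real deployment would validate tokens from an identity provider.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 300

# Deny-by-default: only endpoints listed here exist from the caller's point of view,
# and each one names the scope a token must carry. Anything else answers 404.
ALLOWED_ENDPOINTS = {
    ("GET", "/v1/accounts/balance"): "accounts:read",
    ("POST", "/v1/transfers"): "transfers:write",
}
ACCOUNT_RE = re.compile(r"^\d{10}$")   # assumed account-number format
MAX_TRANSFER = 10_000                  # assumed per-request ceiling


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, scopes, now):
    """Mint a signed bearer token: base64url(claims) + '.' + HMAC-SHA256 over it."""
    claims = {"sub": client_id, "scope": sorted(scopes), "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now):
    """Return the claims if the signature and expiry check out, otherwise None."""
    body, _, sig = token.rpartition(".")
    if not body:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RateLimiter:
    """Sliding-window limiter keyed by authenticated client id."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client_id, now):
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_transfer(body):
    """Schema check for the transfer body; returns an error string or None."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    if not ACCOUNT_RE.match(str(body.get("to_account", ""))):
        return "to_account must be a 10-digit account number"
    amount = body.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or not 0 < amount <= MAX_TRANSFER:
        return "amount out of range"
    return None


def handle_request(req, limiter, now):
    """Run the controls in order; the first failing control decides the response."""
    if not req.get("tls", False):                       # encryption in transit
        return 426, "TLS required"
    token = req.get("authorization", "")
    claims = verify_token(token, now) if token else None
    if claims is None:                                  # authentication
        return 401, "missing, invalid or expired token"
    key = (req["method"], req["path"])
    if key not in ALLOWED_ENDPOINTS:                    # limited exposure
        return 404, "endpoint not exposed"
    if ALLOWED_ENDPOINTS[key] not in claims["scope"]:   # authorization
        return 403, "insufficient scope"
    if not limiter.allow(claims["sub"], now):           # abuse / flood control
        return 429, "rate limit exceeded"
    if key == ("POST", "/v1/transfers"):                # input validation
        error = validate_transfer(req.get("body"))
        if error:
            return 400, error
    return 200, "ok"


if __name__ == "__main__":
    now, limiter = 1_700_000_000, RateLimiter(5, 60)
    token = issue_token("app-1", ["accounts:read"], now)
    print(handle_request({"tls": True, "method": "GET", "path": "/v1/accounts/balance",
                          "authorization": token}, limiter, now))
```

The order matters: a request is rejected by the cheapest applicable control first, an unauthenticated caller never learns which endpoints exist, and a caller with a valid token still cannot reach an endpoint its scope does not cover. Input validation runs last because it is the only step that needs to look at the body.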
"Securing APIs can be a difficult task that goes beyond access restrictions. The goal is to create a security environment around APIs that can resist intrusion or misuse attempts. Organizations must invest time, resources and maintain a continuous strategy to protect their APIs against the numerous security risks they face," concluded Oswaldo Palacios.