Why API Security Is Crucial To Australia’s Financial Services Industry
Posted: Tuesday, Jan 28


Australia’s banking and financial services sector is undergoing a rapid digital transformation amidst a growing consumer appetite for convenient, fast and secure interactions and the emergence of open banking. A report by the Australian Banking Association revealed that 98.9% of bank transactions now take place digitally.

This shift to digitisation has exposed new risks for the current cybersecurity landscape in the financial services industry. Recently, National Australia Bank’s general manager of group investigations, Chris Sheehan, revealed in an interview that Australia’s major banks are under constant attack as cyber criminals look for ways to infiltrate the banks’ computer systems and compromise customer data by breaching security logins.

Rise of APIs in digital banking

The rise of digital banking has seen Application Programming Interface (API) usage skyrocket, with the technology delivering benefits in business automation, scalability and acceleration.

APIs are a set of protocols and definitions that allow different software components or programs to communicate with each other and share data. APIs determine how one application can access the data or functions offered by another software program. APIs are prevalent and involved in almost every action users take online, including transactions such as making a mobile payment or browsing an ecommerce site.

There is no denying that APIs play a pivotal role in digital banking, offering unparalleled convenience, speed, and security for customers who access banking products. They allow third-party applications to connect with a bank’s tools, services, and valuable assets, streamlining connections for both parties. Many fintech companies have also turned to APIs to securely and efficiently exchange consumer-permissioned data.

But even as APIs have transformed the customer experience and propelled the financial industry into the digital age, their growth has brought several challenges.

Akamai’s latest report “Navigating the Rising Tide: Attack Trends in Financial Services” notes sharp increases in the number of attacks that specifically target APIs in the financial services industry compared to other sectors. This is attributed to attackers continually searching for new vulnerabilities to exploit; the discovery of such a weakness or misconfiguration can lead to sudden increases in attack frequency.

Organisations in Australia have experienced numerous high-profile cyber attacks. One such example is an Australian personal loan and financial service provider who was affected by a data breach that impacted over 14 million people from across Australia and New Zealand.

API attack types

A significant concern in the financial services sector is the lack of visibility into API ecosystems and the absence of an enterprise-wide API inventory.

Traditional API attacks can often be detected by signature-based analysis, which is largely implemented in web application firewalls (WAFs).

However, there is a new attack method known as business logic abuse, which specifically exploits flaws in how the application was designed. By finding gaps and weaknesses in the APIs, attackers aim to manipulate an API into doing whatever they want it to do. Business logic abuse does, however, require attackers to perform deeper analysis and gain an understanding of the API’s role in the business process, so as to know exactly where and how to manipulate it.

In the banking and financial services industry, disruptions in the availability of web applications and APIs can significantly impact customer satisfaction and brand loyalty. With the increasing adoption of a digital-first approach in Australia, APIs have become even more critical for the success of financial institutions, especially in the context of open banking.

The abuse of new account credentials may lead to fraudulent account creation or unauthorised access to free credits. API scraping, a new method of expediting data retrieval and interpretation, is fast growing in popularity. It is a data extraction technique targeted at specific websites, databases or programs, aimed at delivering important, structured data to people while removing the need for bespoke research and manual data scraping, which can be time-consuming.

While there are benefits to API scraping, there is also substantial risk for financial institutions using this technology: excessive data being extracted through legitimate-looking calls is hard to detect, and doing so calls for significant API behaviour monitoring.

There have also been instances of cyber criminals harvesting stolen credit card numbers through phishing attacks and abusing bank APIs for card validation, then reselling those numbers to criminals to commit financial fraud. Even though the API itself isn’t technically attacked, it is being abused as an accessory to commit fraud against customers.
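Both of the abuse patterns above, scraping that leaks excessive data and card-validation calls used as an accessory to fraud, consist of requests that individually look legitimate, so a per-request signature check passes them. The following added example (not from the article or from Akamai) shows the kind of per-client behaviour monitoring the text calls for, run over a constructed API access log; the endpoint paths, thresholds and the 402 failure status are assumptions for illustration.

```python
import re
from collections import defaultdict

# Thresholds are illustrative assumptions for this example; a real deployment
# tunes them per endpoint from a baseline of normal client behaviour.
MAX_DISTINCT_RECORDS = 25    # distinct account records one client may read per window
MAX_VALIDATION_CALLS = 20    # card-validation calls per client per window
MAX_FAILURE_RATIO = 0.5      # share of failed validations that suggests card testing

ACCOUNT_RE = re.compile(r"^/v1/accounts/(\d+)$")   # assumed account-read endpoint
VALIDATE_PATH = "/v1/cards/validate"                # assumed card-validation endpoint

def analyse(log):
    """Aggregate behaviour per client and return {client: [finding, ...]}.

    Each log entry is a dict with 'client', 'path' and 'status'. A client is
    flagged either for reading an unusually large number of distinct account
    records (scraping) or for a high volume of mostly failing card validations.
    """
    records = defaultdict(set)                 # client -> distinct account IDs read
    validations = defaultdict(lambda: [0, 0])  # client -> [calls, failures]
    for entry in log:
        client, path, status = entry["client"], entry["path"], entry["status"]
        m = ACCOUNT_RE.match(path)
        if m:
            records[client].add(m.group(1))
        elif path == VALIDATE_PATH:
            validations[client][0] += 1
            if status >= 400:
                validations[client][1] += 1
    findings = defaultdict(list)
    for client, ids in records.items():
        if len(ids) > MAX_DISTINCT_RECORDS:
            findings[client].append(f"excessive data extraction: {len(ids)} distinct accounts")
    for client, (calls, failures) in validations.items():
        if calls > MAX_VALIDATION_CALLS and failures / calls > MAX_FAILURE_RATIO:
            findings[client].append(f"card validation abuse: {failures}/{calls} failed")
    return dict(findings)

# Constructed sample log: c-01 behaves normally, c-17 walks through 60 account
# records, c-42 submits 42 card validations of which only 2 succeed.
SAMPLE_LOG = (
    [{"client": "c-01", "path": f"/v1/accounts/{1000 + i}", "status": 200} for i in range(3)]
    + [{"client": "c-17", "path": f"/v1/accounts/{2000 + i}", "status": 200} for i in range(60)]
    + [{"client": "c-42", "path": VALIDATE_PATH, "status": 402} for _ in range(40)]
    + [{"client": "c-42", "path": VALIDATE_PATH, "status": 200} for _ in range(2)]
)

if __name__ == "__main__":
    for client, issues in analyse(SAMPLE_LOG).items():
        print(client, issues)
```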

Steps to strengthen API security

As Australian banks and financial institutions accelerate their digital transformation efforts, safeguarding APIs will be paramount, especially as threat actors continuously evolve and adapt their methods of attack. It is imperative that API security shifts toward the edge, moving away from infrastructure and closer to the digital touchpoints where customers engage with data and applications. This strategic adjustment is crucial to ensure robust protection for digital assets.

The first step in securing APIs is discovering and cataloguing them across the organisation. This process allows security engineers to understand the scope of the attack surface, identify shadow APIs and the potential exposure of sensitive information from APIs that do not have the required safeguards. The API must also be actively tested for vulnerabilities during development and continuously monitored for misconfigurations and logic abuse during runtime.

Also, as conventional security tools are unlikely to detect and stop API abuses, banks will need to consider implementing specialised API security platforms that can test for gaps, probe the security posture of the APIs, detect abuse at runtime and mitigate it as it happens. Once APIs are discovered, financial institutions must conduct vulnerability tests and risk assessments to identify and address vulnerabilities in a timely manner. This process should be integrated into API development and upgrade cycles to ensure ongoing security.
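The discovery step above hinges on reconciling what is documented with what is actually being called. As an added example (not from the article), the code below compares a constructed OpenAPI-style inventory with constructed gateway traffic and reports shadow operations (observed but undocumented) and zombie operations (documented but never called); the paths, methods and the assumption that numeric path segments are record identifiers are illustrative.

```python
import re

# Constructed documented inventory in the shape of OpenAPI "paths" keys mapped
# to their declared methods (assumption: one such spec exists per service).
DOCUMENTED = {
    "/v1/accounts/{id}": {"get"},
    "/v1/accounts/{id}/transactions": {"get"},
    "/v1/payments": {"post"},
    "/v1/legacy/export": {"get"},   # documented but no longer called (zombie)
}

# Constructed gateway traffic sample as (method, concrete path) pairs.
OBSERVED = [
    ("GET", "/v1/accounts/1001"),
    ("GET", "/v1/accounts/1001/transactions"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/accounts/1001/documents"),   # undocumented sub-resource: shadow API
    ("DELETE", "/v1/accounts/2002"),           # undocumented method on a known path
    ("GET", "/internal/debug/config"),         # undocumented and apparently internal
]

NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")

def template(path):
    """Collapse numeric path segments to {id} so concrete URLs match spec paths."""
    return NUMERIC_SEGMENT.sub("/{id}", path)

def reconcile(documented, observed):
    """Return (shadow, zombie) as sorted lists of (method, templated path).

    shadow: operations seen in traffic with no documented counterpart, i.e.
            attack surface the inventory does not know about.
    zombie: documented operations with no traffic, candidates for retirement.
    """
    seen = {(method.lower(), template(path)) for method, path in observed}
    known = {(method, path) for path, methods in documented.items() for method in methods}
    return sorted(seen - known), sorted(known - seen)

if __name__ == "__main__":
    shadow, zombie = reconcile(DOCUMENTED, OBSERVED)
    print("shadow:", shadow)
    print("zombie:", zombie)
```

Shadow operations are the ones to prioritise for the vulnerability testing and risk assessment the text describes, since they have never been through the documented review path.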

Australian banks and financial institutions understand that neglecting API security can lead to severe consequences, including cyberattacks, data breaches, regulatory violations, financial losses, and reputational damage. However, to strengthen their defences against these risks moving forward, they will need to include API security as an important part of their overall security strategy where APIs are secured from code to runtime.

Reuben Koh
Reuben Koh is a Director of Security Technology & Strategy at Akamai Technologies where he provides deep thought leadership and advisory in helping clients align security strategies with their core business initiatives and digital transformation processes. He also works with Fortune 1000 enterprises and business partners across Asia Pacific & Japan in providing cybersecurity guidance and expertise, especially in domains such as Web Security, Zero Trust, SASE, XDR, network security and Security Operations. With close to 20 years of experience in cyber security, Reuben previously held prominent leadership roles with industry leaders such as Symantec, CA Technologies, VMware and Cisco Systems. Reuben also holds various industry certifications such as CISSP, CISA, CISM and ITIL.