
API abuse highlights dangers of unsafe open banking implementation

By Avash Maharaj, Head of Infrastructure, Cloud and Security, Blue Turtle Technologies

Johannesburg, 14 Apr 2023

Although banks in Africa lag their European counterparts in adopting open banking, inroads are still being made. The promise of fairness, competition and innovation, which are the hallmarks of open banking, remains an attractive proposition for those looking to facilitate the secure exchange of individual and business data held by banks with authorised third parties.

The allure of open banking is that it facilitates secure payments, account switching and other non-bank products and services. It is attractive in a continent where the African Continental Free Trade Area (AfCFTA) states still have over 400 million people who don't have access to financial services.

In South Africa, open banking falls under the remit of the intergovernmental fintech working group (IFWG), established in 2016, with participation from the National Treasury, the Financial Intelligence Centre, the Financial Sector Conduct Authority, the National Credit Regulator, the South African Reserve Bank, the South African Revenue Service and the Competition Commission. In Nigeria, The Open Technology Foundation is driving the Open Banking Nigeria initiative, and in Kenya, the Central Bank of Kenya issued a five-year digitalisation plan in 2020 to encourage the development of the payment industry.

The commonality among these plays is defining effective and secure data-sharing practices that open banking achieves through application programming interfaces (APIs). But there is a catch. With innovation and the adoption of new digital services or the addition of third-party providers, financial institutions end up building an expanded attack surface. According to Imperva, this expanding attack surface, coupled with the valuable data held by banks and other financial companies, accounts primarily for why the industry was hit by over a quarter of all cyber attacks (28%) in 2022 – double that of the next most-targeted sector.

How? Imperva Threat Research shows the volume of unmonitored traffic flowing through APIs has skyrocketed by 89% in the last year. With APIs forming the fundamental foundation of open banking and, in fact, every aspect of digital transformation, the financial services sector must get a handle on this traffic urgently.

Protect the foundations

APIs are crucial to digital services because they enable different applications to share data and 'talk' to each other. Crucially, the data they exchange often comes from backend databases, meaning APIs are a pathway to companies' most valuable asset – their data. Today, open banking is responsible for around 1 billion API calls in the UK per month, many of which contain sensitive customer information – each one made possible by APIs – and it is not difficult to see how similar numbers could be achieved across Africa in the coming years.

The security threat here is that about a third of traffic within the digital world goes through shadow APIs. Imperva’s Threat Research identifies shadow APIs as third-party APIs that are used but not tracked by a business or those that are used internally but are no longer supervised or supported, lie outside of the security team's visibility or have been forgotten about.

It's not just the security threat of these APIs that is a problem. They are also a genuine threat to governance frameworks, one that can severely compromise a bank's ability to maintain regulatory compliance. And if they are discovered, the problems can be far more severe. Remember, APIs can connect to backend databases, making them a target for hackers looking to exfiltrate sensitive information or compromise enterprise applications. Shadow APIs are a big back door that can be, and is being, left wide open, as one in every 13 cyber incidents is estimated to be related to API insecurity.

Three steps to eliminating shadow APIs and preventing API abuse

  1. Full visibility over every API within the organisation: APIs allow developers to deploy apps and services quickly and can just as quickly be produced and modified, which makes manual discovery and classification virtually impossible. A financial institution must automate this process and develop a complete API inventory that is continuously updated whenever a change is made in production, providing security teams visibility without slowing down developers.
  2. Establishing good governance for all APIs: Start with creating and applying common rules and security policies for using APIs. Good API governance ensures better decision-making regarding API programs, improves processes around building, deploying and consuming APIs, saves costs and ensures consistency. It also ensures that compliance with regulatory bodies is always adhered to.
  3. Visibility over the full schema of every API: It is essential to know where your APIs are and the data that they touch or traffic. Visibility into schemas lets a business define what an API endpoint uses and the data it touches, and compare that with a baseline of normal behaviour, which allows your security teams to better track and identify anomalies. By understanding the underlying payload, it is easier to ensure they are protected.

For this to be effective, security teams must apply this approach across legacy, hybrid and cloud-native environments. If only one area is monitored, API protection will remain fragmented, and if an API is left unguarded, it's a given that potentially sensitive traffic is also not monitored.
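A minimal sketch of steps 1 and 3, added here as an illustration and not taken from Imperva or Blue Turtle tooling: observed traffic is checked against a documented API inventory to surface shadow endpoints, and payload fields are compared with each endpoint's baseline schema. The inventory, the log record format and all endpoint and field names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory: documented endpoints and the payload fields each is expected to carry.
INVENTORY = {
    ("GET", "/v1/accounts/{id}"): {"account_id", "balance", "currency"},
    ("POST", "/v1/payments"): {"payment_id", "status"},
}

# Constructed traffic records, as a gateway or sensor might log them (hypothetical format).
TRAFFIC = [
    {"method": "GET", "path": "/v1/accounts/1001", "fields": ["account_id", "balance", "currency"]},
    {"method": "GET", "path": "/v1/accounts/1002", "fields": ["account_id", "balance", "currency", "national_id"]},
    {"method": "POST", "path": "/v1/payments", "fields": ["payment_id", "status"]},
    {"method": "GET", "path": "/v0/customers/export", "fields": ["name", "national_id", "email"]},
    {"method": "GET", "path": "/v0/customers/export", "fields": ["name", "national_id", "email"]},
]

def _compile(template):
    """Turn a path template such as /v1/accounts/{id} into an anchored regex."""
    parts = re.split(r"(\{[^/{}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def audit(inventory, traffic):
    """Return (shadow, drift): undocumented endpoints with hit counts, and
    documented endpoints seen carrying fields outside their baseline schema."""
    routes = [(method, _compile(tpl), (method, tpl)) for (method, tpl) in inventory]
    shadow = defaultdict(int)
    drift = defaultdict(set)
    for rec in traffic:
        path = rec["path"].split("?", 1)[0]  # ignore query strings when matching
        key = next((k for m, rx, k in routes if m == rec["method"] and rx.match(path)), None)
        if key is None:
            shadow[(rec["method"], path)] += 1  # traffic to an endpoint nobody documented
            continue
        extra = set(rec["fields"]) - inventory[key]
        if extra:
            drift[key] |= extra  # documented endpoint carrying undocumented data
    return dict(shadow), dict(drift)

if __name__ == "__main__":
    shadow, drift = audit(INVENTORY, TRAFFIC)
    for (method, path), hits in sorted(shadow.items()):
        print(f"SHADOW  {method} {path}  hits={hits}")
    for (method, tpl), fields in sorted(drift.items()):
        print(f"DRIFT   {method} {tpl}  unexpected={sorted(fields)}")
```

In practice the inventory would be generated from API specifications and refreshed on every production change, and the same check would run over traffic from legacy, hybrid and cloud-native environments alike.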

Getting the mix right

Financial institutions have always been the first door attackers knock on, not just for the financial payload but also for the data they can access. As a result, they are often early adopters of technologies that ensure they can meet regulatory compliance, enhance data protection and enforce application security. Unfortunately, open banking and other digital transformation initiatives have now opened a new dam hole for them to plug by way of shadow APIs.

Strong API protection is complicated. There is, unfortunately, no quick fix. But what we have seen at Blue Turtle is that when you focus on creating complete visibility of every API across all environments, map out the schema and underlying payload for each, use technology like Imperva to help and implement good governance practices, you can still benefit from open banking while protecting your business and your customers.
