Lax open API development could invite fraud through backdoor channels
Because big banks adapt slowly to new payments and financial technology, it means many modern APIs to better enable third parties don't exist yet.
APIs need to be designed with features such as defenses, proper authentication, batching, and throttling in mind. Without APIs designed for third parties such as aggregators, these third parties resort to using whatever does exist. Often this is a combination of automating web pages and using mobile APIs – the same ones consumers use.
But there’s a class of attack that exploits companies by interacting with these web pages the same way as customers. Attacks like credential stuffing and card cracking use existing web endpoints and APIs to facilitate fraud. Banks now need to segment their defenses into two more buckets: those for malicious actors and those from third parties..
Automating websites is nothing new. Dozens of such tools exist to simplify the process, but some third parties use these tools the same way attackers do and produce identical-looking traffic. When a defender can't discern between good and bad traffic, it has to give the good traffic a secret key past defenses.
This leads to backdoor access for third parties such as aggregators to automate logins, transactions, payments and reporting. The backdoor often disables major defenses like multi-factor authentication, bot mitigation, and rate limits. Third parties such as aggregators already attract the most sophisticated attackers for the credentials they store. Now, these same sophisticated attackers target aggregators to gain access to these backdoors.
Financial institutions need to move aggregators toward protected APIs to safeguard themselves and their users. Financial institutions need to interoperate with third parties like aggregators. However, it can't be at the expense of security, and financial institutions need to take action to provide modern APIs for aggregators.