FinTechTalk: Optimise APIs for sensitive financial data 

On 19 2024, FinTechTalk host Charles Orton-Jones was joined by John Heaton-Armstrong, Consultant, ex-Thredd, ex-Account Technologies; Dr Ritesh Jain, Founder, Infynit’ and Barry O’Donohoe, CEO and Co-Founder, Raidiam. 

  

Views on news 

Finance businesses, from banking and insurance to fintech, present a particularly attractive target for criminals. While there are many attack methods, cybercriminals have been homing in on a specific threat vector more frequently—application programming interfaces (APIs), web services that enable software applications to communicate with each other. In a study of finance and insurance cybersecurity practitioners, 1 out of 5 respondents have suffered an API security breach. It must be pointed out, however, that private APIs are a much bigger cause for concern than regulated ones are.

 

APIs actually range from the unprotected ones to the ones that are behind extremely strong protections. Ideally, the level of security should be set in line with the criticality of the information being protected and a fine balance should be struck between protection and accessibility. FAPI is a standard built on OAuth 2.0 and major organisations in the financial sector must be compliant with it.  

 

How can APIs go wrong and what can be done to prevent that  

APIs are fuelling innovation by enabling enterprises to distribute their services with developers and partners to create value. Developers who use APIs need seamless self-service interfaces that they can use when developing their apps or obtain authentication credentials. The speed of APIs is also an important factor as it’s key that the app connects quickly to data providers.

 

Credential theft is probably the biggest attack vector for APIs. In banking, you have MFA, but in other sectors that level of security would make accessing the service cumbersome. FAPI as a model prevents and bans the use of API keys and secrets (equivalents of username and passwords) and mandates the use of asymmetric keys and cryptography. With FAPI, you never send a key over the wire but retain it locally and use it to compute a one-time code that is used to authorise your access.

 

APIs today use access tokens, which are accepted without verifying whether the tokens are being used legitimately. With FAPI, you talk about bearers of access tokens. So, if someone just comes across it or steals it, they won’t get authorisation.  

 

Financial institutions can get a competitive advantage if they can demonstrate compliance with FAPI standards. If a business communicates to clients, regulators or insurers that it complies with the industry standard, they will immediately tick the box for security without asking any more questions. Challenges to security are bound to come where there is a transition to a new system. While off-the-shelf API products have upgrading capabilities, the two most frequently used APIs. i.e., the authorisation and the resource API – despite having the capability to operate in a secure fashion –tend to be configured for a low level of security.

 

This makes reviewing a company’s API security posture a key initial step. The FAPI security profile, the threat analysis and BCP (best current practice), which is an open standard and is kept constantly up to date, serve as a blueprint for secure API implementation.

 

This is something that you can set as a requirement for your suppliers as well. The job of mitigating risks related to APIs is a relatively straightforward job for CISOs. The standards and the tools are there on the market and it doesn’t involve any level of customisation. To manage the risk that comes with APIs, a business can take out insurance too, where, of course, the poorer the controls are, the higher the premium will be. In regulated markets, one trend is to apply the best practice standard across the whole API estate, i.e., to commercial APIs too.  

 

The panellists’ insights 

• You can go to the OPEN ID website and check if a provider’s products conform to the FAPI standard.  
• The longer you put off change, the more painful it will become.  
• Always be aware of the configurable options that are available in commercial products. 
• To learn more about API security, read Best Current Practices (BCP).