Open banking and API security: Best practices

Adopters of open banking can more effectively harden their security stance against future attacks, protect their data and customers with a holistic approach to API.

By Yaniv Balmas

Open banking is here to stay. Since its inception in 2018, usage has skyrocketed. Research from Simon Torrance and Bain Capital projects that new markets enabled by open banking will comprise $3.6 trillion market share by 2030. Open banking provides a multitude of opportunities for financial institutions to innovate while simultaneously providing customers with improved access to their money and financial data. Its rapid adoption shines a light on consumers’ desire for better control over their finances and an improved digital customer experience through differentiated service offerings.

Through open banking, consumers have the ability to evaluate competing banking services at their fingertips and ultimately, more control over their financial lives. At the core of this new way of banking are application programming interfaces (APIs), which connect, enable and streamline the flow of financial data between financial institutions.

APIs: the core of open banking’s functionality

APIs enable financial institutions to standardize how they create and connect to an ecosystem of providers to exchange financial data, making them critical to open banking. In open banking systems, banks provide access to their proprietary APIs so that fintech providers and third-party developers have access to their financial data. The data is then in turn used to build and refine additional applications and services, creating partnerships rather than competition between these stakeholders. However, this is not without its challenges. Open banking still enables a relatively low bar when it comes to security requirements.

Encryption, authentication and authorization are the main parameters addressed in open banking. To standardize initiatives, all open banking APIs have been designed and documented to support open banking regulations. Authentication and authorization protocols like OpenID Connect (OIDC) and OAuth 2.0 help drive a more collaborative and connected approach to the exchange of data between financial institutions.

However, they only scratch the surface when it comes to the complex security challenges created by APIs. With the combination of different services under the open banking umbrella, numerous APIs must interact together. All of these APIs have their own unique logic. A single financial institution could have hundreds, if not thousands, of APIs—all unique—making it nearly impossible to standardize parameters for the implementation of authorization.

Increasing API attacks and heightened risk

Open banking’s reliance on APIs has made APIs prime targets for cyberattacks. Gartner has predicted that it expects API attacks and related breaches to double by 2024; meanwhile, API security threats have increased in frequency and complexity. The Salt Labs State of API Security Report Q1 2022 found that API attack traffic has increased 681 percent in the past 12 months—more than double the amount of overall API traffic. Because of the tremendous amount of valuable data held by financial institutions and fintech firms, they are the perfect prey for criminal actors.

Additionally, APIs often implement complex business logic. This, combined with multiple external and internal APIs, often developed by different teams with different design approaches, creates a complex and vulnerable environment.

Best practices for protecting banking APIs

Adopters of open banking can more effectively harden their security stance against future attacks, protect their data and customers with a holistic approach to API security that is better suited to protect modern architectures. Financial services providers must consider newer architectures that emphasize big data, artificial intelligence and machine learning ML approaches to capture and analyze large amounts of API traffic in order to detect and stop API attacks throughout the entire lifecycle.

These enhanced security capabilities will continuously work towards uncovering various threats and can enable security teams to have tailored feedback and visibility into all APIs, including shadow and zombie APIs that run without their knowledge and can be susceptible to overlooked vulnerabilities and flaws. This would ultimately allow API teams to have the necessary guidance on how to remediate any detected API issues.

Organizations can’t afford to look at transactions in isolation with traditional technologies like API gateways or WAFs, nor can they rely on authentication, authorization, and encryption alone. Gaps in API security posture leave customer credentials exposed and potentially enable fraudulent activity.

Closing the security gaps in open banking

The safety of critical information should be front of mind when it comes to open banking. Until requirements can be standardized, organizations must be conscientious of best practices to address the unique security needs of APIs.

With a dedicated API security solution leveraging AI and ML, institutions can begin to close security gaps, correctly identify attacks and safeguard the new opportunities being driven by open banking. A purpose-built API security solution gives instant insights into what normal API usage looks like versus abnormal behaviors. Organizations can quickly spot vulnerabilities before an attacker has the opportunity to find, exploit and abuse them, ultimately providing a more protected approach to open banking.

Yaniv Balmas is the VP for research at Salt Security, leading the company’s research division, Salt Labs.