Top 10 Fintech API Security Risks and Challenges

Over the last 5 years there has been a substantial increase in the digitalization of the world economy, and fintech APIs (application programming interfaces) have contributed substantially to this digital upscaling. Financial services are increasingly adopting APIs, which has produced a rapid burst of new fintech super apps, business models, and financial services. APIs in the digital payments landscape have been a driving factor for the fintech industry. According to Postman's 2021 State of the API Report, 49% of respondents said that more than half of their organization's development effort was spent on APIs in 2021, compared to just over 40% in 2020. The same report underscores that organizations will continue investing in APIs: 94% of respondents stated that investment of time and resources into APIs will increase or stay the same in 2022.

There has also been a significant rise in the deployment of payment touchpoints, driven by the implementation of the PIDF. According to the Reserve Bank of India (RBI), the total number of digital payments in March 2022 had risen by 216% in volume and 10% in value compared with March 2019.

RBI data shows an increase of more than 500% in merchants accepting digital modes of payment during the half-year ended September 2021 compared with the half-year ended March 2019. Looking at UPI alone, the increase over the same period is more than 1200%.

But what does it mean for fintech companies? Let us first understand what fintech APIs are before diving deeper into the subject.

What are Fintech APIs?

An application programming interface, or API, is a set of definitions and protocols that allow different systems to interact with one another. A fintech API, or financial technology API, allows data access across the different parties involved in a financial transaction. These parties can be banks, websites or apps, third-party providers, and consumers or end users.

Moreover, fintech API is at the core of seamless customer experience since it renders a seamless checkout experience while also displaying transaction details across the app and on the bank’s website.

There are three types of APIs:

  • Private API- Used only by an organization or internal team (58%)
  • Partner API- Shared only with integration partners (27%)
  • Public API- Openly available on the web (17%)

API Exposure, Open Banking & Digital Payments

In the wake of new regulations for electronic payment services (PSD2), European and Asia-Pacific nations have placed pressing importance on API-driven collaboration between fintech companies and conventional financial services. These regulations make it mandatory for banks to create and expose APIs that enable third parties to use customer data with the customer's consent.

Three parties that are inherently reliant on APIs (Fig. 1) share data with one another: banks, which need to be part of an open banking system; merchants, which must let customers pay with their preferred method; and consumers, who want to transfer funds and perform transactions through apps. Hence, the increasing dominance of APIs in the fintech ecosystem is easy to understand.

Fig. 1: Connection between banks, customers and merchants

Despite their popularity, API security threats are a critical concern among fintech organizations. In this insight, we aim to discuss these API security posture challenges comprehensively.

API: The Most Frequent Attack Vector

Gartner suggests that 90% of applications will have more attack surface in the form of exposed APIs than in the user interface. This has become a huge security concern for financial institutions and fintech companies, both of which must maintain competitiveness and customers' trust to thrive.

Some of the most critical API security risks include insufficient logging and monitoring, broken object-level, user-level and function-level authorization, excessive data exposure, and security misconfiguration.

Types of Fintech API Security Incidents

  • Data Exfiltration- Vulnerable APIs can be exploited to gain access to sensitive customer account data and other PII.
  • Account Takeover (ATO)- Attackers target an API's authentication endpoints to take over customer accounts. ATOs typically appear in the form of brute-force attacks and credential stuffing.
  • Service Disruption- DDoS attacks against business logic slow down or deny service.
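The two ATO patterns above look different in authentication logs: brute force is many failures against one account, while credential stuffing is one source failing against many different accounts. The script below is an added example, not code from the original post; it runs a simple sliding-window check over a few constructed log lines in a hypothetical format (timestamp, client IP, endpoint, user=..., result=...), and the thresholds and window are assumptions to be tuned per deployment.

```python
"""Added example (not from the original post): flagging brute-force and
credential-stuffing patterns in API authentication logs.  The log format,
thresholds and sample lines below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format:
# <timestamp> <client-ip> <endpoint> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2022-07-01T10:00:01Z 198.51.100.7 /v1/login user=alice result=fail
2022-07-01T10:00:02Z 198.51.100.7 /v1/login user=alice result=fail
2022-07-01T10:00:03Z 198.51.100.7 /v1/login user=alice result=fail
2022-07-01T10:00:04Z 198.51.100.7 /v1/login user=alice result=fail
2022-07-01T10:00:05Z 198.51.100.7 /v1/login user=alice result=fail
2022-07-01T10:00:06Z 192.0.2.10 /v1/login user=grace result=ok
2022-07-01T10:01:00Z 203.0.113.9 /v1/login user=bob result=fail
2022-07-01T10:01:01Z 203.0.113.9 /v1/login user=carol result=fail
2022-07-01T10:01:02Z 203.0.113.9 /v1/login user=dave result=fail
2022-07-01T10:01:03Z 203.0.113.9 /v1/login user=erin result=fail
2022-07-01T10:01:04Z 203.0.113.9 /v1/login user=frank result=fail
2022-07-01T10:01:05Z 192.0.2.11 /v1/login user=heidi result=fail
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields (assumed format above)."""
    ts, ip, endpoint, user_kv, result_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "endpoint": endpoint,
        "user": user_kv.split("=", 1)[1],
        "result": result_kv.split("=", 1)[1],
    }


def detect(lines, window=timedelta(minutes=5), brute_threshold=5, stuffing_threshold=5):
    """Return a list of findings; each is emitted once, when its threshold is first reached.

    brute_force         - one account accumulates `brute_threshold` failures inside `window`
    credential_stuffing - one source IP fails against `stuffing_threshold` distinct
                          accounts inside `window`
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    fails_by_user = defaultdict(list)   # user -> failure timestamps still inside the window
    users_by_ip = defaultdict(dict)     # ip -> {user: last failure timestamp}
    alerted = set()                     # (kind, key) pairs already reported
    findings = []
    for ev in events:
        if ev["result"] != "fail":
            continue
        # Brute force: keep only this account's failures still inside the window.
        recent = [t for t in fails_by_user[ev["user"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        fails_by_user[ev["user"]] = recent
        if len(recent) >= brute_threshold and ("brute_force", ev["user"]) not in alerted:
            alerted.add(("brute_force", ev["user"]))
            findings.append(("brute_force", ev["user"], ev["ip"]))
        # Credential stuffing: count distinct accounts this IP has failed against recently.
        seen = users_by_ip[ev["ip"]]
        seen[ev["user"]] = ev["ts"]
        distinct = sum(1 for t in seen.values() if ev["ts"] - t <= window)
        if distinct >= stuffing_threshold and ("credential_stuffing", ev["ip"]) not in alerted:
            alerted.add(("credential_stuffing", ev["ip"]))
            findings.append(("credential_stuffing", ev["ip"], distinct))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample the check reports one brute-force finding for the account `alice` from 198.51.100.7 and one credential-stuffing finding for 203.0.113.9, while the single failure for `heidi` and the successful login stay silent. The two counters are deliberately separate: a per-account counter alone misses stuffing, because each account sees only one failure, and a per-IP counter alone misses distributed brute force against one account.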

Critical Challenges of Fintech API Security

By 2025, less than 50% of APIs will be managed, since the explosive growth in APIs is outpacing the capabilities of API management tools. This increase in API security threats prompted the Open Web Application Security Project (OWASP) to list the top 10 most serious API security issues, which are discussed below.

  1. Broken Object-Level Authorization- APIs often expose endpoints that handle object identifiers, which creates a wide attack surface for object-level access control flaws when the server does not verify that the caller is entitled to the object it names.
  2. Broken User Authentication- Incorrect implementation of the authentication mechanism tends to allow authentication tokens to be compromised or implementation flaws to be exploited. In such scenarios, attackers can assume others' identities, either permanently or temporarily. API security is hence compromised when a system cannot reliably identify a client or user.
  3. Excessive Data Exposure- When developers expose all object properties in generic implementations without considering the sensitivity of each one, it can lead to a major API security breach. Clients should not be relied on to filter data before it is shown to a user.
  4. Lack of Resources & Rate Limiting- A client or user may request any number or size of resources, and the API does not restrict that number or size. This can degrade the performance of the API server and cause Denial of Service (DoS), and it leaves an open invitation to authentication attacks such as brute force.
  5. Broken Function Level Authorization- Authorization flaws can occur because of the complexity of access control policies within an organization. Attackers exploit these issues to gain access to administrative functions or other users' resources.
  6. Mass Assignment- When client data (e.g. JSON) is bound to data models without filtering properties against an allow-list, it leads to mass assignment. This lets attackers modify object properties they should not control, and they can discover those properties by exploring other API endpoints, guessing property names, supplying additional properties, or reading the documentation.
  7. Security Misconfiguration- This can result from ad-hoc configurations, insecure or incomplete default configurations, unnecessary HTTP methods, misconfigured HTTP headers or Cross-Origin Resource Sharing (CORS), and verbose error messages that contain sensitive information.
  8. Injection- Injection flaws include Command Injection, NoSQL injection, and SQL injection. They result from sending untrusted data to an interpreter as part of a query or command. An attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without authorization.
  9. Improper Assets Management- APIs tend to expose more endpoints than conventional web applications, and there may also be exposed debug endpoints and deprecated API versions. This places a high value on up-to-date documentation and an inventory of deployed API versions.
  10. Insufficient Logging & Monitoring- When this is accompanied by missing or ineffective integration with incident response, it leaves the door open for attackers to pivot to more systems. It allows attackers to tamper with data, which can be extracted or destroyed, and both can be used to attack the system further. It could take well over 200 days to detect an API security breach of this kind.
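To make items 1, 3 and 6 of the list concrete, here is the same account-update endpoint written twice: once with all three flaws, and once hardened with an ownership check and explicit allow-lists on both the request body and the response. This is an added example and not the post's own code or any framework's API; the Account fields, the in-memory store and the request body shape are assumptions.

```python
"""Added example (not from the original post): one account-update handler
written two ways, showing Broken Object-Level Authorization, Excessive Data
Exposure and Mass Assignment from the OWASP API Security Top 10.  The
Account fields, the store and the request body shape are assumptions."""
from dataclasses import dataclass, asdict


@dataclass
class Account:
    id: int
    owner: str            # authenticated username that owns the account
    display_name: str
    balance: int          # minor units; only ledger code may change this
    is_admin: bool
    api_key_hash: str     # server-side secret, never meant for clients


class Forbidden(Exception):
    """Caller may not act on this object (object-level authorization)."""


class BadRequest(Exception):
    """Body contains fields the client is not allowed to write."""


def seed_store() -> dict:
    """Fresh in-memory store standing in for the database (constructed data)."""
    return {
        1: Account(1, "alice", "Alice", 10_000, False, "hash-a"),
        2: Account(2, "bob", "Bob", 500, False, "hash-b"),
    }


# --- Vulnerable handler: BOLA, mass assignment and excessive exposure at once
def update_account_vulnerable(store: dict, caller: str, account_id: int, body: dict) -> dict:
    acct = store[account_id]
    # BOLA: `caller` is never compared with acct.owner, so any authenticated
    # user can edit any account id they supply.
    # Mass assignment: every key in the client body is bound onto the model,
    # including balance, is_admin and api_key_hash.
    for key, value in body.items():
        setattr(acct, key, value)
    # Excessive data exposure: the whole object, secret included, is returned
    # and the client is left to decide what to show.
    return asdict(acct)


# --- Hardened handler: explicit allow-lists on input and output
CLIENT_WRITABLE = frozenset({"display_name"})        # fields a client may set
CLIENT_READABLE = ("id", "display_name", "balance")  # fields a client may see


def update_account_hardened(store: dict, caller: str, account_id: int, body: dict) -> dict:
    acct = store.get(account_id)
    # Same response for "missing" and "not yours", so ids cannot be enumerated.
    if acct is None or acct.owner != caller:
        raise Forbidden(account_id)
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:
        # Reject instead of silently dropping, so attempts show up in logs.
        raise BadRequest(sorted(unknown))
    for key in CLIENT_WRITABLE & set(body):
        setattr(acct, key, body[key])
    # Serialize only the fields the client is entitled to see.
    return {k: getattr(acct, k) for k in CLIENT_READABLE}


def try_update(handler, caller: str, account_id: int, body: dict):
    """Run a handler against a fresh store; return ('ok', result) or ('error', name)."""
    try:
        return "ok", handler(seed_store(), caller, account_id, body)
    except (Forbidden, BadRequest) as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    tampered = {"display_name": "Mallory", "balance": 9_999_999, "is_admin": True}
    print(try_update(update_account_vulnerable, "bob", 1, tampered))
    print(try_update(update_account_hardened, "bob", 1, tampered))
    print(try_update(update_account_hardened, "alice", 1, tampered))
    print(try_update(update_account_hardened, "alice", 1, {"display_name": "A."}))
```

Run as a script, the vulnerable handler lets `bob` rewrite account 1 (owned by `alice`), including its balance and admin flag, and echoes back the stored key hash; the hardened handler refuses the same request outright, rejects `alice` writing to fields outside the allow-list, and for a legitimate rename returns only `id`, `display_name` and `balance`. Returning the same error for a missing object and for someone else's object is deliberate: a distinguishable response would itself leak which identifiers exist.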

API Security Attacks can be Ruthless and Relentless

The increase in API usage and traffic has led to more attacks, which leave fintech companies vulnerable. Data from Salt Security (a leading security research firm that identifies API security vulnerabilities) reveals that 34% of its customer accounts experienced over 100 attacks per month in July 2022, and another 15% experienced 500 or more attempted attacks per month, up from 11% a year ago.

Nearly half (47%) of the respondents indicate that they have identified vulnerabilities in production APIs, 38% have experienced authentication problems, and 31% have seen sensitive data exposure and privacy incidents.

These numbers call for an urgent and immediate effort to mitigate the API security challenges and risks mentioned above. In the following insight, we suggest a technology roadmap for a winning fintech API security platform.

If you need to discuss API security with us, drop us a hello and let us wrap our head around your query to develop a feasible solution.