Intelligent CIO APAC Issue 19 | Page 73

INDUSTRY WATCH
The security implications
Clearly, open banking offers valuable service benefits and conveniences. There are, however, perils for the unwary, and the technology is considered by some to be a significant threat.
So what are the security implications of open banking?
As mentioned earlier, the process opens customers’ data to external third-party providers via published open APIs. Easy to build and easy to consume, APIs speed up application development while enabling the sharing of sensitive data between systems.


According to a survey by my company, more than half of applications in nearly two-in-five organizations are exposed to the Internet or third-party services via APIs.
The challenge is that a high percentage of organizations fail to maintain the same security practices for mobile applications as they do for web applications. So, while APIs bring tremendous benefits, they also introduce availability and security concerns that consumers and financial institutions alike must be aware of. They include:
Service disruption: Dependence on third-party APIs and components may lead to unintended service disruptions if API services are unavailable due to security, network and application configuration errors, API denial of service attacks, or application or authentication infrastructure outages.
Trust issues: Many solutions for open banking are built on cloud-only or hybrid infrastructures. However, according to the company report, migration to public clouds creates trust issues. These include incompatibility of security solutions, configuration challenges across different environments, misconfigurations, and issues around application security policies and profiles.
Increased attack surface: API attacks are not uncommon. A survey by my company revealed that 55% of organizations experience a DoS attack against their APIs at least monthly, 48% receive some form of injection attack at least monthly, and 42% experience an element/attribute manipulation at least monthly.
Other attacks include API authentication and authorization attacks, embedded attacks such as SQL injection, cross-site scripting (XSS) and bot attacks.
Bot attacks on APIs: Bot attacks are human-like automated programs scripted to break into user accounts, steal identities, initiate payment fraud, scrape content such as pricing or data, spread spam and impact legitimate business activities.
Data theft: Many APIs process sensitive personally identifiable information (PII). The combination of sensitive and confidential information coupled with the lack of visibility into how these APIs and third-party applications operate is a security nightmare in the case of a breach.
Undocumented but published APIs: Undocumented APIs may accidentally expose sensitive information if not tested and may be open to API manipulations and vulnerability exploits.
Because threats vary, API security requires a combination of security controls. This includes API access controls for authentication, authorization and access management. It also includes detecting and preventing:
• Bot attacks on APIs
• API manipulations
• DDoS and availability attacks
• Embedded attacks
• API vulnerabilities
• Leakage of PII data and excessive data exposure
• Fraud and phishing scams
How to secure open banking: The basics are not enough
When it comes to building a comprehensive and effective security solution for open banking, the ‘basics’ are no longer enough. Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.