Consumers are preparing to inject the digital economy with an estimated “$843-859 billion this year, more than double what they were in 2002, when total holiday sales hit just $416.4 billion.”
Ultimately this will all pass through financial service institutions. Whether payments are processed through Apple Pay or Venmo, PayPal or a debit card, there is always involvement with an account at a financial services institution.
This, naturally, leads to attempts by malicious actors to gain access to those accounts, especially through FinTechs. Whether via scams, such as those experienced by Zelle users or Robinhood customer service employees, or directly via credential stuffing or brute force, attacks can produce windfalls for those who persist in their efforts.
Most successful breaches we hear about today are executed directly against the user interfaces of a financial services institution: a web app, text message, or email. It is troubling, then, to consider the potential impact of explosive API growth that fuels the digital financial ecosystem—and the implications of associated third-party risks, which criminal organizations are quickly recognizing as a lucrative attack vector.
APIs are Increasingly Attractive to Criminal Organizations
Consumers today are presented with an increasingly diverse payment ecosystem from which to fund their holiday spending splurge:
- More than 2 out of every 3 Gen Z shoppers plan to shop via nontraditional channels such as Instagram, WhatsApp, and livestreams this holiday season.
- According to an NPD survey from June 2021, more than 50% of consumers say they have made purchases via Instagram or Facebook. 15% of those consumers named TikTok as a social media platform where they discover and learn about products. (Source: 2021 Holiday Shopping Ecommerce Stats & Trends)
A thriving payment ecosystem relies on APIs to facilitate digital financial transactions. Standardization supports the need for fast, secure transactions that satisfy impatient consumers and lets a digital business adapt and grow. The leading standard today is FDX (Financial Data Exchange), which as of September 2021 boasts 22 million consumer accounts using the FDX API for open finance data sharing. Notably, this has resulted in a significant increase in the volume of API calls, which have surged to just shy of 2 billion per month. (Source: FinExtra)
A recently published report from F5's Office of the CTO, “Continuous API Sprawl: Challenges and Opportunities in an API-Driven Economy,” notes the rapid proliferation of APIs and the governance and security risks this poses.
It found that APIs, which power everything from digital payments to entertainment services and enable robust marketplaces, currently number around 200 million. By 2030, that figure could reach 1.7 billion.
Coupled with findings from F5 Labs research showing that the number of API security incidents, many of which involve third parties such as FinTechs, is growing every year, financial institutions have a lot more to worry about than the potential for imminent regulatory action and competitive forces.
Defending the Digital Economy
Securing APIs and protecting consumers and business against fraud is an increasingly important focus for digital firms in all industries, but especially those in the financial services industry.
Furthermore: “Different development teams working on multiple applications often use disparate toolsets. That means traditional security teams may not own a centralized point of control to enforce security. This requires a standard set of tools to embed the right controls into the API development and management processes.” (Source: F5 CTO Security Renuka Nadkarni, Secure the FDX API to Defend Data in Open Banking)
The F5 open banking solutions guide provides a comprehensive approach to F5 solutions for open banking. Additionally, Nadkarni notes that "FDX has published comprehensive advice regarding the controls that should be implemented in order to protect from threats and risks to consumer accounts information and service integrity." These controls include:
- Software security—control for the OWASP top 10 and other software vulnerabilities—including deploying a web application firewall (WAF)
- Network and systems security
- Operational security
- Physical security
- Business continuity and disaster recovery
- Supplier security
- Design patterns for authN/authZ including controls for credential stuffing
- Patterns for a secure gateway architecture (SGA), including API security controls baked into the API gateway
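The credential-stuffing control listed above is usually implemented at the API gateway, where every token or login request for the FDX endpoints passes through one choke point. The following is an added illustration, not code from F5, FDX or the post: a small detector that reads constructed gateway access-log lines (the log format, the `/token` path, the use of HTTP 401 as the failure signal, and the thresholds are all assumptions) and flags a source IP that tries many distinct usernames with a high failure rate inside a short window. A single user failing repeatedly is deliberately not flagged, since that pattern is a forgotten password rather than a stuffing run.

```python
"""Added example (not part of the F5 post or the FDX specification):
flag credential-stuffing behaviour in API gateway access logs.

Assumed log format (constructed for this example):
<ISO timestamp> <client IP> <method> <path> user=<name> status=<code>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.7 cycles through many usernames
# and mostly fails; 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2021-11-20T10:00:01Z 203.0.113.7 POST /token user=alice status=401
2021-11-20T10:00:02Z 203.0.113.7 POST /token user=bob status=401
2021-11-20T10:00:03Z 203.0.113.7 POST /token user=carol status=401
2021-11-20T10:00:04Z 203.0.113.7 POST /token user=dave status=401
2021-11-20T10:00:05Z 203.0.113.7 POST /token user=erin status=200
2021-11-20T10:00:06Z 203.0.113.7 POST /token user=frank status=401
2021-11-20T10:00:10Z 198.51.100.4 POST /token user=grace status=401
2021-11-20T10:00:20Z 198.51.100.4 POST /token user=grace status=401
2021-11-20T10:00:30Z 198.51.100.4 POST /token user=grace status=200
2021-11-20T10:01:00Z 192.0.2.9 POST /token user=heidi status=200
"""


def parse_line(line):
    """Split one access-log line into a dict of typed fields."""
    ts, ip, _method, path, user_kv, status_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "path": path,
        "user": user_kv.split("=", 1)[1],
        "status": int(status_kv.split("=", 1)[1]),
    }


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_rate=0.75):
    """Return {ip: stats} for sources whose recent activity looks like
    credential stuffing: many distinct usernames AND a high failure rate
    within `window`. The failure-rate condition keeps a busy NAT address
    full of legitimate logins from being flagged on user count alone."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # sliding window of events within `window`
        for event in events:
            recent.append(event)
            while event["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {e["user"] for e in recent}
            failures = sum(1 for e in recent if e["status"] == 401)
            fail_rate = failures / len(recent)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                # Keep the latest (largest) window stats for the report.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(recent),
                    "failures": failures,
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

In a real gateway the same signal would feed a rate limit or step-up authentication rather than only a report, and the username count would be complemented by other indicators (user-agent churn, known proxy ranges, per-account failure spikes), since a distributed run spreads attempts across many IPs to stay under any single-source threshold.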
Finally, it is important to note that defending financial data—whether in flight or at rest—is increasingly important in a digital-as-default economy. While the risk of fraud to business is certainly considerable, the risk to consumers is even greater.