Application Programming Interfaces (APIs) are essential for B2B payments as they are able to process these transactions in a fraction of the time it would take to transfer funds via wire or paper check. Eighty percent of U.S. banks were exploring real-time payments as of 2018, providing their FinTech partners with their APIs, enabling them to quickly and easily access the data they need to develop these payment portals.
These implementations have provided customers with unparalleled B2B payment speed and seamlessness, but the increased use of API-powered digital payment channels has opened new doors for fraudsters. APIs present new entry points for bad actors, who often infiltrate them through developer portals or other login paths. Multiple third-party apps, including payments and budgeting apps, leverage bank APIs, which means that when fraudsters gain access it can negatively impact every other app that requires these APIs to function.
Banks are thus deploying various security measures to keep themselves, their customers and their FinTech partners safe. The following Deep Dive explores the threats fraudsters pose to B2B APIs, the techniques they use to exact their schemes and the security methods financial institutions (FIs) are deploying to stop them.
API Security Threats
Fraudsters appear to be targeting APIs more often as banks’ usage of such tools becomes widespread. A recent study found attacks against APIs comprise up to 75 percent of all credential abuse attacks — schemes that see bad actors using compromised passwords to gain access to sensitive systems — against FIs and other financial services players. The study also found that 16.55 billion of the 85.42 billion total credential abuse attacks conducted between December 2017 and November 2019 targeted API endpoint hostnames, for example, and that 473.3 million were against the financial industry.
Credential abuse attacks involve hackers attempting simultaneous logins through bots or other automated tools, using credentials pilfered from bank customers or purchased from dark web marketplaces. The advantage of targeting API endpoints, rather than bank and financial app login portals, is that fraudsters can skip front-end authentication procedures and thus avoid any security features there and speed up their login attempts.
These attacks are just one of the security threats B2B APIs face, however. SQL injections comprised more than 65 percent of all internet application attacks between November 2017 and March 2019. This method sees hackers inserting hidden commands into APIs’ codes that allow them to control the behavior of any app connected to a compromised API. They might order the API to accept invalid app login attempts, for example, or grant them access to personal customer data like account numbers, passwords or stored biometric information. These attacks can be difficult to stop even if identified, though, as API security systems are often unable to detect the unwanted commands’ sources. This allows attackers to try as many times as they wish, even if the first attack was discovered and canceled.
Distributed denial of service (DDoS) is another common API attack vector in which hackers attempt to overwhelm API security systems with a large number of login or data requests. This method is not as widespread as SQL injections but it is still a significant threat to the financial industry as more than 800 incidents were recorded between December 2018 and May 2019. APIs can typically detect and block excessive traffic from a single source, but they are defenseless against overwhelming requests from multiple locations at once. Hackers leveraging DDoS attacks typically conduct these attacks from several systems and devices at the same time while carefully ensuring that no single device submits enough requests to be blocked.
This diverse array of API fraud tactics requires banks to have equally diverse defenses to protect themselves, their customers and their developer partners. Anyone victimized by API fraud at their bank is likely to abandon the FI, making protection critical not only to protecting money and personal data, but also to maintaining customer loyalty.
Protecting APIs
API protection begins with ironclad user verification, such as multifactor authentication (MFA) systems that rely on input from users besides their passwords, like codes sent to their phones via text messages or biometric inputs like fingerprints. These authentication methods can stop credential abuse fraudsters at the point of entry as passwords and other obtainable login data will be insufficient on their own. Studies have found that using MFA can prevent more than 99.9 percent of attacks that rely on stolen credentials, for example, making such solutions an imposing obstacle for hackers armed with pilfered passwords.
Regularly rotating API keys — the unique identifiers that authenticate the users and developers accessing APIs — can also strengthen security efforts. Periodically issuing new keys means any that were stolen will only be useful for short time spans, much like how websites require users to regularly change their passwords to keep their accounts secure.
Both methods only work to secure points of entry, however, so backup security solutions are needed to identify and block hackers who make their way into APIs’ codes. Anomaly detection systems have shown much promise in detecting bad actors at work, especially those that leverage SQL injections. These platforms deploy machine learning (ML) protocols that sort through thousands of daily API transactions to establish baseline behaviors. Unusual commands, login attempts or transactions are then spotted and flagged or blocked, with ML systems detecting up to 65 percent of all fraud attempts.
No single security system is 100 percent effective, however, meaning FIs will need to deploy multilayered defense systems that incorporate many techniques to reduce API fraud. Banks should also stay vigilant once their security systems are deployed as hackers are continually working to find new vulnerabilities and will exploit them as they emerge. Constant updates and innovation will thus be required to maintain fortified systems and keep FIs and their customers safe.