APIs in Banking
Carlo De Micheli, Zoran Gorgiev
Although we imagine them as impregnable fortresses on par with the Walls of Constantinople, banks and financial organizations are as susceptible to malicious exploits as any other business.
As an illustration, in 2022, a security researcher wrote a relatively simple Python script that targeted a banking API. The researcher relied only on a user’s phone number—a piece of information you can find online on LinkedIn—to call a banking API endpoint and get all the available user information, such as full name, balance, and email address.
APIs can be treasure troves of banking data. If you don’t secure them properly, someone with malicious intent will find a way to steal money or sensitive data. As is so often said in cybersecurity, a cyberattack is no longer a question of whether but only of when.
Here, you’ll read about modern banking, what role APIs play in it, how insecure they’ve been found to be, and how to start changing that.
Banking, Fintech, and Open Banking
When we hear of traditional banking, we think of brick-and-mortar objects, long and cumbersome procedures, and a bit of an uncomfortable experience at the bank counter. But as with everything else, modern technology and computers have changed the banking industry, too. Two major changes that have heavily influenced and transformed traditional banking are fintech and open banking.
Fintech (Financial Technology)
Fintech refers simply to the comprehensive use of computers and modern technology in finance and banking. The benefit of widespread accessibility of financial services is one crucial reason for fintech’s rapid adoption.
What’s the difference between fintech and traditional banking?
Unlike traditional banking, fintech relies on Big Data, AI, and cloud computing to create a streamlined user experience. However, traditional banking is much more regulated, which is good because it affords clients higher financial and data security.
Since banks have been adopting new financial technologies for some time now to make their clients’ lives easier, today, we have the best of both worlds in the same entity—the modern bank.
Fintech services include:
- Cryptocurrency (blockchain)
- Online payment
- Mobile banking
- Crowdfunding
- Digital wallets
- Stock trading
- Insurance
Some examples of famous fintech companies are the following:
- Stripe
- PayPal
- Square
- Venmo
- Revolut
- Coinbase
- Western Union
- Wise (TransferWise)
Open Banking
Open banking means third-party service providers and apps can access banks’ customer data through APIs. By third-party service providers, we mean entities such as fintech firms, other banks, and payment providers.
Open banking became mandatory in Europe in 2019. That meant all banks have had to expose APIs in the past four years, even those using them privately.
Some of the benefits of open banking for traditional banks are the following:
- Expanded client base due to new ways and channels of reaching people
- Personalized banking user experience, thanks to the possibility of gaining insight into user behavior and preferences through different technologies
The Role of APIs in Today’s Banking
What function do APIs perform in today’s banking? How important and widespread are they in this industry?
Whenever someone mentions digital transformation and apps in the banking context, we hear APIs. APIs are critical to banking digitalization and are what made the rise of online, mobile, and open banking possible.
APIs connect traditional banks and the world of fintech. They make banking services accessible to anyone through web and mobile applications and programs, regardless of location and other physical obstacles.
In addition, APIs allow different banking applications, application parts, and programs to talk to each other and share data, making for a smooth and convenient user experience.
Some compare banking APIs to user interfaces. Just like user interfaces allow users to work conveniently with all sorts of apps and programs, banking APIs make it possible for banking apps and programs to interact with each other and work together.
When we say “work together,” we mean integrating banking with other services. For instance, if you do online trading or buy and sell crypto coins and connect these services with your bank account to transfer funds, APIs make this integration possible.
To make a long story short, if you can imagine modern banking and finance without apps and the Internet, you can imagine banking without APIs. That’s how widespread they are.
Alissa Knight’s Findings
Alissa Knight is one of the most authoritative ethical hackers in API security. Recently, she published a comprehensive report of her findings during her penetration tests of various finance and banking entities.
Alissa tested 55 different financial service providers falling within three categories:
- Traditional banks with digitalized services and apps
- Neobanks, i.e., strictly digital banking services
- Cryptocurrency exchanges
In her attacks, she used tools such as:
- MobSF to reverse engineer mobile apps, perform static code analysis, and find hardcoded API secrets
- Mitmproxy, an open-source HTTPS proxy tool, to intercept traffic between banking apps and API servers
- Postman, an API client, to analyze and experiment with API requests and responses
Out of the 55 organizations she tested:
- All but one had hardcoded API tokens and keys
- All were exploitable through a (wo)man-in-the-middle attack
- All were vulnerable to Broken Object Level Authorization (BOLA) attacks
- Many suffered from Broken Authentication
- Some lacked API endpoint visibility, which falls under Improper Inventory Management
In addition, Alissa found that:
- Many organizations protected their APIs behind WAFs (web application firewalls), which turned out to be utterly inadequate API security mechanisms.
- The same developers worked on different banking-related projects, which dramatically increases the probability of the same vulnerable code being replicated across various environments.
- An organization’s size and assets were irrelevant to securing APIs. Identical vulnerabilities plagued all the tested banks, regardless of whether a bank had a client base of thousands and an asset value of a few million or millions of customers and a few trillion dollars in assets.
Due to the discovered API vulnerabilities, Alissa could perform various malicious actions, including changing any bank client’s debit card ATM PIN code and transferring money in and out of accounts.
The Coinbase Hack
Coinbase is one of the top five cryptocurrency exchange platforms. It allows you to buy and sell, as well as store and transfer popular cryptocurrencies such as Bitcoin and Ethereum.
An ethical hacker with the peculiar name Tree_of_Alpha disclosed a Coinbase API vulnerability on February 11, 2022, on X (Twitter). The “potentially market-nuking” vulnerability, as Tree_of_Alpha called it, was specific only to the Coinbase API for Retail Advanced Trading.
The Coinbase report on the security incident claimed that no other APIs were affected by the vulnerability and no malicious actors had exploited it in the wild.
What Happened to Coinbase?
The ethical hacker discovered the vulnerability by chance while exploring a new Coinbase feature called advanced trading. This feature allowed users to sell one type of crypto (say, ETH) and use those funds to buy another (e.g., BTC).
When analyzing the API requests, Tree found that the value of the product parameter, which specifies the cryptocurrency being traded and the currency it is converted to (such as “ETH-EUR” or “BTC-USD”), could be changed arbitrarily. More precisely, the ethical hacker could change the cryptocurrency from Ethereum to Bitcoin.
The problem was that Coinbase would complete the order through its Retail Advanced Trading API even though Tree didn’t hold any Bitcoin, which meant the server-side input validation was inadequate. As long as the source account held a sufficient quantity of some asset (for instance, 50 units of any coin), the platform would process the transaction, regardless of whether that asset matched the cryptocurrency named in the product parameter (Bitcoin, Ethereum, Solana, or any other).
That implied that anyone, not just the ethical hacker, could trade cryptocurrency they didn’t own. An undiscovered vulnerability of that extent could’ve shaken Coinbase and destabilized the whole crypto market, which is why Tree_of_Alpha referred to it as potentially market-nuking.
Fortunately, an ethical hacker discovered and reported the vulnerability before any malicious hackers could exploit it. Coinbase fixed the problem promptly and rewarded Tree with a hefty bounty proportionate to the magnitude of the vulnerability.
Improper Input Validation
Often, developers build applications that perform input validation on the front end but either lack server-side validation or implement inadequate validation on the back end. This choice (or oversight) rests on the following assumptions:
- End users would only interact with the app on the front end.
- End users would refrain from tampering with the app even if they knew how to look beyond the front end and had the skills to do so.
That seemed to be the problem with the Coinbase platform as well. The developers didn’t expect someone to use a proxy to bypass the front end, look at API requests, and modify those requests to abuse an endpoint and threaten the platform.
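The following is an added example, not Coinbase’s code: a simplified spot-order handler that models the flaw described above. The weak version trusts the wallet the front end selected and sells whatever the client-supplied product parameter names; the hardened version derives the asset to debit from an allowlisted pair and checks the account actually holds it. The product allowlist, balances, and error type are constructed for illustration.

```python
# Added example, not Coinbase's code: a simplified spot-order handler that
# models the Advanced Trading flaw described above. Product names, balances
# and the error type are constructed for illustration.
from decimal import Decimal

SUPPORTED_PRODUCTS = {"ETH-EUR", "ETH-USD", "BTC-USD", "ETH-BTC"}  # assumed allowlist


class OrderError(Exception):
    """Raised when the server rejects an order."""


def place_order_vulnerable(balances, source_wallet, product, quantity):
    """Trusts the front end: checks the wallet the UI selected (source_wallet),
    then sells whatever the client-supplied product parameter names."""
    if balances.get(source_wallet, Decimal(0)) < quantity:
        raise OrderError("insufficient funds")
    base, quote = product.split("-")
    balances[source_wallet] -= quantity  # debits the UI-selected wallet...
    return {"sold": base, "for": quote, "qty": quantity}  # ...but sells the asset in product


def place_order_hardened(balances, product, quantity):
    """Server-side validation: allowlist the pair, derive the asset to debit from
    the pair itself, and confirm the account actually holds enough of it."""
    if product not in SUPPORTED_PRODUCTS:
        raise OrderError("unsupported product")
    if not isinstance(quantity, Decimal) or quantity <= 0:
        raise OrderError("invalid quantity")
    base, quote = product.split("-")
    held = balances.get(base, Decimal(0))
    if held < quantity:
        raise OrderError(f"insufficient {base}: have {held}, need {quantity}")
    balances[base] -= quantity
    return {"sold": base, "for": quote, "qty": quantity}


def demo():
    """Replay the scenario: the account holds 50 ETH and no BTC, and the request's
    product field is changed from ETH-USD to BTC-USD before it reaches the server."""
    tampered = {"source_wallet": "ETH", "product": "BTC-USD", "quantity": Decimal(50)}
    weak = place_order_vulnerable({"ETH": Decimal(50), "BTC": Decimal(0)}, **tampered)
    try:
        place_order_hardened({"ETH": Decimal(50), "BTC": Decimal(0)},
                             tampered["product"], tampered["quantity"])
        strong = "accepted"
    except OrderError as exc:
        strong = f"rejected: {exc}"
    return weak["sold"], strong


if __name__ == "__main__":
    print(demo())
```

The point is that the hardened handler never consults anything the client says about which wallet to debit; the pair itself decides, and the balance check is done against that asset on the server.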
How to Secure Banking APIs
There are three variables that modern banking organizations must factor in when drawing up an API security plan:
- API runtime security
- API security posture
- API security testing
API runtime security includes monitoring API traffic and behavior to detect anomalies, malicious requests, and other security issues while your APIs perform their daily tasks.
API security testing includes penetration testing as well as scanning for vulnerabilities in development and production.
Working on your API security posture means continually and methodically handling vulnerabilities, API inventory, data classification, and compliance.
Let’s focus on the last two.
Equixly and the Importance of a Purpose-Built API Security Solution
Due to the potentially disastrous consequences of vulnerable APIs in modern banking, financial service providers are strongly advised to have a separate, dedicated API security budget. Resources specially allocated for purpose-built API security solutions should play a significant part in budget planning. WAFs and other generic web security solutions struggle to protect APIs effectively.
One such purpose-built API security tool is Equixly.
Equixly is an AI-powered ethical hacker that allows you to automate penetration tests and turn them into a regular and frequent practice. The fruits of the work of all the Alissa Knights and Tree_of_Alphas of the world testify to how beneficial ethical hacking is for API security. Without the proactive approach of ethical hacking, we’re limited to fixing thorny problems only after malicious actors have exploited them.
Besides testing your already launched APIs, Equixly enables you to integrate security into the software development life cycle (SDLC). From testing the new code developers add when building APIs, you can continue by checking the old code they change to decrease the probability of vulnerabilities finding their way into your APIs.
Equixly includes the most recent OWASP Top 10 API Security Risks list when attacking your APIs and scrutinizing the gazillions of responses it receives. It presents the test results in a clean dashboard where you can see the OWASP top ten issues your APIs suffer from.
In addition, Equixly provides detailed accounts of your API scans that you can download as PDF reports and informs you about discovered shadow API endpoints so you can improve and complete your API inventory. These features contribute to building a more robust API security posture and a safer information environment.
Final Thoughts
APIs are everywhere in banking, and they’re not as secure as we would like to think. As the digitalization and automation of banking services grow, so does the number of APIs in use. The obvious implication is that it takes a lot of work to secure them.
Find specialized API security solutions that allow you to work on your security posture, test APIs in development and production, and monitor how they function in runtime. And don’t search for the proverbial silver bullet. You won’t find it. But since you have to start somewhere, why not start with Equixly?
Carlo De Micheli
Director of Product Marketing
Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.
Zoran Gorgiev
Technical Content Specialist
Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.