Open Banking Opens Up New Security Vulnerabilities
Realize the benefits of open banking while being mindful of inherent API security concerns and other vulnerabilities.
Ransomware attacks continue to dominate the headlines. However, there is another cyber threat that the banking industry needs to turn its attention to: the growing risk from credential stuffing attacks.
This threat has become increasingly pressing in recent years, with the FBI recently issuing a security advisory warning that credential stuffing is now a major threat facing financial organizations. While there are many drivers behind this threat vector, in this article I’ll be focusing on one in particular – the broad deployment of application programming interfaces (APIs). These have become increasingly popular in recent years to enable innovative digital banking services, but credit unions must be cognizant of the new vulnerabilities that open banking introduces.
In fact, the 2020 FBI credential stuffing advisory warned that these attacks often target APIs as these systems typically are less monitored than customer-facing login systems and are also generally less likely to mandate multi-factor authentication (MFA). To illustrate the severity of this threat, Gartner said it believes that APIs will be the most frequent online attack vector by this year.
The Era of Customer Convenience
Before we delve into open banking security concerns, let’s first examine why APIs are so broadly deployed in credit unions today. One of the chief byproducts of digital transformation is consumers’ desire for a seamless online experience and intuitive, easy access to information. Leveraging APIs allows credit unions to deliver on these expectations and partner with various third parties to share financial data and, in so doing, provide members with simplified access to numerous services.
One recent study from Plaid found that 73% of Americans believe using financial apps and other digital tools is the “new normal,” and that 82% of these respondents report better results when they use this technology. As such, we can only expect the proliferation of apps to increase in the years ahead.
Convenience Can’t Come at the Cost of Security
It’s clear that open banking has and will continue to transform the customer experience, but it’s imperative that this convenience not come at the cost of security. A 2020 report from Enterprise Strategy Group and Veracode found that nearly half of all organizations surveyed regularly and knowingly push vulnerable code into production for various reasons, including:
- To meet a deadline (54%);
- Because they believe the code is low risk (49%); and
- Because the issues were discovered too late to fix them prior to deployment (45%).
Regardless of the reason, when security is not top of mind, it makes it easier for hackers to access member data and use it to defraud members and credit unions alike. In 2021, a white hat hacker was able to access 55 different financial organizations through APIs, change customer PINs and move money around. In one scenario, the code development was outsourced and the developer reused the code, meaning that hundreds of other financial institutions were vulnerable to the same attack vector.
Prioritizing Security
There are numerous steps credit unions must take at every stage from development through to deployment to mitigate API vulnerabilities. While there are too many to enumerate here, key considerations include:
- API discovery – to determine how many APIs exist in the environment;
- API inventory – to catalog all APIs, what they do and the type of information they handle; and
- API risk assessment – to determine whether any APIs are vulnerable to known risks, and also what would happen if one of these applications were attacked.
Combatting Credential Stuffing
As outlined, credential stuffing attacks are one of the primary ways hackers target API vulnerabilities. Therefore, it’s critical that credit unions take steps to combat these attacks as part of addressing overall API security.
Because compromised passwords are required for every successful credential stuffing attack, credit unions must prohibit the use of previously exposed credentials for member and employee accounts alike. However, this is challenging for numerous reasons – the prevalence of password reuse, the ever-growing volume of digital services and the sheer rate at which data breaches occur, to name just a few.
So, how can credit unions decrease the likelihood of a successful credential stuffing attack?
- Make MFA Mandatory: MFA should always be enabled whenever employees or members log into company accounts or systems.
- Deploy Web Application Firewalls: Using WAFs can help credit unions monitor for attacks and identify if a breach is occurring.
- Hash Passwords: Protecting all stored passwords with hashing ensures that no actual login details are revealed, should a data breach occur.
- Screen for Compromised Passwords: Another best practice is to ensure users are not using compromised passwords by screening them against a database of credentials exposed in previous data breaches. For maximum effectiveness, this should be done both at new password establishment and continuously thereafter.
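As an added illustration of the last two items (not code from the article or from Enzoic), here is a Python sketch of an enrollment and login path that screens a password against an exposed-credential set and stores only a salted scrypt hash rather than a bare fast hash. The breach corpus and the prefix-based lookup are constructed stand-ins for a real breach database and its k-anonymity range API.

```python
import hashlib
import os
import secrets
from typing import List, Optional

# Constructed breach corpus: stand-in for a real exposed-credential feed, stored as
# uppercase SHA-1 hex the way such feeds are published. Entries are well-known weak
# passwords chosen for this example only.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2020!")
}
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # memory-hard, ~16 MiB per hash


def record_breach(password: str) -> None:
    """Simulate a later data breach exposing this credential."""
    BREACH_CORPUS.add(hashlib.sha1(password.encode()).hexdigest().upper())


def breach_index_lookup(prefix5: str) -> List[str]:
    """k-anonymity style range query: only the first 5 hex chars of SHA-1(password)
    are sent; every suffix sharing that prefix comes back, so the full hash never leaves us."""
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix5)]


def is_compromised(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_index_lookup(digest[:5])


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, stored as 'scrypt$<salt hex>$<derived key hex>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return secrets.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def set_password(password: str) -> str:
    """Enrollment: reject exposed credentials, then keep only the salted hash."""
    if is_compromised(password):
        raise ValueError("password appears in a known breach; choose another")
    return hash_password(password)


def login(password: str, stored: str) -> str:
    """Login: verify, then re-screen the plaintext (only available here) so a credential
    that leaked after enrollment is caught; returns 'ok', 'reset_required' or 'denied'."""
    if not verify_password(password, stored):
        return "denied"
    return "reset_required" if is_compromised(password) else "ok"
```

The hashed store cannot be re-screened against a SHA-1 breach feed offline, which is why the continuous check runs at login, where the plaintext is briefly available.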
Open banking offers credit unions numerous opportunities to meet members’ digital experience expectations and deliver new innovative strategies to maintain member loyalty and competitive advantage. By being mindful of inherent API security concerns and taking steps to address vulnerabilities like credential stuffing, credit unions can realize these benefits while protecting sensitive company and member data.
Mike Wilson, Founder & Chief Technology Officer, Enzoic, Boulder, Colo.