
FinTech use growing amongst consumers and criminal organizations


The digital economy continues to grow, up significantly from 2002, when total holiday sales hit just $416.4 billion.

Eventually it all passes through financial service institutions. Whether payments are processed through Apple Pay or Venmo, PayPal or a debit card, there is always involvement with an account at a financial services institution.

This opens up the door for more attempts by criminal organizations to gain access to those accounts, especially through FinTechs. Whether via scams, such as those experienced by Zelle users or Robinhood customer service employees, or directly via credential stuffing or brute force, attacks can produce windfalls for those who persist in their efforts.

The headline-grabbing breaches we hear about today are executed directly against the user interfaces of a financial services institution: a web app, text message, or email. It is troubling, then, to consider the potential impact of the explosive API growth that fuels the digital financial ecosystem, and the implications of the associated third-party risks, which criminal organizations are quickly recognizing as a lucrative attack vector.

APIs are increasingly appealing to criminal organizations

Consumers today are presented with an increasingly diverse payment ecosystem from which to fund their holiday spending splurge:

  • More than 2 out of every 3 Gen Z shoppers plan to shop via nontraditional channels such as Instagram, WhatsApp, and livestreams this holiday season.
  • According to an NPD survey from June 2021, more than 50% of consumers say they have made purchases via Instagram or Facebook. 15% of those consumers named TikTok as a social media platform where they discover and learn about products. (Source: 2021 Holiday Shopping Ecommerce Stats & Trends)

A thriving payment ecosystem relies on APIs to facilitate digital financial transactions. Standardization supports the need for fast, secure transactions, addressing both the impatience of consumers and the need of a digital business to adapt and grow. The leading standard today is FDX (Financial Data Exchange), which as of September 2021 boasts 22 million consumer accounts using the FDX API for open finance data sharing. Notably, this has resulted in a significant increase in the volume of API calls, which have surged to just shy of 2 billion per month. (Source: FinExtra)

A recently published report from F5’s Office of the CTO, “Continuous API Sprawl: Challenges and Opportunities in an API-Driven Economy” (source: https://www.f5.com/pdf/reports/f5-office-of-the-cto-report-continuous-api-sprawl.pdf), notes the rapid proliferation of APIs and the governance and security risks this poses.

It found that APIs, which power everything from digital payments to entertainment services and enable robust marketplaces, currently number around 200 million. By 2030, that figure could reach 1.7 billion.

Coupled with F5 Labs research (source: https://www.f5.com/labs/articles/threat-intelligence/2020-apr-vol1-apis-architecture) showing that the number of API security incidents, many of which involve third parties such as FinTechs, is growing every year, financial institutions have a lot more to worry about than the potential for imminent regulatory action and competitive forces.

Defending the digital economy

Securing APIs and protecting consumers and business against fraud is an increasingly important focus for digital firms in all industries, but especially those in the financial services industry.

Furthermore: “Different development teams working on multiple applications often use disparate toolsets. That means traditional security teams may not own a centralized point of control to enforce security. This requires a standard set of tools to embed the right controls into the API development and management processes.” (Source: Renuka Nadkarni, F5 CTO Security, “Secure the FDX API to Defend Data in Open Banking”, https://www.f5.com/company/blog/secure-the-fdx-api-to-defend-data-in-open-banking)

The F5 open banking solutions guide provides a comprehensive overview of F5 solutions for open banking. Additionally, Nadkarni notes that “FDX has published comprehensive advice regarding the controls that should be implemented in order to protect from threats and risks to consumer accounts information and service integrity.” These controls include:

  • Software security—control for the OWASP top 10 and other software vulnerabilities—including deploying a web application firewall (WAF)
  • Network and systems security
  • Operational security
  • Physical security
  • Business continuity and disaster recovery
  • Supplier security
  • Design patterns for authN/authZ including controls for credential stuffing
  • Patterns for a secure gateway architecture (SGA), including API security controls baked into the API gateway
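The credential-stuffing and brute-force attempts mentioned earlier, and the authN/authZ and API-gateway controls listed above, are easiest to reason about with a concrete detection rule. The following is an added example (not code from the article, from F5, or from the FDX guidance) that runs two defender-side checks over authentication events as an API gateway might log them. The log line format, field names, sample IP addresses (RFC 5737 documentation ranges) and thresholds are all constructed assumptions for illustration. The first check looks for the credential-stuffing signature (one source trying many *different* usernames with mostly failures); the second looks for the classic brute-force signature (many failures against one account, from any source), which a per-source rule alone would miss.

```python
"""Two sliding-window checks over constructed API-gateway auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical gateway format:
#   "<ISO-8601 UTC timestamp> src=<client ip> user=<username> result=<ok|fail>"
SAMPLE_LOG = [
    # One source cycling through many accounts: the credential-stuffing pattern.
    "2021-11-20T10:00:01Z src=203.0.113.5 user=alice result=fail",
    "2021-11-20T10:00:02Z src=203.0.113.5 user=bob result=fail",
    "2021-11-20T10:00:02Z src=203.0.113.5 user=carol result=fail",
    "2021-11-20T10:00:03Z src=203.0.113.5 user=dave result=ok",
    "2021-11-20T10:00:04Z src=203.0.113.5 user=erin result=fail",
    "2021-11-20T10:00:05Z src=203.0.113.5 user=frank result=fail",
    # A legitimate user mistyping a password twice, then succeeding: must not be flagged.
    "2021-11-20T10:01:00Z src=198.51.100.7 user=grace result=fail",
    "2021-11-20T10:01:05Z src=198.51.100.7 user=grace result=fail",
    "2021-11-20T10:01:09Z src=198.51.100.7 user=grace result=ok",
    # Repeated failures against a single account: the brute-force pattern.
    "2021-11-20T10:02:00Z src=192.0.2.9 user=heidi result=fail",
    "2021-11-20T10:02:01Z src=192.0.2.9 user=heidi result=fail",
    "2021-11-20T10:02:02Z src=192.0.2.9 user=heidi result=fail",
    "2021-11-20T10:02:03Z src=192.0.2.9 user=heidi result=fail",
    "2021-11-20T10:02:04Z src=192.0.2.9 user=heidi result=fail",
    "2021-11-20T10:02:05Z src=192.0.2.9 user=heidi result=fail",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, src, user, success) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than crashing the detector
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"] == "ok"


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct usernames within `window`, mostly failing.

    Returns {src: {"distinct_users", "attempts", "failures"}} for the last window
    state in which the source crossed both thresholds.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        recent = deque()  # events within the sliding window, oldest first
        for ev in events:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            users = {e[2] for e in recent}
            failures = sum(1 for e in recent if not e[3])
            if len(users) >= min_distinct_users and failures / len(recent) >= min_fail_ratio:
                flagged[src] = {"distinct_users": len(users),
                                "attempts": len(recent), "failures": failures}
    return flagged


def detect_account_brute_force(lines, window=timedelta(minutes=5), max_failures=5):
    """Flag accounts that receive `max_failures` or more failed logins within `window`,
    regardless of source. Returns {user: failures_in_window}."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and not ev[3]:
            by_user[ev[2]].append(ev[0])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_failures:
                flagged[user] = len(recent)
    return flagged


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(SAMPLE_LOG))
    print("account brute force:", detect_account_brute_force(SAMPLE_LOG))
```

On the constructed log, the first check flags only 203.0.113.5 (six usernames, five failures in a few seconds) and leaves the legitimate user who mistyped twice alone; the second flags only the heidi account. In a gateway these two signals feed different controls: the per-source signal is what rate limiting or bot-mitigation at the API gateway acts on, while the per-account signal drives step-up authentication or temporary lockout, and both belong in the SIEM regardless of which control fires.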

Finally, it is important to note that defending financial data, whether in flight or at rest, is increasingly important in a digital-as-default economy. While the risk of fraud to business is certainly considerable, the risk to consumers is even greater.

Learn how F5 can help support your open banking initiatives here.
