That “digital transformation” you can’t stop thinking about is made possible by droves of application programming interfaces (APIs) — clever lines of specialized code that foster interconnectedness and new consumer experiences.
It’s happening in the B2B space as well, and not a moment too soon, as many B2B systems are in definite need of an upgrade — and could learn a thing or two from the consumer side.
PYMNTS’ June 2020 B2B API Tracker®, done in collaboration with Red Hat, observes that recent rapid adoption trends for APIs among banks and financial institutions (FIs) indicate not only a wolf at the door (Big Tech, challengers) but, more so, the realization that customer experience (CX) is the new currency. Even so, it’s still a fraudster’s paradise out there, and APIs aren’t immune.
“[Growth] in API usage has resulted in B2B transactions’ unparalleled acceleration, but banks must still contend with fraud threats,” the Tracker states. “Bad actors are shifting their tactics to target bank APIs rather than the apps connected to them, as they can seize control of all connected apps simultaneously by infiltrating APIs’ codes. This also allows hackers to bypass in-app authentication procedures because it can be easier to steal API keys — the credentials developers use to build apps that harness APIs — than contend with apps’ biometric or two-factor authentication (2FA) processes.”
Work on securing APIs is ongoing, but businesses are already using them confidently, not just to field new products and CX but also as a data cyber shield found only in the cloud.
Cloud Havens and Changing Keys
There’s more than one way to beat a cyberthief, and the B2B API dev world is onto that.
“Increasingly, firms are moving toward multifactor authentication and OpenID Connect to combat … risk,” Anthony Golia, chief architect of North America financial services at Red Hat, told PYMNTS. “Cloud platforms are also helping firms secure APIs with built-in capabilities that apply security policies through nonintrusive policy enforcement. As a modern technology environment, cloud platforms can protect information with strong policies that can be applied consistently and quickly adopted as criminals continue to evolve their methods of attack.”
New banking protocols like periodic API key rotation and advanced machine learning (ML) systems seeking out anomalous behavior in API codes are part of the answer. “These systems will likely not stop fraud entirely but may be enough to keep bad actors from impeding API adoption around the world,” the June Tracker states.
Impeding bad actors is half the battle, and you do that by securing the APIs themselves. That’s exactly what’s happening now as more API-powered challenger banks come online with security and risk management responsibilities essentially on par with those of legacy FIs.
“Banks are thus deploying various security measures to keep themselves, their customers and their FinTech partners safe,” the Tracker states, as the cat-and-mouse game continues.
MFA and APIs Make A Good Pair
Defenses built into API open banking are getting harder to penetrate by the day, but that doesn’t stop fraudsters from trying and, too often, succeeding. That’s changing now.
“API protection begins with ironclad user verification, such as MFA [multi-factor authentication] systems that require input from users besides their passwords, like codes sent to their phones via text messages or biometric inputs like fingerprints,” the June Tracker states.
“Studies have found that using MFA can prevent more than 99.9 percent of attacks that leverage stolen credentials, for example, making such solutions an imposing obstacle for hackers armed with pilfered passwords. Regularly rotating API keys — the unique identifiers that authenticate the users and developers accessing APIs — can also strengthen security efforts.”