Open banking is one of the most significant emerging trends in the financial industry, allowing banks and FinTechs to share financial data in a quick, easy and secure manner across a network of platforms.
It has been steadily gaining popularity in recent years, with more than 10,000 financial institutions (FIs) around the world practicing open banking and 87 percent of the world’s nations having open banking protocols in place as of 2019.
Open banking is typically achieved via application programming interfaces (APIs), sets of rules and procedures that permit developers to create algorithms and applications that access features or data or interact with other systems. This allows third-party developers to create tools based on FIs’ specific services and information and ensure that they are compatible with other banks’ procedures. This not only helps FIs communicate with each other, but it also makes it easier to comply with transparency regulations while providing customers with more control over their data.
Open banking comes with security risks, however, as a hacker that manages to breach an open banking API can hijack all of the apps that harness this interface to gather data. The following Deep Dive explores the various ways bad actors take advantage of open banking and the steps banks can take to protect themselves, their developer partners and their customers.
Security Risks Facing Open Banking
FIs may reap benefits for engaging in open banking, but not everyone may embrace it the same way. Studies have shown that 49 percent of bank customers believe their personal data will be less safe due to open banking. This fear is, in some ways, justified as their data can be exposed not just in an attack on their banking app of choice, but also by an attack on the API that their app is leveraging. Fraudsters have a variety of tools at their disposal to obtain this data and are attacking these APIs at higher rates than ever before.
The most popular technique, credential abuse, involves fraudsters using compromised passwords and other login information to gain access to sensitive systems. There were 85.42 billion such attacks between December 2017 and November 2019, 16.55 billion of which targeted APIs, and of these attacks, 463.3 million were aimed at the financial industry. These credential abuse attacks come in a variety of forms, with some hackers choosing to overwhelm API defenses with simultaneous logins from a host of bots and others using more targeted techniques like phishing individual API developers and using their login credentials. One 2018 study found that 81 percent of open banking-related breaches were the result of stolen or weak passwords.
Other hackers may choose not to attack APIs directly, instead attacking the FinTechs that are leveraging these platforms to work with banks. These companies are largely newer and less experienced at dealing with financial crimes than the banks they work with, making them an easier target. Many of these fraudsters impersonate banks’ digital signatures to gain access to customer data, targeting either the FinTechs themselves or third-party companies that collaborate with many FinTechs at once to aid in the transfer of data between FinTechs and banks. The latter group is an even more tempting target than the FinTechs themselves as hackers that manage to breach these third-party companies can disrupt all of their partner FinTechs at once.
Having such a wide range of fraud targets and techniques against open banking systems means that no single defense mechanism will be enough to stop hackers. Multilayered approaches that harness a variety of defensive measures will be more effective.
Securing Open Banking Systems
The first line of defense against fraud attempts on open banking systems is at the point of entry and requires ensuring that anyone accessing banking apps or APIs has the right to be there. Passwords at this point can be ineffective as 65 percent of individuals use the same passwords for multiple accounts. Any data breach that exposes one of their accounts potentially compromises every account that shares the same password.
Multi-factor authentication (MFA) is a much more effective way to secure these entry points by requiring not only a password, but also an additional verification method, such as a code sent to a user’s phone or a biometric system, like a fingerprint reader or facial recognition scanner. Experts say that the best MFA systems rely on three points of data: something the user knows, such as a password; something the user has, such as a key fob or a code sent via text message; and something the user is, which typically consists of a biometric identifier. Requiring any two of these three data points is enough to protect against 99.9 percent of fraud attempts, according to one study.
The small number of fraudsters that manage to bypass MFA systems can be countered with artificial intelligence (AI) and machine learning (ML) systems, which analyze the thousands of payments routed through open banking APIs and look for unusual system commands, transactions or other suspicious activity. These systems can look through transaction logs much faster than human analysts and reduce fraudulent transactions by 65 percent and the total amount of money paid out through these transactions by 75 percent.
Fraudsters are constantly developing, testing and deploying new tactics, making it incumbent on FI security teams to anticipate future threats and develop countermeasures before they fall victim. MFA and ML systems can effectively stop current threats, but future hazards will need even more advanced systems.