Why bad bots and open banking are creating opportunities for cybercriminals [Q&A]
We all know that bad bots are, well… Bad. But open banking is supposed to be good, giving consumers more control over their finances. Combine open banking and bad bots though and you have opened up a world of new threats to banks, customers, and their data.
We spoke to Alan Ryan, AVP for UK and Ireland at Imperva, about how open banking has created new opportunities for cybercriminals, and why the traditional siloed approach to security needs re-appraising.
BN: Why has introducing open banking increased the number of attacks on the finance sector?
AR: Since open banking was launched in 2018, we've seen an explosion in the number of APIs used by the financial and fintech industries. This is because APIs are essential to open banking: they enable applications to 'talk' to one another and exchange data. However, while this is substantially more convenient for consumers, it has also opened multiple doors to cyber attackers. Because so many APIs connect directly to backend databases that often hold sensitive data, cybercriminals see them as a prime target.
To mitigate the risk of an attack, organizations need to treat APIs with the same level of protection they provide for their business-critical web applications. Yet most organizations have a huge number of 'shadow' APIs that IT doesn't have visibility over -- for instance because they were never correctly retired -- and traffic is essentially unmonitored. This is a particularly difficult problem for the financial services industry, with research showing that 30 percent of all financial services API traffic goes through shadow APIs, an 89 percent increase from 2021.
BN: What's the role of bad bots in targeting the financial sector?
AR: Bad bots -- automated software applications created to carry out tasks with malicious intent -- account for more than a quarter (27 percent) of all traffic to financial service organizations -- and target APIs in a number of ways, including:
- Account takeover fraud: Research shows account takeover (ATO) attacks heavily target the financial sector, with almost 40 percent of all attacks hitting financial sites and 35 percent targeting APIs directly. These brute-force-style attacks -- also known as credential stuffing, credential cracking or dictionary attacks -- use lists of compromised user credentials to break into a system. The attack uses bots for automation and scale, and APIs are a particularly attractive target since they can provide access to especially sensitive data or functionalities.
- Data scraping and theft: Competitors use bots regularly to scrape proprietary content and information on rates so they can stay a step ahead and remain competitive. By targeting APIs, bad bots can extract not just sensitive commercial information such as pricing and product information, but user details and other personal data. This can have a whole host of consequences -- from losing a competitive advantage, to IP infringement, identity theft or fraud.
- Distributed Denial of Service (DDoS) attacks: Bad bots are perfectly capable of launching a 'traditional' DDoS attack -- overloading a web application with requests in order to damage performance and either force downtime, or act as a decoy for an even more serious attack. However, these can also be an indirect consequence of other bot activity that makes constant requests to the server.
- API probing: Bad actors will use bots as reconnaissance tools: identifying potential vulnerabilities in APIs that they can later exploit. Worst of all, from the point of view of the defender, this probing can uncover 'shadow' APIs that the organization is no longer monitoring -- meaning attackers can know an environment better than the company itself.
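As an added illustration (not part of the interview and not Imperva's tooling), the following Python script runs two of the detections the answers above call for over constructed API access logs: it flags a source whose failed logins span many different accounts (the credential-stuffing pattern behind ATO) and counts calls to routes missing from a hypothetical API inventory (shadow APIs and probing). The log format, the sample lines and the inventory are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Assumed log line format: timestamp ip method path status [user=<login attempted>]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                    r"(?P<status>\d{3})(?: user=(?P<user>\S+))?$")

# Constructed sample traffic (not real data): one source cycling through many
# logins, one normal user, and a client calling routes that were never inventoried.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 POST /v1/auth/login 401 user=alice
2024-05-01T10:00:02Z 203.0.113.7 POST /v1/auth/login 401 user=bob
2024-05-01T10:00:03Z 203.0.113.7 POST /v1/auth/login 401 user=carol
2024-05-01T10:00:04Z 203.0.113.7 POST /v1/auth/login 401 user=dave
2024-05-01T10:00:05Z 203.0.113.7 POST /v1/auth/login 401 user=frank
2024-05-01T10:01:00Z 198.51.100.4 POST /v1/auth/login 401 user=grace
2024-05-01T10:01:05Z 198.51.100.4 POST /v1/auth/login 200 user=grace
2024-05-01T10:02:00Z 198.51.100.4 GET /v1/accounts/42 200
2024-05-01T10:02:10Z 203.0.113.9 GET /v0/legacy/balance/42 200
2024-05-01T10:02:11Z 203.0.113.9 GET /v0/legacy/balance/43 200
2024-05-01T10:02:12Z 203.0.113.9 GET /internal/debug/users 404
"""
# Hypothetical inventory of the API routes the security team knows and protects
INVENTORY = {"/v1/auth/login", "/v1/accounts", "/v1/payments"}

def parse(log_text):
    """Parse matching lines into dicts; anything else is skipped."""
    events = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    for e in events:
        e["status"] = int(e["status"])
    return events

def credential_stuffing_sources(events, min_failures=5, min_users=4):
    """IP -> distinct usernames, for sources whose failed logins span many accounts."""
    failed = defaultdict(list)
    for e in events:
        if e["path"] == "/v1/auth/login" and e["status"] == 401 and e["user"]:
            failed[e["ip"]].append(e["user"])
    return {ip: len(set(u)) for ip, u in failed.items()
            if len(u) >= min_failures and len(set(u)) >= min_users}

def shadow_api_hits(events, inventory=INVENTORY):
    """Count calls to routes outside the inventory, collapsing numeric IDs."""
    hits = defaultdict(int)
    for e in events:
        path = e["path"]
        if any(path == p or path.startswith(p + "/") for p in inventory):
            continue
        hits[re.sub(r"/\d+(?=/|$)", "/{id}", path)] += 1
    return dict(hits)
```

A single user failing repeatedly (grace) is not flagged, only the source cycling through many accounts; the shadow-route counts are the inventory gap a security team would then close or retire.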
BN: Do changing working patterns demand a new approach to cybersecurity?
AR: With customers demanding more personalized services and 24/7 accessibility, more customer experiences are being digitized than ever before -- which is introducing new security risks.
Many businesses are restructuring their outdated monolithic applications, breaking them into smaller, distributed microservices that exchange data through APIs with first- and third-party services. APIs are central to this transformation. But the rapid pace of development leaves many vulnerable to increasing business logic attacks -- attacks that exploit an application's intended functionality and processes, rather than technical vulnerabilities. In fact, API insecurity now accounts for around £59 billion in global losses annually.
As companies continue on their digital transformation journey, the complexity of managing and securing these interconnected components will skyrocket -- leading to an impossible number of security alerts and potential vulnerabilities to manage. Today, businesses need a new approach that enables them to easily discover which APIs need protection, so security teams can easily apply defenses to mitigate attacks.
BN: How can the finance sector better protect itself?
AR: The financial sector will always be a top target for attackers, so it's vital financial service organizations take steps to mitigate the risks. This requires organizations to look at the entirety of their cyber security -- from data to applications to the edge of the network. Traditionally, it's been easy for organizations to take a siloed approach to security, treating factors such as sensitive data, applications and APIs as separate issues that each need a separate solution. However, the opposite is true -- these things are all interlinked. For instance, an ATO attack targeting vulnerable APIs will soon find its way to sensitive data and potentially compromise critical applications.
Instead, businesses must protect critical applications, APIs, and data, anywhere, at scale -- which requires a cohesive approach. For example, if a bank is targeted by the ATO attack above, an integrated and coordinated security stack that aligns with the architecture of the bank's website and applications would enable them to detect the threat and quickly apply the necessary defenses. Complete visibility into high-risk APIs, data and applications will be critical to this level of mitigation.
BN: What are the advantages of taking a holistic approach to security?
AR: Financial institutions will always remain a prime target for bad actors given the value of the data they hold. Protecting that data requires a holistic approach that can function across the distributed nature of the systems, data and applications, often encompassing a multi-cloud strategy.
Given the high percentage of data breaches caused by API vulnerabilities, these two security stacks need to be considered together in any strategy, not as individual silos that need protection. Implementing a solution that integrates the visibility and security of the data together with the APIs will significantly mitigate the risk of an attack, reducing the risk of a data breach, nullifying new threats, and limiting the impact on the business, economy and the public.