FinTechs grow in popularity amongst consumers and criminal organizations

Consumers are preparing to inject the digital economy with an estimated “$843-859 billion this year, more than double what they were in 2002, when total holiday sales hit just $416.4 billion.”

Ultimately this will all pass through financial service institutions. Whether payments are processed through Apple Pay or Venmo, PayPal or a debit card, there is always involvement with an account at a financial services institution.  

This, naturally, leads to attempts by malicious actors to gain access to those accounts, especially through FinTechs. Whether via scams, such as those experienced by Zelle users or Robinhood customer service employees, or directly via credential stuffing or brute force, attacks can produce windfalls for those who persist in their efforts.

Most successful breaches we hear about today are executed directly against the user interfaces of a financial services institution: a web app, text message, or email. It is troubling, then, to consider the potential impact of explosive API growth that fuels the digital financial ecosystem—and the implications of associated third-party risks, which criminal organizations are quickly recognizing as a lucrative attack vector.

APIs are Increasingly Attractive to Criminal Organizations

Consumers today are presented with an increasingly diverse payment ecosystem from which to fund their holiday spending splurge:

• More than 2 out of every 3 Gen Z shoppers plan to shop via nontraditional channels such as Instagram, WhatsApp, and livestreams this holiday season. 
• According to an NPD survey from June 2021, more than 50% of consumers say they have made purchases via Instagram or Facebook. 15% of those consumers named TikTok as a social media platform where they discover and learn about products. (Source: 2021 Holiday Shopping Ecommerce Stats & Trends)
  

A thriving payment ecosystem relies on the use of APIs to facilitate digital financial transactions. Standardization supports the need for fast, secure transactions to address the impatient nature of consumers and the ability of a digital business to adapt and grow. The leading standard today is FDX (Financial Data Exchange), and as of September 2021 boasts 22 million consumer accounts using the FDX API for open finance data sharing. Notably this has resulted in a significant increase in the volume of API calls, which have surged to just shy of 2 billion per month. (Source: FinExtra)

A recently published report from F5's Office of the CTO, “Continuous API Sprawl: Challenges and Opportunities in an API-Driven Economy,” notes the rapid proliferation of APIs and the governance and security risks this poses. 

It found that APIs, which power everything from digital payments to entertainment services and enable robust marketplaces, currently number around 200 million. By 2030, that figure could reach 1.7 billion.

Coupled with findings from F5 Labs research that shows the number of API security incidents, many of which are related to third-parties like FinTechs, is growing every year, financial institutions have a lot more to worry about than the potential for imminent regulatory action and competitive forces.

Defending the Digital Economy

Securing APIs and protecting consumers and business against fraud is an increasingly important focus for digital firms in all industries, but especially those in the financial services industry.

Furthermore: “Different development teams working on multiple applications often use disparate toolsets. That means traditional security teams may not own a centralized point of control to enforce security. This requires a standard set of tools to embed the right controls into the API development and management processes.”  (Source: F5 CTO Security Renuka Nadkarni, Secure the FDX API to Defend Data in Open Banking)

The F5 open banking solutions guide provides a comprehensive approach to F5 solutions for open banking. Additionally, Nadkarni notes that "FDX has published comprehensive advice regarding the controls that should be implemented in order to protect from threats and risks to consumer accounts information and service integrity." These controls include:

• Software security—control for the OWASP top 10 and other software vulnerabilities—including deploying a web application firewall (WAF)
• Network and systems security
• Operational security
• Physical security
• Business continuity and disaster recovery
• Supplier security
• Design patterns for authN/authZ including controls for credential stuffing
• Patterns for a secure gateway architecture (SGA), including API security controls baked into the API gateway

Finally, it is important to note that defending financial data—whether in flight or at rest—is increasingly important in a digital as default economy. While certainly the risk of fraud to business is considerable, the risk to consumers is even greater.