In just a few short years, open banking—the use of open APIs to allow third parties to build products and services atop the offerings of banks, insurance companies, and other financial institutions—has changed the financial services landscape.
The ability to leverage existing financial services products to build new offerings in spaces like lending, payments, and insurance has made it vastly simpler for consumers to complete transactions, manage their financial lives, and control their personal data. At the same time, open API protocols are driving innovation across financial services, and creating significant revenue streams for financial institutions. And with the new release of the FDX API 5.0, which codifies standards for API security, interoperability, and performance—as well as the upcoming PSD2 Strong Customer Authentication (SCA) deadline in the European Union—more innovation and new revenue opportunities are sure to come.
But where there’s reward, there’s invariably risk. By their nature, open APIs expose internal and customer data to third parties—making that data more vulnerable to being accessed by bad actors. This is of particular concern vis-à-vis account aggregators, who, like Mint and Plaid, enable modern financial services to consumers. Read on to learn how bad actors use aggregators to attack and defraud banks, insurance companies, and other financial institutions.
Financial account aggregators can add real value to consumers, giving them a single-screen view of their financial life. They also benefit financial institutions by reducing transaction friction and creating new revenue streams. That’s why many financial institutions relax their security procedures when connecting with aggregators. But because they can store data from hundreds of millions of accounts, aggregators are attractive targets for bad actors—especially smaller aggregators, which may lack the funding and security sophistication of more established peers.
The growth in stolen account data available to bad actors, meanwhile, is fueling automated credential stuffing attacks, in which bad actors try to access accounts using botnets and stolen credentials. These attacks have become a sizable problem for financial institutions, causing substantial data breaches and considerable financial losses—to the point that the FBI recently issued a formal warning to the U.S. financial sector concerning the threat posed by credential stuffing.
The most alarming result of the boost in credential stuffing is the increase in account takeovers (ATOs), in which attackers take control of the accounts they’ve gained access to in order to fraudulently drain those accounts of funds. According to a recent report by Aberdeen Group, 84% of online financial services companies had online users who had been the victim of an ATO in the past year.
The survey also calculated the mean cost of credential stuffing attacks, finding—shockingly—that it can amount to more than six times the revenue generated from monthly active users.
The risks don’t stop there, and unfortunately are more serious than some may think. Bad actors know that aggregator traffic is less likely to be blocked, so they like to use them as backdoors into financial institutions. In 2019, for example, financial services giant NCR Corp. found it necessary to temporarily block certain aggregators from accessing its digital banking platform when it discovered a wave of automated account takeovers coming from them.
By opening APIs to aggregators, financial institutions also add to system performance risk by causing or contributing to spikes in traffic. This is in part because aggregators are among the heaviest users of open banking APIs, generating 20% of a typical bank’s traffic. Another factor, according to the FBI, is that credential stuffing attacks can put such a strain on financial institutions’ authentication systems that those institutions become convinced they’re facing a denial-of-service attack.
The bottom line is that open banking exposes financial institutions to significant, pervasive risks. That’s why, at F5, we’re taking a strategic approach to helping financial institutions manage and secure open banking APIs.
F5 is already a leader in delivering API management, high-performance API gateways, and advanced security controls in an all-in-one solution, reducing tool sprawl, and limiting architectural complexity.
F5 monitors login attempts to financial-institution accounts in real time, enabling financial institutions to distinguish between real users, bots and automation, and manual (human-driven) fraud attempts. We like to think that’s one of the reasons that the top 15 U.S. commercial banks all use F5 solutions. Now, we’re innovating to extend our solution set and provide even more comprehensive support for open banking.
In the coming months, you’ll see more from F5 around open banking, focused on topics including better management of traffic from aggregators and protection against API attacks.
One example is our Aggregator Management product, which provides F5 customers in the open banking community greater visibility into API traffic, automatic detection of credential stuffing, anomalous-traffic detection, and the ability to limit content-access privileges for aggregators. For financial institutions, this means more fine-grained control over aggregators, better protection of consumer accounts from fraud, better app availability—and less risk.
Stay tuned! And in the meanwhile, learn more about the risks of open banking and how to fend them off: