In just a few short years, open banking—the use of open APIs to allow third parties to build products and services atop the offerings of banks, insurance companies, and other financial institutions—has changed the financial services landscape.
The ability to leverage existing financial services products to build new offerings in spaces like lending, payments, and insurance has made it vastly simpler for consumers to complete transactions, manage their financial lives, and control their personal data. At the same time, open API protocols are driving innovation across financial services, and creating significant revenue streams for financial institutions. And with the new release of the FDX API 5.0, which codifies standards for API security, interoperability, and performance—as well as the upcoming PSD2 Strong Customer Authentication (SCA) deadline in the European Union—more innovation and new revenue opportunities are sure to come.
But where there’s reward, there’s invariably risk. By their nature, open APIs expose internal and customer data to third parties—making that data more vulnerable to being accessed by bad actors. This is of particular concern with account aggregators such as Mint and Plaid, which enable modern financial services for consumers. Read on to learn how bad actors use aggregators to attack and defraud banks, insurance companies, and other financial institutions.
Accelerating risk: How aggregators and third-party payment providers enable credential stuffing and account takeovers
Financial account aggregators can add real value to consumers, giving them a single-screen view of their financial life. They also benefit financial institutions by reducing transaction friction and creating new revenue streams. That’s why many financial institutions relax their security procedures when connecting with aggregators. But because they can store data from hundreds of millions of accounts, aggregators are attractive targets for bad actors—especially smaller aggregators, which may lack the funding and security sophistication of more established peers.
The growth in stolen account data available to bad actors, meanwhile, is fueling automated credential stuffing attacks, in which bad actors try to access accounts using botnets and stolen credentials. These attacks have become a sizable problem for financial institutions, causing substantial data breaches and considerable financial losses—to the point that the FBI recently issued a formal warning to the U.S. financial sector concerning the threat posed by credential stuffing.
The most alarming result of the boost in credential stuffing is the increase in account takeovers (ATOs), in which attackers take control of the accounts they’ve gained access to in order to fraudulently drain those accounts of funds. According to Javelin Strategy and Research, in their 2021 Identity Fraud Study, ATO fraud resulted in over $6B in total losses in 2020.
The survey also calculated the mean cost of credential stuffing attacks, finding—shockingly—that it can amount to more than six times the revenue generated from monthly active users.
The risks don’t stop there, and unfortunately are more serious than some may think. Bad actors know that aggregator traffic is less likely to be blocked, so they like to use them as backdoors into financial institutions. In 2019, for example, financial services giant NCR Corp. found it necessary to temporarily block certain aggregators from accessing its digital banking platform when it discovered a wave of automated account takeovers coming from them.
By opening APIs to aggregators, financial institutions also add to system performance risk by causing or contributing to spikes in traffic. This is in part because aggregators are among the heaviest users of open banking APIs, generating 20% of a typical bank’s traffic. Another factor, according to the FBI, is that credential stuffing attacks can put such a strain on financial institutions’ authentication systems that those institutions become convinced they’re facing a denial-of-service attack.
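The pattern described above (automated replay of stolen credentials through an aggregator connection that a bank is reluctant to block) leaves a recognizable trace in gateway login logs: one source exercising many distinct usernames with a high failure ratio, which is quite unlike a legitimate aggregator refresh that succeeds for most of the accounts it touches. The following Python is an added illustration of that defender-side check; it is not code from the original post or from any F5 product, and the log format, field names, thresholds, and sample records are all constructed for the example.

```python
"""Flag credential-stuffing patterns in aggregator login traffic.

Heuristic: a single (source IP, aggregator client) pair that attempts many
distinct usernames and fails most of them looks like automated credential
replay. Volume alone is not the signal: a legitimate aggregator batch refresh
also touches many users, but most of those logins succeed.
"""
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical gateway format (not from
# any real system). Three behaviours are mixed in:
#   198.51.100.7  one user retrying a mistyped password (normal)
#   192.0.2.20    aggregator refreshing six accounts, mostly succeeding (normal)
#   203.0.113.9   eight different users, seven failures (stuffing pattern)
SAMPLE_LOG = """\
2021-03-01T10:00:01Z src=198.51.100.7 client=aggregator-a user=alice result=fail
2021-03-01T10:00:05Z src=198.51.100.7 client=aggregator-a user=alice result=fail
2021-03-01T10:00:09Z src=198.51.100.7 client=aggregator-a user=alice result=ok
2021-03-01T10:01:00Z src=192.0.2.20 client=aggregator-a user=bob result=ok
2021-03-01T10:01:01Z src=192.0.2.20 client=aggregator-a user=carol result=ok
2021-03-01T10:01:02Z src=192.0.2.20 client=aggregator-a user=dave result=ok
2021-03-01T10:01:03Z src=192.0.2.20 client=aggregator-a user=erin result=ok
2021-03-01T10:01:04Z src=192.0.2.20 client=aggregator-a user=frank result=fail
2021-03-01T10:01:05Z src=192.0.2.20 client=aggregator-a user=grace result=ok
2021-03-01T10:02:00Z src=203.0.113.9 client=aggregator-b user=u1001 result=fail
2021-03-01T10:02:00Z src=203.0.113.9 client=aggregator-b user=u1002 result=fail
2021-03-01T10:02:01Z src=203.0.113.9 client=aggregator-b user=u1003 result=fail
2021-03-01T10:02:01Z src=203.0.113.9 client=aggregator-b user=u1004 result=ok
2021-03-01T10:02:02Z src=203.0.113.9 client=aggregator-b user=u1005 result=fail
2021-03-01T10:02:02Z src=203.0.113.9 client=aggregator-b user=u1006 result=fail
2021-03-01T10:02:03Z src=203.0.113.9 client=aggregator-b user=u1007 result=fail
2021-03-01T10:02:03Z src=203.0.113.9 client=aggregator-b user=u1008 result=fail
"""

# Field layout of the constructed log format (an assumption for this example).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) client=(?P<client>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize_sources(lines):
    """Aggregate attempts, failures and distinct usernames per (src, client)."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed or unrelated lines
            continue
        s = stats[(rec["src"], rec["client"])]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] != "ok":
            s["failures"] += 1
    return stats


def detect_credential_stuffing(lines, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.6):
    """Return the (src, client) pairs whose login pattern matches credential stuffing.

    All three conditions must hold: enough attempts to be meaningful, many
    distinct usernames (one user retrying a password is not stuffing), and a
    failure ratio well above what a legitimate batch refresh produces. The
    thresholds are illustrative and would be tuned per institution.
    """
    flagged = []
    for (src, client), s in summarize_sources(lines).items():
        ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio >= min_fail_ratio):
            flagged.append({
                "src": src,
                "client": client,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": ratio,
            })
    return flagged


if __name__ == "__main__":
    for hit in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(f"suspected credential stuffing via {hit['client']} from {hit['src']}: "
              f"{hit['attempts']} attempts, {hit['distinct_users']} users, "
              f"{hit['fail_ratio']:.0%} failed")
```

Run as a script it reports only the 203.0.113.9/aggregator-b pair. Keying on the (source, aggregator) pair rather than the aggregator alone matters in practice: it lets an institution throttle or challenge the offending source while the aggregator's legitimate refresh traffic from other addresses continues, which is the fine-grained control the NCR episode above shows is needed.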
The bottom line is that open banking exposes financial institutions to significant, pervasive risks. That’s why, at F5, we’re taking a strategic approach to helping financial institutions manage and secure open banking APIs.
Helping financial institutions embrace open banking—securely
F5 is already a leader in delivering API management, high-performance API gateways, and advanced security controls in an all-in-one solution, reducing tool sprawl, and limiting architectural complexity.
F5 monitors login attempts to financial-institution accounts in real time, enabling financial institutions to distinguish between real users, bots and automation, and manual (human-driven) fraud attempts. We like to think that’s one of the reasons that the top 15 U.S. commercial banks all use F5 solutions. Now, we’re innovating to extend our solution set and provide even more comprehensive support for open banking.
In the coming months, you’ll see more from F5 around open banking, focused on topics including better management of traffic from aggregators and protection against API attacks.
One example is our Aggregator Management product, which provides F5 customers in the open banking community greater visibility into API traffic, automatic detection of credential stuffing, anomalous-traffic detection, and the ability to limit content-access privileges for aggregators. For financial institutions, this means more fine-grained control over aggregators, better protection of consumer accounts from fraud, better app availability—and less risk.
Stay tuned! And in the meantime, learn more about the risks of open banking and how to fend them off:
- Watch our webinar, Open Banking Trends, Challenges, and Opportunities, to learn more about open banking.
- Explore our Aggregator Management solution.
- Explore a blueprint to protect against open banking bot attacks.
- Take our threat assessment to see how effective your current API security is.
- Learn how F5 can help organizations prevent ATO attacks without adding friction for users.
- Learn how Shape technology helped a top 10 North American bank eliminate credential stuffing.