Protecting the ubiquitous code that enables untold numbers of payments connections is no easy matter. It’s also critical.
Just how attractive to criminals are the networking connections between payments and financial-services companies, on the one hand, and third parties, on the other? Extremely.
Witness that one day in August 2019, a single financial firm weathered more than 55 million malicious login attempts by criminals trying to stuff stolen username-and-password combinations into the firm's login pages.
The bad guys, in this instance, were not successful, says the security company Akamai Technologies in its “State of the Internet/Security” report released earlier this year, which cataloged the attack.
What are application programming interfaces (APIs) and why are they so important? They let one system exchange data with another programmatically, without a person logging in to each one. They're the software interface, for example, that lets a third party move funds to your bank account. Just as important, a well-designed API exposes only the data a given task needs, which makes it tougher for criminals to get at everything else.
APIs have been active for some time in some very prominent payments programs. They make it possible for Green Dot Corp., for example, to enable Apple Inc. to link Apple Pay to Green Dot’s infrastructure. “While regulatory issues still need to be managed by Green Dot, the technical connectivity to the Green Dot infrastructure becomes simple,” says Tim Sloane, vice president of payments innovation at Marlborough, Mass.-based Mercator Advisory Group Inc.
“APIs enable companies with no experience in payments to quickly integrate their systems and software to payment experts and rapidly start transacting payments,” Sloane continues.
Further, APIs make banking programmable, says Ron Van Wezel, senior analyst at Aite Group LLC, a Boston-based consultancy, “allowing third-party developers (fintechs and others), to access bank data and functionality to create new value for customers.”
This has led to open banking on a global scale, he says, and holds still greater promise. “While still in initial stages,” he adds, “open banking will lead to the next wave of digitization in payments, reconfiguring age-old value chains and changing business models.”
Adapting existing business models to the capabilities APIs afford, and creating new ones, won't happen smoothly unless these connections are protected. That protection is vital because criminals have added APIs to their target lists.
Criminals want to access data held by financial-services companies because that’s where the money is. But this data also includes personal information associated with a victim’s financial account, says Steve Ragan, an Akamai security researcher. “Information has value, and can be sold or traded,” Ragan says.
“When criminals are targeting APIs, they’re attempting to bypass defenses and target as many accounts as possible,” Ragan says. “[Multifactor authentication] makes things harder for the criminals, not impossible, but certainly harder.”
Online criminals follow patterns similar to those they observe in the physical world. The time needed to commit the crime, for example, should not outweigh the perceived return on investment.
“There is a time-based ROI for a lot of criminals,” Ragan says. “If an account doesn’t fall instantly to a username/password combo, they move on to a new account. Only the more dedicated ones will attempt password variations or move on to phishing in order to attempt a multifactor authentication bypass.”
APIs are subject to a number of common threats, says Johannes Ullrich, dean of research at SANS Technology Institute, a cooperative research and education organization. “Encryption, since [APIs] go over public networks, is a problem,” Ullrich says. “They have to know who is sending the request. Then ensure the message is not altered as it’s transmitted.”
Protecting the integrity and availability of API connections also underpins any service-level guarantees that promise authorized users a certain volume of API calls, he says.
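The two requirements Ullrich names, knowing who sent a request and detecting any change to it in transit, are commonly met by having each client sign its requests with a per-client secret. The following is an added example, not code from the article or from any company quoted in it; the key id, the shared secret, the header names and the sample transfer request are constructed for illustration. The client signs the method, path, a timestamp, a nonce and a hash of the body with HMAC-SHA256; the server recomputes the signature, compares it in constant time, rejects stale timestamps, and rejects nonces it has already seen, so a captured request cannot simply be replayed.

```python
"""Signing API requests so the receiver knows who sent each one and
that nothing in it changed in transit.

Added example, not code from the article or from any company it quotes.
Key id, shared secret, header names and the sample request are constructed;
a real service would keep one secret per client in a secrets store.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed client registry: key id -> shared secret.
CLIENT_SECRETS = {
    "client-7f3a": b"0123456789abcdef0123456789abcdef",
}

MAX_CLOCK_SKEW_SECONDS = 300  # reject timestamps further than this from now


def canonical_string(method, path, timestamp, nonce, body):
    """The exact bytes both sides sign. Method and path bind the signature
    to this operation; the body hash binds it to this payload; timestamp
    and nonce make every signature single-use."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the headers that authenticate this request."""
    secret = CLIENT_SECRETS[key_id]
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, body, seen_nonces, now=None):
    """Server side: return (accepted, reason). Every failure closes the door;
    `seen_nonces` is the replay cache shared by all requests from this key."""
    now = int(time.time()) if now is None else now
    secret = CLIENT_SECRETS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    nonce = headers.get("X-Nonce", "")
    expected = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
    # Constant-time compare so response timing does not leak the expected MAC.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    # Only a request that already proved who sent it gets to occupy the cache.
    if not nonce or nonce in seen_nonces:
        return False, "replayed or missing nonce"
    seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    body = json.dumps({"amount": "125.00", "to_account": "ACCT-0042"}).encode()
    headers = sign_request("client-7f3a", "POST", "/v1/transfers", body)
    cache = set()
    print(verify_request(headers, "POST", "/v1/transfers", body, cache))      # (True, 'ok')
    tampered = json.dumps({"amount": "9125.00", "to_account": "ACCT-0042"}).encode()
    print(verify_request(headers, "POST", "/v1/transfers", tampered, cache))  # signature mismatch
    print(verify_request(headers, "POST", "/v1/transfers", body, cache))      # replayed nonce
```

TLS still carries the request; the signature adds sender authentication and integrity at the application layer, which survives TLS-terminating proxies and lets the receiver tie each call to a specific client key rather than to whatever presented a valid certificate.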
Generally, API protection starts with the concept of least privilege, followed by fail-safe defaults, meaning a user's access is denied unless it has been granted explicitly, Ragan says.
Multiple security considerations come into play, says Mathieu Auger-Perreault, director of fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research.
“Securing APIs, just like securing other components of the payments ecosystem, requires multiple layers of defense, including making sure API developers are aware of security risks and best practices,” Auger-Perreault says in an email.
Among Auger-Perreault’s considerations:
– Is the communication channel secured?
– What kind of data is the API providing? Is it providing too much information versus what is required?
– How are API requests authenticated and authorized?
– Is the API vulnerable to injection attacks?
– Is the API producing logs and are these logs collected and analyzed by the security team?
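The checklist above maps directly onto handler code. The following is an added example, not code from the article or from Javelin; the route table, scope names, table layout, sample rows and injection payload are all constructed. It applies fail-safe defaults (a route not in the table, or a token lacking the route's scope, is denied), returns only a whitelist of fields rather than the whole record, binds the account identifier as a query parameter so it cannot rewrite the SQL, and emits a structured audit record for every decision. For contrast, get_account_unsafe shows the string-built query the bound parameter replaces.

```python
"""One API handler behind the endpoint, written against the checklist:
deny by default, return only what is needed, bind query parameters,
and record every decision for the security team.

Added example, not code from the article or from any company it
quotes. Route table, scope names, table layout and rows are constructed.
"""
import json
import logging
import sqlite3

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("api")

# In-memory copy of what was logged, so the records can be inspected;
# a real service would ship them to the SIEM instead.
AUDIT_LOG = []

# Fail-safe default: a route is callable only if it is listed here together
# with the scope it requires. Anything not listed is denied.
ROUTE_SCOPES = {
    ("GET", "/v1/accounts/{id}"): "accounts:read",
    ("POST", "/v1/transfers"): "transfers:write",
}

# Data minimisation: only these columns ever leave the service.
ACCOUNT_PUBLIC_FIELDS = ("id", "display_name", "balance")


def audit(event, **fields):
    """Emit one structured log record and keep a copy for analysis."""
    record = {"event": event, **fields}
    AUDIT_LOG.append(record)
    log.info(json.dumps(record))


def open_db():
    """Constructed in-memory store standing in for the core banking system."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, owner_client TEXT, "
        "display_name TEXT, balance TEXT, ssn TEXT)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        ("ACCT-0042", "client-7f3a", "Checking", "125.00", "123-45-6789"),
        ("ACCT-0099", "client-b2c1", "Savings", "9000.00", "987-65-4321"),
    ])
    return db


def authorize(method, route, token_scopes):
    """True only when the route is known AND the token carries its scope."""
    required = ROUTE_SCOPES.get((method, route))
    if required is None:
        return False  # unknown route: deny rather than guess
    return required in token_scopes


def get_account(db, client_id, token_scopes, account_id):
    """GET /v1/accounts/{id} for the calling client. Returns (status, body)."""
    route = "/v1/accounts/{id}"
    if not authorize("GET", route, token_scopes):
        audit("authz_denied", client=client_id, route=route, account=account_id)
        return 403, {"error": "forbidden"}
    # account_id and client_id are bound parameters: data, never SQL text.
    row = db.execute(
        "SELECT id, display_name, balance FROM accounts "
        "WHERE id = ? AND owner_client = ?",
        (account_id, client_id),
    ).fetchone()
    if row is None:
        # Same answer whether the account is missing or belongs to another
        # client, so callers cannot enumerate accounts they do not own.
        audit("account_not_found", client=client_id, account=account_id)
        return 404, {"error": "not found"}
    audit("account_read", client=client_id, account=account_id)
    return 200, dict(zip(ACCOUNT_PUBLIC_FIELDS, row))


def get_account_unsafe(db, client_id, account_id):
    """The pattern the bound parameter replaces: the id is pasted into the
    SQL, so an attacker-chosen id rewrites the query and the owner check."""
    query = (f"SELECT id, display_name, balance, ssn FROM accounts "
             f"WHERE id = '{account_id}' AND owner_client = '{client_id}'")
    return db.execute(query).fetchone()


if __name__ == "__main__":
    db = open_db()
    probe = "' OR id='ACCT-0099' --"  # constructed injection payload
    print(get_account(db, "client-7f3a", {"accounts:read"}, "ACCT-0042"))  # 200, own account
    print(get_account(db, "client-7f3a", {"accounts:read"}, "ACCT-0099"))  # 404, someone else's
    print(get_account(db, "client-7f3a", set(), "ACCT-0042"))               # 403, no scope
    print(get_account(db, "client-7f3a", {"accounts:read"}, probe))         # 404, payload is just data
    print(get_account_unsafe(db, "client-7f3a", probe))                     # other client's row, SSN included
```

The same payload that is harmless to get_account returns another client's row, Social Security number included, from get_account_unsafe: the `--` comments out the owner check. Note also that the safe handler never selects the ssn column at all, so there is nothing to leak even if a later bug serialises the whole row.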
Actions and techniques to answer these questions include involving the organization's technology security team in API development, Auger-Perreault says. Others are to encrypt the traffic and to apply a need-to-know, least-privilege mindset both to which APIs are deployed and to the data those APIs return.
API managers should keep several factors in mind, says Keith Fulton, senior vice president and chief information officer of bank solutions at Fiserv Inc. "Business owners should think about the level of security they need: where does the use case fall on a security spectrum?" Fulton says by email. "Any API that involves the transfer of personally identifiable information, or the movement of money, must be secure.
“Think about the other businesses you are making APIs available to or using APIs from, and question their security practices,” Fulton continues. “This is a situation where the chain is only as strong as the weakest link. If the businesses you connect to are not practicing good security habits, that can put your business at risk as well.”
Behind the Endpoint
Traditionally, encryption and some sort of authentication formed the bulk of API protection efforts, but those steps alone are no longer sufficient, says Sam Pfanstiel, director of security consulting services at ControlScan Inc., an Atlanta-based data-security provider.
Today, securing an API entails peeling back to what's behind the endpoint, the technical term for the address at which the API receives requests, Pfanstiel says.
"Is the software being developed by a programmer trained in software security?" is one of the questions to ask. Does the software code have some sort of separation of duties, so if one component is compromised it's less likely to spread? Today, protecting APIs involves encryption, authentication, secure development, empirical testing, and separation of duties, Pfanstiel says.
Mercator’s Sloane advocates a sandbox approach. That segregates the API and its specific task so it can be tested in as close to a real-world environment as possible.
“Then a proactive vetting of the user organization by the payment platform and bank to validate the use case, the adherence to regulations, and the availability of funds,” Sloane says.
“With all of that in place,” he continues, “the only thing left to do is to have a development team that follows traditional banking-system development and personnel management policies to prevent against insider attacks, blackmail, trap doors, etc.”
APIs can be written in any computing language and sometimes can be so numerous an organization might lose track of all the APIs it allows, says Ullrich. “The API represents your business logic,” he says. “They can all implement their own front end. The value is providing the standardized interface.”
Payments and financial-services entities are working on API standardization, too. Nacha, the Herndon, Va.-based automated clearing house governing body, created the Afinis Interoperability Standards body to advance API standardization.
And nonprofit Financial Data Exchange has an overall mission of fostering common, interoperable standards for access to financial data. It is an independent unit of the Financial Services Information Sharing and Analysis Center, a Reston, Va.-based association.
Using best practices to secure APIs will only become more important as the use of APIs proliferates. “The speed with which businesses can adopt new payment strategies and innovate will continue to increase significantly,” Sloane says. A new range of use cases, potentially disruptive ones, will start to appear, he says.
“In some instances, these will be implemented by innovations in a siloed payments infrastructure, while in other cases it may be implemented on top of a regulated standard as may become possible under the PSD2 standards across all [European Union] banks,” Sloane says.
“These payment APIs,” he continues, “could in essence allow new payment schemes that totally bypass the traditional payment networks. In short, APIs will continue to speed up disruption.”
Auger-Perreault has a similar take. “APIs will enable ‘fast followers’ in the payments space to keep pace with more powerful and well-funded financial brands ratcheting up the competitive landscape,” he says. “APIs are critical to the infrastructure of payments and enable money to move.”