Voice of the Industry

All access security: how to keep APIs secure in an open financial services environment

Monday 6 February 2017 08:50 CET | Editor: Melisande Mual | Voice of the industry

David Jones, Irdeto: It simply cannot be ignored any longer: the world is becoming more open, leading to a continuous supply of new services and business models.

As experienced in industries like photography and media & entertainment, digital disruption is beginning to transform the payments and banking ecosystem. Consumer appetite for digital services is attracting new entrants and disruptors into an already fiercely contested financial services market. These new and unconventional financial services providers are embracing the use of open APIs to push the innovation envelope.

In addition, various government-led initiatives seek to make open APIs a regulatory requirement for all incumbent banks. A prominent example is Europe, where the move towards an open banking and payments environment is encapsulated in the EU’s Second Payment Services Directive (PSD2). When adopted, PSD2 requires banks to enable third-party access to customer accounts, and open API technology is well placed to become the market standard that supports it.

It is fair to say that APIs are gaining traction in the financial industry and they will need to be embraced by the payments ecosystem. But what does this mean for security?

The opportunities and challenges that open banking and APIs provide

An API is a set of routines and protocols that specifies how software components should interact. APIs are an essential and ubiquitous part of online commerce. For example, each time a consumer initiates an online payment, an API request travels from the merchant’s web shop environment to an online payment gateway, often referred to as a Payment Service Provider (PSP). The PSP forwards the payment request via several parties to the consumer’s bank, where the authorization is either accepted or rejected. The response then travels back to the merchant’s web shop along the same path.

One of the great things about APIs is that they open the door to many new, innovative developments and entrants into the industry, forcing incumbent players to respond accordingly. However, despite these exciting possibilities, the industry must realize that APIs are not only a conduit for consumers to access devices and online services; they are also a frequent entry point for hackers and cybercriminals. Though the exact attack profile is still under review, it is believed that the recent cyberattack on Tesco Bank, in which hackers stole money from up to 20,000 of the bank’s account holders, was achieved through weak APIs.

The current state of the digital security landscape

Currently, cryptography is used as a means to secure all electronic communication: from sending texts to making payments. Why then do client-side APIs continue to be so vulnerable?

The answer to that question lies in the fact that cryptography was originally developed for use in what is called a “blackbox” environment. In a blackbox environment, the communication endpoints (the user’s or merchant’s devices) are presumed to be trustworthy; in other words, they are assumed to operate in a safe, attacker-free setting. It goes without saying that this is an unrealistic assumption for ecommerce and for open APIs in general.

Ecommerce is most often conducted in a “whitebox” environment, such as the internet, in which the communication endpoints are presumed to be insecure. Effective cryptography in whitebox environments means that existing cryptographic models must be augmented with technologies that harden web applications and mobile devices against attacks on APIs. This requires ensuring the authenticity of the JavaScript that is requesting communication with the API: if the requesting code is authentic, the communication can be trusted.

Until now, it has been presumed that JavaScript could not be hardened to this level. But today, technologies can be applied to JavaScript to ensure its integrity at all times. Using these technologies, communication requests from corrupted JavaScript code will simply be rejected, or flagged as such. This protects the JavaScript from:

• Tampering;
• Reverse engineering;
• Data tampering and siphoning;
• Man-in-the-Middle (MITM) and a variety of other advanced attacks.

The most vulnerable APIs are those used by web applications (including browsers) on end-user devices (i.e. mobile devices, tablets, laptops, etc.). In 2015, about 40% of all data breaches occurred through these web applications (Verizon Data Breach Investigations Report (DBIR) 2016). They are a soft target because most end-user devices are insecure, and their openness allows hackers to view the source code and learn how to attack it. Once such a device is compromised, the web application is a relatively easy target for malicious code, which can probe and read the application’s JavaScript. If the JavaScript is hacked, unauthorized requests can be sent to the API using common techniques such as parameter tampering and spoofing. In short, through this method the hacker can steal the keys to the application and gain access to customer data and other critical company assets, or even steal money.

Raising the bar for digital security standards

Irdeto challenges the status quo in digital security by combining its unique capabilities of integrity verification, extreme JavaScript diversification and whitebox cryptography in both the interface and the web application/browser.

To keep APIs protected in an “all access” environment, providers need to fundamentally re-think their approach to security. Network and perimeter security, standard API development practices and other commonly used security approaches are no longer enough. To ensure the safety of API data communications and enable new services, trust must be established in the web application and/or browser. New technologies and innovations must be considered at the onset of any new PSD2, API or payments and banking security initiative.


About David Jones

David joined Irdeto in 2008. Since then his responsibilities have included global partnership strategy and management, and technical partner support services. Dave has extensive international experience working with diverse global partners and introducing them to Irdeto’s global customers. In 2014 David moved to the Business Development team to drive entry into new markets and segments that can benefit from Irdeto’s core technologies. David now leads Irdeto’s Payments and Banking segment, delivering solutions to the financial services industry and driving relevant partnerships and channels.

About Irdeto

With nearly 50 years of experience, Irdeto is a pioneer in digital platform and application security. Its technology protects over USD 750 million in payments and more than 2 billion devices against cyberattacks for some of the world’s best known brands. Irdeto leverages this security expertise to enable banks and PSPs to deliver a convenient and safe digital shopping and banking experience for consumers.
