Security researchers have recently published a study that revealed vulnerabilities in the financial technology, banking, and cryptocurrency exchange sectors. The open banking system drove the adoption of APIs throughout the banking sector, allowing third-party developers to create applications on top of financial services.
For this reason, financial services are being pushed to prioritise API security, whether as a compliance requirement or as a business strategy.
In the study, a security researcher focused on vulnerabilities among financial services and fintech companies and managed to access 55 banks via their APIs. That access allowed the researcher to change customers’ PIN codes and transfer money in and out of their accounts.
These vulnerabilities were found in financial services with between 25,000 and 68 million customers and between $2.3 million and $7.7 trillion in managed assets.
Furthermore, 54 of the 55 banks accessed by the researcher were found to contain hardcoded API keys and tokens, including usernames and passwords for third-party applications. Meanwhile, all 55 tested bank applications were vulnerable to man-in-the-middle (MITM) attacks, which allowed the researcher to decrypt the encrypted traffic between the banking apps and the backend APIs.
The tested APIs were also vulnerable to Broken Object Level Authorisation (BOLA), which lets any actor change the PIN code of other customers’ bank cards and perform transactions on their behalf. Additionally, the APIs were vulnerable to Broken Authentication, which allows API requests to be made against other bank customers’ accounts without authenticating at all.
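To make the BOLA and Broken Authentication findings concrete, the following is an added example (not code from the study or from any of the banks described) modelling a "change card PIN" API handler: the vulnerable form trusts the client-supplied card identifier and never checks who is calling, while the hardened form authenticates the session and then authorises the request against the card's owner. The card records and session tokens are constructed sample data.

```python
# Added illustration of BOLA vs. a hardened handler; all data below is constructed.
from dataclasses import dataclass


@dataclass
class Card:
    card_id: str
    owner: str  # customer id that owns this card
    pin: str


# Constructed sample data: two customers, one card each.
CARDS = {
    "card-1001": Card("card-1001", "alice", "1234"),
    "card-2002": Card("card-2002", "bob", "9876"),
}
# Constructed session store: opaque bearer token -> authenticated customer id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def change_pin_vulnerable(card_id: str, new_pin: str) -> int:
    """BOLA + Broken Authentication: no caller identity is required and the
    client-chosen card_id is acted on directly, so anyone can reset any PIN."""
    CARDS[card_id].pin = new_pin
    return 200


def change_pin_hardened(token: str, card_id: str, new_pin: str) -> int:
    """Authenticate first, then authorise the object against the caller.
    Returns an HTTP-style status code so the outcome can be checked."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401  # unauthenticated: reject before touching any object
    card = CARDS.get(card_id)
    # Same answer for a missing card and for another customer's card, so the
    # endpoint does not become an oracle for enumerating valid card ids.
    if card is None or card.owner != caller:
        return 404
    if not (new_pin.isdigit() and len(new_pin) == 4):
        return 400  # validate input only after authorisation has passed
    card.pin = new_pin
    return 200
```

Logging every 401 and 404 from this endpoint, keyed by token and card id, is also what makes the cross-account probing the study describes visible to a monitoring team.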
One of the tested banking apps was built on outsourced code that contained the vulnerabilities, and that same code has been reused in hundreds of other banking apps, which allowed the same vulnerabilities to be exploited against the other banks.
The security researcher concluded that as long as unsecured APIs continue to emerge, banking and financial services will remain exposed to vulnerabilities and attacks. The open banking system has pushed API-based services towards third-party providers. Nonetheless, it remains beneficial for financial services’ digital transformation initiatives, which are a top priority for delivering an improved digital customer experience.
To conclude, researchers are urging financial services to strengthen their API security measures in order to prevent the problems that can arise from the vulnerabilities found among banking applications, whether or not those applications were tested in the study.