While SCA might thwart some cybercriminals, Open Banking APIs present a new opportunity

By Andy Still, CTO, Netacea 


Credential stuffing has plagued the financial services industry for a while. It is a technique involving cybercriminals using trial and error to ‘stuff’ stolen usernames and passwords into log-in pages, at high velocity, to gain fraudulent access to accounts. Bank accounts are the jackpot for cybercriminals. Once in, they can move money, make purchases, and even set up direct debits all without detection. 

Yet the advent of PSD2 and its subsequent Strong Customer Authentication (SCA) requirements, which needed to be implemented by the 31st December 2020, will hopefully see credential stuffing become a thing of the past for many in the industry. SCA demands that certain payments use two-factor authentication, meaning cybercriminals have to work a lot harder to bypass the extra security. Without this additional step, cybercriminals can use bots to check thousands of stolen card details and passwords every minute. These credentials, leaked in data breaches and then sold on the dark web, are much less effective if hackers also need to subvert one-time passwords and other security methods.

Making the jobs of cybercriminals harder seldom has negative effects. But the issue that banks and other financial service providers need to face is that when one method of attack is thwarted, cybercriminals won’t simply give up—instead, they will look for another way in. And PSD2, the regulation that demands SCA, gives them an opportunity: APIs. 


APIs: prime targets for cybercriminals?

The UK has already adopted banking APIs thanks to the Open Banking initiative. Aimed at democratising the banking industry, Open Banking requires banks to open up their APIs, allowing third parties to access the financial information needed to develop new apps and services and providing account holders with greater financial transparency. However, these APIs are a prime target for cybercriminals.

Access to APIs is restricted to regulated third-party providers (TPPs) that have been subject to extensive verification of their security, operational governance and risk management controls. But this doesn’t mean that they are fully protected from attacks. Businesses have three points of vulnerability—the browser, the mobile apps, and the API server—and all of these can be exploited to initiate attacks.






In addition, many businesses don’t seem to fully understand the risks associated with APIs. Our recent research shows that businesses, including financial services, rank mobile and website as about equally likely to suffer from a bot attack, with APIs in a distant third. This could be due to a lack of available APIs, but it is much more likely to be indicative of a lack of awareness, visibility or thought around bots using APIs as a way in.

However, even if banks take every precaution to make sure their APIs are secure, there are ways to attack them that are beyond their control. A hacker with access to a TPP’s system could use it to scrape personal details. Or a poorly designed third-party app could be used by a hacker to reverse engineer access to an API and use automated attacks to attempt account takeover and commit fraud.

Banks are being asked to secure their APIs. But even if they do this perfectly, they are still vulnerable if the third parties connecting to their APIs are careless. Blocking IPs and blacklisting certain TPPs will provide a partial solution, but a further problem remains—banks will no longer understand their data traffic.

Right now, good and bad bots, alongside humans, are interacting with online and mobile banking. There is enough history available to identify good and ill intent, and block those who are looking to take over accounts or perform similar attacks. APIs do not have the same history, making it even harder to distinguish between the good and bad guys.


Strengthening the industry’s position 

Banks not only need to secure their APIs, they also need to quickly get up to speed with what honest and malicious intent looks like. And the best place to start is looking at all the API interactions. Once an overall picture of how TPPs interact with banking APIs is formed, it makes bad behaviour more obvious. 

But the bot landscape is evolving so quickly that what looked like good and bad behaviour six months ago will have changed. Regularly reviewing the activity happening on APIs is imperative. The more the industry learns about APIs, the stronger the position it will be in to combat attacks in the future.
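
An added example, not from the original article or from Netacea: one way to form the per-TPP picture described above is to summarise each provider's API calls and compare the current window with that provider's own baseline. The log records, TPP names, window labels and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (window, tpp_id, account_id, http_status).
# TPP names, windows and volumes are invented for illustration.
def _calls(window, tpp, accounts, status, repeat=1):
    return [(window, tpp, a, status) for a in accounts for _ in range(repeat)]

LOG = (
    _calls("baseline", "tpp-budget-app", range(20), 200, repeat=5)
    + _calls("baseline", "tpp-budget-app", range(2), 401)
    + _calls("baseline", "tpp-lender", range(100, 110), 200, repeat=3)
    + _calls("current", "tpp-budget-app", range(20), 200, repeat=5)
    + _calls("current", "tpp-budget-app", range(3), 401)
    + _calls("current", "tpp-lender", range(100, 110), 200, repeat=3)
    + _calls("current", "tpp-lender", range(500, 700), 401)
)

def profile(records, window):
    """Per-TPP summary for one window: distinct accounts and auth-failure ratio."""
    stats = defaultdict(lambda: {"calls": 0, "accounts": set(), "failures": 0})
    for win, tpp, account, status in records:
        if win != window:
            continue
        s = stats[tpp]
        s["calls"] += 1
        s["accounts"].add(account)
        s["failures"] += status in (401, 403)
    return {t: {"accounts": len(s["accounts"]),
                "fail_ratio": s["failures"] / s["calls"]}
            for t, s in stats.items()}

def flag_deviations(records, account_factor=3.0, fail_margin=0.20):
    """Compare each TPP's current window against its own baseline."""
    base, cur = profile(records, "baseline"), profile(records, "current")
    findings = {}
    for tpp, now in cur.items():
        before = base.get(tpp)
        if before is None:  # no history yet, so nothing to compare against
            findings[tpp] = ["no baseline: new or unseen TPP"]
            continue
        reasons = []
        if now["accounts"] > account_factor * before["accounts"]:
            reasons.append("account fan-out")
        if now["fail_ratio"] - before["fail_ratio"] > fail_margin:
            reasons.append("auth failure spike")
        if reasons:
            findings[tpp] = reasons
    return findings
```

Re-running the comparison with a fresh baseline window at each review keeps the thresholds tied to recent behaviour rather than to what looked normal six months earlier.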

While traditionally banks have kept information to themselves, Open Banking has changed that forever. And the same openness should now apply to cybersecurity. Banks must initiate conversations with partners, competitors, and customers to bolster the industry’s understanding of attacks and become united in the fight against cybercrime. 


Andy Still

Andy is a pioneer of digital performance for online systems. As Chief Technology Officer, he leads the technical direction for Netacea’s products, as well as providing consultancy and thought leadership to clients. Andy has authored several books on computing and web performance, application development and non-human web traffic.
