
54 of 55 FinTech apps contain hardcoded credentials

API security vulnerabilities have brought management issues into focus

Published: November 1, 2021 By Ozair Malik

[Image: Application Programming Interface. Image source: freepik.com]

Exploited Vulnerabilities in APIs

APIs can be classified as private, partner, or public. For customer-facing connected devices and apps, APIs are often treated as both private and public, because outside users will not be reaching them through the company's internal network.

This creates a latent vulnerability if companies assume that a private API does not need to be protected.

Restricting API access to authenticated users is not enough. In this case, the firm in question relied on its app to hide other users' data, which still left the API itself exposed.

Open banking has driven the widespread use of APIs across banking, allowing third-party developers to build apps on top of the financial infrastructure.

Whether pursued as a compliance requirement or a business strategy, open banking has pushed financial services companies to make APIs and API security a focal point.

Following these trends, Knight turned her vulnerability research to financial services and FinTech companies and successfully gained access to about 55 banks through their APIs, which gave her the ability to change users' PIN codes and move money in and out of customer accounts.

The vulnerable targets ranged from companies with 25,000 to 68 million customers and from $2.3 million to $7.7 trillion in assets under management.

Financial Services and API Security Issues

  • 54 out of 55 apps contained hardcoded API keys and tokens, including credentials for third-party services.
  • The apps were vulnerable to man-in-the-middle (MITM) attacks, which allowed Knight to intercept and decrypt the encrypted traffic between the mobile apps and the APIs.
  • Broken Object Level Authorization (BOLA) allowed Knight to access and change PIN codes, credit/debit card information, and more.
  • Because of the BOLA vulnerabilities, Knight was able to manipulate information without authorization.
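As an added example (not from the article or from Knight's research), here is a minimal Python model of the BOLA flaw in the list above, with the account store, account ids and user names constructed for illustration: the vulnerable PIN-change handler trusts the account id in the request, while the fixed handler checks that the authenticated caller owns the account before changing anything.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a caller tries to act on an object it does not own."""

@dataclass
class Account:
    owner: str  # authenticated user who owns this account
    pin: str    # constructed sample value, not a real credential

# Constructed in-memory store keyed by account id, standing in for the API's database.
ACCOUNTS = {
    1001: Account(owner="alice", pin="1234"),
    1002: Account(owner="bob", pin="5678"),
}

def change_pin_vulnerable(caller: str, account_id: int, new_pin: str) -> str:
    """BOLA: the caller is authenticated, but the object id in the request is
    trusted as-is, so any logged-in user can change any account's PIN."""
    account = ACCOUNTS[account_id]
    account.pin = new_pin
    return account.pin

def change_pin_fixed(caller: str, account_id: int, new_pin: str) -> str:
    """Object-level authorization: fetch the object, then verify the authenticated
    caller owns it before touching it. Unknown and foreign ids get the same
    error so the endpoint does not reveal which account ids exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != caller:
        raise Forbidden(f"{caller} may not modify account {account_id}")
    account.pin = new_pin
    return account.pin

def demo() -> dict:
    """Run both handlers with 'bob' targeting alice's account and report what happened."""
    results = {}
    results["vulnerable_changed_other"] = change_pin_vulnerable("bob", 1001, "0000") == "0000"
    ACCOUNTS[1001].pin = "1234"  # reset the constructed data
    try:
        change_pin_fixed("bob", 1001, "0000")
        results["fixed_blocked"] = False
    except Forbidden:
        results["fixed_blocked"] = True
    results["fixed_allows_owner"] = change_pin_fixed("alice", 1001, "4321") == "4321"
    return results

if __name__ == "__main__":
    print(demo())
```

The same ownership check belongs on every endpoint that takes an object id, since an app that merely hides other users' ids does nothing to stop a caller who supplies one directly.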

For the last decade, I've been aiming my attention at vulnerability research into determining the security of the APIs that are now the basis of much of our nation's critical groundwork. My work has spanned APIs from emergency services, transportation and healthcare to FinTech. APIs are the measure for our entire connected world to date.

Knight

The Growth of APIs

As technology has grown, APIs let users consume services through connected devices, and those services in turn depend ever more heavily on APIs. These APIs can be classified as private, partner, or public.

APIs are at the core of nearly every digital service, whether enabling customers to monitor and automate their routines with IoT-connected devices or powering remote monitoring services that let car owners track their vehicles.

Weak Security of APIs

APIs are undoubtedly useful, and organizations depend heavily on them, but their vulnerabilities allow cybercriminals to access sensitive user data, whether identity or billing information.

Because users rely on IoT devices and lifestyle subscription services, API security problems open the door to attacks and to the exposure of customers' personal information.

The Attack Surface

Long-established banks now have to compete with neobanks and FinTechs to keep pace with how users want to bank in this century.

Traditional Main Street banks are rushing to adopt new technologies that deliver a smooth digital experience, blurring the lines between neobanks and traditional banks.

Internationally, open banking schemes have driven API-centric services, opening payments, account services and more to third-party providers.

Digital initiatives are also a pressing priority as financial services companies look to improve the digital customer experience.

The effort to attract new customers and retain existing ones by delivering additional value has resulted in more application services and the APIs that support them.

This increased adoption of APIs has produced a noticeable expansion of the attack surface.

Author
Ozair Malik
A passionate cyber security researcher and writer with a keen interest in digital forensics. A community worker running an Insta blog to raise cybersecurity awareness among laymen.
