APIs: The Soft Underbelly of On-line Banking

This guest post comes from Mark O'Neill. Mark is a frequent speaker and blogger on APIs and security, and is CTO at Vordel. Vordel’s API Server enables enterprises to connect to Cloud and Mobile.

In recent weeks, there have been a number of highly publicized cyberattacks on US banks. These attacks take the form of Distributed Denial of Service (DDoS) attacks, involving enormous amounts of traffic being sent to Internet-facing banking services, rendering them unusable.

Much of the press coverage of the DDoS attacks has focused on the fact that the Websites of the banks were taken offline by the sheer volume of traffic. It is understandable to focus on the takedown of the banking websites, because that is the most visible aspect of the attacks. Many banking customers, of course, primarily interact with their bank through online banking using their web browser. When the website is down, they can’t check their balances or pay bills. Understandably, this is very frustrating for users, and it causes material loss if a bill is not paid on time as a result.

However, a side-effect of the attacks has been to also render the mobile apps of the affected banks useless. Although users could initiate the mobile banking apps from their phone or tablet, the apps could not “call home” to their banking systems, so they could not connect to any account details, or even log the user in.

The loss of the mobile app functionality was reported as a side-effect of the attacks, along the lines of “…and also, mobile banking apps were affected”. However, the disabling of mobile apps points to a larger issue, which is not being reported.

Like other mobile apps, mobile banking apps use APIs to perform actions and receive data. The DDoS attacks effectively disabled this API access. Unlike the website disruption, this API disruption is not directly visible to users. The perception of the attack is different, because the app itself is still present on their phone or tablet. In fact, when confronted with a mobile banking app which has problems performing certain functions, a user may simply blame their mobile network, or assume they have lost coverage.

As mobile app usage grows, and users primarily use apps to perform banking, the impact an API attack can have on an economy grows exponentially. Recent research from comScore points to the ever-increasing number of mobile banking customers. In the fourth quarter of 2010 alone, almost 30 million Americans accessed their bank, credit card or brokerage accounts from a cell phone or tablet, up 54% from the same quarter a year earlier. Every financial services company worth its salt is focused on providing a mobile banking application to preserve customer loyalty in a bid to maintain relevance in a very fluid market. They need to be cognizant of the security issues.

Protecting APIs against attack

API protection is something which will increasingly be a concern for security staff. At present, it may be grouped together with website protection. In the diagram below, we see how API access typically occurs in parallel with regular Web access:

However, APIs are different in terms of usage patterns, and in terms of the types of traffic they receive. This means that it makes sense to protect them using different policies. Chief Security Officers and their IT security team members need to quickly come up to speed on both the threats posed to APIs and the very real impact an API disruption presents. Websites have been taken down before, but an attack on APIs is relatively new. Because APIs are still quite new, they are often treated as falling under the general rules for a bank’s Web resources. As such, there is a lot of focus on protecting the website from denial-of-service attacks (DoS attacks) or general attacks, while neglecting to prepare for an API disruption and its impact on mobile applications, which may be just as disruptive and damaging as a website outage.

In the case of the recent banking DDoS attacks, there was little the banks could do to protect against the attacks, given the sheer volume of traffic. However, separating the hosting of APIs from the hosting of “traditional” Website resources may be one mitigating factor. This means that a DDoS attack against the Website need not have the side-effect of taking down the APIs used by mobile banking apps.

Additionally, some API management products can provide mitigation against attacks. Their features include the ability to throttle traffic and to enforce security by requiring clients to present a particular security token, such as an API key or an OAuth token. It is also critical to manage the use of API keys, as there is a tendency to share them casually within an organization without due care for their security. API management products can also detect unusual API usage patterns. For example, if the mobile application generally accesses certain API operations in particular patterns, the product can detect anomalous traffic activity and raise alerts.
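To make the three controls above concrete (token enforcement, per-key throttling, and alerting on traffic that departs from the mobile app’s normal operation pattern), here is an added example of a minimal gateway policy applied to a constructed request log. It is illustrative code written for this article, not Vordel’s product or any bank’s API; the key names, limits and operation names are assumptions.

```python
from collections import defaultdict, deque

# Constructed values for this example, not real credentials or product settings.
VALID_KEYS = {"mobile-app-key-1", "mobile-app-key-2"}
RATE_LIMIT, WINDOW_SECONDS = 4, 10       # requests per key per sliding window
BASELINE_OPS = {"login", "balance", "transactions", "pay_bill"}
NEEDS_LOGIN = BASELINE_OPS - {"login"}   # data operations must follow a login

class GatewayPolicy:
    def __init__(self):
        self.windows = defaultdict(deque)  # api_key -> timestamps in window
        self.logged_in = set()             # keys that have completed a login

    def evaluate(self, ts, api_key, op):
        # 1. Token enforcement: a missing or unknown API key is rejected.
        if api_key not in VALID_KEYS:
            return "reject:invalid_key"
        # 2. Throttling: sliding window of request timestamps per key.
        window = self.windows[api_key]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return "throttle"
        window.append(ts)
        # 3. Pattern checks: only the app's known operations, never data before login.
        if op not in BASELINE_OPS:
            return "alert:unknown_operation"
        if op == "login":
            self.logged_in.add(api_key)
        elif op in NEEDS_LOGIN and api_key not in self.logged_in:
            return "alert:out_of_sequence"
        return "allow"

def run(log_lines):
    # Apply the policy to "timestamp api_key operation" lines, one decision each.
    policy = GatewayPolicy()
    return [policy.evaluate(int(ts), key, op)
            for ts, key, op in (line.split() for line in log_lines)]

# Constructed request log: a normal session, a keyless call, an unknown operation,
# a burst that trips the throttle, and a client calling data ops before login.
SAMPLE_LOG = [
    "0 mobile-app-key-1 login",
    "1 mobile-app-key-1 balance",
    "2 none pay_bill",
    "3 mobile-app-key-1 admin_export",
    "4 mobile-app-key-1 pay_bill",
    "5 mobile-app-key-1 transactions",
    "6 mobile-app-key-2 pay_bill",
    "15 mobile-app-key-1 balance",
]
```

Running `run(SAMPLE_LOG)` yields one decision per line; the throttled request at second 5 is not counted against the window, so the same key is allowed again once the window has expired at second 15.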

One of the lessons from recent attacks is the need to put measures in place to protect APIs. Rather than APIs being taken down as a side effect of attacks on websites, future attacks could be directed against APIs with the goal of taking out mobile applications. As a significant number of users continue to adopt mobile applications, this risk is increasing. In conclusion, it’s clear that the protection of APIs is of key importance within the banking sector. Similar to an attack on a bank’s website, the disruption of APIs renders the bank’s mobile applications useless, which will also negatively impact the bank’s reputation and operations.
