In the James Bond movie “Skyfall”, Bond’s adversary, Silva, taps into the frequency Bond’s team is using on its walkie-talkies to eavesdrop on their plan. Though the walkie-talkies were an easy way for Bond’s group to communicate, the convenience was offset by the vulnerability and lack of security, opening the door for the antagonist to counter Bond’s plans. This plotline serves as a stark reminder that without proper safeguards, any communication tool can become a liability in high-stakes environments.

Application programming interfaces (APIs), for example, work as a pathway for two different technological applications to exchange information. Because of the ease of integration with APIs, they’ve become a standard part of every community financial institution’s (CFI’s) technical tool kit.

Popularity of APIs

API usage has exploded in recent years, particularly due to the advent of open banking. Research shows that more than 90% of developers were using APIs back in 2020 — a number that has certainly only grown since then. Some core providers, such as Fiserv, have thousands of APIs that financial institutions can plug into their systems.

Potential Risks of Nonsecure APIs

According to the 2024 Salt Security State of API Security Report, 95% of respondents reported security concerns within their production APIs.

APIs come in two flavors: internal and external. Internal APIs work inside a CFI, where they allow different software components to talk to each other. External APIs let third-party applications access and interact with a CFI’s internal systems. You need effective security measures for both kinds of API, which means that both your internal team and your vendors need to be on board.

If not executed securely, APIs can leave an opening for hackers, potentially allowing them access to a CFI’s confidential data. The right security measures can keep portals open within the API ecosystem but closed to unauthorized access. Security can also help protect CFIs from noncompliance penalties and operational inefficiencies.

What Your API Security Plan Should Include

Protecting your APIs is important now and will get even more critical when the CFPB finalizes Section 1033 of the Dodd-Frank Act, sometimes called the “open banking” rule. In open banking, APIs facilitate the exchange of data between banks and fintechs. That helps both sides develop new applications and services. But it also means that APIs will help huge amounts of data change hands. Getting security in place now, while data volume is lower, can make a CFI’s burden lighter when data volume goes up.

Your API security plan might include a combination of security features and also standard practices for your team. Here are some technical solutions and staff practices that can help you keep APIs secure:
- Use an API firewall. Your choice should have two layers: the first in DMZ, executing basic security mechanisms, and the second in LAN, with advanced security around data content. Make getting to your data a real hassle for anyone you don’t approve.
- Use third-party security programs. An antivirus system or internet content adaptation protocol (ICAP) server can help prevent malicious code or data from interacting with your systems.
- Don’t share information unnecessarily. Error messages should give as little information as possible, and don’t share IP addresses. Use IP whitelists and blacklists to restrict data access. Limit the number of people who have administrator access and separate that access into different roles. Hide your CFI’s sensitive information.
- Limit your system to a set number of messages per second. Restrict the access you give to any one user or application. This helps prevent a hacker from flooding your system with multiple requests, locking legitimate users out of their network access.
- Vet all third-party data. Check every surprise gift of data your server receives, no matter the source. Be particularly cautious of big packages of content or data.
- Stay up to date. Keeping your software, infrastructure, and overall security network current lets your APIs benefit from the most recent security patches.
- Encrypt data. Data that’s been encrypted is much harder to steal. Use one-way (good) or two-way, mutually authenticated (better) encryption for all exchanges. Use the most recent TLS versions (the encryption layer under HTTPS) and disable the weakest cipher suites.
- Authenticate users. Before you let someone talk to your APIs, make sure you know who that someone is. A username and password, an API key, or a token generated by a third-party identity provider can all help you know who is ringing the metaphorical doorbell.
- Monitor API usage. Know what your APIs are up to by using a monitoring dashboard to track your API use. Audit and log API use on your server. You’ll be more able to notice and track anything suspicious.
- Prioritize items on the Open Web Application Security Project (OWASP) API Security Top 10 list. These are the most common ways for hackers to exploit APIs and the apps behind them to steal information or disrupt service.
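Several of the practices above (authenticate every caller, restrict by IP allowlist, cap request size, limit messages per second, give rejected callers a generic error, and audit every decision) can be enforced in one gate in front of an API. The following is an added illustration written for this article, not code from the page or from any vendor; the API key, client name and IP addresses are constructed sample values, and the gate is a plain function so it can sit in front of any framework.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed sample data: keys are stored only as SHA-256 digests, never plaintext.
VALID_KEY_HASHES = {
    hashlib.sha256(b"demo-key-ABC123").hexdigest(): "mobile-app",
}
ALLOWED_IPS = {"mobile-app": {"203.0.113.10"}}  # per-client IP allowlist (documentation range)
RATE_LIMIT_PER_SEC = 5                          # messages per second allowed for one client
MAX_BODY_BYTES = 64 * 1024                      # be wary of unusually large payloads
GENERIC_DENIAL = "request denied"               # never tell a caller *why* it was rejected

_windows = defaultdict(deque)  # client -> timestamps of its recent accepted requests
AUDIT_LOG = []                 # in-memory stand-in for the server-side audit log


def _audit(client, src_ip, outcome, now):
    # The detailed reason goes to the log, not to the caller.
    AUDIT_LOG.append({"ts": now, "client": client, "ip": src_ip, "outcome": outcome})


def _lookup_client(api_key):
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, client in VALID_KEY_HASHES.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return client
    return None


def gate_request(api_key, src_ip, body, now):
    """Return (status, message); `now` is the request time in seconds."""
    client = _lookup_client(api_key or "")
    if client is None or src_ip not in ALLOWED_IPS.get(client, set()):
        _audit(client, src_ip, "rejected-auth", now)
        return 401, GENERIC_DENIAL
    if len(body) > MAX_BODY_BYTES:
        _audit(client, src_ip, "rejected-size", now)
        return 413, GENERIC_DENIAL
    window = _windows[client]
    while window and now - window[0] >= 1.0:    # drop timestamps older than one second
        window.popleft()
    if len(window) >= RATE_LIMIT_PER_SEC:
        _audit(client, src_ip, "rejected-rate", now)
        return 429, GENERIC_DENIAL
    window.append(now)
    _audit(client, src_ip, "accepted", now)
    return 200, "ok"
```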
As open banking becomes more popular to help meet the increasing customer demands for digital banking capabilities, CFIs need APIs to connect with third-party solutions that provide convenience for customers. However, the way you connect to these outside APIs is vital, and overlooking a small detail can lead to data loss and unauthorized users accessing your systems. Careful security measures can help your team ensure that your APIs don’t start talking to anyone harmful.