What API Breaches Mean For The Financial Services Industry

Data breaches are a major threat within any industry and can seriously threaten a company's reputation, economic viability, and customer base. Data breaches within financial institutions are especially damaging, since they not only compromise private and sensitive data but are often the footholds for subsequent financial theft.

Unfortunately, various sources including Business Insider report that data breaches at financial institutions are increasing. And as a February 2019 report from Akamai has noted, another industry is facing harder hits, too.

Keep reading to understand how data breaches involving application program interfaces (API) in retail may impact the financial industry, as well. 

The Exponential Rise in API Breaches Within Retail Industry: Why Financial Firms are Taking Notice

According to Akamai's 2019 State of the Internet/Security: Retail Attacks and API Traffic report, cyber attackers launched a credential abuse technique called credential stuffing against retail sites over 10 billion times between May and December of last year. Credential stuffing relies on multi-functional bots and tools that allow hackers to target multiple retailers at once. 

Credential stuffing is a technique that allows hackers to steal login information, breach APIs, and subsequently access private and sensitive information. Once hackers are able to access accounts on these retailer platforms, they are able to steal private information that has a high value on the black market and dark web, including credit card information and demographic information.

But while the Akamai report focused on the impact within the retail industry, the report's authors also pointed out that hackers use this same method to target login pages on banks, as well (in addition to music, entertainment, hotel, and travel sites). 

API Breaches, Retail, and The Financial Industry: A Closer Look

The following are a few major takeaways from a comprehensive report from Business Insider on business and operational models within the financial services industry.

• More banks are using online and open banking methods and rely on API technology to do so. 
• A significant factor behind this growing trend is that regulations compel banks to provide customers (or appropriate third parties) with direct access to their data. Using technology to provide such access is important for customer autonomy, but unfortunately it may also be putting banks and their customers at a greater risk for cyber attacks.

And as Akamai reports, hackers are often correct in assuming that consumers tend to use the same login credentials (e.g., username and password) for multiple accounts. For this reason, the significant amount of data theft ongoing within the retail industry may be tied directly to breaches seen in the financial industry. 

5 Tips for Banks to Avoid Credential Stuffing and API Breaches

To protect your financial institution (and clients) against API breaches, try the following strategies:

1. Offer your clients multi-factor authentication. This requires your clients to provide additional methods of identification (such as a single-use code sent to their phone) in addition to their login info in order to help verify their identity.
2. Use CAPTCHAs. This is another customer-facing tool that can make it harder for cyber attackers to breach your system.
3. Keep track of your site's login success ratio. Low long success ratios (e.g., 0.1 to 10%) should be considered a major warning sign of an API breach.
4. Require the use of JavaScript. This provides another hurdle for cyber attackers and can make your site less appealing to infiltrate since you can customize protective measures specific to your organization (rather than relying solely on generic protective measures that are shared on multiple websites).
5. Consult with experts. It's important to remember that none of these strategies can offer 100% protection, but they do represent cost-effective ways to make it that much harder for phishers and cyber attackers to carry out their crimes. So, stay vigilant and consult with cybersecurity professionals for more customized information. 

Are you concerned about API breaches within your financial services firm?  Have you taken the necessary precautions to protect yourself against malicious users and cyber crime from inside and outside your company?

How prepared is your business for a cybersecurity incident?

Contact Integrity Technology Solutions to find out how we can help.