WHY SECURE APIS ARE THE KEY TO FINANCIAL CONTROL

Stefano Vaccino, Founder of Yapily

Consumers never owned their financial data. Banks controlled everything from how much money came into an account, to where that money was spent. While technology has already changed some of these processes, like the way we pay or move money around, when it comes to control over our data, the system has remained unchanged for decades. Until now.

Open Banking has disrupted the status quo. A decade on, and thanks to APIs that underpin Open Banking infrastructure, consumers now have more control over their financial data than ever before.

Handing back consumer control

Before Open Banking, consumers were at the mercy of the banks when it came to accessing their own data. There were only two ways to leverage the financial data in personal accounts to get better deals and access fundamental services. The first involved consumers physically printing or downloading a PDF of their bank statement to share with other banks or third-party providers (TPPs).

The second saw banks and third parties utilise screen scraping. This meant users had to share their username and password to grant access to their bank account, for example to feed a money management tool or to retrieve account information. Both options were slow and cumbersome, and the second left consumers at risk of fraud and data breaches unless they remembered to change their passwords.

Reducing account fraud & data breaches

Many organisations have legacy IT systems that rely on screen scraping, a practice that leaves systems open to data breaches. In fact, the Commonwealth Bank has reported that companies using screen scraping are at least two times more likely to experience account fraud. Not only is this bad for consumers; businesses can also be badly hit by the repercussions.

Thankfully, as of March 14th, the combination of Strong Customer Authentication (SCA) and the PSD2 regulations means that screen scraping has effectively been outlawed – significantly increasing the security of payments. The only secure way of accessing account information is through an API. Now, every individual payment requires a unique authorisation token which, once used, cannot be used again. Even tokens for recurring payments, such as standing orders for mortgage repayments, can be revoked and immediately rendered useless if suspicious activity is detected. This has greatly increased security for consumers who make payments online.
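The two token properties just described (one token per payment that cannot be presented twice, and a recurring-payment mandate that can be revoked on demand) are illustrated below in an added example; this is not Yapily's code or any Open Banking standard's reference implementation, and the class name, method names, token lifetime and account values are assumptions.

```python
# Added illustration, not Yapily's code: single-use payment tokens plus
# revocable recurring mandates. Names, lifetime and sample values are assumed.
import hashlib
import secrets
import time


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a copied store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class PaymentAuthoriser:
    def __init__(self, ttl_seconds: int = 300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now                # injectable clock, so expiry is testable
        self._single_use = {}         # digest -> (account, amount, expiry)
        self._mandates = {}           # digest -> {"account": str, "revoked": bool}

    def issue_payment_token(self, account: str, amount: int) -> str:
        # One token per payment, bound to the account and amount it authorises.
        token = secrets.token_urlsafe(32)
        self._single_use[_digest(token)] = (account, amount, self.now() + self.ttl)
        return token

    def issue_mandate_token(self, account: str) -> str:
        # Recurring payments (standing orders) get a long-lived but revocable token.
        token = secrets.token_urlsafe(32)
        self._mandates[_digest(token)] = {"account": account, "revoked": False}
        return token

    def revoke_mandate(self, token: str) -> bool:
        entry = self._mandates.get(_digest(token))
        if entry is None:
            return False
        entry["revoked"] = True       # every later presentation is now refused
        return True

    def execute_payment(self, token: str, account: str, amount: int) -> str:
        """Return 'ok' or a rejection reason for a single-use token."""
        # pop() before any check: a presentation consumes the token whether or
        # not it succeeds, so a second presentation always finds nothing.
        entry = self._single_use.pop(_digest(token), None)
        if entry is None:
            return "rejected: unknown or already used"
        bound_account, bound_amount, expiry = entry
        if self.now() > expiry:
            return "rejected: expired"
        if (bound_account, bound_amount) != (account, amount):
            return "rejected: token bound to a different payment"
        return "ok"

    def execute_recurring(self, token: str, account: str) -> str:
        """Return 'ok' or a rejection reason for a recurring-payment mandate."""
        entry = self._mandates.get(_digest(token))
        if entry is None:
            return "rejected: unknown mandate"
        if entry["revoked"]:
            return "rejected: mandate revoked"
        if entry["account"] != account:
            return "rejected: mandate bound to a different account"
        return "ok"


def demo() -> list:
    # Walks through the cases in the text and returns the outcomes in order.
    auth = PaymentAuthoriser()
    acct = "GB00EXMP00000001"                     # constructed account reference
    t = auth.issue_payment_token(acct, 4999)
    first = auth.execute_payment(t, acct, 4999)   # accepted
    replay = auth.execute_payment(t, acct, 4999)  # token already consumed
    m = auth.issue_mandate_token(acct)
    before = auth.execute_recurring(m, acct)      # accepted
    auth.revoke_mandate(m)                        # suspicious activity detected
    after = auth.execute_recurring(m, acct)       # mandate now useless
    return [first, replay, before, after]
```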

Breaking down barriers with APIs

In the UK, Open Banking was given a narrower focus than in the EU: only the nine largest banks were mandated to provide TPPs with access to their services and data. However, it did specify a single, pre-defined API (Application Programming Interface) as the standard for integration. While not as immediate as expected, banks did eventually make good progress in opening up these APIs, and this has led to the creation of new services. Moreover, APIs have been instrumental in handing control of financial data back to consumers.

Heading into an Open Finance future

Thanks to these APIs, we are seeing the global growth of Open Banking. Now, consumers can choose when to stay or go, as well as how much information they want to share, with whom and for how long. This is an important move given that as many as 15 million people in the UK could be using the wrong financial services product for them. In fact, around two million people miss out on the best interest rates and four million are denied credit each year.

Further, we’re not only in a world already reaping the benefits of Open Banking. We’re also moving towards a financial services industry powered by Open Finance, where laborious processes such as mortgage applications will be gone. Data that would historically have taken weeks or months to compile manually and send to the bank for review will be collated in minutes. Everything from credit scores to ID verification, property affordability and residential checks will be securely and seamlessly accessed thanks to open APIs. This will greatly reduce the lag between application and acceptance or rejection – giving consumers greater control over the whole mortgage process.

In a world powered by Open Banking and Open Finance, consumers now have more control over their financial data than ever before. We can expect to see financial inclusion for the unbanked and a better experience for those with existing products and services.

A lack of training and email security solutions is contributing to a rise in email threats targeting the finance sector.

Mike Fleck, Senior Director, Sales Engineering at Cyren

Email remains the most popular and successful attack vector in the digital landscape, simply because it is the most commonly used digital communication channel across the globe. On average, over 330 billion emails are sent every day. The sheer volume, and the fact that almost every employee within an organisation uses email, makes this channel a popular target for security threats. Finance organisations use email not only for internal communication but also for customer service interactions and marketing. A banking survey in 2021 showed that over 76.8% of users consider email the primary channel for communicating with banks. That’s why financial institutions are at the frontline of email-driven security risks.

In order to attain more insight into the email threats targeting the financial sector and the potential remedies, we talked to Mike Fleck at Cyren, a leader in enterprise email security solutions.

  1. What do you see as the main reason for the continued increase in successful email threats targeting the financial sector?

Email threats have become much more dynamic over the years. Although phishing continues to be the most common attack vector in the domain of email threats, the mix of breaches attributed to email attacks has expanded significantly in recent times. In our latest benchmark research, we surveyed 226 organisations that use Microsoft 365 for email. We found that compared to 2019, there was a 71% increase in ransomware-driven email attacks, a 44% increase in phishing attacks, and a 49% increase in credential compromise attacks. Phishing is no longer the only path for email threats, as attacks are now being driven by multiple sophisticated methods, which evidently leads to more successful threats.

The financial sector has always had a red mark on its back to threat actors, mainly because of the highly sensitive information and valuable assets managed by financial organisations. Email serves as the most vulnerable and easily compromised access point for threat actors, which is why the number of email breaches has massively increased over the years. Our research found that the number of email breaches across all organisations has almost doubled each year over the past three years.

Although most organisations are using email client plug-ins for reporting suspicious messages, only 22% of the organisations stated that they analyse all reported messages for malicious content, leaving a major gap in awareness and threat response. Our survey showed that inefficient threat response and a lack of urgency are the most concerning factors for security managers. Threat actors are consciously aware of these shortcomings, which is why they are able to frequently launch successful email attacks targeting the financial sector.

  2. Why is the email channel so appealing for fraudsters, and what are the techniques they use to target financial service organisations in this way?

Historically, email has always been the primary channel for business communication, and as businesses continue to attain cloud-based services, email has become a productive norm for file-sharing and communication. Email channels also integrate easily with any cloud application, facilitating businesses to pursue more productive interactions. There is also the fact that email is accessible to most personnel regardless of their technical ability.

This flexibility and continued dependency on email is also the reason why it is an appealing channel for threat actors. Because email channels are integrated with almost every organisation’s platform, breaching an email allows cybercriminals to backtrack into critical network infrastructure and compromise valuable assets. Most threat actors tend to target the user rather than the system, and email channels are used by almost every employee in a financial organisation regardless of their experience, role, technical awareness, or skills. Therefore, targeting emails allows threat actors to utilise a much wider attack surface.

Another major reason is that breaching the email channel is far less complex than breaching secured network endpoints and access firewalls. With techniques like social engineering and phishing, threat actors often don’t have to use significant resources or complex methods to breach employee email accounts. Our research showed that phishing is still the most used technique by attackers; 69% of all email breaches were due to phishing attacks. Other frequent techniques were Microsoft 365 credential compromise (60%), malware (59%), and ransomware (51%).

The means of carrying out these attacks are also easily accessible and available to almost anyone. Threat actors can buy a ransomware kit for as low as $66, and phishing kits are available for as little as $20. So, even the most inexperienced attackers can use such tools to exploit the email accounts of users and gain access to the critical resources of financial organisations.

Simply put, email provides a direct and economical path to the weakest point of every organisation’s cybersecurity program – its people.

  3. How important is proactive security awareness training when it comes to defending against email attacks?

The previous consensus was that email threats thrive on the user’s lack of awareness. Cybersecurity leaders believed that the “last mile” problem of phishing attacks can be solved if employees are able to detect and avoid fraudulent emails. Frequent awareness training is important to help employees stay up to date on evolving email attacks and identify malicious content or messages more easily. Over 99% of organisations offer awareness training, but only one in seven organisations offer training monthly or more frequently.

The dynamics of the attack vectors and techniques change constantly with the emergence of new technologies and vulnerabilities. Without frequent training, employees won’t develop a conscious awareness of email threats. We found that organisations that offer email awareness training every 90 days or more frequently are less likely to fall victim to phishing, business email compromise (BEC), and ransomware attempts.

Our research also showed a correlation between frequent training and email reporting frequency. Organisations that offer frequent training also experience a high rate of malicious or suspicious email reports – meaning that employees become more conscious and aware of the potential threats. That’s why frequent proactive awareness training is critical for protecting against email attacks. However, organisations need to appreciate that a higher volume of reported emails will result in a higher number of alerts that Security Operations Centre analysts must investigate.

  4. What are the steps you would recommend financial organisations take to implement effective inbox security solutions that bolster their cyber resiliency immediately?

Financial organisations need to act quickly when responding to a potential threat, as even a fractional security breach can cause unprecedented damage to their assets. Organisations are beginning to realise that employees fall victim to these scams because they are busy and distracted – not because they are apathetic or gullible. Also, relying on employees to spot and report suspicious messages is not a complete or efficient solution to the problem. Employees do not consistently report every threat, and what alerts they do generate have a false positive rate of at least 41%. In addition to constant awareness training, organisations must incorporate effective inbox security solutions to increase their cyber resiliency.

When implementing effective inbox security solutions, financial organisations must consider the response and reporting time. They must choose solutions that can detect threats in real time and automate the response to those threats for quick remediation.

An effective approach for financial leaders is to invest in automated solutions that can detect and remove social engineering threats in real time. Automated inbox security solutions can continuously scan inbound and outbound email folders, including their contents such as URLs and web pages. Such solutions can detect and report anomalies, resulting in real-time detection. Automated threat response solutions can strengthen the built-in security capabilities of the email gateway, such as Microsoft 365 Defender. Combining automated solutions with the existing threat response framework can optimise the response process and significantly reduce the time and cost of threat investigation.

Main Factors Accelerating API Security Risks in Financial Services

By: Yaniv Balmas, VP of research at Salt Security

The API ecosystem is exploding and nowhere has API delivery accelerated as much or as fast as in financial services. Leveraging APIs, financial services organisations can innovate and quickly bring to market unique customer experiences and services. While more than three-fourths of software developers say API development is or will be a top business priority, the figure is even higher in financial services – topping all other industries at more than 80%.

Because successful attacks are so lucrative against financial institutions, they have always been a top target. The growth of the API economy has made the financial sector an even bigger target, which is why minimising API security risks has become the top priority.

Four factors are driving the urgent need for better API security in financial services:

  • API usage in financial services is increasing
  • API attacks threaten digital transformation initiatives
  • API security incidents hurt customer trust
  • Traditional security solutions don’t protect APIs

API Usage Will Increase Even More

In financial services, the high-growth trajectory of APIs will continue. With each use case and new service, the number of APIs in a typical financial services company grows ever higher.

APIs provide the required data connection to support today’s mobile financial applications and peer-to-peer payment systems. APIs are at the centre of open banking. APIs enable financial services companies to standardise how they connect and exchange data, allowing consumer financial information to be instantly shared across organisations and third-party service providers. With different partners and technology suppliers, API connections are being continuously added to the financial ecosystem.

For financial services, that means even more APIs and a continuously growing attack surface that must be adequately protected.

API Attacks Threaten Key Business Initiatives

Open banking gives consumers more choices and convenience to address their financial needs. It also increases competition across the financial services industry and generates new revenue avenues. In addition, open banking provides more traditional financial institutions the opportunity to compete with faster-moving fintech companies.

Moreover, in financial services, Covid has hastened the adoption of digital transformation, including mobile and remote banking. In a pandemic-mandated stay-at-home world, consumers made their needs clear. They want integrated services and the ability to connect their financial lives when and where they desire. This requires banks and other finance companies to roll out new capabilities or risk becoming obsolete and losing customers and revenue.

Digitalisation has become a critical business initiative and is increasingly important in financial services. However, without the ability to protect the data being used within these services, financial organisations lose that opportunity entirely. Financial data breaches can cost the business in lost revenue from new opportunities and cause irreparable harm to an organisation’s brand.

Just a single API attack has the potential to wipe out all the gains made from an organisation’s digital transformation.

API Security Incidents Damage Consumer Trust

In financial services, the costs of lost trust can be high. Salt Labs, the research arm of Salt Security, provides ongoing API vulnerability research. In its latest report, Salt Labs uncovered a server-side request forgery (SSRF) flaw on a large fintech platform that provides a wide range of digital banking services to hundreds of banks and millions of customers.

The vulnerability had the potential to compromise every user account and transaction data served by its customer banks. Imagine the leaking of customers’ banking details and financial transactions and users’ personal data or, worse, unauthorised funds transfers into the attackers’ bank accounts.

None of these nightmares came to be, because Salt Labs found the problem before a bad actor did, and all issues have been remediated. But this type of exploit, had it occurred, would have likely caused irreparable reputational damage – not to mention financial losses, theft, and fraud.

The nature of financial services applications is to exchange sensitive financial and customer data, making APIs a high-stakes asset requiring protection.

Traditional Solutions Don’t Deliver Adequate API Protection

Most financial services companies have sophisticated runtime security stacks with multiple layers of security tools, such as bot mitigation, WAFs, and API gateways. These traditional tools provide foundational security capabilities and protection for traditional applications; however, they lack the context needed to identify and stop attacks that target the unique logic of each API.

Attacker activity looks like normal API traffic to traditional tools such as WAFs, API gateways and other proxy-based solutions. Their architecture limits them to inspecting transactions one at a time, in isolation, with nothing beyond rate limiting to relate one request to another. They also depend on signatures to detect well-known attack patterns. If the transaction does not match a known attack signature, the WAF will send it through. Since each API is unique, with unique vulnerabilities, signatures cannot help prevent API attacks.

API security requires big data to capture all API traffic and artificial intelligence (AI) and machine learning (ML) to continuously analyse the large volumes of API traffic. Without continuous analysis of API traffic, you cannot understand normal behaviour for each unique API and gain the context required to pinpoint attackers.
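To make the contrast between isolated inspection and cross-request context concrete, here is an added example (not Salt Security's product logic; the log format, the signature list and the thresholds are assumptions, and the log lines are constructed): a per-request signature check finds nothing in the sample traffic, while a per-API baseline of how many distinct account records each consumer touches singles out the one consumer behaving unlike every other.

```python
# Added illustration, not Salt Security's code. Log format, signature list and
# thresholds are assumptions; the log lines below are constructed.
import re
import statistics
from collections import defaultdict

# Constructed access log: timestamp, API consumer, method, path, HTTP status.
# Every request is well-formed, authenticated and answered 200.
LOG = """\
1000 app-7 GET /v1/accounts/10001/transactions 200
1001 app-7 GET /v1/accounts/10001/balance 200
1002 app-3 GET /v1/accounts/20404/balance 200
1003 app-3 GET /v1/accounts/20405/balance 200
1004 app-9 GET /v1/accounts/31700/transactions 200
1005 app-3 GET /v1/accounts/20406/balance 200
1006 app-3 GET /v1/accounts/20407/balance 200
1007 app-3 GET /v1/accounts/20408/balance 200
1008 app-9 GET /v1/accounts/31700/balance 200
1009 app-3 GET /v1/accounts/20409/balance 200
1010 app-7 GET /v1/accounts/10002/balance 200
1011 app-3 GET /v1/accounts/20410/balance 200
1012 app-3 GET /v1/accounts/20411/balance 200
"""

LINE = re.compile(r"(\d+) (\S+) (GET|POST) (\S+) (\d{3})")
ACCOUNT_PATH = re.compile(r"^/v1/accounts/(\d+)/(balance|transactions)$")

# Stand-in for a WAF signature list: generic attack strings, nothing API-specific.
SIGNATURES = ("../", "<script", " or 1=1", "${", "%00")


def parse(log: str) -> list:
    """Turn the constructed log text into one dict per request."""
    rows = []
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, client, method, path, status = m.groups()
            rows.append({"ts": int(ts), "client": client, "method": method,
                         "path": path, "status": int(status)})
    return rows


def signature_hits(rows: list) -> list:
    """Per-request screening: flags only requests carrying a known attack string.
    Each request is judged on its own, exactly as a signature-based proxy would."""
    return [r for r in rows if any(s in r["path"].lower() for s in SIGNATURES)]


def baseline_hits(rows: list, factor: float = 3.0, floor: int = 3) -> dict:
    """Cross-request context: distinct account ids each consumer read from this
    one API, compared with the median of the other consumers of the same API.
    Returns {client: distinct_accounts} for consumers above the baseline."""
    touched = defaultdict(set)
    for r in rows:
        m = ACCOUNT_PATH.match(r["path"])
        if m and r["status"] == 200:
            touched[r["client"]].add(m.group(1))
    counts = {c: len(a) for c, a in touched.items()}
    outliers = {}
    for client, n in counts.items():
        others = [v for c, v in counts.items() if c != client]
        typical = statistics.median(others) if others else 0
        # A consumer is flagged only when it exceeds both an absolute floor and
        # a multiple of what its peers do, so a small sample does not self-flag.
        if n > max(floor, factor * typical):
            outliers[client] = n
    return outliers
```

On the sample, `signature_hits(parse(LOG))` is empty while `baseline_hits` reports app-3 reading eight distinct accounts against a peer median of 1.5; the per-request view and the per-API view disagree exactly as the paragraph above describes.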

In addition, while open banking defines standards around how APIs should be structured to enable predictable integrations and communications, open banking provides no standard to meet the majority of API security requirements. Moreover, basic controls, such as authentication, authorisation, and encryption, fall short of meeting API security challenges.

API Security at the Forefront for Financial Services

APIs have become essential for financial services to meet changing consumer expectations and innovate to remain competitive. At the same time, APIs are now the most frequent attack vector. In the past 12 months, 95% of organisations experienced an API security incident, and API attack traffic grew 681% – more than twice as fast as overall API usage traffic.

Therefore, financial services organisations must put API security at the forefront to protect this growing attack surface. To do so requires dedicated API security tooling for the entire API lifecycle that provides continuous attack surface visibility, early attack prevention, and automated insights for continuous API improvement.
