API vulnerabilities exposed for financial services institutions

Security teams should evaluate external APIs

By Loraine Lawson
July 29, 2021
in Strategy
Attacks that exploit application programming interfaces (APIs) are on the rise, resulting not just in stolen data, but compromised systems and even attacks on accounts, experts say. APIs are commonly used to connect banking applications to fintech and data services.


A number of high-profile attacks recently have leveraged API vulnerabilities, Roey Eliyahu, CEO and co-founder of the API-security firm Salt Security, told Bank Automation News. Eliyahu pointed to the April Experian data breach, in which an API exploit in a partner’s website could have potentially exposed the credit scores of millions.

“Unfortunately, APIs are very vulnerable,” Eliyahu said. “There is not enough awareness in the space. Companies are not realizing how vulnerable they are.”

Salt Security on July 14 released the results of a vulnerability report in which it determined an unnamed U.S. financial institution had numerous API weaknesses that could be exploited. Not only did the API security firm find data could be stolen, but it also discovered accounts could have been deleted by an attacker.

A “shocking number of API endpoints” are left open without requiring authorization, said Sander Vinger, a threat researcher with the technology security firm F5. That is a basic requirement, as a bank or financial institution would never allow individuals to log into their website without some form of authentication, he pointed out.

“If you are a developer, who always thinks about the legitimate users doing the right thing, you’re going to assume, ‘Well, this is made for machine consumption. So nobody is ever going to authenticate to this system,’” Vinger told BAN. “And that’s kind of where the mistake happens, right? Because attackers are big to go under the hood; as a matter of course, that’s how they work.”

Accessing external APIs

Increasingly, organizations are concerned about the security of the APIs they consume. Sixty-six percent of 200 survey respondents — which included a range of IT workers, 60% of whom were in technology and financial services companies — said they have delayed the deployment of a new application because of API security concerns, according to a Salt Security study released earlier this year.

One way that financial institutions and fintechs can determine risk is by enlisting a third party that specializes in API security to perform regular assessments of possible vulnerabilities, advised David Biesack, vice president of API platforms and lead API architect for the cloud-based digital banking fintech Apiture. It’s a practice he said Apiture has embraced.

Kendall Reese, the chief information security officer and senior vice president at the $23.3 billion Simmons Bank, based in Pine Bluff, Ark., told BAN he often finds APIs from vendors and software-as-a-service providers are not created with security in mind.

To protect the bank, Reese’s team reviews security controls around APIs and assesses the level of risk an API might cause. The team considers the following:

  • How strong is the key used to allow access to the API?
  • Can the account used to access the API be limited to specific functions?
  • Can the availability of the API be limited to Simmons Bank systems?

The bank also looks at certificates, tokens and network whitelists to bolster security with APIs.

“Ultimately, Simmons Bank data is our responsibility wherever it is stored or utilized, and we try to limit the risk to our data,” Reese said.

Hardening APIs in development

Ideally, APIs should be “hardened” in the design process, Biesack said. This refers to making APIs more secure and closing vulnerabilities.

“Security must be a primary non-functional requirement, and the team’s API governance model should include risk assessment of all new API features,” Biesack told BAN. That means being familiar with the security measures that should be “deeply embedded in the software development life cycle, including security testing strategies,” Biesack added.

It’s also important to ensure authentication and authorization are in place, Vinger said. While there are no formal standards for APIs at the moment (REST APIs, which adhere to the REST software architectural style, are more a philosophy than a standard or protocol), Vinger advises developers to use:

  • OAuth 2.0, an industry-standard protocol for authorization;
  • OpenID Connect — an identity layer on top of the OAuth 2.0 protocol — for URL routers and authentication; and
  • JSON Web Tokens (JWT) for security tokens.
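The following is an added example, not code from the article or from any of the firms quoted in it. It ties together Reese’s checklist (a key-based credential, an account limited to specific functions, availability limited to bank systems) and Vinger’s recommendation to put authentication and authorization on every endpoint: a small gateway check that rejects unauthenticated calls, verifies a JWT bearer token, and then matches the token’s scope against the specific function being called. The shared secret, audience name, network range, routes and scopes are all hypothetical values constructed for the example, and the HS256 signing and verification are written against the standard library in place of a real OAuth 2.0 / OpenID Connect token service or JWT library.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Every value below is constructed for this example; none comes from the article.
SHARED_SECRET = b"example-hs256-secret-replace-me"      # hypothetical signing key
EXPECTED_AUDIENCE = "accounts-api"                      # tokens must be minted for this API
BANK_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical "bank systems only" allowlist
# Each function the API exposes is tied to the single scope allowed to call it.
REQUIRED_SCOPE = {
    "GET /accounts": "accounts:read",
    "DELETE /accounts": "accounts:delete",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT; stands in for the OAuth 2.0 / OpenID Connect token issuer."""
    header = {"alg": "HS256", "typ": "JWT"}

    def compact(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None):
    """Return the claims if algorithm, signature, expiry and audience all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never let the token's own 'alg' choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None  # malformed segment, bad base64 or bad JSON
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    return claims


def authorize(request: dict, secret: bytes = SHARED_SECRET, now=None):
    """Gateway check run before any handler; returns (HTTP status, reason)."""
    # 1. Availability limited to bank systems: refuse traffic from outside the allowlist.
    try:
        client = ipaddress.ip_address(request.get("client_ip", ""))
    except ValueError:
        return 403, "unparseable client address"
    if not any(client in net for net in BANK_NETWORKS):
        return 403, "client address not allowlisted"
    # 2. Authentication on every endpoint, machine-to-machine callers included.
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], secret, now)
    if claims is None:
        return 401, "invalid or expired token"
    # 3. Authorization: the caller's scope must cover this specific function.
    route = f"{request.get('method', '')} {request.get('path', '')}"
    needed = REQUIRED_SCOPE.get(route)
    if needed is None:
        return 404, "unknown route"
    if needed not in str(claims.get("scope", "")).split():
        return 403, f"scope '{needed}' required"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed request: a read-only token used first for a read, then for a delete.
    token = mint_token({"aud": EXPECTED_AUDIENCE, "scope": "accounts:read", "exp": time.time() + 600})
    hdr = {"Authorization": "Bearer " + token}
    print(authorize({"client_ip": "10.20.1.5", "method": "GET", "path": "/accounts", "headers": hdr}))
    print(authorize({"client_ip": "10.20.1.5", "method": "DELETE", "path": "/accounts", "headers": hdr}))
    print(authorize({"client_ip": "198.51.100.7", "method": "GET", "path": "/accounts", "headers": hdr}))
```

The order of the checks matters for what a defender sees in logs: an off-allowlist source is refused before its token is examined, a missing token is a 401 regardless of route, and a valid token that lacks the scope for the function it is calling is a 403 that can be alerted on separately from plain authentication failures. A read-only service account therefore cannot reach the delete function at all, which is the "limited to specific functions" property Reese’s team looks for.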

Another tactic is to host regular internal security hackathons, in which developers are challenged to think like hackers and try to exploit the APIs, Biesack said.
