New Research Shows Vulnerabilities in Banking, Cryptocurrency Exchange, and FinTech APIs Allow Unauthorized Transactions and PIN Code Changes of Customers
Noname Security, the API security company, and Alissa Knight, Partner at Knight Ink and recovering hacker, announced at Money 20/20 new research, “Scorched Earth: Hacking Bank APIs” which unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries. Details of this new research will be shared during Knight’s keynote address at Money 20/20 today at 3:25 PM PST.
Open banking has propelled the ubiquitous use of APIs across banking, enabling third-party developers to develop apps around the financial institution. Whether pursued as a compliance requirement or a business strategy, open banking has ignited financial services firms to focus on APIs and API security.
Given this growing trend, Knight focused her vulnerability research on financial services and FinTech companies and was able to access 55 banks through their APIs, giving her the ability to change customers’ PIN codes and move money in and out of customer accounts. Vulnerable targets ranged from companies with 25,000 to 68 million customers and $2.3 million to $7.7 trillion in assets under management. Among the key research findings:
- 54 of the 55 mobile apps that were reverse engineered contained hardcoded API keys and tokens including usernames and passwords to third-party services
- All 55 apps tested were vulnerable to woman-in-the-middle (WITM) attacks, allowing Knight to intercept and decrypt the encrypted traffic between the mobile apps and backend APIs
- 100% of the APIs tested were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities allowing Knight to change the PIN code of any bank customer’s Visa ATM debit card number or transfer money in/out of accounts
- 100% of the APIs tested were vulnerable to Broken Authentication vulnerabilities allowing Knight to perform API requests on other bank customer accounts without authenticating
- One of the banks tested outsourced the development of their code; the developer reused that same vulnerable code across hundreds of other banks allowing the same attacks to be employed against those other bank targets
Recommended AI News: Platform9 Announces SaaS GitOps Engine to Simplify Multicloud Operations and Governance With Latest Kubernetes Release
Knight said, “For the last decade, I’ve been focusing my vulnerability research into evaluating the security of the APIs that are now the bedrock of much of our nation’s critical infrastructure. My exploits have transcended APIs in emergency services, transportation, healthcare, financial services to FinTech. APIs have become the plumbing for our entire connected world today.”
Knight went on to say, “Unfortunately though, this is not without consequence as my research has proven. Many financial services and FinTech companies have opted to not develop their apps internally – instead they’ve outsourced their API and mobile app development to third-parties. It’s clear based on my findings where authentication and authorization are very much broken, that there is no ‘trust but verify’ happening with these third-party developers.”
“Exacerbating the issue is the fact that these third-parties are reusing the same vulnerable code with their other bank customers. In my research, I was able to exploit broken authentication and broken object level authorization issues that allowed me to perform unauthorized money transfers and PIN code changes for any customer account, indicating a clear and present danger in our financial system caused by these insecure APIs,” continued Knight.
Recommended AI News: MicroTech Partners with Visium Technologies
With traditional banks having to compete against the neobanks and fintechs to keep up with the new demands for how consumers want to bank today, traditional Main Street banks are rushing to deploy new technologies to enable frictionless digital experience to try and erase the lines between neobanks and traditional.
Globally, open banking programs have driven API-centric services offerings, opening payments, account services, and other data to third party providers. In addition, digital transformation initiatives are top priorities as financial services organizations look to improve the customer digital experience. The effort to attract new and keep existing customers by delivering additional value has resulted in more application services and the supporting APIs. This increased adoption of API use has resulted in a dramatic increase in the attack surface they represent.
“As Knight’s research has shown over the last couple of years, no industry is immune to an API attack; however, more and more are occurring especially within the Fintech space due to the sensitive nature of the data the APIs can provide and hackers have realized just how easy they are to exploit as Knight’s latest research reflects,” said Mark Campbell, Sr. Director at Noname Security. “APIs are at the heart of their digital strategies to improve their customers’ experience and protecting them has become a top priority. We are uniquely addressing this challenge by delivering a single platform that provides API posture management, API detection and response, and API testing to add security into an organization’s API development life cycle.”
Recommended AI News: INTERSWITCH Partners with INTERSTELLAR to Develop Blockchain-powered Infrastructure Services and Solutions
[To share your insights with us, please write to sghosh@martechseries.com]
Comments are closed.