Protecting Open Banking & PSD2 APIs from Bot Attacks
Open Banking APIs Are Modernizing Fin-Tech Services
The Open Banking standard is a pioneering, long-awaited upgrade to financial technologies that uses APIs (Application Programming Interfaces) to let third-party developers build applications and services on top of those provided by financial institutions. In October 2015, the European Parliament adopted PSD2 (the revised Payment Services Directive), which aims to promote the development and use of innovative mobile and online payments through open banking.
A number of countries are now adopting and launching open banking initiatives based on the European and UK model. Many of these include provisions that enable financial applications to transact and manage finances, as well as for consumer credit firms to access account information for affordability verification and credit checks with customers’ consent.
By adopting Open Banking, banks and FinTech firms gain a common framework of APIs through which to offer customers better and faster services along with innovative products. These include apps that carry out e-KYC and government document verification, offer tailored insurance products, retrieve credit scores, and much more. And just as websites and mobile applications are vulnerable to malicious bot attacks, so are these APIs.
Bad Bots Put Open Banking APIs at Risk
APIs are at the core of Open Banking, enabling the exchange of data between financial organizations. These APIs are at risk of exposing customers’ PII (Personally Identifiable Information) as well as the business logic of the applications they facilitate. In just the first 6 months of 2020, bad bot attacks on APIs grew from 16.6% to 21.7%, and they are likely to proliferate as attackers find more vulnerabilities that they can exploit.
Our recent analysis of a major bank’s website found that bad bots made up nearly 54% of all its traffic, while only 39% was human. The bank’s log-in page alone registered 4.3 million bot hits over a two-week period, three times the number of genuine visitors, a clear indication that the bank was being heavily targeted by bad bots. While bot attacks on websites and applications are by now a well-known threat, it is not as widely known that crucial APIs, including those used for Open Banking, are increasingly being targeted by cybercriminals using bots. Modern websites and applications are almost entirely powered by internal and external APIs that drive back-end systems, mobile applications, and other essential services for enterprises and their customers.
How Bad Bot Attacks Affect APIs
Loss of PII and business data — Breached APIs can expose PII to attackers, putting at risk sensitive personal data including account and transaction details, purchase histories, and much more. For financial institutions, data breaches are among the most harmful in their impact, leading to customer churn, litigation, and potentially large compensation pay-outs.
Application Denial of service attacks — As we have seen with banking websites and applications, there are growing numbers of Application DDoS (Distributed Denial of Service) attacks on APIs that attempt to overwhelm banking and fin-tech infrastructures. Carried out using sophisticated human-like bots distributed over thousands of IP addresses and device IDs, such attacks can be very difficult for conventional security systems to detect and mitigate. These attacks cause slowdowns and unavailability of critical applications and services, making for a frustrating experience for customers and organizations.
Payment and transaction fraud — Cybercriminals are always on the lookout for vulnerabilities that allow them to execute malicious attacks. While one of the goals of Open Banking is to make transactions easier and more transparent, nefarious botmasters continually probe systems for weak points and are known to sell exploit kits on the Dark Web that leverage sophisticated bots to carry out fraudulent transactions.
With Radware Bot Manager’s experience in protecting websites, applications, and APIs from bad bots, we are continually introducing product and feature upgrades along with enhanced detection capabilities to provide our customers with comprehensive bot protection. Let’s look at the key improvements to our bot management solution for APIs that benefit enterprises in banking, fin-tech, and other industries impacted by malicious attacks.
M2M Protection — API Client SDK
Conventional bot detection systems rely on the capabilities in the user’s web browser, from writing and reading cookies, to fingerprinting the user and device using the browser’s JavaScript capabilities and analyzing various parameters and headers that every browser generates. For API end-point protection, however, a different approach is required, as data flow between APIs is primarily programmatic Machine to Machine communication (M2M) without conventional browser data being available to analyze. M2M communications protocols are application-layer protocols that facilitate the transmission of messages between devices. This calls for a different set of capabilities to detect and protect API endpoints from abuse.
Radware’s Client SDK for M2M API protection is a lightweight SDK that is integrated into the client libraries used to access API services. This requires a one-time integration of Radware’s API with those client libraries to protect machine-to-machine communications. After integration, Radware’s API collects several parameters from the device and implements logic similar to that used by browsers to maintain cookies. During every financial transaction, all this data is pushed to Radware’s Cloud for analysis, so that authentication happens every single time access is requested. Our bot detection engine analyzes these parameters to fingerprint the client and track usage and access patterns, protecting enterprises and customers from malicious activity. Any API calls for which malicious intent is detected are immediately identified as bot traffic. This provides the API server with another layer of security when authorizing API requests, and this second layer of authentication significantly augments protection for calls over the Open Banking APIs used by banks.
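As an added illustration (not Radware’s SDK or its protocol, which the post does not detail), the following Python sketch shows the general shape of a second authentication layer for machine-to-machine calls: a client library attaches the device parameters it collected plus a timestamp, a nonce and an HMAC computed with a per-device secret issued at enrolment, and the API server verifies freshness, rejects replayed nonces and checks the signature before its normal authorization logic runs. The device store, header names, parameter set and request body are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed enrolment store: device id -> shared secret issued once when the
# client library is integrated. A real deployment keeps this in a key store,
# not in source; the values here are placeholders for the example.
DEVICE_KEYS = {
    "device-0001": b"constructed-secret-for-device-0001",
}


def canonical_message(method, path, body, device_id, params, ts, nonce):
    """Deterministic byte string covered by the signature: method, path, a hash
    of the body, the device id, the collected device parameters (sorted keys so
    client and server serialize identically), the timestamp and the nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method, path, body_hash, device_id,
              json.dumps(params, sort_keys=True), str(ts), nonce]
    return "\n".join(fields).encode()


def client_sign_request(method, path, body, device_id, params, now=None, nonce=None):
    """Client-library side: build the extra headers that accompany an API call.
    `params` stands in for whatever device attributes the library collects
    (OS, app version, SDK version, ...); here it is simply a dict."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce
    key = DEVICE_KEYS[device_id]
    msg = canonical_message(method, path, body, device_id, params, now, nonce)
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {
        "X-Device-Id": device_id,
        "X-Device-Params": json.dumps(params, sort_keys=True),
        "X-Timestamp": str(now),
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


class ServerVerifier:
    """API-server side: check device enrolment, freshness, replay and signature
    before the request reaches the normal authorization logic.
    verify() returns (ok, reason)."""

    def __init__(self, max_skew_seconds=300):
        self.max_skew = max_skew_seconds
        self.seen_nonces = set()  # in production: a shared cache with expiry

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        device_id = headers.get("X-Device-Id", "")
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False, "unknown device"
        try:
            ts = int(headers["X-Timestamp"])
            params = json.loads(headers["X-Device-Params"])
        except (KeyError, ValueError):
            return False, "malformed headers"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed or missing nonce"
        msg = canonical_message(method, path, body, device_id, params, ts, nonce)
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the expected value.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    body = b'{"to": "acct-constructed-42", "amount": "10.00"}'
    params = {"os": "android-11", "app_version": "3.4.1"}
    headers = client_sign_request("POST", "/v1/transfers", body, "device-0001", params)
    verifier = ServerVerifier()
    print(verifier.verify("POST", "/v1/transfers", body, headers))  # (True, 'ok')
    print(verifier.verify("POST", "/v1/transfers", body, headers))  # same nonce again: rejected
```

The verdict is only a signal for the server's authorization step, not a replacement for the bearer credential: a stolen credential used from an unenrolled device, a replayed capture, or a tampered body each fail a different check, which is what gives the server something beyond the credential itself to reason about.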
ATO Protection for APIs
Radware Bot Manager now has a new feature that allows us to intercept the responses from authentication APIs. In conventional bot protection systems, only the requests to API services are analyzed, which often requires other forms of confirmation to know whether the authentication was successful. For websites, the page that is loaded next confirms a successful log-in, but this is difficult to confirm when logging in via mobile or device APIs. With our new integration option, we can now intercept the response from the API service and collect the relevant data for our cloud-based detection systems to analyze. This new capability lets us accurately track every log-in and authentication process to ensure extremely high levels of protection for these API endpoints.
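To make the point concrete, here is an added Python example (not the post’s or Radware’s code) of what capturing the authentication response, rather than only the request, makes possible: with the HTTP status of each log-in attempt visible per device fingerprint, a detector can separate a user mistyping a password from a bot cycling leaked credential pairs across many accounts, and can single out the accounts that bot did get into. The log format, device ids, IPs, usernames and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of authentication API responses as a defender sees them
# once the response status is captured. Space-separated fields:
# timestamp, device fingerprint id, source IP, username attempted, HTTP status.
SAMPLE_AUTH_RESPONSES = """\
2020-08-07T10:00:01Z dev-a1 198.51.100.7 alice 200
2020-08-07T10:00:09Z dev-a1 198.51.100.7 alice 401
2020-08-07T10:00:14Z dev-a1 198.51.100.7 alice 200
2020-08-07T10:00:05Z dev-b2 203.0.113.9 bob 401
2020-08-07T10:00:06Z dev-b2 203.0.113.9 carol 401
2020-08-07T10:00:07Z dev-b2 203.0.113.9 dave 401
2020-08-07T10:00:08Z dev-b2 203.0.113.9 erin 401
2020-08-07T10:00:09Z dev-b2 203.0.113.9 frank 401
2020-08-07T10:00:10Z dev-b2 203.0.113.9 grace 200
2020-08-07T10:00:11Z dev-b2 203.0.113.9 heidi 401
2020-08-07T10:00:20Z dev-c3 192.0.2.44 ivan 401
2020-08-07T10:00:25Z dev-c3 192.0.2.44 ivan 200
"""


def parse_auth_log(text):
    """Turn the constructed log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, ip, user, status = line.split()
        events.append({"ts": ts, "device": device, "ip": ip,
                       "user": user, "status": int(status)})
    return events


def detect_credential_stuffing(events, min_failures=5, min_distinct_users=5):
    """Group outcomes by device fingerprint and flag the credential-stuffing
    shape: many 401s spread over many distinct usernames from one device.
    Without the response status every device here just looks like 'several
    log-in requests'; with it, dev-a1 (one user, one typo) and dev-c3 (one
    user, one retry) are clearly not the same thing as dev-b2.
    Returns {device: {failures, distinct_users, successful_logins}}."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)

    findings = {}
    for device, evs in by_device.items():
        failed = [e for e in evs if e["status"] == 401]
        failed_users = {e["user"] for e in failed}
        if len(failed) >= min_failures and len(failed_users) >= min_distinct_users:
            # Accounts the same device then logged into successfully are the
            # probable takeovers to lock and notify.
            hits = sorted({e["user"] for e in evs if e["status"] == 200})
            findings[device] = {
                "failures": len(failed),
                "distinct_users": len(failed_users),
                "successful_logins": hits,
            }
    return findings


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_RESPONSES)
    for device, f in detect_credential_stuffing(events).items():
        print(device, f)
```

The thresholds are deliberately simple; in practice they would be tuned per endpoint and combined with the other signals the post describes, and the device id here is whatever fingerprint the client-side SDK supplies, since the source IP alone is weak once attempts are spread across many addresses.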
API Flow Control
Radware Bot Manager can now prevent abuse of APIs by providing a fair API access model that is automatically built by studying patterns of access to a given application over time. The API flow is modeled to analyze expected probabilities of transitions across different nodes, and access patterns are then analyzed against this model to check if the sequence is suspicious and needs to be blocked. This provides unprecedented detection capabilities against malicious API access patterns.
Invocation Context-Based Protection
Radware Bot Manager has an enhanced capability to identify malicious access that targets embedded financial services APIs by looking at the overall ‘invocation context’, that is, by analyzing how users engage with the application and identifying anomalous access and usage patterns. When bots try to bypass the regular Web-based log-in flow to navigate, for example, to a funds transfer page, they often call the APIs involved directly to get information as quickly as possible, allowing cybercriminals to execute ATO and other activities with minimal expenditure of time and effort.
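The API Flow Control and invocation-context descriptions above both come down to learning how legitimate sessions move between endpoints and scoring new sessions against that. The following added Python example (not Radware’s model; the endpoint names and training sessions are constructed) builds a first-order transition model from normal sessions and flags a session that jumps from log-in straight to the funds-transfer endpoints, the pattern described above, because that transition was never observed in legitimate traffic.

```python
import math
from collections import defaultdict

START, END = "<start>", "<end>"

# Constructed training data: endpoint sequences from legitimate mobile-app
# sessions. Endpoint names are assumptions for the example, not a real bank API.
NORMAL_SESSIONS = [
    ["/login", "/accounts", "/balance", "/logout"],
    ["/login", "/accounts", "/transactions", "/logout"],
    ["/login", "/accounts", "/balance", "/transfer/init", "/transfer/confirm", "/logout"],
    ["/login", "/accounts", "/transactions", "/transfer/init", "/transfer/confirm", "/logout"],
    ["/login", "/accounts", "/balance", "/transactions", "/logout"],
]


def build_transition_model(sessions):
    """Count endpoint-to-endpoint transitions (with virtual start/end nodes) and
    normalise them into per-node probability tables: model[a][b] = P(b | a)."""
    counts = defaultdict(lambda: defaultdict(int))
    for session in sessions:
        path = [START] + list(session) + [END]
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    model = {}
    for a, successors in counts.items():
        total = sum(successors.values())
        model[a] = {b: n / total for b, n in successors.items()}
    return model


def transition_probability(model, a, b):
    """P(b | a) under the model; transitions never seen in training are 0."""
    return model.get(a, {}).get(b, 0.0)


def evaluate_session(model, session, min_transition_prob=0.05, unseen_floor=1e-9):
    """Score a session against the model. Any transition rarer than
    min_transition_prob (including ones never seen at all) is reported, and the
    verdict is to block when at least one such transition is present. The
    log-probability uses a small floor for unseen transitions so it stays finite."""
    path = [START] + list(session) + [END]
    suspicious = []
    log_prob = 0.0
    for a, b in zip(path, path[1:]):
        p = transition_probability(model, a, b)
        if p < min_transition_prob:
            suspicious.append((a, b, p))
        log_prob += math.log(p if p > 0 else unseen_floor)
    return {"log_prob": log_prob,
            "suspicious_transitions": suspicious,
            "block": bool(suspicious)}


if __name__ == "__main__":
    model = build_transition_model(NORMAL_SESSIONS)
    human = ["/login", "/accounts", "/balance", "/transfer/init", "/transfer/confirm", "/logout"]
    bot = ["/login", "/transfer/init", "/transfer/confirm", "/logout"]  # skips the app's normal path
    for name, s in (("human", human), ("bot", bot)):
        verdict = evaluate_session(model, s)
        print(name, "block" if verdict["block"] else "allow", verdict["suspicious_transitions"])
```

A first-order model like this only looks one step back, so it is a simplification of what a production system would learn; the threshold is the usual trade-off, since a rarely used but legitimate feature will sit near the cutoff, and the model has to be rebuilt as the application's own flows change.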
Radware Bot Manager has enhanced capabilities that contextually analyze API traffic against normal usage patterns. We thus protect financial websites, mobile applications, and APIs from attacks by analyzing contextual patterns and blocking anomalous usage. Write to us at botmanager_info@radware.com if you’d like to learn more about protecting vital banking and fin-tech APIs.
Originally published at https://www.shieldsquare.com on August 07, 2020.