Published on 15/11/2021 | Written by Heather Wright
When we said open banking, we didn’t quite mean this…
Open banking has taken on new meaning with ethical hacker Alissa Knight recording 100 percent success in hacking 55 banking apps, changing PIN codes and moving money in and out of accounts as she went.
Scorched Earth: Hacking Bank APIs details how APIs – which Knight dubs ‘the plumbing for our entire connected world today’ – provided fertile ground for hacking.
How secure are your APIs? With APIs rapidly becoming an attack vector of choice, now’s a good time to check.
Open banking is driving ubiquitous use of APIs across banking, opening up payments, account services and other data to third party providers.
The research, sponsored by API security company Noname, which just landed itself US$60 million in Series B funding, found the same API vulnerabilities in banks with 25,000 customers and a few million in managed assets as in banks with 68 million customers and US$7.7 trillion in assets under management.
Key findings included that 54 of the 55 mobile apps that were reverse engineered contained hardcoded API keys and tokens including user names and passwords to third-party services, and all 55 apps tested were vulnerable to wo/man in the middle attacks, allowing Knight to intercept and decrypt the encrypted traffic between the mobile apps and backend APIs.
Meanwhile 100 percent of the APIs tested were vulnerable to Broken Object Level Authorisation (BOLA) vulnerabilities, allowing Knight to change the PIN code of any bank customer’s Visa ATM debit card or transfer money in/out of accounts.
Equally, 100 percent of the APIs were vulnerable to broken authentication vulnerabilities – one of the Open Web Application Security Project’s (OWASP) top 10 vulnerabilities – enabling Knight to perform API requests on other bank customer accounts without authenticating.
“In my research, I was able to exploit broken authentication and broken object level authorisation issues that allowed me to perform unauthorised money transfers and PIN code changes for any customer account, indicating a clear and present danger in our financial system caused by these insecure APIs,” Knight says.
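The two flaw classes Knight describes, as an added illustration that is not code from the report or from any bank’s API: a PIN-change handler that trusts the card id in the request, beside one that ties that id to the authenticated session. Card ids, owners and PINs are constructed sample data.

```python
# Added example: the same PIN-change endpoint written without and with the
# object-level authorisation check whose absence the report calls BOLA.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical ids): which customer owns which card.
CARD_OWNERS = {"card-1001": "alice", "card-2002": "bob"}
PINS = {"card-1001": "1234", "card-2002": "9876"}


@dataclass
class Request:
    session_user: Optional[str]  # None when no valid session token was sent
    card_id: str                 # object id taken straight from the URL path
    new_pin: str


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def change_pin_vulnerable(req: Request) -> str:
    """Trusts the card id in the request: any caller, even one with no
    session at all, can set any customer's PIN (broken auth plus BOLA)."""
    PINS[req.card_id] = req.new_pin
    return PINS[req.card_id]


def change_pin_hardened(req: Request) -> str:
    # Broken authentication fix: refuse unauthenticated callers outright.
    if req.session_user is None:
        raise Unauthorized("no valid session")
    # BOLA fix: the id in the URL must belong to the authenticated user.
    # An unknown card gets the same answer as someone else's card, so the
    # endpoint does not reveal which ids exist.
    if CARD_OWNERS.get(req.card_id) != req.session_user:
        raise Forbidden("card not owned by caller")
    if not (req.new_pin.isdigit() and len(req.new_pin) == 4):
        raise ValueError("PIN must be four digits")
    PINS[req.card_id] = req.new_pin
    return PINS[req.card_id]
```

The ownership lookup is the check a server must repeat on every object-bearing request; a client-side check or a hard-to-guess id is not a substitute.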
Part of the issue, she suggests, lies with many financial services and fintech companies outsourcing their API and mobile app development to third parties – some of whom are reusing the same vulnerable code with multiple bank customers.
Many financial services and fintech companies have opted to not develop their apps internally.
In one case a bank outsourced development of their code to a developer who reused the same vulnerable code across hundreds of other banks.
The report adds to warnings about the growing attack surface posed by web APIs, not just for banking, but for all enterprises as API. Gartner has predicted that by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.
It was the growing list of web API attacks which saw OWASP release its list of Top 10 API security issues back in 2019.
A recent Akamai report noted ‘frustrating’ patterns of API vulnerabilities, saying API security is often relegated to an afterthought in the rush to bring them to market, with many organisations relying on traditional network security solutions which are not designed to protect the wide attack surface that APIs can introduce.
“From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application,” Steve Ragan, Akamai security researcher and author of the State of the Internet/Security report says.
“API attacks are both under-detected and underreported when detected.
“While DDoS attacks and ransomware are both major issues, attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well-executed ransomware attack, but that doesn’t mean they should be ignored.”
Exercise equipment maker Peloton, LinkedIn and John Deere are among the companies whose APIs have been found lacking in recent times.
Notes Noname marketing VP Chris Heggem in a recent blog post: “Words and phrases like digital transformation, cloud migration, apps and microservices all mean the same thing – lots and lots of APIs.”
He says API security needs to be operationalised across the enterprise: developers need to write code with security in mind, cloud and platform teams need to use APIs that are configured properly and security teams need to detect, investigate and respond to incidents.
“Often, especially in larger organisations, APIs are deployed to production faster than they can be secured and there often isn’t a clear line of communication across enterprise teams,” Heggem says.
Posture management, runtime security and active testing are also advocated by Heggem, who says detecting and blocking the behaviour is only one piece of the puzzle.
A complete API inventory enables organisations to identify and remediate misconfigurations and vulnerabilities.
“Organisations need better visibility into the traffic and behaviour of their APIs [with runtime security]. This provides better detection and response to anomalous and suspicious behaviour so attacks can be prevented in real-time when something out of the ordinary occurs.”