New Research Shows Vulnerabilities in Banking, Cryptocurrency Exchange, and FinTech APIs Allow Unauthorized Transactions and PIN Code Changes of Customers

Noname Security sponsored research by vulnerability researcher Alissa Knight highlights need for financial services industry to prioritize API security

LAS VEGAS--()--Noname Security, the API security company, and Alissa Knight, Partner at Knight Ink and recovering hacker, today announced at Money 20/20 new research, “Scorched Earth: Hacking Bank APIs” which unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries. Details of this new research will be shared during Knight’s keynote address at Money 20/20 today at 3:25 PM PST.

Open banking has propelled the ubiquitous use of APIs across banking, enabling third-party developers to develop apps around the financial institution. Whether pursued as a compliance requirement or a business strategy, open banking has ignited financial services firms to focus on APIs and API security.

Given this growing trend, Knight focused her vulnerability research on financial services and FinTech companies and was able to access 55 banks through their APIs, giving her the ability to change customers' PIN codes and move money in and out of customer accounts. Vulnerable targets ranged from companies with 25,000 to 68 million customers and $2.3 million to $7.7 trillion in assets under management. Among the key research findings:

  • 54 of the 55 mobile apps that were reverse engineered contained hardcoded API keys and tokens including usernames and passwords to third-party services
  • All 55 apps tested were vulnerable to woman-in-the-middle (WITM) attacks, allowing Knight to intercept and decrypt the encrypted traffic between the mobile apps and backend APIs
  • 100% of the APIs tested were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities allowing Knight to change the PIN code of any bank customer’s Visa ATM debit card number or transfer money in/out of accounts
  • 100% of the APIs tested were vulnerable to Broken Authentication vulnerabilities allowing Knight to perform API requests on other bank customer accounts without authenticating
  • One of the banks tested outsourced the development of their code; the developer reused that same vulnerable code across hundreds of other banks allowing the same attacks to be employed against those other bank targets

Knight said, “For the last decade, I’ve been focusing my vulnerability research into evaluating the security of the APIs that are now the bedrock of much of our nation’s critical infrastructure. My exploits have transcended APIs in emergency services, transportation, healthcare, financial services to FinTech. APIs have become the plumbing for our entire connected world today.”

Knight went on to say, “Unfortunately though, this is not without consequence as my research has proven. Many financial services and FinTech companies have opted to not develop their apps internally - instead they’ve outsourced their API and mobile app development to third-parties. It’s clear based on my findings where authentication and authorization are very much broken, that there is no ‘trust but verify’ happening with these third-party developers.”

“Exacerbating the issue is the fact that these third-parties are reusing the same vulnerable code with their other bank customers. In my research, I was able to exploit broken authentication and broken object level authorization issues that allowed me to perform unauthorized money transfers and PIN code changes for any customer account, indicating a clear and present danger in our financial system caused by these insecure APIs,” continued Knight.

With traditional banks having to compete against the neobanks and fintechs to keep up with the new demands for how consumers want to bank today, traditional Main Street banks are rushing to deploy new technologies to enable frictionless digital experience to try and erase the lines between neobanks and traditional.

Globally, open banking programs have driven API-centric services offerings, opening payments, account services, and other data to third party providers. In addition, digital transformation initiatives are top priorities as financial services organizations look to improve the customer digital experience. The effort to attract new and keep existing customers by delivering additional value has resulted in more application services and the supporting APIs. This increased adoption of API use has resulted in a dramatic increase in the attack surface they represent.

“As Knight’s research has shown over the last couple of years, no industry is immune to an API attack; however, more and more are occurring especially within the Fintech space due to the sensitive nature of the data the APIs can provide and hackers have realized just how easy they are to exploit as Knight’s latest research reflects,” said Mark Campbell, Sr. Director at Noname Security. “APIs are at the heart of their digital strategies to improve their customers' experience and protecting them has become a top priority. We are uniquely addressing this challenge by delivering a single platform that provides API posture management, API detection and response, and API testing to add security into an organization's API development life cycle.”

Noname Security protects APIs in real-time and detects vulnerabilities and misconfigurations before they are exploited. The Noname API Security Platform integrates with existing security infrastructure, like WAFs, gateways, and SIEMs, to apply and enforce new policies and communicate to API and security stakeholders in real-time. Financial organizations can leverage the Noname API Security Platform to detect and mitigate the risks associated with the vulnerabilities Knight uncovered to:

  • Significantly reduce or eliminate attack surfaces by detecting and remediating misconfigured APIs (e.g. broken authentication).
  • Identify anomalous behavior, broken authentication, and terminate suspicious API sessions.
  • Enable security teams to detect range violations and irregularities in the API calls and responses such as transfer amounts over a certain limit.

Learn more about this new research and the Noname API Security platform by:

  • Attending Knight’s Keynote:
    • Attend Knight’s keynote “Scorched Earth: Hacking Bank APIs”
      • When: Tuesday, October 26 at 3:25 pm
      • Where: Ignite Stage, Expo Hall, Hall D, Level 2
  • Visiting the Noname Security Booth 1821:
    • Get a demo of the Noname API Security platform
    • Spin the wheel at our booth to get a chance to win a copy of Knight’s book
    • Attend the book signing with Knight Wednesday, October 27 10-1

About Noname Security

Noname Security is the creator of the most powerful, complete, and easy-to-use API security platform, used by Fortune 500 companies to discover, analyze, remediate, and test their legacy and modern APIs. Noname Security is privately held, with headquarters in Palo Alto, California, and an office in Tel Aviv.

Contacts

Media

Susan M. Torrey
susant@nonamesecurity.com
650-492-1921

P.J. Lee
Inkhouse for Noname Security
noname@inkhouse.com

Contacts

Media

Susan M. Torrey
susant@nonamesecurity.com
650-492-1921

P.J. Lee
Inkhouse for Noname Security
noname@inkhouse.com