What Needs To Be Done To Make APIs More Secure
The presence of APIs to provide access and aid interconnectivity between websites is becoming increasingly commonplace. Furthermore, the use of APIs will continue to grow as more and more devices come to market and the popularity of the Internet of Things (IoT) continues to grow.
However, as the use of APIs grows, so will the attempts of hackers and groups with ill intentions to exploit any security vulnerabilities for personal and financial gain.
Therefore, in this article, David Midgley, Head of Operations at payment gateway and merchant services provider Total Processing, presents the reasons why it is so important to ensure API security levels are the very best and how to do this.
Given you’re reading this on Information Security Buzz, I’m sure everyone already knows what an API is and how it works. For those who have stumbled upon this article though, an API lets one website use elements of another. For example, it is an API that allows you to share an article on a national newspaper’s website to your Twitter account.
APIs also have their uses in the business sector. For example, in the case of Total Processing, we allow our clients to connect their website to our payment gateway and then also allow them to access data when payments are made via the gateway. I’m sure this is also the case for other payment gateway providers.
Therefore, given that personal and financial details are being provided via these gateways, it is vital this access is secured properly and cannot be hacked into by malicious parties. For example, in January 2015, the self-titled ‘internet security enthusiast’ Paul Price flagged up that the API of Moonpig, the folks with the catchy jingle who let you create a unique greeting card, used a hard-coded username and password to connect to its server, and that these credentials were easily retrievable. This meant that, according to Price’s analysis, it would have been very easy to build up a database of the addresses and card details of the three million users of Moonpig’s service in a matter of hours.
It is evident then that exploitable vulnerabilities exist in APIs. This means patches and other updates still need to be developed in order to firm up the integrity of the firewalls put in place to prevent undesirables from being able to access what is very sensitive financial and personal information that can be used to access a person’s bank account or steal their identity.
It’s not difficult to shore up the security of an API either, and no one should feel unconfident or overwhelmed at the prospect of doing this. As a start, a company should keep all security software used both internally and externally up to date, and make sure its privacy and spam settings are strict, to help prevent hackers from gaining access via the company’s own systems. Furthermore, limiting the request rate for consumer applications should also help to prevent, or at least limit, a malicious party’s ability to bring a site down by overloading it via the API. Having API developers apply Representational State Transfer (REST) principles when designing the interface would also help with security. REST uses a set of at least five different commands (HTTP methods) to access data. Therefore, if an API is implemented in a RESTful way, it simplifies the security work for the person implementing it while making it difficult for an outside party without access to break down a company’s firewalls.
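The request-rate limit mentioned above is the one measure in this list that is purely a matter of code, so here is a worked example of it. This is an added illustration, not code from the article or from Total Processing: a token-bucket limiter keyed on the caller's API key, fronted by a hypothetical gateway handler that answers 429 with a Retry-After header when the bucket is empty. The capacity, rate, API key and the injected clock are all constructed values for the example.

```python
"""Per-API-key token-bucket rate limiting for a gateway endpoint.

Added example, not part of the original article. Each API key has its own
bucket holding up to `capacity` tokens and refilling at `rate` tokens per
second. A request consumes one token; when none is available the caller
gets HTTP 429 and a Retry-After hint instead of reaching the backend, which
bounds how hard any single client can load the API. The clock is injectable
so the behaviour can be checked deterministically offline.
"""
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


@dataclass
class TokenBucketLimiter:
    capacity: int                                # burst size allowed per key
    rate: float                                  # sustained requests/second per key
    clock: Callable[[], float] = time.monotonic  # replaceable for tests
    _buckets: Dict[str, _Bucket] = field(default_factory=dict)

    def allow(self, api_key: str) -> Tuple[bool, float]:
        """Decide one request for api_key.

        Returns (allowed, seconds_until_next_token). The wait is 0.0 when
        the request is allowed.
        """
        now = self.clock()
        bucket = self._buckets.get(api_key)
        if bucket is None:
            # First sight of this key: start with a full bucket.
            bucket = self._buckets[api_key] = _Bucket(float(self.capacity), now)
        # Refill in proportion to elapsed time, capped at capacity so that a
        # long idle period does not bank an unbounded burst.
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - bucket.tokens) / self.rate


def handle_request(limiter: TokenBucketLimiter, api_key: str) -> Tuple[int, Dict[str, str]]:
    """Hypothetical gateway front door: (status, headers).

    The real payment operation is stood in for by a plain 200 so the example
    stays self-contained.
    """
    allowed, wait = limiter.allow(api_key)
    if not allowed:
        # Tell the client when to come back rather than silently dropping it.
        return 429, {"Retry-After": str(max(1, math.ceil(wait)))}
    return 200, {}


def simulate_burst(n_requests: int, capacity: int = 5, rate: float = 1.0) -> Tuple[int, int]:
    """Fire n_requests from one key at the same instant; return (#200, #429)."""
    now = [0.0]                                   # constructed frozen clock
    limiter = TokenBucketLimiter(capacity=capacity, rate=rate, clock=lambda: now[0])
    served = rejected = 0
    for _ in range(n_requests):
        status, _headers = handle_request(limiter, "key-constructed-0001")
        if status == 200:
            served += 1
        else:
            rejected += 1
    return served, rejected


if __name__ == "__main__":
    print("burst of 8 against capacity 5:", simulate_burst(8))   # (5, 3)
```

Two design points worth noting: the bucket is keyed on the authenticated API key rather than the source IP, so a legitimate client behind a shared address is not penalised for a neighbour's traffic, and the 429 response carries a Retry-After header so well-behaved clients back off instead of retrying immediately and adding to the load.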
All of this is particularly pertinent given the UK Government has said it wants banks to open up access to customer data using APIs in order to help drive innovation and boost the level of competition in the sector. The government has even said it will legislate to make this a reality if it has to. This would arguably be a good thing too, as increased competition in banking should mean that these institutions would have to work harder to innovate against smaller competitors, thereby hopefully driving up product and service levels for consumers. Furthermore, a more open publication of data should help alternative providers too, as they will now have access to a new source of information that will help them to make more efficient and effective lending decisions.
Therefore, the implementation of open-access APIs in the banking sector is going to happen. However, this doesn’t have to be a source of worry. Banking APIs being open should force banks to make securing their API tools as much as possible a priority. I say this because banks opening up access to customer data should also lead to stricter regulations that would require these institutions to make sure adequate security measures are in place.
Furthermore, the government has tasked an Open Banking Working Group (OBWG) to develop a framework that would underpin the open banking standard that would be needed to facilitate the government’s plans. As part of this, the OBWG has published a report. This has said that an independent authority would be responsible for establishing “how data is secured once shared, as well as the security, reliability and scalability of the APIs provided”. In addition, the independent authority would also be able to “vet third parties, accredit solutions and publish its outcome through a white list of approved third parties”. It is also important to remember that the bank account holder would have to give informed consent in order for their account data to be accessed. Therefore, if you are still worried, it is possible to opt out.
Hence, it is safe to say that the use of APIs will continue to grow, particularly given that the UK government wants our financial institutions to use them. The UK Government even uses open access APIs themselves to give access to their own departments’ data sets via data.gov.uk.
The increased use of APIs is a good thing too. Websites and online software being able to use the data and functionality of other websites and online software helps to create a more fluid browsing experience for users. Furthermore, the implementation of open-access APIs should make the security of the platform even better. These improved security measures should spread to other industries too. Finally, open-access APIs will also help to make the level of competition among banks even higher for you. It is not unreasonable to think that the government would then look for other industries to do the same. Therefore, the proliferation of open-access APIs should mean that your choices as a consumer will improve in other areas too.