WHAT NEEDS TO BE DONE TO MAKE THE PLATFORM MORE SECURE
By David Midgley, Head of Operations, Total Processing
I’m sure if you’re reading this, you already have a reasonable idea of what an API is and how it works. For anyone who may have stumbled upon this article though, an API lets one website use elements of another. In its’ simplest terms, an API is what allows third-party apps to run on Facebook.
For example, it is an API that allows you to share an article on a national newspaper’s website via your social media accounts and then show on the national newspaper’s website how many people have shared that article.
APIs also have their use in the payments sector too. For example, in the case of Total
Processing and other payment gateway providers, we give our clients access to data so they can connect their website to the payment gateway we provide them and then also allow them to access data when payments are made via the gateway, and I’m sure this is also the case for other payment gateway providers.
Therefore, given that an individual’s personal and financial details are being provided on the website and via these gateways, it is important this access is properly secured and cannot be easily worked out or hacked into by malicious parties.
For example, in January 2015, the self-titled ‘internet security enthusiast’ Paul Price flagged up that the API of British greeting card manufacturer Moonpig used a hard-coded username and password to connect to their server that was easily retrievable.
This meant that, according to Price’s analysis, it would have been very easy to build up a
database of the addresses and card details of over three million people who used Moonpig’s
service in a matter of hours.
Thus, it is evident that vulnerabilities that can be exploited exist in APIs. This means patches and other updates still need to be developed in order to firm up the integrity of the firewalls put in place to prevent undesirables from being able to access what is very sensitive financial and personal information that can be used to access a person’s bank account or steal their identity.
It’s not difficult to sure up the security of an API either, and no one should feel unconfident or overwhelmed at the prospect of doing this.
As a start, a company should keep all security software used internally and externally up-to-date and make sure their privacy and spam settings are rigid to help prevent a hacker from gaining access via a company’s own systems.
Furthermore, organizations should implement two-stage authentication like 2FA (2-Factor
Authentication; Password and SMS) at the very least.
In addition, limiting the data request rate for consumer applications would also help to prevent, or at least limit, a malicious party’s ability to bring your site down by overloading it with high-frequency traffic via the API.
The API developers using Representational State Transfer (REST) principles when designing
the interface should also help with security too. REST uses a set of at least five different
commands to access data.
Therefore, if an API is implemented in a RESTful way, it will have predictable outcomes, thereby simplifying the security for the person implementing it, but making it difficult for an outside party who doesn’t have access to break the security walls down.
All of this is particularly pertinent for us in the UK as our present government has said it wants banks to open up access to customer data using APIs in order to help drive innovation and boost the level of competition in the sector. The government has even said they will legislate to make this a reality if they have to as well.
There is an argument to be made for why this would be a good thing too, as more competition in banking means these institutions will have to work harder to innovate.
Hopefully, this, in turn, will drive the product and service levels up for the consumers.
Furthermore, a more open publication of data should assist alternative providers by giving them a new source of information that will help them to make more efficient and effective lending decisions.
Therefore, the implementation of open APIs giving access to banking data is going to happen.
However, this doesn’t have to be as worrying as it may seem. Banking APIs being open should hopefully force them to prioritize making their API tools as secure as possible.
I say this as banks opening up access to customer data should also lead to new stricter
regulations coming in that would require these institutions to make sure adequate security
measures are in place. Furthermore, the government has tasked an Open Banking Working Group (OBWG) led by the industry to develop the framework that would underpin the open banking standard needed to facilitate the plans.
As part of this, the OBWG has published a report that has said that an independent authority would be responsible for handling complaints and establishing “how data is secured once shared, as well as the security, reliability, and scalability of the APIs provided”.
This independent authority would also be able to “vet third parties, accredit solutions and
publish its outcome through a white list of approved third parties”.
Access would only be granted where the bank account holder has given informed consent, so if you’re still worried about your banking data being accessed via an open platform, it is possible to opt-out.
Therefore, it is safe to say that safe that the use of APIs will continue to grow, particularly given that the UK government wants our financial institutions to use them and even uses open-access APIs themselves to give anyone who is interested access to their own departments’ data sets via the launch of data.gov.uk.
The increased use of APIs is in many ways a good thing too. Software or websites being able to use the data and functionality of other software and websites helps to create a quicker and more fluid browsing experience for users.
Furthermore, the government is now pushing for banks to use open API, which is very good, as if nothing else, the implementation of an open API should make the security of the platform your data is held on even better, and these better security measures should also spread to other industries.
Finally, open-access APIs will also help to make the level of competition among banks even
higher for you as a consumer, and the government then looks for other industries to also do the same, your choices as a consumer should improve in other areas too.
About The Author
David is Head of Operations at the payment gateway and merchant
services provider Total Processing. Prior to joining Total Processing in
February 2016, David spent over two and a half years at the merchant
services provider Axcess Merchant Services having previously sent over
nine years in a variety of roles at the banking group HSBC.
He lives in the city of Leeds, West Yorkshire in Great Britain. David can be
reached online on Twitter @davidmidgley4 and at our company website