Page 18 - Cyber Warnings
Furthermore, organisations should implement two-factor authentication (2FA) at the very least: a password plus a second factor such as a one-time code. The common "password and SMS" pairing is better than a password alone, but SMS is the weakest second factor in everyday use, since codes can be intercepted or redirected through SIM-swap fraud, so an authenticator app or hardware token is preferable where the user base allows it.
In addition, limiting the request rate per client (API key or registered application) for consumer applications would also help to prevent, or at least limit, a malicious party's ability to bring your site down by flooding the API with high-frequency traffic.
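The per-client rate limiting described above, as an added example written for this edit rather than code from the original article: a token bucket keyed on the caller's API key, returning HTTP 429 with a Retry-After header once the client's burst allowance is spent. The capacity, refill rate and client keys ("app-A", "app-B") are constructed for the demonstration; the FakeClock exists only to make the scenario deterministic.

```python
"""Per-client token-bucket rate limiter for an API front end (illustrative)."""
import time


class FakeClock:
    """Deterministic clock for the demo; use time.monotonic in production."""
    def __init__(self):
        self.t = 0.0

    def advance(self, seconds):
        self.t += seconds

    def __call__(self):
        return self.t


class RateLimiter:
    """Token bucket per client key.

    capacity = how many requests a client may burst at once
    rate     = sustained requests per second refilled into the bucket
    """
    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock
        self._buckets = {}  # key -> (tokens, last_refill_time)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False

    def retry_after(self, key):
        """Seconds until the client may send one more request."""
        tokens, _ = self._buckets.get(key, (self.capacity, 0.0))
        if tokens >= 1.0:
            return 0.0
        return (1.0 - tokens) / self.rate


def handle(limiter, client_key):
    """Gate a request: 200 when allowed, 429 with Retry-After otherwise."""
    if limiter.allow(client_key):
        return 200, {}
    wait = max(1, round(limiter.retry_after(client_key)))
    return 429, {"Retry-After": str(wait)}


def simulate():
    """Constructed scenario: client app-A bursts 15 requests against a
    bucket of 10 refilling at 5/s, waits one second, then sends 10 more.
    Client app-B has its own bucket and is unaffected."""
    clock = FakeClock()
    limiter = RateLimiter(capacity=10, rate=5, clock=clock)
    first_burst = [handle(limiter, "app-A")[0] for _ in range(15)]
    clock.advance(1.0)  # 5 tokens refilled
    second_burst = [handle(limiter, "app-A")[0] for _ in range(10)]
    other = handle(limiter, "app-B")[0]
    return {
        "first_ok": first_burst.count(200),       # 10
        "first_limited": first_burst.count(429),  # 5
        "second_ok": second_burst.count(200),     # 5
        "other_client": other,                    # 200
    }


if __name__ == "__main__":
    print(simulate())
```

Key the bucket on an authenticated identity (API key, client id) rather than source IP, since consumer apps behind carrier NAT share addresses; in a real deployment evict idle buckets (or keep them in a shared store such as Redis) so the dictionary cannot grow without bound.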
Designing the interface along Representational State Transfer (REST) principles should also help with security. REST exposes every resource through the same small set of HTTP methods (GET, POST, PUT, PATCH and DELETE, plus HEAD and OPTIONS), each with defined semantics.
Therefore, if an API is implemented in a RESTful way, every operation is an explicit method-plus-resource pair with a predictable outcome, which simplifies the job of the person securing it: authentication, authorisation and rate limits can be applied consistently at that one uniform interface rather than to a sprawl of bespoke endpoints. The predictability is not in itself a barrier to an outside party, who can enumerate a uniform interface just as easily as anyone else; the protection comes from denying by default and checking, on every request, both the caller's permission for that method and their ownership of the resource being addressed.
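The authorisation model that a RESTful interface makes explicit, as an added example written for this edit and not code from the original article: a route table maps each (method, resource) pair to a required scope, anything not in the table is refused, and an object-level ownership check is made before any account data is returned, so a third party holding one customer's token cannot read another customer's account by changing the identifier in the URL. The accounts, tokens, scope names and paths are all constructed for the demonstration.

```python
"""Default-deny authorisation at a REST uniform interface (illustrative)."""
import re

# Constructed sample data: which customer owns which account.
ACCOUNTS = {
    "acc-1001": {"owner": "cust-A", "balance": 250.00},
    "acc-2002": {"owner": "cust-B", "balance": 9100.00},
}

# Constructed tokens as already validated by the authorisation server;
# each carries the customer it acts for and the scopes it was granted.
TOKENS = {
    "tok-app-readonly": {"sub": "cust-A", "scopes": {"accounts:read"}},
    "tok-app-payments": {"sub": "cust-A",
                         "scopes": {"accounts:read", "payments:write"}},
}

# Route table: (method, path pattern, scope required). Anything not
# listed is rejected; there is no catch-all handler to fall through to.
ROUTES = [
    ("GET",    re.compile(r"^/accounts/(?P<acct>[\w-]+)$"),          "accounts:read"),
    ("POST",   re.compile(r"^/accounts/(?P<acct>[\w-]+)/payments$"), "payments:write"),
    ("DELETE", re.compile(r"^/accounts/(?P<acct>[\w-]+)$"),          "accounts:close"),
]


def authorize(method, path, token):
    """Return (status, body). Denies unless the token is known, the
    route is listed, the scope is present and the caller owns the account."""
    claims = TOKENS.get(token)
    if claims is None:
        return 401, {"error": "invalid_token"}

    path_matched = False
    for route_method, pattern, scope in ROUTES:
        m = pattern.match(path)
        if not m:
            continue
        path_matched = True
        if route_method != method:
            continue
        if scope not in claims["scopes"]:
            return 403, {"error": "insufficient_scope", "required": scope}
        acct_id = m.group("acct")
        acct = ACCOUNTS.get(acct_id)
        # Object-level check: the caller must own the account it names.
        # 404 rather than 403 avoids confirming that the account exists.
        if acct is None or acct["owner"] != claims["sub"]:
            return 404, {"error": "not_found"}
        return 200, {"method": method, "account": acct_id,
                     "balance": acct["balance"]}

    return (405 if path_matched else 404), {"error": "not_allowed"}


def demo():
    """Constructed requests showing each decision the gate makes."""
    return {
        "own_account": authorize("GET", "/accounts/acc-1001", "tok-app-readonly")[0],
        # Same token, other customer's account: the classic broken
        # object-level authorisation case, refused here.
        "other_customer_account": authorize("GET", "/accounts/acc-2002", "tok-app-readonly")[0],
        "payment_without_scope": authorize("POST", "/accounts/acc-1001/payments", "tok-app-readonly")[0],
        "payment_with_scope": authorize("POST", "/accounts/acc-1001/payments", "tok-app-payments")[0],
        "close_without_scope": authorize("DELETE", "/accounts/acc-1001", "tok-app-payments")[0],
        "unsupported_method": authorize("PATCH", "/accounts/acc-1001", "tok-app-payments")[0],
        "unknown_route": authorize("GET", "/admin/accounts", "tok-app-payments")[0],
        "bad_token": authorize("GET", "/accounts/acc-1001", "tok-forged")[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:24s} -> {status}")
```

The point of the table is that the security decision is made in one place for every method on every resource; the ownership test is the part most often missing in real APIs, and it is what stops a legitimately registered third party from walking account identifiers.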
All of this is particularly pertinent for us in the UK, as our present government has said it wants banks to open up access to customer data through APIs in order to drive innovation and increase competition in the sector, and has said it will legislate to make this happen if it has to.
There is an argument to be made for why this would be a good thing too, as more competition in
banking means these institutions will have to work harder to innovate.
Hopefully, this in turn will drive the product and service levels up for the consumers.
Furthermore, a more open publication of data should assist alternative providers by giving them
a new source of information that will help them to make more efficient and effective lending
decisions.
Therefore, the implementation of open APIs giving access to banking data is going to happen. However, this need not be as worrying as it may seem: having their APIs open should force banks to prioritise making them as secure as possible.
I say this as banks opening up access to customer data should also lead to new, stricter regulations requiring these institutions to make sure adequate security measures are in place.
Furthermore, the government has tasked an industry-led Open Banking Working Group (OBWG) with developing the framework that would underpin the open banking standard needed to facilitate the plans.
As part of this, the OBWG has published a report stating that an independent authority would be responsible for handling complaints and establishing "how data is secured once shared, as well as the security, reliability and scalability of the APIs provided".
This independent authority would also be able to "vet third parties, accredit solutions and
publish its outcome through a white list of approved third parties".
18 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide