Open Banking Requires Rethinking about API Protection

New open banking regulations promoted by the Bank of Israel introduce new risks in the application programming interfaces (APIs) between the bank and third parties. "Each API interface needs dedicated protection," says Dr. Doron Chema, co-founder and CEO of L7 Defense.


Founders of L7 Defense. Photo: L7 Defense


The Bank of Israel's open banking announcement reveals the need for API protection solutions. To understand why, start with the question: what is an API? "To simplify, an API is any 'logical point' on application servers or a website that can respond to requests from outside," explains Doron Chema, co-founder and CEO of L7 Defense, a provider of API protection solutions. "Such a 'point' can send files in response to a request, stream songs, execute money transfers in an app and more. In fact, every user action on a site or in an app usually activates a large number of APIs behind the scenes."

The Objective: Accessibility to Customer Bank Data

In the open banking world, it appears that the Bank of Israel wants to enable third-party FinTech companies to access customer bank data. According to the publication: "Third-party access to customer accounts will be in stages. In the first stage, within one year of the new directive's publication, third parties gain access to information on the balances and movements in customer accounts. In the second stage, after one and a half years, access to transaction information on bank and non-bank debit cards will be enabled with the ability to initiate payment in the customer's bank account. The third stage, after two years, includes access to additional customer information such as: information on customer bank credit and loans, information on customer bank deposits and savings, and information on the customer securities portfolio."

Implementation of this regulation requires information disclosure via bank APIs to third parties… "To protect information in today's open world, each API needs separate handling for specific needs. Existing solutions such as legacy Web Application Firewalls (WAFs) aren't specific and only protect against average characteristics of APIs in the context of an app or website," explains Dr. Chema. "Next generation defense solutions need to tailor policies to each API according to its specific native properties. For example, when APIs' response times are 200 ms and 10 ms, setting an average response time policy to 50 ms simply doesn't help to stop applicative DDoS attacks. This is also the case for average-based protection from bot attacks on specific transactional APIs. For many API protection solutions today, that's still what's happening…"
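The 200 ms / 10 ms versus 50 ms point above can be checked on sample data. The following is an added example, not code from the article or from L7 Defense's product; the endpoint names, the timings and the median/MAD rule are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline traffic: (endpoint, response time in ms).
# Endpoint names are hypothetical.
BASELINE = (
    [("/reports/export", t) for t in (195, 200, 205, 198, 202, 201, 199)]
    + [("/accounts/balance", t) for t in (9, 10, 11, 10, 10, 9, 11)]
)

# Constructed live traffic: the slow API behaves normally, while the
# fast API has degraded to more than four times its usual latency.
LIVE = [
    ("/reports/export", 203), ("/reports/export", 197),
    ("/accounts/balance", 44), ("/accounts/balance", 46),
    ("/accounts/balance", 10),
]

GLOBAL_THRESHOLD_MS = 50  # the single "average" policy from the quote


def global_policy(records, threshold=GLOBAL_THRESHOLD_MS):
    """One threshold applied to every API regardless of its normal latency."""
    return [(ep, ms) for ep, ms in records if ms > threshold]


def build_baselines(records):
    """Per-endpoint median and median absolute deviation (MAD)."""
    by_endpoint = defaultdict(list)
    for ep, ms in records:
        by_endpoint[ep].append(ms)
    baselines = {}
    for ep, values in by_endpoint.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baselines[ep] = (med, max(mad, 1.0))  # floor avoids a zero-width band
    return baselines


def per_api_policy(records, baselines, k=6.0):
    """Flag a request only when it is slow relative to its own endpoint."""
    flagged = []
    for ep, ms in records:
        med, mad = baselines[ep]
        if ms - med > k * mad:
            flagged.append((ep, ms))
    return flagged


if __name__ == "__main__":
    print("global 50 ms policy:", global_policy(LIVE))
    print("per-API policy:     ", per_api_policy(LIVE, build_baselines(BASELINE)))
```

The global policy flags both healthy `/reports/export` requests and passes the degraded `/accounts/balance` requests, while the per-endpoint policy does the reverse.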

What Dr. Chema is talking about is a relatively new reality. The demand for individual API solutions started last summer and is still in its infancy. "Finance, aviation, trade and other organizations are beginning to realize that defense policies based on averages leave them exposed. Therefore, APIs on the average threshold defined by the defense policy are protected, but the rest are not protected…," says Dr. Chema. "Our system has the ability to find all the APIs including all the response points on a website or app page, and to customize and enforce specific policies to by-pass them using Rivers Proxy. Everything is automated and autonomous."

Contribution to Profit

Our customers see the value of API protection, not just for information security, but for their business. Any user or session that fails to reach a site results in financial loss to the publisher or app (false positive result). On the other hand, economic damages can also be caused by any malicious user or session on the site (false negative result).

"The API cycle trend in the software world today leads to self-sufficient APIs that are used by many apps. This is a weak point for any site or app! Therefore, the solutions using average API protection are ineffective. It's time to transform to the specific individualized protection for each external interface point," Dr. Chema explains. "We're playing a game about the level of system errors. Web publishers don't want to lose revenue from false alerts that prevent user entry, plus publishers need secure interfaces. Advanced API protection needs this in banking, commerce and expanding 5th generation world-wide networks."