Submitted URL: https://go.cequence.ai/NDkwLVJRRi05NjAAAAGXCADSq-Xvr_XNL55UL0UGX9MFlb9Gpg0z7R1Sm0XKKn-grQLrA1BhrO7yR2wTUk5TX7PAmxc=
Effective URL: https://www.cequence.ai/blog/api-security/protecting-open-banking-apis/?utm_source=Email+Marketing&utm_medium=Email&utm_...
Submission: On November 26 via api from US — Scanned from DE
PROTECTING OPEN BANKING APIS: BEST PRACTICES
November 19, 2024 | 7 MIN READ
by Varun Kohli
API Security

EMPOWERING CONSUMERS WHILE PROTECTING APIS

The U.S. Consumer Financial Protection Bureau (CFPB) recently issued a rule requiring financial institutions to provide digital interfaces (APIs) for secure, consumer-authorized data sharing with third-party applications.
These APIs give consumers more control over their financial data across banking, budgeting, and investment platforms. They also widen the attack surface and raise privacy concerns, so a robust API security strategy is essential.

OPEN BANKING STANDARDS

To support open banking's secure data-sharing goals, several industry standards have evolved, including:

* FDX (Financial Data Exchange): In the U.S., FDX sets technical standards for secure and transparent data sharing. FDX advocates uniform, consent-driven data access, improving interoperability and security across the financial ecosystem.
* OFX (Open Financial Exchange): Originating in the 1990s, OFX is a global standard for data exchange between financial institutions and third-party applications. Over the years OFX has adapted to rising cybersecurity expectations, incorporating stronger authentication and encryption.

Both FDX and OFX guide financial institutions and third parties in building secure applications and APIs, aligning with the goals of open banking by promoting secure, user-consented data sharing.

KEY SECURITY MEASURES FOR PROTECTING OPEN BANKING APIS

1. Implementing Strong Authentication and Authorization

The foundational layer of API security is robust authentication and authorization. OAuth 2.0 is the common industry standard for token-based access: the third party never holds the consumer's bank credentials, only an access token scoped to what the consumer consented to. Combining multi-factor authentication at consent time with short-lived access tokens that are refreshed, rather than long-lived credentials, ensures that only authorized entities can reach sensitive data, and that a leaked token is useful for minutes rather than months.

2. Encrypting Data in Transit and at Rest

Encrypting data both in transit and at rest protects user information from interception and unauthorized access. Open banking APIs should require TLS (Transport Layer Security) on every connection; stored data needs separate storage-level encryption, since TLS only protects data on the wire.
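The token checks in item 1 and the transport requirement in item 2, as an added example that is not code from the article or from Cequence: a minimal resource-server decision in Python using only the standard library. It assumes an HS256-signed JWT access token with a shared secret, an endpoint-to-scope table, and a `consent_id` claim binding the token to the consumer's consent; all of these are illustrative assumptions. A production resource server would validate asymmetric tokens (RS256/ES256) against the authorization server's published keys, but the order of checks is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a shared secret for HS256. Real deployments use the authorization
# server's public keys (RS256/ES256); the validation order below is the same.
SECRET = b"example-shared-secret-not-for-production"
AUDIENCE = "https://api.bank.example"  # assumed identifier of this resource server

# Assumed table of open-banking endpoints and the OAuth scope each one needs.
ENDPOINT_SCOPES = {
    "GET /accounts": "accounts:read",
    "GET /transactions": "transactions:read",
    "POST /payments": "payments:write",
}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, key=SECRET):
    """Build an HS256 JWT. Minting is the authorization server's job; it is here
    only so the example can produce its own input offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, key=SECRET, audience=AUDIENCE, now=None):
    """Return the claims if the token is well-formed, signed with our key, meant
    for this API and unexpired; raise ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:         # a token issued for another API is not ours
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):           # short-lived tokens: expiry is mandatory
        raise ValueError("token expired")
    return claims


def authorize_request(method, path, scheme, authorization, now=None):
    """Decide one API call. Returns (allowed, reason-or-consent_id)."""
    if scheme != "https":                     # item 2: never serve account data in plaintext
        return False, "plaintext request rejected"
    if not authorization or not authorization.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = verify_token(authorization[len("Bearer "):], now=now)
    except ValueError as err:
        return False, str(err)
    needed = ENDPOINT_SCOPES.get(f"{method} {path}")
    if needed is None:                        # endpoint not in the table: deny by default
        return False, "unknown endpoint"
    if needed not in claims.get("scope", "").split():
        return False, f"scope {needed} not granted"
    consent_id = claims.get("consent_id")     # assumed claim tying the token to a consent
    if not consent_id:
        return False, "no consent bound to token"
    return True, consent_id


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token({"sub": "user-1", "aud": AUDIENCE, "exp": now + 300,
                        "scope": "accounts:read transactions:read", "consent_id": "cns-123"})
    print(authorize_request("GET", "/accounts", "https", f"Bearer {token}", now=now))
    print(authorize_request("POST", "/payments", "https", f"Bearer {token}", now=now))
    print(authorize_request("GET", "/accounts", "https", f"Bearer {token}", now=now + 600))
```

The expiry check is what makes short-lived tokens effective: the same code rejects the token ten minutes later. The `alg` check runs before any signature work so an `alg=none` or algorithm-confusion token never reaches the comparison, and the scope lookup denies any endpoint missing from the table rather than defaulting to open.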
Many institutions also adopt tokenization, replacing sensitive values such as account numbers with non-sensitive tokens, so that a breach of a downstream system exposes nothing reusable.

3. Rate Limiting and Throttling for API Protection

Rate limiting controls how often a client may call an API, mitigating brute-force attacks and API abuse. It is crucial for preventing both overload and malicious activity, where attackers or aggregators might flood the API with requests. Limits set per client and per endpoint, and tuned to observed behaviour, let financial institutions prevent service disruptions and maintain system integrity without throttling legitimate traffic.

4. Continuous API Discovery and Shadow API Monitoring

Open banking requires frequent updates, which can unintentionally create "shadow APIs": endpoints that are deployed but undocumented and unmonitored. A continuous API discovery strategy, comparing the endpoints actually observed in traffic with the documented inventory, helps organizations map and monitor their APIs and minimizes the risk of exposing sensitive data through unknown or forgotten endpoints.

5. Security Testing and Compliance Monitoring

Security testing helps ensure compliance with open banking regulations. Automated testing and vulnerability scans integrated into the development pipeline identify API weaknesses before release, reducing the risk of data breaches. Institutions should also conduct periodic penetration tests and align API practices with PSD2 (the EU's Revised Payment Services Directive), the CFPB rule, and similar regulations globally.

MITIGATING FINANCIAL AGGREGATOR ABUSE

A distinct security challenge in open banking is financial aggregator abuse. Financial aggregators consolidate a consumer's financial data into a single view for reporting and analysis, such as tax planning or household budgeting.
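Item 3 (rate limiting), item 4 (shadow API discovery) and the aggregator controls this section goes on to list all start from the same input: the API's own access log, read against what the institution knows about its clients. The Python below is an added example, not code from the article or from Cequence. The log lines, the documented inventory, the per-client budgets, the consent table and the account-id format are all constructed assumptions; the three checks are the general form of the controls the text describes, run over that one log.

```python
import re
from collections import defaultdict, deque

# Assumed documented inventory (what an OpenAPI spec would declare), with path
# parameters already written as {id}.
DOCUMENTED = {
    "GET /v2/accounts",
    "GET /v2/accounts/{id}/transactions",
    "GET /v2/balances",
}

# Assumed per-client budgets as (max requests, window seconds). A trusted aggregator
# gets a larger budget than an unknown client, but no client is exempt.
LIMITS = {"agg-alpha": (5, 10), "default": (2, 10)}

# Assumed consent table: the accounts each aggregator is allowed to pull.
CONSENTS = {"agg-alpha": {"acct-1", "acct-2", "acct-3"}}

# Assumed account-id shape, so concrete ids collapse to {id} before matching.
ID_SEGMENT = re.compile(r"^acct-\d+$")

# Constructed access log: timestamp, client id, method, path, account touched.
LOG = """\
1700000000 agg-alpha GET /v2/accounts/acct-1/transactions acct-1
1700000001 agg-alpha GET /v2/accounts/acct-2/transactions acct-2
1700000002 agg-alpha GET /v2/balances acct-1
1700000003 agg-alpha GET /v2/accounts/acct-3/transactions acct-3
1700000004 agg-alpha GET /v2/accounts/acct-9/transactions acct-9
1700000005 agg-alpha GET /v2/accounts/acct-1/transactions acct-1
1700000006 unknown-7 GET /v2/accounts/acct-1/transactions acct-1
1700000006 unknown-7 GET /v1/accounts/acct-1/export acct-1
1700000007 unknown-7 GET /v2/balances acct-1
1700000020 agg-alpha GET /v2/balances acct-2
"""


def parse(log):
    """One (ts, client, method, path, account) tuple per log line."""
    events = []
    for line in log.strip().splitlines():
        ts, client, method, path, account = line.split()
        events.append((int(ts), client, method, path, account))
    return events


def normalize(path):
    """Collapse ids so /v2/accounts/acct-1/transactions matches the inventory entry."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def shadow_endpoints(events):
    """Item 4: observed METHOD+path pairs the documented inventory does not know."""
    observed = {f"{m} {normalize(p)}" for _, _, m, p, _ in events}
    return sorted(observed - DOCUMENTED)


def over_limit(events):
    """Item 3: sliding-window limit per client; returns the (client, ts) calls it rejects."""
    recent = defaultdict(deque)
    rejected = []
    for ts, client, *_ in sorted(events):
        limit, window = LIMITS.get(client, LIMITS["default"])
        q = recent[client]
        while q and ts - q[0] >= window:        # drop calls that fell out of the window
            q.popleft()
        if len(q) >= limit:
            rejected.append((client, ts))
            continue                             # rejected calls do not consume budget
        q.append(ts)
    return rejected


def consent_violations(events):
    """Aggregator abuse: a trusted client pulling an account it holds no consent for.
    Unknown clients are not checked here; the token layer should already have refused them."""
    return sorted({(c, a) for _, c, _, _, a in events
                   if c in CONSENTS and a not in CONSENTS[c]})


def report(log=LOG):
    events = parse(log)
    return {
        "shadow": shadow_endpoints(events),
        "rejected": over_limit(events),
        "consent": consent_violations(events),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, findings)
```

On the constructed log this reports one shadow endpoint (the `/v1/.../export` path nobody documented), one rejected call each for the trusted aggregator and the unknown client, and one consent violation. The consent check is the control that catches a compromised aggregator credential: `agg-alpha` pulling `acct-9` looks like ordinary volume to a rate limiter, and only the tie-back to consent exposes it.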
Aggregators used to gather the consumer's data from banks and other financial organizations through screen scraping: an automated process in which a bot logs in as the consumer and collects the information from the screen. It worked, but it was error-prone, since even small changes to the financial website could cause the bot to fail or return incorrect data. Now these connections are made via APIs, which are documented and repeatable, but they have also become a point of attack for bad actors attempting fraud, identity theft, or theft of funds. Attackers find this consolidated pool of sensitive information extraordinarily valuable, since it lets them launch high-value attacks across institutions. An aggregator can serve as a backdoor into every institution it connects to, and aggregator APIs are an obvious target; compromising one may lead to the compromise of others, so it is critical to protect them.

Effective security for these aggregator APIs includes:

* Implementing granular rate limits that detect abnormal patterns from both trusted and untrusted sources, since a trusted aggregator's credentials can themselves be abused.
* Employing anomaly detection to identify excessive or suspicious data requests and stop abuse in real time.
* Ensuring comprehensive user consent and monitoring protocols, so that users and institutions maintain visibility into data-sharing activities and every request can be tied back to a consent.

GEOGRAPHIC PERSPECTIVES ON OPEN BANKING API SECURITY

UNITED STATES

In the U.S., the CFPB's recent rule requires banks and credit unions to provide APIs for consumer-driven data sharing. However, detailed API security standards remain voluntary, with frameworks like FDX offering guidance. U.S. financial institutions therefore have to implement robust security protocols on their own initiative to prevent data misuse while enabling open data sharing.

EUROPE

Europe's PSD2 regulation mandates strict security requirements for all open banking APIs.
PSD2's strong customer authentication (SCA) requirements enforce multi-factor authentication, and its open API mandate requires banks to allow licensed third-party providers to access accounts directly. This regulatory environment has made Europe a leader in secure, standardized open banking APIs and a model for other regions.

ASIA-PACIFIC

In the Asia-Pacific region, open banking is still emerging but quickly gaining traction, driven by customer demand for convenience and security. Australia, for example, has introduced the Consumer Data Right (CDR), which mandates data-sharing standards for financial services. Such initiatives provide a foundation for secure data exchange, though API security practices still vary widely across the region.

HOW CEQUENCE SECURES OPEN BANKING APIS

As open banking continues to reshape global financial services, Cequence offers a tailored solution to these API security challenges through a combination of AI-driven analysis, continuous monitoring, and proactive threat detection. With features that enhance visibility and security, Cequence helps institutions mitigate the risks of shadow APIs, aggregator abuse, and regulatory non-compliance. Key capabilities include:

* Anomaly Detection and Threat Intelligence: Using machine learning, Cequence identifies low-and-slow attack patterns, probing activity, and anomalies for proactive threat detection.
* Automated Mitigation and Throttling Controls: Cequence dynamically adjusts access rates and automatically mitigates suspicious behavior, reducing the risk of abuse without disrupting legitimate use.
* Programmable Pivots: The ability to pivot on key data fields to detect and mitigate malicious behavior in increasingly complex consumer-aggregator-financial institution relationships.
* End-to-End API Security Lifecycle Management: From discovery to decommissioning, Cequence provides continuous oversight across the API lifecycle: automated testing, discovery, inventory, compliance checks, and threat detection, with native mitigation that does not rely on a third party.

By combining these capabilities, Cequence enables financial institutions to offer secure, compliant open banking experiences across global markets, reinforcing trust and stability in the open banking ecosystem.

LOOKING AHEAD

The evolution of open banking brings a new era of financial inclusivity and innovation, but it also demands sophisticated security measures to protect consumer data and maintain regulatory compliance. As financial institutions adopt open banking, securing APIs becomes fundamental to delivering a safe and trusted experience to customers worldwide. Through structured security measures, a thorough understanding of standards like FDX and OFX, and an awareness of global regulatory nuances, institutions can better safeguard their APIs and build resilience against the challenges that accompany open banking.

Further information from Cequence on open banking and financial aggregator abuse:

* Webinar: Mastering the Open Banking API Gold Rush: Expert Tips and Strategies
* Blog: PSD2, the Future of Open Banking, and API Security
* Blog: Navigating the New CFPB Rule on Open Banking: The Details
* Blog: CFPB to Announce Major Open Banking Proposed Rule
* Blog: The Open Banking API Security Imperative
* Blog: Financial Aggregators a Vehicle for Credential Exploitation?

Contact us to learn more or schedule a personalized demo and discuss your business-specific needs.

Author
Varun Kohli, CMO
Varun Kohli, CMO at Cequence, formerly led marketing teams at Feedzai, Symantec, McAfee and ArcSight. Featured in major publications and broadcasts, Varun has contributed to 9 successful company exits.
He holds degrees from IIT Guwahati, UC Riverside and UC Berkeley.