The invisible battlefield of financial innovation

By Chuck Herrin, Field Chief Information Security Officer for multi-cloud application services and security company, F5.

APIs – or application programming interfaces – have become the lifeblood of digital transformation as they help power innovation, business-to-business integrations, and the management of vast quantities of sensitive data in financial services.

That innovation has in turn revolutionised the financial sector in Australia through advances in digital banking, fostering greater accessibility and personalisation. A study showed that in 2023, Australian banks emerged as leaders in ICT investment among their APAC peers. The top six Australian banks collectively spent circa A$7.6 billion on ICT – a 6.1 per cent increase from 2022.

This rapid rise has ushered in unprecedented agility and connectivity, but it has also created a massive security gap.

What we see at F5 tells us that over 90 per cent of web-based attacks now target API endpoints, and Gartner predicts that API abuses will account for more than 50% of data breaches by 2025. This alarming trend highlights the urgency with which financial institutions must address security risks while navigating the quick-fire evolution of the industry.

From Innovation to vulnerability

Dating back to at least the 1960s as a method of communication between system components in early computing environments, APIs became more commonplace in the 1990s with the rise of web technologies. The open-source movement further accelerated their adoption, as developers shared frameworks and tools to standardise API design and implementation. Tech giants such as Salesforce and eBay then revolutionised the concept further by allowing third-party developers to integrate with their platforms in the early 2000s.

APIs quickly became indispensable for modernising financial services, enabling seamless customer experiences and unlocking new revenue streams. However, security measures struggled to keep pace. It wasn’t until 2019 – nearly two decades later – that the OWASP API Top 10 spotlighted the unique vulnerabilities inherent to APIs.

This lag in security preparedness has left financial institutions exposed to increasingly sophisticated attacks.

Imagine a bank’s system that handles currency conversions, for example, turning Australian dollars into U.S. dollars. This system works via APIs – essentially a digital messenger that lets apps and websites talk to each other and request services, such as calculating exchange rates or completing transactions.

In one real-world example, my former company’s research team showed a banking customer how to bypass their controls and manipulate transactions. This type of attack bypassed the security checks built into the bank’s app, allowing us to print free money completely undetected into one of our accounts.

Even though the bank had otherwise sophisticated security measures in place, our team was able to exploit these gaps and make their actions look normal. As a result, the system couldn’t tell the difference between the hackers’ fake requests and legitimate ones, and the attack went unnoticed until we briefed the customer on what to look for and how to mitigate their API risks.

High stakes balancing act

Australian financial institutions are under immense pressure to innovate quickly while safeguarding customer trust. APIs are at the centre of this tension, offering the agility needed to launch new products and services rapidly. Yet, this speed often comes at the expense of security, leading to friction between development and security teams, as well as boards and executive management where speed-to-market and security are both top priorities.

Bridging this divide requires clear governance standards that integrate security into the development lifecycle without stifling innovation.

A proactive approach – embedding security considerations into product management decisions – is essential for reducing vulnerabilities from the outset, as is collaboration. Security solutions must align with development workflows to minimise disruption and encourage adoption. Simply put, you cannot secure that which you cannot see, or that which you don’t understand. Getting the visibility needed to ensure protection requires a proactive, simple, and effective approach.

Regulatory frameworks add another layer of complexity to API security. Financial institutions must navigate strict compliance requirements while maintaining operational efficiency. Metrics like incident response times and results of API security assessments are vital for meeting regulatory expectations and improving overall resilience.

Third-party risks and hidden threats

As financial institutions increasingly rely on third-party APIs for core functions, their attack surfaces grow. These integrations are essential for enhancing services, but they also introduce risks due to limited visibility into third-party security practices.

Compounding the challenge is the sheer number of APIs in use. Common industry estimates suggest that up to 50 per cent of API endpoints are unmanaged, and keeping an up-to-date inventory of APIs and endpoints is a daunting challenge. Dormant or outdated APIs – sometimes called ‘zombie or shadow APIs’ – are especially vulnerable, providing attackers with hidden entry points. Continuous monitoring and governance are critical to mitigating these threats and ensuring a secure API ecosystem.

Lessons learned; actions required

The rapid growth of APIs has reshaped financial services, but it has also created vulnerabilities that can no longer be ignored. These persistent challenges demand a proactive, forward-looking approach.

By embedding security into the DNA of API management, fostering collaboration between teams, and learning from past mistakes, financial institutions can build robust defences against evolving threats. APIs are the backbone of tech and financial institutions are the backbone of funding future industry and economic growth – securing them is essential for innovation.