
Security

How APIs can improve banking security

Screen scraping is a major security issue for banks. By replacing this practice with APIs, banks can eliminate this issue and improve customer experience.



by Bradley Cooper — Editor, ATM Marketplace

Security is an issue in every industry, but nowhere is it as critical as in banking. Bank breaches lead to billions in losses and a subsequent drop in customer trust in financial institutions. Banks need to act quickly to plug potential security holes and to address the techniques that create those holes. One such practice is screen scraping.

"Screen scraping is an automated process that uses bots, web crawlers, and other proprietary tools to log into websites on behalf of account holders using their passwords and credentials," Lee Wetherington, senior director of corporate strategy for Jack Henry, said in an email interview.

The problem with screen scraping is that it is difficult to tell which login attempts come from actual users and which are fraudulent. Wetherington said this in turn makes "systems vulnerable to credential-stuffing attacks and other cyber threats that continue to plague the industry at large."

In addition, users don't have control over their ID and passwords during screen scraping, which leaves them vulnerable.

"Screen scraping creates customer friction in conjunction with modern security practices such as two-factor authentication. With the ID and password no longer in the customers' possession it leaves more of their data vulnerable to cyber-attacks," Philip Suckow, VP of innovation at IncredibleBank, said in an email interview.

Jack Henry is addressing the problem by blocking inbound screen scraping with its Banno Digital Banking Platform, which delivers open-banking API connections to data exchange platforms Finicity, Akoya, Plaid, Envestnet | Yodlee and Intuit. This gives customers better control over their data while they continue to access banking services.

"Jack Henry is on track to eliminate all inbound screen scraping on its Banno Digital Banking Platform by the end of summer 2023 and replace it with secure and standardized APIs that allow for narrow account holder control of financial data," Wetherington said.

In particular, customers can use these APIs to see where their data is shared, and they can in turn grant or revoke access to that data.

"Account holders will be able to control the data they share with third party providers with more transparency and precision. They will have more granular control over which data they share, instead of giving third parties indiscriminate access to all of their data across accounts. This not only improves security and privacy but also reinforces the primacy of financial institutions in the financial lives of their account holders," Wetherington said.

The platform uses tokens to share the data, so users do not have to reveal their usernames or passwords to third parties, a practice that can in turn lead to data breaches.
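The token model described above, sketched as an added example (not Jack Henry's or Banno's code): the third party holds a random token bound to specific accounts and data types, and the customer can list and revoke that access. The class, method and scope names are hypothetical, and the in-memory dictionary stands in for a bank's token service.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One consent record: which third party may read which data on which account."""
    customer: str
    third_party: str
    scopes: frozenset  # constructed sample shape: {("checking-001", "balances")}
    revoked: bool = False


class ConsentRegistry:
    """Hypothetical bank-side store; tokens are kept only as SHA-256 digests."""

    def __init__(self):
        self._grants = {}  # token digest -> Grant

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def grant(self, customer, third_party, scopes):
        # The third party receives a random token, never the customer's password.
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(customer, third_party, frozenset(scopes))
        return token

    def authorize(self, token, account, data_type):
        # Every request is attributable to one third party and one consent record.
        g = self._grants.get(self._digest(token))
        if g is None or g.revoked:
            return None
        return g.third_party if (account, data_type) in g.scopes else None

    def shared_with(self, customer):
        # What the customer sees in digital banking: where their data is shared.
        return sorted((g.third_party, sorted(g.scopes))
                      for g in self._grants.values()
                      if g.customer == customer and not g.revoked)

    def revoke(self, customer, third_party):
        # Revocation cuts off one third party without a password change.
        hits = [g for g in self._grants.values()
                if g.customer == customer and g.third_party == third_party and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)
```

Because `authorize` returns the third party's name, each request can be logged against a known integrator, which a scraper logging in with the customer's own credentials does not allow.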

"Direct APIs ensure stable, reliable, resilient connections between accounts exchanging financial data — unlike the chronic "broken" connections endemic to screen scraping," Wetherington said. "APIs also make it easier to recognize and neutralize unauthorized login attempts and other malicious activity, enabling banks and credit unions to minimize fraud and improve their account holders' financial security."

In addition, the platform is integrated directly within the user's digital banking account so users can control their data access from there.

This is part of a broader effort by Jack Henry to help deliver industry standards for open banking in the U.S.

"Jack Henry's integrations support the Financial Data Exchange standard, establishing broader industry alignment around open banking in the U.S.," Wetherington said.

Suckow recommended financial institutions embrace these APIs and work closely with partners "on data strategies that allow for the safe, secure, and controllable data exchange through API frameworks."

Screen scraping is far from the only issue impacting banking security. Some issues are more internal in nature, such as phishing and social engineering attacks.


Bradley Cooper

Bradley Cooper is the editor of ATM Marketplace and was previously the editor of Digital Signage Today. His background is in information technology, advertising, and writing.
