APIs: The Soft Underbelly of On-line Banking

Vordel CTO Mark O’Neill has just written a guest blog for the team over at ProgrammableWeb on the spate of recent Distributed Denial of Service (DDoS) attacks on banks in the US. Below are the first few paragraphs.

In recent weeks, there have been a number of highly publicized cyber-attacks on US banks. These attacks take the form of Distributed Denial of Service (DDoS) attacks, involving enormous amounts of traffic being sent to Internet-facing banking services, rendering them unusable.

Much of the press coverage of the DDoS attacks has focused on the fact that the banks’ websites were taken offline by the sheer volume of traffic. It is understandable to focus on the takedown of the banking websites, because that is the most visible aspect of the attacks. Many banking customers, of course, primarily interact with their bank through online banking in their web browser. When the website is down, they can’t check their balances or pay bills. Understandably, this is very frustrating for users, and it causes material loss when a bill is not paid in time as a result.

However, a side-effect of the attacks has been to also render the mobile apps of the affected banks useless. Although users could initiate the mobile banking apps from their phone or tablet, the apps could not “call home” to their banking systems, so they could not connect to any account details, or even log the user in.

The loss of the mobile app functionality was reported as a side-effect of the attacks, along the lines of “…and also, mobile banking apps were affected”. However, the disabling of mobile apps points to a larger issue, which is not being reported.

Like other mobile apps, mobile banking apps use APIs to perform actions and receive data. The DDoS attacks effectively disabled this API access. You can read the rest of the story over at ProgrammableWeb.