We're Hiring!

Bank Account Aggregation Apps - Setting Boundaries

Account security concept; Credit cards with padlock

In the world of banking, security has always been important and the recent breach at Tesco Bank is a timely reminder. With an increased appetite for regulation in the banking sector and in the realms of data protection it is becoming ever more important for responsible companies to take action to tighten up their defences against the constant threat of data theft and fraud. Regulation is becoming a powerful lever to encourage banks to have robust mechanisms in place to protect their customers. The EU's General Data Protection Regulation (GDPR) raises the possibility of heavy fines if you fail to take steps.

Two growth areas in the world of banking are account aggregation and budgeting apps. They provide customers with the convenient ability to view all of their accounts and payments in one place. Unsurprisingly, banks are reluctant to endorse these apps because they spread the login credentials of their customers and increase the chance of data breaches. They also reduce the ability of the banks to advertise complimentary products within their own apps and websites and if the aggregators are badly behaved they can noticeably increase load on the bank's servers.

Aggregation apps often work by reverse engineering the API of the customer's bank and using the same credentials as the real customer to access the API and retrieve the account details. They are normally set up to allow read-only access to an account, but the credentials are the same, so any breach of customer data can expose their account to unauthorised access and theft.

What can banks do to protect themselves from this type of API Abuse? The customer login details provide user authentication, so the bank can tell who is attempting to access the API and block unauthorised access, but in this case the app has been given a valid login. So the important question here is not who is accessing the banking API, but what?

One method of simple app authentication is to use a key to secure the connection to the API. Anything which has the key is identified as being a valid user. This mechanism typically involves embedding the key in the genuine app. Unfortunately it is often far too easy to extract the key.

For financial apps and organisations who are security and reputation conscious it is important to use the most up to date and comprehensive solutions to protect themselves and their customers. Approov provides a means for a bank to securely identify the mobile software trying to gain access to their API. They can block traffic which has not come from their official banking app and thereby prevent aggregation apps from accessing any customer information, even if they have the customer login details. Even if a bank is willing or regulation enforces that third parties can connect to the API, banks still want to be able to monitor and control access. Approov enables this by using our proprietary technology to perform analysis of the app code itself, ensuring that only authorised software can access the protected API.

By providing a mechanism to identify what is being used to retrieve information from the API, we give banks a whole new ability to identify unofficial sources of traffic. This is a valuable tool in the fight against fraud. It also provides a potential opportunity to help secure APIs in the brave new world of PSD2 where banks operating in the EU will be required to open their APIs to third parties. There are still challenges in the realm of more traditional web scraping attacks, but with the rise of mobile first and mobile only offerings, there must be a strong focus on protecting the mobile channel.

The financial sector has a regulatory responsibility to take customer security very seriously. By using Approov they have an opportunity to gain control of third party access to their APIs and enhance their API security. To us, it seems like a natural fit.


Richard Taylor

- CTO and Co-Founder at Approov Ltd
Chief Technical Officer with more than 30 years of industry experience. Background in compiler optimization and processor architecture, working more recently in application security and cloud computing technologies. Richard Co-Founded and is CTO of Approov Mobile Security (previously Critical Blue Ltd) and has led a number of innovative product developments in the area of EDA, software optimization and remote software attestation.