If you’re API and you know it, block aggregators

I bumped into a real API marketplace the other day.

Just what I've been looking for ...

... but not sure why they're opening physical stores pic.twitter.com/NaUUiyQ4lK

— Chris Skinner (@Chris_Skinner) February 17, 2020

It gained a few nice comments like:

“So people could stock up on spaghetti code and sandbox toys” from Alex Kuznetsov; and

“It doesn’t actually stock anything. Just lets you connect to other stores more easily to get what you need” from Ron Miller

Regardless of the humour, APIs are in vogue and in controversy after JPMorgan Chase made a decision that third parties can now only access customer data via APIs.

JPMorgan sets July deadline for fintechs to sign new data access deals via APIs, not passwords https://t.co/cGZLviDLr3

— Chris Skinner (@Chris_Skinner) February 16, 2020

The decision is an interesting one, as it’s in keeping with the idea of Open Banking as per the UK and EU approach. In particular, Europe resisted the idea of the Yodlee aggregator view of the world, where customers give their passwords to third parties. America allowed this, and screen scraping cut and paste, but the security of such access has always been questionable for many.

Therefore, it does not surprise me that a major bank like JPMC is setting a deadline for moving away from screen scraping to APIs. According to Reuters, third party payments providers (TPPs) must sign a deal with the bank by July 30 committing to API access, and dropping password access, if they want to continue providing services to JPMC’s clients.

It does not mean the customer has to drop aggregators who use password access by July 30. Just that their providers must commit to transition across by that date.

“We’ve been working on this with aggregators and fintechs since 2016 because our secure API is the best way to help our customers make smart money decisions more easily and safely,” Paul LaRusso, managing director of digital platforms at Chase, said in a written statement to Reuters. “Customers can still use their favourite apps and websites while these companies migrate to our API.”

Interestingly, a few folks are making a big deal out of this.

FinTech Futures spoke to Canadian start-up Cinchy, which is trying to eliminate the replication of data in banks. CEO Dan DeMers says “even APIs create a spaghetti infrastructure” which is susceptible to security breaches because the technology still has to replicate data like the bank’s siloed, legacy systems.

He may have a point as, over the last two years, there has been a dramatic shift in the number of cyber-criminals targeting APIs in an effort to bypass security controls, according to the new State of the Internet report that Akamai released today. Akamai’s report observed an astonishing 85 billion credential abuse attacks in the two-year period from December 2017 to November 2019. A significant proportion of these attacks were against hostnames clearly identified as API endpoints, which totaled over 16 billion hacking attempts.

The report indicates that APIs are being used primarily as a weapon against the financial services industry, with almost 500 million attacks targeting financial organisations. In addition, the attacks against the finance sector in this two-year period were not exclusively API focused; Akamai recorded the single largest credential stuffing attack against a financial services firm in the company’s history, consisting of over 55 million malicious login attempts.

The solution?

According to Cinchy it is to use a networked approach, where all data is available to all without replication.

Interesting idea, but probably resisted by many today. A bit like the idea of using cloud a decade ago, the idea of networked data rather than replicated data is a difficult cultural barrier to overcome. Longer-term maybe Cinchy’s idea will work … but today, this is a tough sale.