Do the BFSI Sector's Security Measures Need a Relook Post-Breach at ‘Signzy’: Has the BFSI Sector Done Enough to Secure APIs?

Posted on
Cyber Secure India

The recent security incident involving Signzy, a prominent Indian fintech SaaS provider, has once again raised concerns about the security of APIs in the BFSI sector. While the exact details of the breach are still under investigation, it serves as a stark reminder that even companies specializing in security solutions can be vulnerable to attacks.

TechCrunch (https://techcrunch.com/), a digital news agency, citing multiple sources, reported that the Bengaluru-based startup was hit by a cyberattack in the early weeks of November 2024.

Different media houses made efforts to corroborate the news with the Computer Emergency Response Team (CERT-In). CERT-In has reportedly said that it is “in process of taking appropriate action with the concerned authority.” Further, CERT-In has separately acknowledged the report.

One of Signzy’s customers, PayU, has confirmed that it received a written confirmation from the company. Signzy also claims an affiliation with more than 240 financial institutions, including a few of the biggest Indian banks and NBFCs. It is also speculated that Signzy has some collaborative projects with the Reserve Bank of India.

The Fact of the Case

APIs are the backbone of modern banking and financial services. They enable seamless communication between various applications, facilitate online transactions, and drive innovation in the industry. However, APIs also present a significant attack surface for cybercriminals if not adequately secured. It is speculated that the security breach occurred on the API that was designated to handle the ‘Online Identity Verification Service’ and the ‘Customer Onboarding Platform’.

The data lost by Signzy amounts to approximately 700GB and, as claimed by the hacker, includes PAN card details and images of the PAN cards that were collected, images of customer signatures, images and details of Aadhaar, face authentication and video recordings of customers, and multiple JSON. The hacker has already published the data for download for a certain amount, and has also claimed that the data was extracted in November 2024 (from signzy.com) and that one-on-one negotiations with the company did not result in any conclusion, hence the exposure of the data on the dark web.

The Signzy incident highlights some critical questions:

    • Have BFSI institutions prioritized API security as much as other areas of cybersecurity?
    • Are they implementing robust authentication, authorization, and input validation mechanisms to protect their APIs?
    • Are they employing a defense-in-depth approach with multiple layers of security, including firewalls and intrusion detection systems?
    • Are they effectively managing third-party risks associated with APIs?
    • Why did the banks/BFSI institutions/NBFCs trust the third party to store such significant data on their servers?

The unfortunate reality is that many organizations still need to catch up in API security. They may focus on traditional security measures like network security and endpoint protection while overlooking the unique vulnerabilities associated with APIs.

What needs to be done?

    • Prioritize API security: BFSI institutions must treat API security as a top priority and allocate adequate resources for its implementation and maintenance.
    • Implement robust security measures: This includes strong authentication, authorization, input validation, encryption, and regular security assessments.
    • Adopt a defense-in-depth approach: Multiple layers of security, including firewalls, intrusion detection systems, and API gateways with built-in security features, can help mitigate risks.
    • Manage third-party risks: Thoroughly assess the security posture of third-party API providers and ensure they meet stringent security standards.
    • Stay informed about threats: Keep abreast of the latest API security threats and vulnerabilities and proactively update security measures accordingly.

The Signzy incident should serve as a wake-up call for the BFSI sector. API security is not an afterthought; it’s a critical component of a comprehensive cybersecurity strategy. By taking proactive steps to secure their APIs, BFSI institutions can protect their customers’ sensitive data, maintain their reputation, and ensure the continued trust in the digital financial ecosystem.

Moving Forward:

The industry needs to adopt a proactive and collaborative approach to API security. Sharing information about threats, vulnerabilities, and best practices can help strengthen the collective defense against cyberattacks. Regulatory bodies can also play a crucial role by establishing clear API security guidelines and standards for the BFSI sector.

The future of banking and financial services relies heavily on APIs. It’s time for the industry to step up and ensure that these critical components are adequately secured against the evolving threat landscape.
