Beware of OpenAI and ChatGPT-4 Turbo in Financial Services Organizations’ Growing API Attack Surface

By Doug Dooley

[By Doug Dooley, COO, Data Theorem]

The rise of OpenAI and new changes with ChatGPT-4 Turbo will help to revolutionize the way financial services organizations take advantage of their data, enabling them to scale their analysis rapidly and stay agile in a fast-paced digital environment. However, the number of enterprise Application Programming Interfaces (APIs) to connect and share data with GenAI system like OpenAI has also brought new risks and vulnerabilities to the forefront. With every new API integration that OpenAI gets access to, the attack surface of a financial organization grows, creating new opportunities for attackers to exploit vulnerabilities and gain access to sensitive customer and financial data.

APIs have become the backbone of modern digital ecosystems, allowing financial organizations to streamline operations, automate processes, and provide seamless user experiences. They are the data transporters for all cloud-based applications and services. APIs act as intermediaries between applications, enabling them to communicate with each other and exchange data. They also provide access to critical services and functionality in your cloud-based applications. If an attacker gains access to your APIs, they can easily bypass security measures and gain access to your cloud-based applications, which can result in data breaches, financial losses, compliance violations, and reputational damage. For hackers looking to have the best return on investment (ROI) of their time and energy for exploiting and exfiltrating data, APIs are one of the best targets available today.

It’s clear these same APIs that enable innovation, revenue, and profits also create new avenues for attackers to achieve successful data breaches for their own gains. As the number of APIs in use grows, so does the attack surface of a financial organization. According to an industry study by Enterprise Strategy Group (ESG) titled “Securing the API Attack Surface”, the majority (75%) of organizations typically change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the dynamic nature of API attack surfaces.

API security is critical because APIs are often the important link in the security chain of modern applications. Developers often prioritize speed, features, functionality, and ease of use over security, which can leave APIs vulnerable to attacks. Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in your APIs and gain access to your cloud-based applications. As evidence, the same ESG study also revealed most all (92%) organizations have experienced at least one security incident related to insecure APIs in the past 12 months, while the majority of organizations (57%) have experienced multiple security incidents related to insecure APIs during the past year.

One of the biggest challenges for banks and other financial service organizations is protecting their APIs and proprietary data from OpenAI and other generative AI tools. With ChatGPT 4-Turbo, the technical and cost barriers for experimentation on APIs and data have substantially lowered. Further, the new support for API keys, OAuth 2.0 workflow, and Microsoft Azure Active Directory opens up enterprise data like never before. As a result, the popularity and growth of Enterprise AI assistants enabled by tools such as OpenAI’s Playground and the new “My ChatGPT” creator will invite an onslaught of new users attempting to gain greater insights on proprietary banking data. The intention for nearly all these new Enterprise AI experiments will be to help customers get better financial services and insights, but as the popularity and usage of Enterprise AI continue to surge, financial institutions will find themselves facing a unique dilemma. On one hand, the potential benefits of harnessing AI-powered tools like OpenAI’s Playground for automating tasks, enhancing customer experiences, and increasing their clients’ wealth are enticing. However, this newfound capability also opens the door to unforeseen vulnerabilities, as these AI agents access and interact with sensitive financial APIs and private data sources.

The advent of Enterprise AI assistants introduces a host of security concerns for the financial sector. One immediate concern is the potential for unintended data exposure or leakage as AI systems learn and adapt to their environment. While AI-driven tools aim to streamline processes and improve decision-making, they also have the capacity to inadvertently access or expose critical financial data, likely violating many privacy laws such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and California Consumer Privacy Act (CCPA) to name a few. Financial institutions must carefully monitor and regulate these interactions to prevent unauthorized access or misuse of sensitive information.

Furthermore, financial service companies must grapple with the challenge of securing their APIs against malicious actors who may exploit AI-powered systems for nefarious purposes. The integration of AI agents into financial processes creates an additional attack surface that can be targeted by cybercriminals seeking to breach systems, steal valuable data, or disrupt operations. Robust security measures and continuous monitoring are essential to mitigate these risks and safeguard against potential breaches.

As Enterprise AI assistants become increasingly prevalent within the financial services sector, institutions must strike a delicate balance between harnessing the potential of AI for innovation and ensuring the highest standards of data protection and cybersecurity. A proactive and comprehensive approach to API security, data governance, and AI-assisted decision-making is paramount to navigating these new challenges successfully while maintaining the trust of customers and regulatory bodies.

When it comes to securing APIs and reducing attack surfaces to help protect from ChatGPT threats, Cloud Native Application Protection Platform (CNAPP) is a newer security framework that provides security specifically for cloud-native applications by protecting them against various API attacks threats. CNAPPs do three primary jobs: (1) artifact scanning in pre-production; (2) cloud configuration and posture management scanning; (3) run-time observability and dynamic analysis of applications and APIs, especially in production environments. With CNAPP scanning pre-production and production environments, an inventory list of all APIs and software assets is generated. If the dynamically generated inventory of cloud assets has APIs connected to them, ChatGPT, Open AI, and other AI and ML libraries can be discovered. As a result, CNAPPs help to identify these potentially dangerous libraries connected to Enterprise APIs and help to add layers of protection to prevent them from causing unauthorized exposure from API attack surfaces to protect your organization’s reputation and clients’ private data, and build trust with your customers.

Ultimately, the key to managing the risks posed by expanding API attack surfaces with ChatGPT is to take a proactive approach to API management and security. When it comes to cloud security, CNAPP is well suited for financial organizations with cloud-native applications, microservices, and APIs that require application-level security. API security is a must-have when building out cloud-native applications, and CNAPP offers an effective approach for protecting expanding API attack surfaces, including those caused by ChatGPT.


No posts to display