by lol768 1987 days ago
> With respect I think you're speaking outside the bounds of your knowledge of these systems.

I'm not going to argue with you on this; you're entitled to your opinion :)

> That is just table stakes. Have you ever found any vulns in bank API gateways?

Infosec consultancies find vulnerabilities in the API gateways of retail bank clients, yes. That's one of the things they are paid to do. And yes, I found issues myself in part of the open banking consent flow I was asked to test for a retail bank when I worked for such a consultancy. Such features don't get built without flaws.

The folks who are smart enough to reverse the mobile apps, any crypto used and write their own client get to play with these features in prod after they've been tested (either internally or via a contracted pen-test firm).

> Everything in this thread refers to countermeasures banks employ to keep third parties from leveraging their private mobile API gateways. When I talk about breaking things I'm talking about breaking these countermeasures.

Then we seemingly agree these countermeasures are not effective - which is the point I attempted to express :)

> whereas even bank employees would only know about their employer's systems

I have never been a bank employee so don't personally know, but presumably some of them move between orgs.