Case 9: The Phantom API: Race Against Time to Resolve a Critical Security Issue
You join one of the fastest growing fintech startup companies in India and are part of their short-term personal loans side of the business. Like many companies, this company grew inorganically through mergers and acquisitions. As a result it witnessed many re-orgs in the past and is currently in another round of re-org needing your help.
One day you get a mailer from your banking partner notifying you of changes to its APIs that you are using seeking your urgent action to migrate to the upgraded APIs as the old ones would be sundown anytime due to security issues. In your introspection, you realize your company isn't using that API and notify the bank of the same. But the bank insists that it belongs to us and that funds are getting deducted from the bank account even. You get chills in your spine now upon hearing this as an engineering leader.
How would you go about working your way to identify the threat, what really is happening, and what counter-measures would you take to fix it ASAP. Remember, bad news in growing fintech is good news for vulture media that can cost the reputation of the company you are leading.