Businesses depend on application programming interfaces (APIs) to ensure information flows smoothly between internal programs and software and third-party services. The technology’s significance cannot be ignored, as a 2018 survey found that each company manages an average of 363 APIs. These solutions can spare departments from creating multiple data copies for different teams, an often time-consuming process that adds room for error, and instead can enable departments to seamlessly connect with a single information repository.
Companies also leverage APIs to connect to third parties, either to call up information or allow these entities to use their data. Banking APIs help accounting software providers’ customers access bank account information within accounting programs rather than juggle multiple platforms and manually fill in financial details, for example. Many of today’s firms depend on APIs they offer, consume or rely on to power services they use.
Firms’ API safeguarding methods are not always up to snuff, though, and many businesses are uncertain of how their API strategies can expose them to vulnerabilities. A 2018 survey found that 50 percent of IT professionals labeled security among the most-pressing issues affecting their API strategies, and API-related services are expected to become those hackers most frequently attack by 2022.
Weaknesses in the technology’s handling have already resulted in major abuses, too. A computer science student reported using an API from peer-to-peer (P2P) mobile payments service Venmo to download — without users’ permission — the details of approximately 7 million transactions over six months in 2018, for example. The incident occurred despite the platform’s efforts to limit how frequently users could tap into the API to “call up” or summon information.
Businesses’ widespread API use makes the technology a lucrative target for cybercriminals, but firms cannot afford to miss out on their advantages and thus must effectively safeguard them. This month’s Deep Dive examines how APIs can be exploited and how companies can combat attacks.
Oversight And Authentication
Each API an organization leverages gives hackers a new opportunity through which to exploit or infiltrate its network and systems — unless that API is properly secured. Many companies have little oversight into their API strategies and fail to track the offerings they use or provide to third parties, however. Fifty-one percent of respondents in a 2018 study reported lacking confidence that they were aware of all APIs their companies provided, and almost 50 percent of surveyed IT professionals stated that they were uncertain they could tell if their APIs were being improperly used.
Companies, therefore, must work to identify and track APIs’ use and secure them against key threats. They also need to ensure that only authorized entities can access their APIs, as the technologies can provide data that fuels fraud. Social media networks’ APIs could collect users’ contact information for scammers’ targeted phishing campaigns, for example. Companies that offer APIs must have authentication measures in place — such as those requiring legitimate users’ to present credentials, or “API keys” — before granting access to them.
Hackers may try to use brute force to beat authentication measures, automatically plugging different credentials into logins until they are granted access. Some API systems attempt to thwart credential stuffing by ensuring users can send only a certain number of requests at a time, but bad actors fly under the radar by staying just below these limits or switching IP addresses. Others gain system access by intercepting and viewing messages with API keys or using phishing attacks to trick legitimate users into connecting with hackers’ systems, enabling fraudsters to acquire those keys.
Businesses can combat authorization issues by regularly changing their API keys and tightly encrypting messages via secure socket layer (SSL) and transport security layer (TSL) protocols, which can also make it harder for fraudsters to intercept communications and steal credentials. Organizations can rely on additional details — such as confirming that IP addresses and devices are those customers would be expected to use — to verify legitimate users. Such defense strategies can help businesses protect APIs from fraudsters, but authorization abuses are not the only tactics of which companies must be aware.
Defending Against DDoS Attacks
Many organizations also worry about DDoS attacks leveraged using APIs, with a 2017 survey finding that 39.2 percent of U.S. IT managers and security specialist respondents said DDoS and bot attacks were their top API security worries. These attacks involve bad actors overwhelming systems with high request volumes, often sent from many users. Systems that restrict how often users can call APIs can help prevent one bad actor from doing so but may fall short of stopping API requests sent from various sources.
Companies can track how their APIs are used and spot problematic behaviors that indicate foul play. Machine learning (ML)-based systems are capable of examining high API traffic levels that would be too much for human specialists to monitor, and can thus analyze API users’ behaviors to better identify fraud.
APIs are critical to businesses’ successes, streamlining internal data flows and enabling them to more easily integrate with third-party services. Such features and conveniences should not compromise security, however, meaning organizations competing in API-driven business environments must be ready to fight authentication abuses, DDoS attacks, hackers and more. Getting ahead of the competition requires adopting both advanced capabilities and robust, ever-evolving safeguards.