APIs are the tool of choice for developers and the #1 target for malicious use
Today, everything is an app. A Tesla isn't really a car, it's a four-wheeled app. Each of the 142 billion device app downloads, your favorite money management, shopping or fitness app included, is built on application programming interfaces (APIs). The user interface designed to provide an engaging user experience is backed by APIs connecting to compute resources located elsewhere, whether in the cloud, in a data center or both.
Validating that APIs are the developer tool of choice, Cequence Security's latest report on API usage and threats found that 14.4 billion, or roughly 70%, of the 21.1 billion application requests analyzed were API-based. Designed for machine-to-machine interaction, APIs give developers great flexibility, allowing them to build complex functionality in which a single call performs the entire transaction, payload included. Usage patterns that support this finding include increased use of GraphQL for development and more APIs referencing health monitoring services, OpenAPI specifications and sensitive data models.
The same power and flexibility is exploited by attackers, who turn their developer skills to malicious ends. The analysis confirms that APIs are the primary target for malicious use: 80% of the blocked attacks, 1.8 billion in total, were API-based. APIs make sophisticated, hard-to-prevent automated attacks and business logic abuse easier to execute, as evidenced by the increase in account takeovers (ATOs) against login APIs and in content scraping against APIs.
Login APIs targeted by 62% increase in ATOs
During the analysis period from June to December 2021, the data reflects a 95% increase in the use of APIs to facilitate account logins and registrations. This increase in activity is mirrored by a 62% increase in account takeovers (ATOs), one of the most common automated attacks and often the precursor to other types of fraud. Gift card fraud, for example, has become increasingly common across 2021 as a whole, largely due to the pandemic. A successful ATO results in theft of cards or points, fraudulent purchases or resale for profit, costing businesses lost revenue, unhappy and frustrated customers and increased infrastructure costs.
ATOs are also the first step in loan fraud, which has a greater financial impact on organizations and users. In 2021, attackers targeted APIs supporting financial membership enrollment programs whose offers included automatic qualification for low-value loans. Using a combination of API automation and manual effort, attackers launched large-scale ATO attacks and, when successful, applied for the pre-qualified loan, turning the compromised account into financial fraud.
Content scraping against APIs skyrockets 178%
Content scraping is often thought of as benign, but in reality it can be difficult to prevent and can have a huge impact on an organization's bottom line, and it rose a massive 178%. The term is usually equated with web or HTML content, yet the most common types of stolen content, prices, part numbers and product descriptions, are exactly what APIs serve, and that is where the dramatic rise shows up.
APIs are used to call inventory and pricing databases, which makes it easy to use automation to steal the desired content quickly and at scale. The business impact of content scraping includes loss of intellectual property, increased competitive pressure on sales margins and compute resource cost overruns.
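As an added example, not from the Cequence report or its products, here is detection logic for the two abuse patterns described above: the credential-stuffing form of ATO against a login API (many attempts from one source, spread over many distinct usernames, mostly failing) and enumeration of a pricing/catalog API (many distinct, mostly consecutive item ids in a short window). It runs over a constructed sample of gateway-style access events; the paths, IP addresses and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample traffic in a gateway-log-like shape (not real data):
# (timestamp_seconds, source_ip, method, path, status, username_or_None).
def make_sample_events():
    events = []
    # 1. Credential stuffing: one source, 30 login attempts, a different
    #    username every time, mostly 401s with two "hits".
    for i in range(30):
        status = 200 if i in (7, 23) else 401
        events.append((i, "203.0.113.7", "POST", "/api/v1/login", status,
                       f"user{i:03d}@example.com"))
    # 2. Legitimate user: one typo, then success, same username both times.
    events.append((5, "198.51.100.20", "POST", "/api/v1/login", 401, "alice@example.com"))
    events.append((9, "198.51.100.20", "POST", "/api/v1/login", 200, "alice@example.com"))
    # 3. Scraper: walks product ids in order, 120 items in 40 seconds, never logs in.
    for i in range(120):
        events.append((100 + i // 3, "192.0.2.55", "GET",
                       f"/api/v1/products/{1000 + i}", 200, None))
    # 4. Shopper: a handful of products over ten minutes, one repeat view.
    for n, pid in enumerate([1042, 1017, 1042, 1099, 1003]):
        events.append((100 + n * 120, "198.51.100.20", "GET",
                       f"/api/v1/products/{pid}", 200, "alice@example.com"))
    return events

LOGIN_PATH = "/api/v1/login"                      # assumed login endpoint
PRODUCT_RE = re.compile(r"^/api/v1/products/(\d+)$")  # assumed catalog endpoint

def detect_ato(events, min_attempts=20, min_distinct_users=10, min_failure_rate=0.8):
    """Per source IP on the login API: many attempts, spread over many distinct
    usernames, with a high failure rate is the credential-stuffing shape of ATO.
    A real user retrying a mistyped password fails the distinct-username test."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for _ts, src, method, path, status, user in events:
        if method != "POST" or path != LOGIN_PATH:
            continue
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if status == 401:
            s["failures"] += 1
    findings = {}
    for src, s in stats.items():
        failure_rate = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and failure_rate >= min_failure_rate):
            findings[src] = {"attempts": s["attempts"],
                             "distinct_users": len(s["users"]),
                             "failure_rate": round(failure_rate, 2)}
    return findings

def detect_scraping(events, window_seconds=60, min_distinct_items=50,
                    min_sequential_ratio=0.8):
    """Per source IP on the catalog API: many distinct item ids inside one short
    window, mostly consecutive, is enumeration rather than browsing."""
    per_src = defaultdict(list)   # src -> [(ts, item_id)]
    for ts, src, method, path, _status, _user in events:
        m = PRODUCT_RE.match(path)
        if method == "GET" and m:
            per_src[src].append((ts, int(m.group(1))))
    findings = {}
    for src, hits in per_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):   # sliding window over time
            while hits[end][0] - hits[start][0] > window_seconds:
                start += 1
            best = max(best, len({pid for _, pid in hits[start:end + 1]}))
        ids = [pid for _, pid in hits]
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        seq_ratio = sequential / max(len(ids) - 1, 1)
        if best >= min_distinct_items and seq_ratio >= min_sequential_ratio:
            findings[src] = {"distinct_in_window": best,
                             "sequential_ratio": round(seq_ratio, 2)}
    return findings

if __name__ == "__main__":
    ev = make_sample_events()
    print("ATO suspects:", detect_ato(ev))
    print("scraping suspects:", detect_scraping(ev))
```

Both rules key on the source IP, which is the first thing a stuffing or scraping tool evades by rotating through proxies; in production the same counters should also be aggregated by client fingerprint, token or ASN, and the distinct-item test should be allowed to fire on its own, since a scraper that randomizes id order defeats the sequential check but not the volume check.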
API at Risk: System Health, Sensitive Data, and Internal API Exposure
Looking at the data from a developer-centric perspective, the analysis shows growth in the use of newer tools such as GraphQL and in the adoption of OpenAPI specifications, both of which can accelerate API delivery while making APIs more securely and consistently coded. On the other hand, the analysis also showed a dramatic increase in APIs that use, or may expose, too much data, introducing potential security risks.
- OpenAPI/Swagger and GraphQL on the rise. APIs referencing OpenAPI or Swagger specifications jumped 352%, signaling an increase in adoption that can lead to better and more secure APIs. However, when public access to the specification itself is not controlled, it hands attackers a blueprint of every endpoint, parameter and data model, in effect a map for an API attack. GraphQL, a fast-growing development technology that offers speed and flexibility, saw usage increase 133% over the six-month period. Too often, new technology adopted too quickly introduces security risks.
- APIs and data exposure risks are skyrocketing. Health monitoring APIs, used much like a blood test to uncover system issues, soared 941%. When they are coded without following the best practice of returning minimal information, the system details they expose give attackers reconnaissance for malicious purposes. Use of APIs that carry sensitive data such as payment or personal identification information jumped 87%, underscoring the continued need for security and privacy during API development. Public APIs tied to internal or non-production applications increased 46%, a reminder that organizations must treat every API as if it were publicly reachable in order to avoid unintended API exposure.
3 Steps to Complete API Security
Comprehensive API security requires a prevention-focused approach that combines complete API visibility, runtime risk assessment and remediation, and native inline attack prevention.
- Step 1: API discovery and inventory tracking. You can't protect what you can't see. Integration with any element of your API management infrastructure, using inline or out-of-band data collection, ensures that all APIs are found, tracked, categorized and assigned to an owner.
- Step 2: API risk assessment and remediation. Acting as a final security check, predefined or custom risk assessment rules help discover and remediate APIs that use weak authentication, expose sensitive data, return verbose or non-compliant error messages, or deviate from their published specifications.
- Step 3: Native inline protection against attacks and exploits. Even a perfectly coded API can be attacked, reinforcing the need to analyze and prevent attacks in real time, using predefined and customizable policies with response options that include log, block, rate limit, geofence, header injection, or application-configured or API-configured deception.
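As an added example, not Cequence's code, the following shows the kind of rules Steps 1 and 2 describe, applied to the risks listed in the previous section: it walks a constructed OpenAPI 3 document and flags operations with no security requirement, responses that carry sensitive fields, health or other endpoints that return infrastructure detail, and paths that look internal or non-production, then compares the documented operations against a constructed list of endpoints observed in traffic to surface undocumented (shadow) APIs. The spec, the observed list, the field-name lists and the path pattern are all assumptions for the illustration; Step 3, inline blocking, is a runtime concern and is not shown.

```python
import re

HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
# Assumed policy lists: field names whose presence in a response is a finding.
SENSITIVE_FIELDS = {"ssn", "card_number", "cvv", "password", "date_of_birth", "email"}
INFRA_FIELDS = {"hostname", "db_dsn", "internal_ip", "stack_trace", "version"}
# Assumed path segments that suggest an internal or non-production application.
INTERNAL_PATH_RE = re.compile(r"/(internal|debug|admin|staging|dev)(/|$)")

def obj(*names):
    """Inline object schema with string properties (keeps the sample spec short)."""
    return {"type": "object", "properties": {n: {"type": "string"} for n in names}}

def json_ok(*names):
    return {"200": {"description": "OK",
                    "content": {"application/json": {"schema": obj(*names)}}}}

# Constructed OpenAPI 3 document (not a real service).
SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],                     # document-level default
    "paths": {
        "/api/v1/login":         {"post": {"security": [], "responses": json_ok("token")}},
        "/api/v1/users/{id}":    {"get": {"responses": json_ok("id", "email", "ssn")}},
        "/api/v1/products/{id}": {"get": {"security": [], "responses": json_ok("sku", "price")}},
        "/internal/health":      {"get": {"security": [],
                                          "responses": json_ok("status", "hostname",
                                                               "db_dsn", "version")}},
    },
}
# Constructed "METHOD path-template" list as an inline or out-of-band collector would report it.
OBSERVED = ["POST /api/v1/login", "GET /api/v1/users/{id}", "GET /api/v1/products/{id}",
            "GET /internal/health", "GET /api/v2/users/{id}/export", "GET /debug/vars"]
# Operations that are anonymous by design; anything else without security is a finding.
ALLOW_ANONYMOUS = {"POST /api/v1/login"}

def schema_fields(schema):
    """Yield property names anywhere inside an inline JSON schema (objects and arrays)."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        yield name
        yield from schema_fields(sub)
    if "items" in schema:
        yield from schema_fields(schema["items"])

def response_fields(op):
    """All property names an operation can return, across status codes and media types."""
    names = set()
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            names.update(schema_fields(media.get("schema", {})))
    return names

def assess(spec, observed, allow_anonymous=frozenset()):
    """Return (endpoint, rule, detail) findings for a spec plus the endpoints seen in traffic."""
    findings, documented = [], set()
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.upper() not in HTTP_METHODS:
                continue            # skip path-level "parameters", "summary", etc.
            ep = f"{method.upper()} {path}"
            documented.add(ep)
            # Operation-level "security" overrides the document default; [] means none.
            if not op.get("security", spec.get("security", [])) and ep not in allow_anonymous:
                findings.append((ep, "unauthenticated", "no security requirement applies"))
            fields = response_fields(op)
            if fields & SENSITIVE_FIELDS:
                findings.append((ep, "sensitive_data", ", ".join(sorted(fields & SENSITIVE_FIELDS))))
            if fields & INFRA_FIELDS:
                findings.append((ep, "verbose_health", ", ".join(sorted(fields & INFRA_FIELDS))))
            if INTERNAL_PATH_RE.search(path):
                findings.append((ep, "internal_exposure",
                                 "path suggests an internal or non-production application"))
    for ep in observed:
        if ep not in documented:
            findings.append((ep, "undocumented",
                             "seen in traffic but absent from the published specification"))
    return findings

if __name__ == "__main__":
    for ep, rule, detail in assess(SPEC, OBSERVED, ALLOW_ANONYMOUS):
        print(f"{rule:18} {ep:32} {detail}")
```

The undocumented rule is the inventory half: an endpoint that only shows up in traffic has no owner, no spec to diff against and no risk rules applied to it, which is the unintended-exposure case from the previous section. The spec-based rules only see inline schemas; a real checker has to resolve `$ref` entries first, and the verbose-error rule from Step 2 needs observed response bodies rather than the spec, since a specification rarely admits that its 500 responses include a stack trace.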
The post New API Research Shows 62% Growth in ATOs Targeting Login APIs appeared first on Cequence.
*** This is a syndicated blog from Cequence’s Security Bloggers Network written by Jason Kent. Read the original post at: https://www.cequence.ai/blog/new-api-research-shows-62-growth-in-atos-targeting-login-apis/