The Cost of Innovation: Are New APIs Compromising Security?

essidsolutions

Motivated attackers look for the money. To date, most have gone after data that is ultimately sold, or they have engaged in various forms of fraud, such as using stolen credentials to abuse transaction or payment-processing services. Now that APIs connect core business systems to partners, third parties and even customers' business systems, an entirely new level of fraud and abuse is within the grasp of cybercriminals.

Leaving Your Core Systems Exposed

Criminals can manipulate core business systems through business APIs, which today are typically unmonitored and ungoverned. What "exposing core business systems" means deserves definition. Consider a bank that exposes its customers' accounts to fintech providers, an airline reservation system that authorizes access for online travel agents and aggregators, or a payments company that grants thousands of merchants access to process payments for their customers. In each example, a corporation opens its core revenue-generating business services to external partners via a business-to-business API. Abuse of these interfaces is now a significant business problem.

APIs are a vital component of business innovation and a business necessity. They are extensively utilized to gain efficiencies and increase the effectiveness of digital business initiatives. New expectations from partners and customers have created a need for greater visibility, faster responses and easier interaction. This environment has led to the exponential growth in the need to connect systems.


Most companies are willing to provide access to these systems because they are profitable and incorrectly regarded as safe and low-risk. Because access is controlled and typically secured through authentication and the APIs are designed for specific purposes, companies have seemingly ignored the concerns for security and potential abuse.

Failing Logic

The transformation has been staggering in many regards. Connecting core business systems to external systems has exposed what had been typically tightly guarded within company networks through access, segmentation and layers of security protection. Now, business logic and processes are both visible and available for interaction. Through the conduit of business APIs, data can be scraped or exfiltrated, orders can be placed or changed, discounts applied, shipping destinations altered, funds transferred, payments sent, purchases made and a myriad of other operations arranged or changed. Since every business is unique, the possibility for abuse is only limited by the information transferred on the API.

Of course, the implications are not lost on the more sophisticated cybercriminals. Attackers have consistently sought the greatest reward for the least effort. Data breaches still have value, but engaging directly in the theft of more valuable assets, including money, is far more attractive.

Focusing on API Vulnerabilities

Cybercriminals are just starting to discover the value of API abuse and fraud. Most companies are ill-equipped to monitor channels and detect unauthorized activity. Security has been focused on vulnerabilities rather than on what goes on within an API. Addressing vulnerabilities is valuable, but it falls short of what needs to be done given the potential ramifications of abuse, misuse and fraud.

Besides not understanding the core problem, or mistakenly equating vulnerability checking with security, most organizations also have difficulty simply knowing all of their APIs. Most lack a comprehensive way to identify every interface, so it is hard to evaluate them, determine which carry the greatest potential risk and understand how they operate. Once these capabilities are in place, organizations need to monitor what is happening within each API and use behavioral analytics to identify abnormal and malicious actions.


Balancing Innovation with Security

A shift necessary to prepare for the new risk of business misuse and fraud is the understanding that an API can be commandeered for purposes other than its intended use. Cambridge Analytica did exactly this with a Facebook API designed for a specific use, accomplishing its own purposes in what became a headline-making scandal. A company may have an interface to share analytics data or provide status updates. Still, that same interface may provide the means for unauthorized activity, such as manipulating a business process, creating an order, or changing an invoice or pricing. Additionally, access may be given to a fully vetted and trusted business partner, but there is no guarantee that the partner's partner, contractor or rogue employee will not gain access to it for unauthorized use.
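One way to put the "monitor what is happening within each API and use behavioral analytics" step into practice, and to catch the case where a partner integration is commandeered for a purpose it was never onboarded for, is to baseline each client's endpoint usage and compare it against both a known-good window and the purpose declared at onboarding. The following Python is an added illustration, not code from the article or from essidsolutions; the log line format, the client names, the endpoint paths, the `DECLARED_PURPOSE` allow-list and the 3x volume threshold are all constructed for the example.

```python
"""Behavioral baseline for business-API clients (added illustration).

Assumed log line format (constructed for this example):
    <timestamp> <client_id> <METHOD> <path> <status>
Each client is assumed to have a declared purpose: the set of endpoint
families it was onboarded to call.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    ts: str
    client: str
    method: str
    path: str
    status: int


LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse_line(line: str) -> Call:
    """Parse one constructed access-log line; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, method, path, status = m.groups()
    return Call(ts, client, method, path, int(status))


def endpoint_family(method: str, path: str) -> str:
    """Collapse resource ids and query strings: PATCH /v1/orders/8841/price
    and PATCH /v1/orders/17 both become 'PATCH /v1/orders'."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    return f"{method} /" + "/".join(parts[:2])


def build_baseline(calls):
    """Per-client call counts per endpoint family over a window."""
    profile = defaultdict(Counter)
    for c in calls:
        profile[c.client][endpoint_family(c.method, c.path)] += 1
    return profile


def detect_anomalies(baseline, calls, declared, spike_ratio: float = 3.0):
    """Return (client, family, reason) for each family that is outside the
    client's declared purpose, absent from the known-good baseline, or
    called more than spike_ratio times its baseline volume."""
    observed = build_baseline(calls)
    findings = []
    for client, families in observed.items():
        allowed = declared.get(client, set())
        base = baseline.get(client, Counter())
        for fam, n in sorted(families.items()):
            if fam not in allowed:
                findings.append((client, fam, "outside declared purpose"))
            elif fam not in base:
                findings.append((client, fam, "never seen in baseline"))
            elif n > spike_ratio * base[fam]:
                findings.append((client, fam, f"volume {n} vs baseline {base[fam]}"))
    return findings


# Constructed data. Day 1 is the known-good window; on day 2 the analytics
# partner starts changing order prices and the OTA key quadruples its search volume.
DECLARED_PURPOSE = {
    "analytics-partner": {"GET /v1/reports"},
    "ota-aggregator": {"GET /v1/flights", "POST /v1/bookings"},
}
BASELINE_LOG = [
    "2024-05-01T09:00:00Z analytics-partner GET /v1/reports/daily 200",
    "2024-05-01T09:05:00Z analytics-partner GET /v1/reports/weekly 200",
    "2024-05-01T09:10:00Z analytics-partner GET /v1/reports/daily 200",
    "2024-05-01T09:15:00Z analytics-partner GET /v1/reports/daily 200",
] + [
    f"2024-05-01T10:{i:02d}:00Z ota-aggregator GET /v1/flights/search 200" for i in range(5)
] + [
    "2024-05-01T11:00:00Z ota-aggregator POST /v1/bookings 201",
    "2024-05-01T11:30:00Z ota-aggregator POST /v1/bookings 201",
]
OBSERVED_LOG = [
    "2024-05-02T09:00:00Z analytics-partner GET /v1/reports/daily 200",
    "2024-05-02T09:05:00Z analytics-partner GET /v1/reports/daily 200",
    "2024-05-02T09:07:00Z analytics-partner PATCH /v1/orders/8841/price 200",
] + [
    f"2024-05-02T10:{i:02d}:00Z ota-aggregator GET /v1/flights/search 200" for i in range(20)
] + [
    "2024-05-02T11:00:00Z ota-aggregator POST /v1/bookings 201",
]


def run_demo():
    baseline = build_baseline(parse_line(l) for l in BASELINE_LOG)
    return detect_anomalies(baseline, [parse_line(l) for l in OBSERVED_LOG], DECLARED_PURPOSE)


if __name__ == "__main__":
    for client, fam, reason in run_demo():
        print(f"{client:20} {fam:22} {reason}")
```

The declared-purpose check is the one that matters most for the scenario in the text: a partner that was onboarded to read reports has no baseline for `PATCH /v1/orders` either, but the allow-list flags it even on the very first call, before any statistical baseline exists. In a real deployment the baseline window would come from an API gateway's access logs and the allow-list from the onboarding record for each client key.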

APIs turn businesses inside out by design. Driven by the competitive necessity of digital business, companies embrace this new connectedness and visibility while also taking on additional risk. Now they must evolve their security for these new realities.

Should competitive necessity override security requirements when it comes to APIs? Share with us on LinkedIn, Twitter, or Facebook. We'd love to get your take on this!
