Blog

API Security Podcast: How APIs Enable Digital Transformation and Automated Attacks

October 18, 2019 | 2 MIN READ

by Matt Keil

API Security

It’s no secret that APIs are an invaluable tool for application developers who are tasked with doing more with less.

Driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic, organizations are using APIs for many things, including to facilitate interoperation with other applications, reduce development time and extend functionality.

Biggest drivers in your decision to develop/consume APIs

Source: SmartBear State of the API, 2019 Report

Unfortunately, APIs are commonly used for automated attacks against public facing applications, as shown in the Prying-Eye vulnerability attackers. According to Gartner, by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 20191. By targeting the API instead of scripting a form fill, a bad actor can leverage the same benefits of ease of use, efficiency and flexibility that APIs bring to the development community.

An example of an API-based attack against a financial services mobile application is shown in the image below. Bad actors decompiled the mobile application to (1) discover the account login APIs. An automated attack was then executed against the login API (2) and if successful the bad actors attempted to commit financial fraud by transferring funds (3) across the Open Funds Transfer (OFX) API.

API Attack

Bad actors will deconstruct the mobile applications which are heavily reliant on APIs to then launch an automated attack. For example, a financial services customer was able to detect and block an account takeover attack that targeted the mobile application account login. The bad actor, if successful, would then try to transfer funds using the OFX API.

Cequence was able to detect and block this ATO attack using our intelligence-based approach that allows API Spartan to discover all application endpoints – API, web, mobile – protecting them from automated attacks. Our unique approach to detecting and preventing automated attacks eliminates application instrumentation and mobile SDK penalties that may result in application deployment delays, security gaps and user dissatisfaction. An added benefit is consistent protection against all manner of automated attacks – ATO, fake account creation, content scraping and more –  regardless of which application channel is being attacked.

Learn more:

1) Gartner, API Security: What You Need to Do to Protect Your APIs, August 2019

 

Matt Keil

Author

Matt Keil

Director of Product Marketing

Matt Keil focuses on product marketing and content creation. Previously, he spent nearly two decades in enterprise network security, including roles at Palo Alto Networks where he was instrumental in launching the company.

Related Articles