APIs are a double-edged sword: the ease of use and flexibility they bring developers also serve the attacker community, making it easier to launch automated attacks such as account takeovers, credential stuffing, fake account creation and content scraping. The trend towards APIs as an attack vector of choice is validated by Gartner, which states that by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs than in the UI, up from 40% in 2019 [1]. Customer examples of API-based attacks are shown below.
Account Takeover and Financial Fraud
An example of an API-based attack against a financial services mobile application is shown in the image below. Bad actors decompiled the mobile application to (1) discover the account login APIs. An automated attack was then executed against the login API (2) and, if successful, the bad actors attempted to commit financial fraud by transferring funds (3) across the Open Funds Transfer (OFX) API.
Image 1: Bad actors use mobile APIs as a means of automating account takeovers and if successful, commit fraud or theft.
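As an added illustration (not code from the original post or its vendor), the following detection pass runs over constructed API access log lines and flags the two observable stages of the flow above: a source trying many distinct accounts against the login API with a high failure rate (step 2), and an OFX transfer shortly after one of those logins succeeds (step 3). The log format, endpoint paths and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample API access log (not real data): time, source IP, method, path, account, result.
LOG_LINES = """\
2024-01-10T09:00:01Z 198.51.100.7 POST /api/login acct=alice result=fail
2024-01-10T09:00:02Z 198.51.100.7 POST /api/login acct=bob result=fail
2024-01-10T09:00:02Z 198.51.100.7 POST /api/login acct=carol result=fail
2024-01-10T09:00:03Z 198.51.100.7 POST /api/login acct=dave result=success
2024-01-10T09:00:05Z 198.51.100.7 POST /api/ofx/transfer acct=dave result=success
2024-01-10T09:01:00Z 203.0.113.5 POST /api/login acct=frank result=fail
2024-01-10T09:01:20Z 203.0.113.5 POST /api/login acct=frank result=success
2024-01-10T09:30:00Z 203.0.113.5 POST /api/ofx/transfer acct=frank result=success
"""

def parse(text):
    """Split each log line into an event dict; 'ok' is True for result=success."""
    events = []
    for line in text.splitlines():
        ts, src, _method, path, acct, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                       "path": path, "acct": acct.split("=", 1)[1],
                       "ok": result.split("=", 1)[1] == "success"})
    return events

def stuffing_sources(events, min_accounts=3, min_fail_ratio=0.5):
    """Sources hitting the login API with many distinct accounts and a high failure
    rate: the automated login attack, step (2) of the fraud flow (thresholds assumed)."""
    per_src = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for e in events:
        if e["path"] == "/api/login":
            s = per_src[e["src"]]
            s["accounts"].add(e["acct"]); s["attempts"] += 1; s["fails"] += not e["ok"]
    return {src: s for src, s in per_src.items()
            if len(s["accounts"]) >= min_accounts and s["fails"] / s["attempts"] >= min_fail_ratio}

def transfers_after_stuffing(events, flagged, window_s=60):
    """(source, account) pairs where an OFX transfer follows, within window_s seconds,
    a successful login of that account from a flagged source: step (3), the fraud attempt."""
    logins = [e for e in events if e["path"] == "/api/login" and e["ok"] and e["src"] in flagged]
    hits = []
    for t in events:
        if t["path"] == "/api/ofx/transfer" and any(
                l["acct"] == t["acct"] and 0 <= (t["ts"] - l["ts"]).total_seconds() <= window_s
                for l in logins):
            hits.append((t["src"], t["acct"]))
    return hits

if __name__ == "__main__":
    evs = parse(LOG_LINES)
    flagged = stuffing_sources(evs)
    print("credential-stuffing sources:", sorted(flagged))
    print("transfers after suspicious login:", transfers_after_stuffing(evs, flagged))
```

The second source in the sample, which retries a single account and then transfers half an hour later, is not flagged, which is the point of combining the per-source login pattern with the transfer timing rather than alerting on either alone.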