Thwarting the Naughty, Protecting the Nice

Smart retailers are checking their cybersecurity lists twice to be sure they’re protecting the biggest attack vector of the season: the APIs that allow consumer apps to communicate with their e-commerce sites. What’s at risk and how can you protect yourself?

This holiday season, more than half of U.S. consumers (57%) are expected to purchase gifts online to the collective tune of $235.86 billion. For retailers, that would put receipts at a welcome 15.5% higher than those in 2021. But sellers should also keep in mind that as digital sales increase, so does the opportunity for cyber mischief and risk.   

Businesses everywhere have been buckling down to defend against high-profile ransomware attacks. As they move forward with immutable data backups and other countermeasures, they’re advised not to take their eye off other types of threats. 

“Ransomware protection is critical. But it also serves as a distraction that could open other doors to hackers,” warns Filip Verloy, technical evangelist, EMEA, at Noname Security. As businesses focus their attention on the threat du jour, he explains, hackers are apt to seek less visible attack vectors to exploit.

One growing target, for example, are the application programming interfaces (APIs) that allow consumer apps and e-commerce transaction systems to intercommunicate. APIs can expose valuable data that hackers are highly motivated to steal and sell, he says. “But APIs, their risks, and how to protect them aren’t yet well understood by many organizations.”

APIs’ Critical Role

APIs are the glue that interconnects the back-end components of the world’s expanding digital business ecosystem. Verloy estimates that about 80% of APIs in use in web commerce are so-called RESTful APIs, designed specifically for open communications and interoperability across the Internet.

They consist of open software and protocols that allow consumer applications to interact with millions of web-based e-commerce transaction systems and make it possible for different businesses’ systems, such as those of supply chain partners, to communicate with one another. 

Shoppers using an app on their phone or computer to make holiday purchases at Amazon, Walmart, Apple, eBay, and countless other retail sites interact with many different APIs behind the scenes. They’re blissfully unaware of the complexities of the inter-system communication that lets them check product availability, compare pricing, complete a transaction, receive a confirmation, get tracking alerts, and so forth. In this way, APIs are invaluable for creating simpler, faster experiences for users across the Internet, says Verloy.

When implemented securely, APIs play a huge role in customer satisfaction and innovation, he adds. He points to Nike, for example, which allows online shoppers to customize materials, color, laces, soles, and even placement of the Nike swoosh logo before making a sneaker purchase. Enabling such personalized services requires a variety of APIs to exchange details with ordering and inventory systems beyond those used by standard web applications. 

But that also means those APIs need to have strong authentication, properly configured across their many entry points.

What’s the Vulnerability?

APIs’ openness, necessary for interoperable web commerce, means that they’re well-understood by many people. That includes bad actors on the prowl for system vulnerabilities they can exploit to steal or ransom valuable data. 

It’s a growing attack vector. A study 451 Research conducted in July for Noname Security’s  2022 API Security Trends Report showed that the number of APls in use had grown 201% over the past 12 months. In addition, 41% of respondents reported having experienced an API security incident, 63% of which involved a data breach and or data loss. In fact, Gartner has suggested that APIs will become the most frequent attack vector this year and that API abuses and related data breaches will nearly double by 2024. 

Such predictions, plus recent high-profile API breaches at companies like Australian telco Optus and home fitness company Peloton are making good API hygiene a priority for digital merchants.

Retailers typically have between 15 to 20 publicly published third-party APIs, and “these are the ones that typically get attacked, usually because they lack strong authentication and access controls,” explains Verloy. An API has a lot of entry points, and customer credentials should be continually validated every time the user performs a different task, he advises. 

“Each functionality in the API—account details, ordering history, inventory queries, discount status—is a different entry point,” Verloy explains. If customer authentication doesn’t occur at every point, the API is vulnerable. For example, by compromising the API at the point where a customer checks his discount status, a hacker could gain access to the customer’s discount code and use it for his own purchases.

One contributing factor to API vulnerability, he says, is that different development groups work on back-end applications and front-end user interfaces. Sometimes back-end programmers leave it up to their front-end counterparts to handle API security—though the interface developers might not realize it—creating a security gap.

APIs Gone Awry

The most recent Top 10 API vulnerabilities list from the Open Web Application Security Project (OWASP) identifies broken access control, with incorrect or incomplete authentication mechanisms, as the leading API exposure. Case in point: in September, Australian telco Optus put an API online that did not need authorization or authentication to access customer data, which resulted in the compromise of 10 million customer accounts. Nearly 3 million reportedly had crucial identity documents, such as passports, accessed.

Last year, a security researcher was able to access the API of Peloton (which at the time counted U.S. President Joe Biden among its 3 million customers) and glean customer information without authentication. Once alerted, Peloton restricted information requests to valid Peloton accounts; however, anyone prepared to pay for a monthly Peloton subscription could access the data. 

“Not only could that result in a breach of internal data. It also put customer PII [personally identifiable information] at risk,” Verloy says.

He referenced a couple of misconfigurations found last year in farm equipment maker John Deere’s APIs that “let you query the longitude and latitude of very expensive equipment. If someone wanted to steal a tractor,  they could exploit this information to physically track one down and take it.”

 API Security Best Practices

Locking down API authentication and access control is mandatory, but it isn’t about requiring customers to do anything additional for security purposes, Verloy explains. 

“Consumers using web applications don’t know or need to know about API workings,” he says. “A normal user would never directly interact with native API unless there was malicious intent. It’s really the responsibility of the business to make sure the API is secure.” 

Verloy recommends 6 primary best practices for battening down API security:

1. Build an inventory of all the APIs you have so you know what to protect. Verloy says businesses are typically unaware of 20% to 30% of their APIs. “Some may have been put in by developers on software components that didn’t move forward, for example, or an API function might be upgraded without removing the API for the previous function,” he explains.
2. Monitor the OWASP Top 10 API vulnerabilities list to stay abreast of the latest exposures and suggested fixes. 
3. Implement strong API security controls. These include authentication/authorization that continually validates users behind the scenes every time they perform a different task. “More often than not, once you’re in you’re in,” says Verloy, which leaves systems vulnerable.
4. Introduce API security early into the development process. “Hackers are looking at development, staging, testing, and QA environments, which tend to be poorly protected, and seeing which are easiest to exploit,” Verloy says. By shifting security testing earlier in the development process, catching and fixing vulnerabilities is not only much easier but also much less expensive than doing it in production after the fact. This article highlights how the cost of remediation in production can be as high as 640x the cost vs remediation while coding.
5. Continuously monitor how people are using your applications. This helps identify exposures that can be rectified before they turn into a breach.
6. Whenever possible, implement AI and machine learning to abstract complexity and integrate tools. Managing cybersecurity manually is becoming impractical, because “there’s so much noise” from endpoint alerts, firewalls, and elsewhere, says Verloy. “It’s like looking for a needle in a haystack.” He adds that there are many security startups and tools that are creating islands of security. He calls for a model “where integration is standard, rather than islands. Islands exacerbate the problem.”

Awareness with a Cup of Cheer

Web APIs must be publicly available to perform their essential job of enabling the connectivity that makes digital commerce possible around the globe. But without the proper security attention, they can create a path of least resistance for ambitious bad actors, who can steal the data they expose. Unauthenticated APIs might also allow hackers to piggyback on them for access to stored data where they could mount a dreaded ransomware attack.

As the holiday season kicks into high gear with potentially record digital revenues, retailers should enjoy the fruits of their labor but be “appropriately worried” about API security holes, says Verloy. “Owners of e-commerce sites should worry more than others, because they’re most profitable for hackers,” he says.