Smart retailers are checking their cybersecurity lists twice to be sure they’re protecting the biggest attack vector of the season: the APIs that allow consumer apps to communicate with their e-commerce sites. What’s at risk and how can you protect yourself?
This holiday season, more than half of U.S. consumers (57%) are expected to purchase gifts online to the collective tune of $235.86 billion. For retailers, that would put receipts at a welcome 15.5% higher than those in 2021. But sellers should also keep in mind that as digital sales increase, so does the opportunity for cyber mischief and risk.
Businesses everywhere have been buckling down to defend against high-profile ransomware attacks. As they move forward with immutable data backups and other countermeasures, they’re advised not to take their eye off other types of threats.
“Ransomware protection is critical. But it also serves as a distraction that could open other doors to hackers,” warns Filip Verloy, technical evangelist, EMEA, at Noname Security. As businesses focus their attention on the threat du jour, he explains, hackers are apt to seek less visible attack vectors to exploit.
One growing target, for example, are the application programming interfaces (APIs) that allow consumer apps and e-commerce transaction systems to intercommunicate. APIs can expose valuable data that hackers are highly motivated to steal and sell, he says. “But APIs, their risks, and how to protect them aren’t yet well understood by many organizations.”
APIs are the glue that interconnects the back-end components of the world’s expanding digital business ecosystem. Verloy estimates that about 80% of APIs in use in web commerce are so-called RESTful APIs, designed specifically for open communications and interoperability across the Internet.
They consist of open software and protocols that allow consumer applications to interact with millions of web-based e-commerce transaction systems and make it possible for different businesses’ systems, such as those of supply chain partners, to communicate with one another.
Shoppers using an app on their phone or computer to make holiday purchases at Amazon, Walmart, Apple, eBay, and countless other retail sites interact with many different APIs behind the scenes. They’re blissfully unaware of the complexities of the inter-system communication that lets them check product availability, compare pricing, complete a transaction, receive a confirmation, get tracking alerts, and so forth. In this way, APIs are invaluable for creating simpler, faster experiences for users across the Internet, says Verloy.
When implemented securely, APIs play a huge role in customer satisfaction and innovation, he adds. He points to Nike, for example, which allows online shoppers to customize materials, color, laces, soles, and even placement of the Nike swoosh logo before making a sneaker purchase. Enabling such personalized services requires a variety of APIs to exchange details with ordering and inventory systems beyond those used by standard web applications.
But that also means those APIs need to have strong authentication, properly configured across their many entry points.
APIs’ openness, necessary for interoperable web commerce, means that they’re well-understood by many people. That includes bad actors on the prowl for system vulnerabilities they can exploit to steal or ransom valuable data.
It’s a growing attack vector. A study 451 Research conducted in July for Noname Security’s 2022 API Security Trends Report showed that the number of APls in use had grown 201% over the past 12 months. In addition, 41% of respondents reported having experienced an API security incident, 63% of which involved a data breach and or data loss. In fact, Gartner has suggested that APIs will become the most frequent attack vector this year and that API abuses and related data breaches will nearly double by 2024.
Retailers typically have between 15 to 20 publicly published third-party APIs, and “these are the ones that typically get attacked, usually because they lack strong authentication and access controls,” explains Verloy. An API has a lot of entry points, and customer credentials should be continually validated every time the user performs a different task, he advises.
“Each functionality in the API—account details, ordering history, inventory queries, discount status—is a different entry point,” Verloy explains. If customer authentication doesn’t occur at every point, the API is vulnerable. For example, by compromising the API at the point where a customer checks his discount status, a hacker could gain access to the customer’s discount code and use it for his own purchases.
One contributing factor to API vulnerability, he says, is that different development groups work on back-end applications and front-end user interfaces. Sometimes back-end programmers leave it up to their front-end counterparts to handle API security—though the interface developers might not realize it—creating a security gap.
The most recent Top 10 API vulnerabilities list from the Open Web Application Security Project (OWASP) identifies broken access control, with incorrect or incomplete authentication mechanisms, as the leading API exposure. Case in point: in September, Australian telco Optus put an API online that did not need authorization or authentication to access customer data, which resulted in the compromise of 10 million customer accounts. Nearly 3 million reportedly had crucial identity documents, such as passports, accessed.
Last year, a security researcher was able to access the API of Peloton (which at the time counted U.S. President Joe Biden among its 3 million customers) and glean customer information without authentication. Once alerted, Peloton restricted information requests to valid Peloton accounts; however, anyone prepared to pay for a monthly Peloton subscription could access the data.
“Not only could that result in a breach of internal data. It also put customer PII [personally identifiable information] at risk,” Verloy says.
He referenced a couple of misconfigurations found last year in farm equipment maker John Deere’s APIs that “let you query the longitude and latitude of very expensive equipment. If someone wanted to steal a tractor, they could exploit this information to physically track one down and take it.”
Locking down API authentication and access control is mandatory, but it isn’t about requiring customers to do anything additional for security purposes, Verloy explains.
“Consumers using web applications don’t know or need to know about API workings,” he says. “A normal user would never directly interact with native API unless there was malicious intent. It’s really the responsibility of the business to make sure the API is secure.”
Verloy recommends 6 primary best practices for battening down API security:
Web APIs must be publicly available to perform their essential job of enabling the connectivity that makes digital commerce possible around the globe. But without the proper security attention, they can create a path of least resistance for ambitious bad actors, who can steal the data they expose. Unauthenticated APIs might also allow hackers to piggyback on them for access to stored data where they could mount a dreaded ransomware attack.
As the holiday season kicks into high gear with potentially record digital revenues, retailers should enjoy the fruits of their labor but be “appropriately worried” about API security holes, says Verloy. “Owners of e-commerce sites should worry more than others, because they’re most profitable for hackers,” he says.