Enabling account access and payments between different platforms is the job of application programming interfaces, the software interfaces that thousands of payments companies rely on. Known as APIs, the technology is vital to the connected payments experience consumers want and companies want to provide. Criminals want access to these APIs too, so much so that they launched more than 16.6 billion attacks against API endpoints, the points at which an API accepts requests, over a recent 23-month period, says Akamai Technologies Inc., a content delivery network operator.
Cambridge, Mass.-based Akamai, in its “Financial Services-Hostile Takeover Attempts” report released Wednesday, found that criminal interest has shifted dramatically toward APIs. In a nearly two-year span, from December 2017 to November 2019, Akamai counted more than 85.4 billion credential-abuse attacks, with 16.6 billion, or nearly 20%, aimed at API endpoints. Of those API attacks, more than 473.5 million targeted financial-services organizations.
Criminal fervor for accessing data held by financial-services companies exists because that’s where the money is, but this data also includes personal information associated with a victim’s financial account, says Steve Ragan, an Akamai security researcher. “Information has value, and can be sold or traded,” Ragan says.
In one instance, a financial firm that Akamai will not identify saw more than 55.1 million malicious login attempts in a 24-hour period on Aug. 7, 2019. The attempts were a credential-stuffing attack, in which username-and-password pairs stolen in other breaches are replayed against a login endpoint in the hope that victims reused them. Akamai says this was the largest spike in targeted credential abuse against financial services since it began tracking the issue. The attacks failed.
If APIs hold such a powerful allure for criminals, how do organizations protect themselves against these attacks? “When criminals are targeting APIs, they’re attempting to bypass defenses and target as many accounts as possible,” Ragan says. “[Multifactor authentication] makes things harder for the criminals, not impossible, but certainly harder.”
Online criminals follow the same calculus as their physical-world counterparts: the time it takes to commit the crime should not outweigh the expected return. “There is a time-based ROI for a lot of criminals,” Ragan says. “If an account doesn’t fall instantly to a username/password combo, they move on to a new account. Only the more dedicated one will attempt password variations or move on to phishing in order to attempt a multifactor authentication bypass.”
Payments companies can take several steps to protect their API connections, he says. Limiting the rate of access and protecting the APIs directly is a start. “Enabling and enforcing strong multifactor authentication processes is another layer of defense,” Ragan says. “In addition, educating consumers about the use of password managers, multifactor authentication tools, and phishing is [another] step.”
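The two defenses Ragan names first, rate limiting and protecting the API endpoint directly, look like this in practice. The Python below is an added example, not Akamai's code or that of any firm in the report: it replays a constructed stream of login attempts, flags the credential-stuffing signature (many attempts, many distinct usernames, almost no successes, so a per-account lockout never fires), and throttles attempts with sliding-window limits keyed on both the source IP and the target username. The IP addresses, usernames, timestamps and thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing detection and rate limiting for an API login endpoint.

Added example (not Akamai's code or any firm's from the report). The
thresholds and the sample traffic below are assumptions chosen to
illustrate the technique.
"""
from collections import defaultdict, deque


def build_sample():
    """Constructed login attempts as (timestamp_s, source_ip, username, success)."""
    attempts = []
    # Credential stuffing: one source walks a leaked list, one try per account.
    # Most pairs fail; a few "hit" because the victim reused a password.
    for i in range(30):
        attempts.append((100 + i, "203.0.113.7", f"user{i:02d}@example.com", i == 17))
    # Classic brute force: one source hammers a single account with many guesses.
    for i in range(15):
        attempts.append((100 + 2 * i, "203.0.113.9", "alice@example.com", False))
    # Legitimate user: a typo, then a successful login.
    attempts.append((105, "198.51.100.20", "bob@example.com", False))
    attempts.append((112, "198.51.100.20", "bob@example.com", True))
    return sorted(attempts)


def detect_stuffing(attempts, window=60, min_attempts=20, min_distinct=10, max_success_ratio=0.1):
    """Flag source IPs whose recent traffic looks like credential stuffing.

    The signature is many attempts spread across many distinct usernames with
    a very low success rate. A per-account lockout never sees this, because
    each account is tried only once or twice.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in attempts:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        recent = deque()
        for row in sorted(rows):
            recent.append(row)
            while recent[0][0] < row[0] - window:  # drop rows older than the window
                recent.popleft()
            n = len(recent)
            distinct = len({u for _, u, _ in recent})
            successes = sum(1 for _, _, ok in recent if ok)
            if n >= min_attempts and distinct >= min_distinct and successes / n <= max_success_ratio:
                flagged[ip] = {"attempts": n, "distinct_users": distinct, "successes": successes}
    return flagged


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and q[0] <= now - self.window:  # evict hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def apply_limits(attempts, ip_limit=10, user_limit=5, window=60):
    """Replay attempts through two limiters and count the outcome per source IP.

    Keying on the source IP throttles a single noisy bot; keying on the target
    username still bites when the attacker spreads the load over a botnet,
    because each account's budget is shared by every source that tries it.
    """
    by_ip = SlidingWindowLimiter(ip_limit, window)
    by_user = SlidingWindowLimiter(user_limit, window)
    outcome = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, user, _ in attempts:
        # The IP check runs first; an attempt it rejects never consumes the
        # username's budget. Blocked attempts never reach the password check.
        if by_ip.allow(ip, ts) and by_user.allow(user, ts):
            outcome[ip]["allowed"] += 1
        else:
            outcome[ip]["blocked"] += 1
    return dict(outcome)


if __name__ == "__main__":
    sample = build_sample()
    print("stuffing sources:", detect_stuffing(sample))
    print("limiter outcome:", apply_limits(sample))
```

On the constructed traffic only the stuffing source is flagged by `detect_stuffing`: the brute-force source targets a single username and the legitimate user makes two attempts. The limiter cuts the stuffing source to its first 10 attempts and the brute-force source to the 5 that the username budget allows, while the legitimate user is untouched. The caveat Ragan hints at applies here too: a per-IP limit is trivially spread across a botnet, which is why the username-keyed limit, and then multifactor authentication on whatever still gets through, matter more than the IP limit alone.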