Feb 28, 2020

Attacks on APIs are accelerating


New data from Akamai, a cybersecurity and cloud service provider, showed that one in every five attempts to gain unauthorized access to user accounts is done through APIs.

That’s a notable shift from more traditional methods that use user-facing login pages, and indicates the growing importance of APIs in modern development—and security.

APIs are targeted more frequently. Between 2018 and 2019, Akamai observed 85.4 billion credential abuse attacks against companies that use its services. Many attacks involved credential stuffing—a brute-force attack using a list of leaked credentials to try to gain access to accounts.

About 20% of those attacks, roughly 16.5 billion, specifically targeted API endpoints.

Why APIs? Getting user information from user-facing apps and web pages can be tedious or cumbersome for malicious actors. APIs, however, return data in a structured and standardized format, making it easy to automate large-scale attacks.

API usage and adoption are growing, too. More companies are building APIs as core parts of their development stacks, potentially opening up new ways to gain unauthorized access to company data.

Financial services are particularly vulnerable. In Europe, the Payment Services Directive (PSD2) requires financial institutions to make their customers’ data accessible through APIs. Combine the value of banking data with the convenience of APIs, and financial institutions become obvious targets. By some estimates, financial services were exposed to a staggering 473 million credential stuffing attacks over the last two years.

What to do? Developers should rate limit authentication attempts in their products. Developers can also make sure that error responses from APIs don’t disclose information about an account—especially whether or not an account actually exists.
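As an added illustration of both recommendations (example code, not from the original post), here is a small Python login handler: it rate limits attempts per client IP and per target account with a sliding window, and returns the same error body for an unknown account as for a wrong password. The user store, salt and limits are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo user store: username -> salted SHA-256 hex digest (not a real system).
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

MAX_ATTEMPTS = 5        # attempts allowed per key within WINDOW_SECONDS
WINDOW_SECONDS = 60.0


class AuthRateLimiter:
    """Sliding-window counter of authentication attempts. Keys are (kind, value)
    tuples so the same limiter can throttle one IP spraying many accounts and
    one account being hammered from many IPs."""

    def __init__(self, limit=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login(limiter, client_ip, username, password, now=None):
    """Returns (status, body). Both the client IP and the target account are
    rate limited before any password check runs, and every failed check maps
    to the same 401 body so the API never reveals whether the account exists."""
    if not (limiter.allow(("ip", client_ip), now) and limiter.allow(("user", username), now)):
        return 429, {"error": "too many attempts, retry later"}
    # Hash the supplied password even for unknown users so the work done is uniform.
    supplied = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = USERS.get(username, "0" * 64)
    if username in USERS and hmac.compare_digest(supplied, stored):
        return 200, {"token": "<session token placeholder>"}
    return 401, {"error": "invalid username or password"}   # identical for bad user and bad password
```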
