If you are a crook and you want to break in, you might first try the front door. If you discover the front door is locked, you might try another door or a window. Same is true for hackers.
As companies slowly improve the defenses on their end-user web sites, hackers have discovered that the APIs behind those web sites may not be as well protected.
Akamai runs one of the largest content delivery networks in the world, so they have a lot of data and here are some statistics.
* Between November 2017 and December 2019, about 2 years, Akamai observed over 85 billion “credential stuffing” attack attempts. Credential stuffing refers to taking credentials stolen in a breach of one web site and trying them, by brute force, against other sites. For example, you have 3 billion userid/password combinations stolen from Yahoo. Try them on Facebook or Twitter – all three billion. Then try them on a thousand other sites.
When you do the multiplication between the number of hacked passwords and the number of potential sites, you realize you have hundreds of trillions of combinations.
This means that you need a method to try those hundreds of trillions of combinations without the web site locking the account after a few failed tries.
Enter the API attack. Most of the time, APIs are used by other programs, so sometimes they have fewer security protections.
* Akamai said that they identified over 16 billion attempts to stuff credentials into something that was OBVIOUSLY an API. That means that the 16 billion number is probably low, possibly way low.
It is important to understand that only a small fraction of Internet traffic goes through Akamai, so the 16 billion attack attempts represent a small percentage of the total attack volume.
* Then Akamai looked at which of those attacks went after financial industry web resources. That number was 475 million. Also probably a low estimate as the financial industry, like everyone else, outsources to a lot of companies and those companies likely serve many industries.
“Security teams need to constantly consider policies, procedures, workflows, and business needs – all the while fighting off attackers that are often well organized and well-funded,” Steve Ragan, Akamai security researcher, said.
While this report focused on the 475 million attacks against financial institution API interfaces, don’t lose track of the rest of the 16 billion attempts – they are dangerous too.
From a business owner’s perspective, this means that you need to make sure that any APIs that you expose are battle ready and have strong detection mechanisms in place to shut down attackers before the attackers are successful.
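The reason the per-account lockout described earlier does not stop this traffic, and one detection approach that does see it, as an added example that is not part of the original post or of Akamai's tooling. Each stolen credential pair is tried once against a different account, so no single account accumulates enough failures to lock; the signal is instead the breadth of accounts failing from one source in a short window. The log format, field names and thresholds below are assumptions chosen for the illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API authentication log (not from the original page).
# Fields: timestamp, source IP, username, result.
# 203.0.113.5 tries one stolen pair per account; 198.51.100.7 is a normal
# user who mistyped a password once.
SAMPLE_LOG = """\
2019-12-01T10:00:00 203.0.113.5 alice FAIL
2019-12-01T10:00:01 203.0.113.5 bob FAIL
2019-12-01T10:00:02 203.0.113.5 carol FAIL
2019-12-01T10:00:03 203.0.113.5 dave FAIL
2019-12-01T10:00:04 203.0.113.5 erin FAIL
2019-12-01T10:00:05 203.0.113.5 frank OK
2019-12-01T10:00:06 198.51.100.7 alice FAIL
2019-12-01T10:00:09 198.51.100.7 alice OK
2019-12-01T10:05:00 203.0.113.5 grace FAIL
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def per_account_failures(events):
    """What a classic account-lockout counter sees: failures per username.
    In the sample no account exceeds 2, so a lockout at 3 or 5 never fires."""
    counts = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            counts[user] += 1
    return dict(counts)


def detect_credential_stuffing(events, window=timedelta(minutes=1),
                               min_distinct_users=5):
    """Flag source IPs whose failed logins spread across at least
    min_distinct_users distinct accounts within any sliding window.
    Returns {ip: largest number of distinct failing accounts in one window}."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in per_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {user for _, user in fails[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account failures:", per_account_failures(evs))
    print("sources flagged for stuffing:", detect_credential_stuffing(evs))
```

Running this prints that no account has more than two failures while 203.0.113.5 is flagged for five distinct failing accounts inside one minute. In production the same per-source logic would also be keyed on API token, device fingerprint or ASN, since attackers spread requests across many addresses, and the response should be throttling or step-up challenges on the API endpoint rather than locking the victim accounts.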