We're Hiring!

Zero-Trust Alone Proves Inadequate for Securing APIs

Cybersecurity concept; open padlock surrounded by keys

The disclosure of three significant API security incidents in the first two months of 2023 serves as a reminder that, as the use of APIs continue to rise, so too does the number of API related security breaches.

At the beginning of January, T-Mobile US revealed that it was the victim of a cyberattack which resulted in the theft of data relating to approximately 37 million postpaid and prepaid customer accounts. The company said that it had identified unauthorized data access via an Application Programming Interface (API) and was able to trace the malicious activity and stop it within 24 hours. While no payment card information or other financial account information was compromised; the attackers were able to obtain customer information such as name, billing address, email, phone number, date of birth and T-Mobile account numbers.

Just a few weeks later, security researchers reported the discovery of API security flaws in over a dozen car manufacturers. Attackers could remotely control and track vehicles, compromise millions of car manufacturers' and dealers' accounts, gain administrative access to internal systems, and access customer and employee information. Severe API security flaws were discovered in luxurious car manufacturers, including Ferrari, BMW, Rolls Royce, Porsche, and Mercedes-Benz. The incident was so widespread because car manufacturers rushed to implement applications to secure a spot in the smart car industry, leading to nearly identical systems with similar functionality. The discovery suggests that car manufacturers didn’t sufficiently pentest their applications before release.

In February 2023, Trustwave reported that the ‘Money Lover’ finance app had been leaking user transactions and associated metadata, including wallet names and email addresses. The vulnerability was discovered by a security researcher at Trustwave who used a Man-in-the-Middle (MitM) attack to analyze the app's traffic and found that he could see email addresses, wallet names, and live transaction data associated with every one of the app's shared wallets. The vulnerability was caused by broken access controls, which allowed an authorized user to view data that should have been kept outside of their permissions. Although the app leaked no actual bank account or credit card details, the potential danger to customers' accounts could affect both the financial vendor and the customer monetarily.

The recent breaches at T-Mobile, in the automotive industry, and in the Money Lover finance app highlight the importance of securing APIs to prevent API abuse, which can take many forms, including account takeover, fake account creation, denial of service, credit fraud, app impersonation, MitM attacks, data breaches, and data scraping.While zero trust is an important approach to cybersecurity, a Gartner report points out that it's not a one-stop-shop solution, as cyberattacks can still target areas that are not or cannot be protected by zero-trust controls, such as public-facing APIs and social engineering scams. Organizations need to supplement the controls offered by zero trust with additional security measures to optimize their cyber-resilience and mitigate the risks associated with API exploitation and protect their apps and users from API abuse.

A recent report from Salt Security Labs found a 400% increase in unique attackers, with over 80% of attacks happening over authenticated APIs. While behavioral techniques can be useful in detecting and preventing attacks, they are not foolproof and can suffer from false positives and false negatives. So user authorization is not enough - it's important to authenticate the client software before using behavioral techniques.

Approov Mobile security helps protect your backend APIs and services from various types of attacks, including API abuse, credential stuffing, fake botnet registrations, and DDoS attacks. Approov achieves this by performing an ongoing, deep inspection of your mobile app and the device it is running on to ensure the authenticity of requests to your backend APIs and services.

By using Approov, you can prevent unauthorized access to your APIs and services, reduce the risk of data breaches and other security incidents, and protect your users from various types of fraud and abuse. Approov also provides protection for third-party APIs that your mobile app may be using, ensuring that all API requests are legitimate and coming from a trusted source.


Shona Hossell