In this report, we examine application programming interfaces, or APIs, that criminals target with credential stuffing attacks. The APIs we’re examining use REST and SOAP to access resources. This includes account summary pages with personal information, account records, and balances, as well as other tools or services within the platform. While they’re not directly comparable, both REST and SOAP are essentially methods of communication between applications. REST can be implemented in different ways, depending on the project. SOAP is a standard for data exchange.
APIs are everywhere. Employees and customers in the financial services sector are exposed to them constantly, especially REST, since it is frequently used in website and mobile application development. However, SOAP is another popular option in the enterprise space — particularly in banking. SOAP offers a higher degree of flexibility when dealing with client and server relationships that require precision and accuracy when it comes to database transactions. As far as criminals are concerned, REST and SOAP architectures are just targets. They’re things to be bypassed in order to obtain sensitive data or financial assets.
The inconsistency in development methods using APIs has led to many of the problems we’ve seen over the past few years. For example, some APIs allow as many password guesses as needed to successfully authenticate, while others throttle attempts. Criminals take advantage of the lack of limitation and process tens of thousands of credentials in minutes. For APIs that are throttled, criminals use threading and take a low and slow approach, spreading attempts out so they stay under the limit.
Another API development practice that leads to problems is error handling. Criminals leverage APIs to validate their lists and confirm that a username actually exists on a service. Depending on how the application or platform was developed, the error responses can be used to sort and validate lists, which enables a higher degree of targeting.
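As an added illustration (not code from the report), the following Python sketch shows the two practices the preceding paragraphs describe side by side: a login handler that returns distinct errors for unknown users and wrong passwords and never throttles, beside a hardened version that returns one generic failure response and counts failures per source address and per account. The user store, salt, limits and function names are constructed for this example.

```python
import hmac
import hashlib
import time
from collections import defaultdict

# Constructed sample user store (not from the report): username -> salted hash.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"
USERS = {"alice": _hash("correct horse", _SALT)}

MAX_ATTEMPTS = 5        # failures allowed per key before throttling (constructed)
WINDOW_SECONDS = 60     # sliding window for the failure counter (constructed)
_attempts = defaultdict(list)  # key ("ip:..." or "user:...") -> failure timestamps

def _record_failure(key, now):
    _attempts[key].append(now)

def _is_throttled(key, now):
    recent = [t for t in _attempts[key] if now - t < WINDOW_SECONDS]
    _attempts[key] = recent
    return len(recent) >= MAX_ATTEMPTS

def login_leaky(username, password):
    """'Before' form: distinct responses reveal whether the username exists,
    and nothing limits how many guesses a caller may make."""
    if username not in USERS:
        return 404, "unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password, _SALT)):
        return 401, "wrong password"
    return 200, "ok"

def login_hardened(username, password, source_ip, now=None):
    """Hardened form: one generic failure response for both cases, plus a
    per-IP and per-account failure counter that throttles guessing."""
    now = time.time() if now is None else now
    keys = (f"ip:{source_ip}", f"user:{username}")
    if any(_is_throttled(k, now) for k in keys):
        return 429, "too many attempts"
    stored = USERS.get(username)
    # Hash the candidate even for unknown users so response time does not differ.
    candidate = _hash(password, _SALT)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        for k in keys:
            _record_failure(k, now)
        return 401, "invalid credentials"
    return 200, "ok"
```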
Finally, API usage and widespread adoption have enabled criminals to automate their attacks. This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments.