Financial Services — Hostile Takeover Attempts


In this report, we examine application programming interfaces, or APIs, that criminals target with credential stuffing attacks. When it comes to credential stuffing, the APIs we’re examining use REST and SOAP to access resources. This includes account summary pages with personal information, account records, and balances, as well as other tools or services within the platform. While they’re not directly comparable, both REST and SOAP are essentially methods of communication between applications. REST can be implemented in different ways, depending on the project. SOAP is a standard for data exchange.

APIs are everywhere. Employees and customers in the financial services sector are exposed to them constantly, especially REST, since it is frequently used in website and mobile application development. However, SOAP is another popular option in the enterprise space — particularly in banking. SOAP offers a higher degree of flexibility when dealing with client and server relationships that require precision and accuracy when it comes to database transactions. As far as criminals are concerned, REST and SOAP architectures are just targets. They’re things to be bypassed in order to obtain sensitive data or financial assets.

The inconsistency in how APIs are developed has led to many of the problems we’ve seen over the past few years. For example, some APIs allow as many password guesses as needed to successfully authenticate, while others throttle attempts. Criminals take advantage of the lack of rate limiting and process tens of thousands of credentials in minutes. For APIs that are throttled, criminals use threading and take a low and slow approach, spreading attempts out so that each one stays under the limit.

Another API development practice that leads to problems concerns error handling. Criminals leverage APIs to validate their credential lists and confirm that a username actually exists on a service. Depending on how the application or platform was developed, the error responses distinguish an unknown account from a wrong password, and that difference can be used to sort and validate lists, which enables a higher degree of targeting.
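The two weaknesses just described (unthrottled guessing and error responses that reveal whether an account exists) next to a hardened login handler, as an added example that is not code from the report or from any vendor it discusses. The user store, the SHA-256 password hashing (a real deployment would use a password hash such as bcrypt or Argon2), the 5-per-60-seconds limit and the `login_leaky`/`login_hardened` names are all constructed for this illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample user store: username -> hex digest of the password.
_USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
# Digest compared against when the account does not exist, so the
# unknown-user path does the same work as the wrong-password path.
_DUMMY_HASH = hashlib.sha256(b"dummy-for-unknown-accounts").hexdigest()

WINDOW = 60        # seconds (constructed limit)
MAX_ATTEMPTS = 5   # per source IP and per target account within WINDOW
_attempts = defaultdict(deque)   # key -> timestamps of recent attempts


def _throttled(key, now):
    """Sliding-window counter. Blocked attempts still count, so a lockout
    is not shortened by hammering the endpoint."""
    q = _attempts[key]
    while q and now - q[0] > WINDOW:
        q.popleft()
    q.append(now)
    return len(q) > MAX_ATTEMPTS


def login_leaky(username, password):
    """Unthrottled, and the status/body tells the caller whether the
    username exists: exactly the oracle used to validate credential lists."""
    if username not in _USERS:
        return 404, "unknown user"
    if _USERS[username] != hashlib.sha256(password.encode()).hexdigest():
        return 401, "wrong password"
    return 200, "ok"


def login_hardened(username, password, client_ip, now=None):
    """Throttled per source and per account, with one uniform failure
    response so the API cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    # Per-IP limit stops high-volume runs; per-account limit catches the
    # distributed "low and slow" variant that spreads guesses over many IPs.
    if _throttled(("ip", client_ip), now) or _throttled(("user", username), now):
        return 429, "too many attempts"
    stored = _USERS.get(username, _DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time compare runs whether or not the account exists.
    if not hmac.compare_digest(stored, supplied) or username not in _USERS:
        return 401, "invalid credentials"   # same answer for both failure cases
    return 200, "ok"
```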

Finally, API usage and widespread adoption have enabled criminals to automate their attacks. This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments.