In an increasingly Internet-connected world, application programming interfaces (APIs), the software interfaces that let computer programs communicate with each other, are becoming ever more prevalent. APIs enable devices and applications to exchange information, and they help developers build better, more effective user experiences more easily and efficiently. In fact, 70% of developers expected to increase API usage in 2023, so the prevalence of APIs will continue to grow.
But as API usage grows, devices communicate more, and developers are increasingly able to offer better, more user-friendly software, what are the security implications? How does using APIs affect a business or enterprise? And are some industries more at risk than others, especially as we head into the holiday season?
Unwrapping the Need to Protect Payment APIs
Research shows that attackers are becoming more sophisticated and API-specific in their tactics, and traditional protection techniques are proving to be ineffective defense mechanisms. In the first half of 2022, Americans lost a record $3.56 billion to online fraud, and the Federal Trade Commission received 800,000 fraud complaints, with 27% of cases incurring a financial loss. Attackers want a piece of the action, and payment APIs seem like an easy target.
In the e-commerce world, APIs connect merchants to payment service providers (PSPs) that complete the customer’s transaction. However, insecure APIs can expose sensitive information. The money fraudsters can steal from PSPs and e-commerce websites by taking customer card information is not the only cost associated with fraud. As bad bots become more sophisticated and harder to thwart, it’s imperative to stay ahead of them.
How Are Fraudsters on the API Naughty List this Holiday Season?
According to Adobe Analytics, consumers will likely spend $221.8 billion via online shopping between November 1 and the end of the year. With that said, during flash sales events such as Black Friday and Cyber Monday, e-commerce platforms typically face at least five times — and sometimes up to 30 times — more bot attacks than on average days. So as consumers begin crossing off their wish lists through online shopping, these fraudsters will be lurking in the shadows waiting to cash in.
Largely because of their lack of sophisticated protection, APIs are now being increasingly targeted at scale by cybercriminals using highly commoditized (and thus more accessible) tools. One tactic is the commoditization of card fraud tools and services that make credit card fraud easier for anyone to perform, particularly against front-end APIs left unprotected against advanced bad bots.
For example, attackers will steal valid credit card numbers (through carding, card cracking, or purchasing on the Dark Web) to use in their fraudulent transactions. Bots are often employed in bulk to infer (“test” or “crack”) card numbers and associated cardholder information. Payment details can be easier to find behind less protected endpoints, such as an API used by the payment processor or the merchant.
Even the most inexperienced fraudster can now carry out large-scale attacks using sophisticated techniques, thus increasing potential damages to businesses.
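As an added defender-side illustration (not from the original article or DataDome), the following Python detector flags the bulk card-testing pattern described above in payment-API authorization logs. The log format, field names, sample values and thresholds are all assumptions constructed for this example.

```python
"""Flag card-testing bursts in payment-API authorization logs.

Constructed example: the log format, field names and thresholds are
assumptions, not any real PSP's log schema or vendor product logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "time ip card_fingerprint amount result".
# 203.0.113.5 cycles through many cards with small amounts (card testing);
# 198.51.100.7 is a shopper retrying a single card after one decline.
SAMPLE_LOG = """\
2023-11-24T10:00:01 203.0.113.5 c1 1.00 declined
2023-11-24T10:00:02 203.0.113.5 c2 1.00 declined
2023-11-24T10:00:02 203.0.113.5 c3 1.00 declined
2023-11-24T10:00:03 203.0.113.5 c4 1.00 approved
2023-11-24T10:00:04 203.0.113.5 c5 1.00 declined
2023-11-24T10:00:05 203.0.113.5 c6 1.00 declined
2023-11-24T10:00:20 198.51.100.7 c7 59.99 approved
2023-11-24T10:01:30 198.51.100.7 c7 59.99 declined
2023-11-24T10:02:00 198.51.100.7 c7 59.99 approved
"""

def parse(log):
    """Yield (timestamp, ip, card_fingerprint, amount, result) per line."""
    for line in log.splitlines():
        ts, ip, card, amount, result = line.split()
        yield datetime.fromisoformat(ts), ip, card, float(amount), result

def detect_card_testing(log, window=timedelta(seconds=60),
                        min_cards=5, min_decline_ratio=0.6):
    """Return {ip: (distinct_cards, decline_ratio)} for sources that try
    many distinct cards inside `window` and get mostly declines: the bulk
    "test/crack" pattern, as opposed to one shopper retrying one card."""
    events = defaultdict(list)
    for ts, ip, card, _amount, result in parse(log):
        events[ip].append((ts, card, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            cards = {c for _, c, _ in win}
            ratio = sum(r == "declined" for _, _, r in win) / len(win)
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                flagged[ip] = (len(cards), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE_LOG))
```

Velocity alone is not enough: the distinct-card count separates a bot cycling through stolen numbers from a legitimate customer whose single card is declined and retried.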
API Payment Fraud Is Frightful, but These Best Practices Are So Delightful
An accurate and scalable bot protection solution can protect companies from API attacks across the customer journey. A successful attack can negatively impact revenue and cause irreparable damage to a company’s reputation.
On top of a bot protection solution, several strategies and tools are available to help companies protect their payment APIs from fraud and account takeover:
Understanding these API security risks isn’t just a good idea — it’s a business imperative. A single API breach can result in reputational damage, financial losses, legal consequences, and worse. Because companies often neglect API security in favor of Web or mobile app security, hackers increasingly target APIs to extract data, disrupt business logic, or take down an application. The stakes have never been higher.
About the Author
Benjamin Fabre is the CEO of DataDome, a company he co-founded in 2015. A cybersecurity visionary, Benjamin foresaw the rise of bot-driven fraud. He understood early on that the race to block automated online threats would require an instantaneous response at the edge; static rules, no matter how quickly updated, would always be a step behind. Leveraging his deep expertise as a technologist, Benjamin set out to build a transparent and easy-to-deploy anti-bot solution that is a true force multiplier for IT security teams. Enter DataDome.