Why robust API security is crucial in eCommerce
In today’s eCommerce world, consumers have more digital-first and convenient ways of shopping than ever before. Among the critical technologies that have made this possible are Application Programming Interfaces (APIs), which give retailers the ability to transform their systems and processes quickly and efficiently. Retailers need to reach as many users as possible, and to facilitate this they need a well-constructed interface between the eCommerce site and the consumer.
Amazon arguably kicked off the API explosion with Jeff Bezos’ instructions in 2002: "All teams should expose their data and functionality through service interfaces and communicate with each other through these interfaces which should be designed from the ground up to be externalisable."
APIs enable retailers to be more accessible
Fast forward to the present day and APIs are enabling retailers to be more accessible to their customers with services, such as buy online, pick-up in-store (BOPIS), curb-side pickup, fulfillment of orders through delivery partners, and personalized online shopping recommendations. These capabilities have been especially important for consumers over the last couple of years, as the world changed at a rapid pace, fueled by the pandemic.
APIs not only play a pivotal role in helping retailers personalize digital experiences and streamline their operations, they also create seamless engagement for customers, which is essential as today’s consumers demand an exceptional customer experience. Additionally, retailers leverage APIs to experiment and connect teams for faster collaboration, helping them to use data for revolutionary experiences that increase customer engagement. Behind the scenes, APIs interconnect the store with consumer data, business intelligence, and application security to bring innovative experiences to life.
APIs are the top attack vector in 2022
However, owing to their prolific use, APIs are also attractive to bad actors with Gartner stating that in 2022 API attacks would become the most-frequent attack vector, causing data breaches for enterprise web applications. With the escalating threat landscape, every business website owner should be worried about being hacked, but owners of eCommerce websites should worry about the safety of their website more than others. These websites are much more profitable for hackers than non-commercial sites.
Consumers enter Personally Identifiable Information (PII) on eCommerce sites, such as credit card details, emails, passwords and phone numbers, as well as transaction data such as balances, bonuses and rewards. This creates an opportunity for hackers to steal that data and use it for their own benefit.
As a result, in recent years breaches have become commonplace. For example, just two weeks after retail giant Target agreed to a $39 million settlement relating to a 2013 data breach, the retailer faced a data leak from the Target app, which stemmed from a major API weakness. However, it is not just external actors that threaten APIs. Misconfigurations are also a risk, as was the case when the PII of around 100 million users of business listing platform Justdial was put at risk after an API was left unprotected for over a year.
Publishing third-party APIs
API security is challenging for retailers to manage because they need to open their business to the world and integrate with third parties such as payment and shipping systems. Many build specific APIs that give access to those third parties and are published externally so that sellers, for example, understand how to leverage APIs to run promotions. While APIs are fundamental, they are also a challenge, which means that retailers must ensure their services are exposed securely and that only authorized parties can access their APIs.
Retailers will typically have anywhere between 15 to 20 publicly published third-party APIs and these are the ones that typically get attacked. We are working with a UK retailer that provides a shopping basket API, which is attacked more than 1,000 times a day as it provides an entry point into the business. The retailer sees these attacks increase ten-fold when special promotions are running.
Smaller retailers are the backdoor for hackers
Unfortunately, a lot of the smaller retailers provide an easy entry point for hackers, as many have relationships with the bigger players but are not as stringent with their security. Often, they outsource API security to third-party developers as they don’t have the resources in-house. Unfortunately, you only need one API to be problematic and this can lead to the eCommerce supply chain being breached.
There has been a lot of debate around password-less authentication. Vulnerabilities in authentication mechanisms allow hackers to compromise users and their data. Therefore, strengthening passwords with two-factor authentication and other approaches is important. Likewise, SQL injections and XSS vulnerabilities allow hackers to steal user accounts.
A lot of recent data breaches have enabled hackers to build huge lists of credentials to take over accounts and steal balances. Outdated software lets hackers automate the exploitation of known vulnerabilities and execute arbitrary code to scan and compromise services.
Equally, zombie APIs are also a threat. Recent research found that APIs thought to be deprecated but were still running were one of the top three most-cited pain points, with 36 percent of respondents stating this.
Scaling for eCommerce spikes
Large eCommerce platforms invest in resources to scale for peak times, and hackers take advantage of this capacity by using RCE and injection flaws to mine cryptocurrency. With year-round deals and growing eCommerce volumes, application-level DoS attacks are increasing. API calls are growing twice as fast as HTML traffic, meaning that malicious or malformed API requests are diluted in the larger volume of calls; 35 percent of organizations cited DoS attacks as a primary API security pain point.
With growing volumes of API traffic, many security tools lack context and find it hard to differentiate between what is good and what is malicious. It is hard to protect against these attacks which exploit the logic of eCommerce search engines during peak times and cause customer churn. Retailers don’t want to bring an API offline during Black Friday and hackers know that the focus will be on uptime, not taking a service offline for a couple of hours to figure out why an API is being misused. Additionally, during these peak times retailers often run discount and promotion APIs and bad actors will look to manipulate these.
What can retailers do to better protect their APIs and have a more robust approach to API security?
- Firstly, understanding what they have in their API landscape is critical and external APIs should be the priority to secure. However, you can’t secure what you don’t know about, so having an inventory of all APIs including undocumented APIs is essential. You probably have a broad set of retail APIs but what adjacent APIs do you have and how do they change your security posture?
- Practicing shift-left and bringing API security earlier into the development process is important. Hackers are looking for all the sweet spots, among which development, staging, testing and QA environments are the easiest to exploit because they are normally poorly protected.
- Turn off zombie APIs. When you deprecate certain APIs make sure they are turned off after the last customer stops integrating with them.
- Understand the business logic behind the APIs you are providing since that is where the most advanced attacks will take place.
- Implement advanced role-based access controls so you do not accidentally expose more data than you were planning to.
- And finally, if you are publishing documentation about APIs externally, make sure that it is valid and tested and that you are not publishing a potential vulnerability.
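As an added example (not code from the article or from Noname Security), the following Python sketch shows how three of these recommendations look in an authorization layer for a basket and promotion API: role-based access, owner-only basket access, and deprecated routes refused rather than served, with a tally of denials a defender can watch. The route paths, role names and sample requests are assumptions constructed for the example.

```python
# Added example, not the article's or Noname Security's code: a small
# authorization gate for a basket/promotion API; routes, roles and traffic are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed route inventory: path -> (roles allowed, still active?).
ROUTES: Dict[str, Tuple[Set[str], bool]] = {
    "/v2/basket": ({"customer", "support"}, True),
    "/v2/promotions": ({"merchandiser"}, True),
    "/v1/basket": ({"customer"}, False),  # deprecated: listed, but switched off
}
@dataclass
class Request:
    path: str
    caller_id: str
    roles: Set[str]
    basket_owner: Optional[str] = None  # owner of the basket being accessed

def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); unknown paths are denied, never served."""
    if req.path not in ROUTES:
        return False, "unknown_route"
    allowed_roles, active = ROUTES[req.path]
    if not active:
        return False, "deprecated_route"  # zombie API: refuse, do not serve
    if not (req.roles & allowed_roles):
        return False, "role_denied"
    # Object-level check: customers only touch their own basket; support may act on any.
    if (req.basket_owner is not None and "support" not in req.roles
            and req.basket_owner != req.caller_id):
        return False, "not_owner"
    return True, "ok"

def triage(requests) -> Dict[str, int]:
    """Count denials by reason; a spike in not_owner or deprecated_route is the daily misuse to watch."""
    counts: Dict[str, int] = {}
    for r in requests:
        ok, why = authorize(r)
        if not ok:
            counts[why] = counts.get(why, 0) + 1
    return counts

SAMPLE = [  # constructed traffic, one request per scenario
    Request("/v2/basket", "alice", {"customer"}, basket_owner="alice"),
    Request("/v2/basket", "mallory", {"customer"}, basket_owner="alice"),
    Request("/v1/basket", "bot-1", {"customer"}, basket_owner="bot-1"),
    Request("/v2/promotions", "alice", {"customer"}),
    Request("/v2/promotions", "bob", {"merchandiser"}),
    Request("/internal/debug", "bot-2", {"customer"}),
]
```

Running `triage(SAMPLE)` yields one denial per reason; in production the same tally, fed from real access logs, is what makes a ten-fold spike during a promotion visible.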
Filip Verloy is Technical Evangelist EMEA, Noname Security.