We live in a world where billions of login credentials have been stolen, enabling the brute-force cyberattacks known as “credential stuffing,” reports CSO Online. And it’s being made easier by APIs: New data from security and content delivery company Akamai shows that one in every five attempts to gain unauthorized access to user accounts is now done through application programming interfaces (APIs) instead of user-facing login pages. According to a report released today, between December 2017 and November 2019, Akamai observed 85.4 billion credential abuse attacks against companies worldwide that use its services. Of those attacks, around 16.5 billion, or nearly 20%, targeted hostnames that were clearly identified as API endpoints.
However, in the financial industry, the percentage of attacks that targeted APIs rose sharply between May and September 2019, at times reaching 75%.
“API usage and widespread adoption have enabled criminals to automate their attacks,” the company said in its report. “This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments.”
APIs also make it easier to extract information automatically, the article notes, while security experts “have long expressed concerns that implementation errors in banking APIs and the lack of a common development standard could increase the risk of data breaches.”
Yet the EU’s “Payment Services Directive” included a push for third-party interoperability among financial institutions, so “most banks started implementing such APIs… Even if no similar regulatory requirements exist in non-EU countries, market forces are pushing financial institutions in the same direction since they need to innovate and keep up with the competition.”