APIs: the new attack vector

The promise of APIs in enabling innovation is unquestionable. Open banking has transformed the traditional banking ecosystem into one that benefits consumers and banks alike. APIs have also opened up a completely new line of business for fraudsters. According to Gartner, By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.

Traditionally, the risks arising from API exposure were considered to be under the domain of the CISO. However, the emergence of digital channels and associated threats has highlighted the need for a cross-functional fraud prevention strategy – one that involves a broader discussion with product and risk teams.

Banks typically handle the risk associated with APIs with multiple layers of security. Perimeter security such as firewalls and/or endpoint protection, only protect against network layer attacks targeted towards gaining access to internal banking systems. They do not provide defense against application layer fraud attacks. What’s more, threats associated with APIs are often buried in areas that may not be monitored. Fraudsters target these unmonitored openings, automating scripts and taking advantage of weak APIs as a way to scale attacks for maximum impact.

Machine learning technology offers a way to mitigate the security threats posed by these API weaknesses. The most common approach has been through rules and recently, adoption of supervised machine learning. Unfortunately, this approach can only use historical patterns to identify known fraud patterns coming from the same API. For that reason, a more effective approach is what’s known as “unsupervised machine learning“. This approach does not require labeled input or training data to identify patterns and allows organizations to stay ahead of the game in fraud detection.

What follows are the most common attack vectors for financial fraud, and a brief explanation of the advantages of unsupervised machine learning in stemming the tide of fraud via APIs.

Vector 1: Outdated application interfaces

Existing applications on mobile devices may not be upgradable because of compatibility issues – or end users simply skip the upgrades because of performance concerns. IT teams effectively roll out newer versions of apps and web pages with better anti-fraud measures but may not be able to upgrade all outdated API versions with the latest detection capabilities like device fingerprinting, Geo or bio-signals.

Fraudsters can then intentionally target these interfaces to slip under the radar by sending only limited information.

Vector 2: Inadequate partner authentications

The adoption of third-party applications like financial tracking/ trading software is on the rise. When banks partner with these third-party providers, they have special partner API connections that may not have the same level of authentication and security measures as the banks. Many important attributes such as end user IP address, device and browser information etc. may not be collected by these APIs.

Vector 3: Unprotected testing interface APIs

Most banks and financial institutions have testing interfaces where banks or third-party vendors can test functionality. As these interfaces are designed for testing rather than real end users, they usually have no fraud detection/prevention protections. As a result, when the interface is discovered by an attacker, it can often be followed by big waves of attacks.

Vector 4: Mobile/Web emulators

Hackers can reverse engineer an app to discover the API protocol details, such as the secret API key used to communicate with the application server.

This allows them to easily craft scripts that call an API and pretend to be the legitimate app. Often the back-end servers are not aware of the malicious app and will freely interact with it.

Staying ahead of the game with unsupervised machine learning

Existing anti-fraud endpoint solutions such as device fingerprinting, behavioral biometrics, webpage obfuscation etc. effectively protect up-to-date applications, but do not offer a robust way to manage the broader threat emerging from old and retired APIs. As a result, the fraud coverage of these solutions is low.

Machine learning technology holds great promise to mitigate the security threats posed by these API weaknesses. However, the most common approach has been through supervised machine learning. The supervised machine learning approach requires multiple models to be trained to address different APIs. They are reactive, rely on historical attack patterns and can only detect fraud based on features and attributes that are already defined and trained.

DataVisor brings the next generation of AI and machine learning to fraud prevention. By expanding the view to all input traffic and correlating that traffic for suspicious activity, DataVisor is able to identify previously unknown fraud patterns coming from any API – typically before any financial damage is done.

Using a patented machine learning approach and techniques, DataVisor’s Unsupervised Machine Learning Engine™ works without requiring labeled input or training data. The detection engine also eliminates the need for frequent re-tunings, because its predictive power is not based on intelligence derived from historical experience. Unlike supervised machine learning models, which decay in effectiveness over time, DataVisor models maintain consistently high performance without the need for re-tuning.

Outdated APIs can be an open door to financial fraud. Unsupervised machine learning can shut that door.

This editorial was first published in our Open Banking Report 2018. The Open Banking Report 2018 focuses on topics such as building trust, gaining consent and improving customer experience in Open Banking.

About Fang Yu

Fang Yu is the Cofounder/CTO of DataVisor, where her work focuses on big data for security. Fang has developed algorithms for identifying malicious traffic including fake and hijacked accounts, and fraudulent financial transactions. Fang received her PhD from UC Berkeley and holds over 20 patents.

About DataVisor

DataVisor is the next gen anti-fraud platform based on cutting edge AI. Using proprietary unsupervised machine learning algorithms, DataVisor helps restore trust in digital commerce. Combining an intelligence network of more than 4B user accounts globally, the DataVisor solution is deployed across a variety of industries, including financial services.