Earlier this month (January 2023, if you’re reading this in the future), T-Mobile disclosed that an attacker had obtained the personal information of approximately 37,000,000 customers.
The company filed an 8-K form with the Securities and Exchange Commission (SEC). An 8-K is a current report that public companies must file when a material event occurs that shareholders should be aware of.
The form stated that the company had “…identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization.”
Data breaches that exploit API security flaws are not new. Last year, a leading cybersecurity journal, SC Media, reported that API security incidents affected 95% of the surveyed organisations in 2021-22.
In a more recent article, the magazine discusses how re-evaluating a company’s cybersecurity stack might be essential for stopping API breaches.
If you aren’t sure what an API is, this article might be difficult to follow. So, to answer your question (and feel free to skip to the next section if you already know)…
What’s an API?
An API is a defined interface: a set of endpoints, request formats and responses through which one application can request data or functionality from another. APIs are very useful in software development because they save you the time and effort of building a tool when something suitable already exists.
You call the API from your own code and the other service’s functionality appears within your application.
It’s like when you want to show your location on the map on your website. Why code your own map when you can use Google Maps and have it show up on your website using an API?
Why Are APIs Vulnerable to Attacks?
The problem is that as more applications are built, the number of APIs in use has grown rapidly.
Since APIs are the channels through which information moves between systems, they are prime targets for anyone who wants access to that information.
As a result, cyberattacks that exploit APIs are on the rise.
According to the SC Media article, the rate at which APIs are being developed makes them difficult to secure.
On top of that, many companies have no complete inventory of their APIs, so they cannot say which ones can reach sensitive information.
Finally, the biggest problem APIs face is attacks using bots. Malicious automation is used both to find vulnerabilities in APIs and to exploit them to gain access.
That means a bot can pull records out of a company’s systems through an API at a rate no human could match, enumerating identifier after identifier until the data set has been harvested for nefarious purposes.
Now, don’t get me wrong. It’s not like developers aren’t doing anything to secure their APIs; security is a standard part of API management guidance. However, conventional security tools such as WAFs and API gateways can be inadequate against bot attacks, because they largely inspect one request at a time, and an enumeration campaign is made up of individually well-formed requests that only look malicious as a pattern.
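The 8-K quoted above says only that data was obtained “through a single API without authorization”; it does not describe the flaw, so nothing here is T-Mobile’s code. The following is an added illustration, written for this article, of the flaw class in general: a hypothetical customer-lookup handler that returns any record to any caller, next to a hardened version that requires an authenticated session, restricts callers to their own record and rate-limits per client, plus a simple log check that flags clients enumerating many distinct IDs. The customer data, client names and log lines are constructed, and the function and class names (`lookup_vulnerable`, `Hardened`, `run_bot`, `enumerating_clients`) are assumptions for the example.

```python
"""Added example: API enumeration by a bot, vulnerable vs. hardened handler.

Not T-Mobile's code or the article's own; all data and names are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory "database": customer_id -> record
CUSTOMERS = {
    cid: {"id": cid, "name": f"customer-{cid}", "phone": f"555-01{cid:02d}"}
    for cid in range(1, 51)
}


@dataclass
class Request:
    client: str                      # caller identity seen by the server (API key / IP)
    session_customer: Optional[int]  # customer id the caller is logged in as; None if anonymous
    customer_id: int                 # record the caller asks for
    t: float                         # request time in seconds


def lookup_vulnerable(req: Request):
    """Flaw class from the text: hands any record to any caller, no authorization."""
    rec = CUSTOMERS.get(req.customer_id)
    return (200, rec) if rec else (404, None)


@dataclass
class Hardened:
    """Same lookup with authentication, object-level authorization and a per-client rate limit."""
    window_s: float = 60.0
    max_requests: int = 10
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def lookup(self, req: Request):
        if req.session_customer is None:
            return (401, None)                      # no session, no data
        q = self.history[req.client]
        while q and req.t - q[0] >= self.window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return (429, None)                      # too many requests in the window
        q.append(req.t)                             # denied requests still count against the quota
        if req.customer_id != req.session_customer:
            return (403, None)                      # callers may read only their own record
        rec = CUSTOMERS.get(req.customer_id)
        return (200, rec) if rec else (404, None)


def run_bot(handler, n_ids: int = 50, anonymous: bool = True, per_second: float = 20.0):
    """Simulate a script walking sequential IDs; return (records leaked, status counts)."""
    leaked = 0
    statuses = Counter()
    for i, cid in enumerate(range(1, n_ids + 1)):
        req = Request(client="bot-1",
                      session_customer=None if anonymous else 7,  # 7: one stolen session
                      customer_id=cid, t=i / per_second)
        status, rec = handler(req)
        statuses[status] += 1
        if status == 200 and rec is not None:
            leaked += 1
    return leaked, dict(statuses)


# Constructed access-log excerpt; every line is a valid request, so a per-request
# WAF rule has nothing to match. The pattern is only visible across lines.
ACCESS_LOG = """\
2023-01-05T10:00:00Z client=198.51.100.7 GET /v1/customers/1001 200
2023-01-05T10:00:00Z client=198.51.100.7 GET /v1/customers/1002 200
2023-01-05T10:00:01Z client=198.51.100.7 GET /v1/customers/1003 200
2023-01-05T10:00:01Z client=198.51.100.7 GET /v1/customers/1004 200
2023-01-05T10:00:02Z client=203.0.113.9 GET /v1/customers/2207 200
2023-01-05T10:00:05Z client=203.0.113.9 GET /v1/customers/2207 200
"""
LOG_RE = re.compile(r"client=(?P<client>\S+) GET /v1/customers/(?P<cid>\d+) (?P<status>\d{3})")


def enumerating_clients(log_text: str, threshold: int):
    """Clients that requested at least `threshold` distinct customer IDs, sorted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m["client"]].add(m["cid"])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", run_bot(lookup_vulnerable))
    print("hardened, anonymous bot:", run_bot(Hardened().lookup))
    print("hardened, bot with one stolen session:", run_bot(Hardened().lookup, anonymous=False))
    print("enumerating clients:", enumerating_clients(ACCESS_LOG, 3))
```

Against the vulnerable handler the bot walks all 50 records. Against the hardened one an anonymous bot gets nothing, and a bot holding one stolen session gets exactly that one customer’s record before the object-level check and the rate limit stop it. The log check is the cross-request view a single-request filter lacks: it counts distinct IDs per client rather than judging each request on its own.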
Is Re-Evaluating Your Cybersecurity Stack the Answer?
In the article, SC Media cites a report by Forrester (Planning Guide 2023: Security and Risk) which says companies must evolve their defences to keep up with the evolving threats.
That might mean reviewing your current cybersecurity stacks and removing tactics and solutions that don’t work. CISOs should also be focusing on API security and bot management in 2023, the article advises.
Another thing to keep in mind is that the bot defence should be “proactive and dynamic”. Companies should be aware of the potential vulnerabilities of their products and plan their defences accordingly, and not rely on a one-size-fits-all approach.
As bots evolve and change their attack methods, your API security should adapt with them, recognising new patterns of automated abuse rather than only matching known signatures. If it can’t, then it might be time to take a look at it with a critical eye.