In an effort to provide a fast yet feature-rich experience, developers make heavy use of APIs within mobile applications. Fraudsters and bad actors are well aware of this shift, making it increasingly important for financial services and e-commerce organizations to proactively prevent fraud and theft caused by automated account takeover (ATO) attacks targeting their APIs – regardless of whether those APIs support the mobile or the web application.
Taking a highly systematic approach, bad actors decompile the application and analyze how it works and how the APIs are used. Then, using attack toolkits, Bulletproof Proxies and stolen credentials, they execute account takeovers to commit fraud or theft. By targeting the API rather than scripting a form fill, bad actors are leveraging the same efficiency and flexibility that APIs provide developers.
Recent research from Aite Group points to the mobile APIs that underpin financial services applications as particular points of vulnerability, exploited by bad actors to automate ATO attacks. The Aite Group report found that 27% of FSI applications hard-code the API keys and private certificates in the apps or store them in files on the file system, thereby simplifying the execution of an automated attack.
Findings published in a recent update by the CQ Prime Threat Research Team on Bulletproof Proxy vendors further confirmed Aite’s findings and showed that more than 98% of the automated attacks across financial services customers targeted their mobile application APIs. Attack traffic flowing across multiple Bulletproof Proxy networks targeted the mobile APIs 98% of the time, with 88% of the attack traffic originating from residential IP addresses owned by Cogent Communications.
Bad actors targeting a financial services customer with an account takeover leveraged the mobile application account login. Had that account takeover been successful, the bad actor would have transferred funds to their own (fake) account using the OFX API – the financial services funds transfer protocol.
The retail sector is at similar risk. Research from the Bulletproof Proxy update showed that attack traffic was skewed more toward the web application, with the bulk of the attack traffic originating from Cogent Communications. Interestingly, the mobile IP address sources for the API attack traffic were more evenly distributed across several ISPs, with Verizon Fios the most heavily used.
The attackers were executing account takeovers with the lucrative loyalty points program as the target. The revenue impacts and the costs of over-provisioning the infrastructure were in the millions. The impacts on loyalty and reputation were harder to measure, but were certainly real.