APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security.
API Abuse - How data breaches now and in the future will use APIs as the attack vector
Sudeep Padiyar, Product Manager at Traceable
Tim Davis, Director of Product Management at Chime
1. Data Breaches: How APIs have become the key attack vector
Sudeep Padiyar, Founding Member, Product Management, Traceable AI
Tim Davis, Director of Risk, Move Money Products, Chime
2. Agenda
● Latest data breach statistics
● Evolution of fraud with modern apps and APIs
● Data exfiltration protection at the API layer
● Key tenets of API abuse prevention
● Product demo
● Q&A
3. Data Breaches: Verizon DBIR Statistics
(chart panels: Abuse Patterns in Data Breaches; Data Breach Categories)
5. Data breach consequences
Customer Information is Exfiltrated:
● Data sold on the dark web to fraudulent end users
● User information used to create new accounts in the customer’s name at other businesses
● Customer financial accounts monetized
● New credit accounts opened in customers’ names
Customer Credentials Are Stolen:
● Fraudulent actors are able to access customer accounts
● Additional customer data is extracted through the customer user interface
● Purchases made in the customer’s name
● Customer financial accounts monetized
● Rewards and/or incentive accounts monetized
7. API Abuse outside of data breaches
With Access to APIs, Malicious Users Can:
- Increase reward program balances
- Lower merchandise pricing
- Manipulate inventory availability
- Gift card and referral fraud
- Bypass policies and controls
8. Modern cloud native architectures
(architecture diagram labels: K8s; LB, Proxy, Gateway; Edge; VM; Serverless; Browser; Mobile; 3rd Party)
9. APIs are the attack surface for data breaches
(architecture diagram labels: K8s; LB, Proxy, Gateway; Edge; VM; Serverless; six MicroService nodes)
10. Using Tracing and API patterns for anomaly detection
Behavioral Baseline
1. Digital fingerprint: user agent, geolocation, IP category, etc.
2. User ID: JWT/Basic Auth, request header, etc.
3. Access pattern of sensitive data within and across sessions
4. API sequence and inter-API time interval
5. Sensitive data flow between APIs
11. Data Exfiltration Prevention
● Track volumes of sensitive data traversing between APIs over time
● Highlight an anomaly if sensitive data volume increases significantly over the baseline for the same user or across users
● Customizable data sets: PCI, PII, HIPAA or custom sets
● API-centric data exfiltration view
● Sensitive data exposure to external APIs
● Categorize users accessing data through APIs:
○ Partners
○ Data owners
○ Threat actors
● Sensors to improve detection accuracy:
○ GeoLocation
○ IP reputation
○ Cloud/Hosted/Residential IP
○ Tor/Botnet/Proxy
● Correlate with increases in ATO/excessive login attempts
(diagram labels: PCI, HIPAA, GDPR, CCPA, API)
12. API Fraud
● Watch materially sensitive data (account balance, price, game score, etc.)
● Data usage patterns via APIs by users/groups are learnt for watched data over time
● Use user attribution and digital fingerprint to correlate user behavior across APIs
● Account for tokenization of credit cards, cryptocurrencies and other materially significant data
● Sensors to bump up fraud risk:
○ GeoLocation
○ IP reputation
○ Cloud/Hosted/Residential IP
○ Tor/Botnet/Proxy
● Correlate with increases in ATO/excessive login attempts
16. Recap
➔ Sensitive data flows predominantly through APIs given cloud native app design
➔ Baselining behavior based on user, device, API and sensitive data types is key
➔ Anomaly detection can solve a good fraction of business logic abuse attacks
➔ Data flow and risk drive modern application security
➔ Data breaches and fraud via APIs are on the rise and need to be stopped
17. Thank you.
Sudeep Padiyar, Founding Member, Product Management, Traceable AI
Tim Davis, Director of Risk, Move Money Products, Chime