The Confluence Of Fraud Prevention and AppSec Through API Security

APIs have become the primary way applications exchange data amongst each other. The origins of API security lie in the birth of the modern internet and the rise of web applications. As these applications used APIs for communication, concerns around unauthorized access and abuse of these interfaces began to emerge.

The early 2000s saw increased focus on web application security through standards like OWASP that drove awareness around API vulnerabilities. High-profile data breaches tied directly to API vulnerabilities, such as the Equifax breach (2017), significantly elevated the importance of dedicated API security measures.

Today, API security has gone from a niche concern to a mainstream priority within organizations adopting API Security tools to safeguard against OWASP API Top 10. This unlocks a huge potential for organizations to consolidate their bot and fraud mitigation efforts within the AppSec umbrella through API Security platforms. However, this would require streamlining the efforts that are typically shared across different teams often with different economic buyers.

The Economics of Fraud

Fraud is a business. Services such as CapSolver are commercializing fraud by enabling fraudsters to have continuous access to fake accounts. These services incur typical costs associated with a business such as infrastructure, hiring, etc. To be successful, they need to achieve fraud at scale.

Such scale can be obtained in two ways: (1) constantly attack platforms that enable micro transactions such as BNPL, E-Commerce, etc. (2) cautiously and patiently de-fraud high value platforms such as fake financial loans, insurance scams, social security paycheck fraud, etc. where ticket sizes can easily topple hundreds of thousands of dollars.

Additionally, fraudsters aren’t always after the money. They abuse platforms for spreading propaganda, clickjacking, crypto mining, etc.

Because of the vastness of the attack surface, the complexity of attack scenarios, and the involvement of humans and thereby complex human behavior, it’s extremely difficult to build leading indicators to comprehensively cover these frauds. Additionally, due to the low barrier to entry because of commercialization of fraud tools, the market is flush with more innovative fraud than ever before.

APIs: The Gateway and The Telltale of Fraud

To achieve scale, fraudsters automate direct interaction with the platform’s APIs, instead of manually browsing through the web pages.

The OWASP API Top 10 acknowledges this through Unrestricted Access to Sensitive Business Flows and Unsafe Consumption of APIs. Typically pureplay bot & fraud detection use cases, these are now first-class citizens within OWASP. Ultimately, attackers abuse the API vulnerabilities such as BOLA or BFLA to commit fraud.

However, just like APIs enable fraudsters, they give them away too. Fraudsters operate with an agenda in mind, and automate their systems accordingly. And APIs, at its core, interact with different systems to fulfill a consumer’s request. Hence, the API access patterns are a perfect telltale of fraud.

A typical customer on an E-Commerce site will explore various items, read descriptions, reviews, and then potentially add the item to the bag. They may or may not complete the purchase in one go. Whereas, a sophisticated fraudster will try to look like they are exploring items, reading descriptions and reviews but will most likely look at the same number of items every time before completing a purchase, or spend the same amount of time on reviews before going for the next action.

Everything is captured through the APIs and this behavior can be modeled to single out fraudsters. In fact, APIs are so robust in identifying fraudster’s behavior API Security platforms can make it immensely difficult for fraudsters to continue to exploit web applications.

Synergies On Both Sides

API Security platforms should acknowledge their data leverage and combine fraud mitigation with the broader API Security platform to provide a comprehensive API Cataloging, Testing, and Protection suite for businesses. Not only does this reduce the time to market for these platforms, businesses now can vastly simplify their procurement operations.

Consolidation of API Security and Fraud Management can reduce the number of vendors businesses use. They can tighten the integration via two-way traffic – businesses creating a feedback loop for API Security platforms improve the detection algorithms which, thereby, help businesses detect more fraud accurately and improve good user throughput.

Fraud Management operations, typically existing outside CISO, can now be folded within the security organization. This provides a comprehensive view of all-things security to the CISO. This also helps track the entire attack chain – businesses will now have complete visibility into how attackers are navigating through their applications once they exploit an API vulnerability.

Finally, businesses can limit their overall sensitive data exposure and improve security postures. As part of API security, businesses already let the vendors see and manage sensitive data. Such consolidation can limit the number of vendors accessing sensitive data and thus, the business can reduce overall risk.

About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API protection in a cloud-first, API-driven world. Traceable is the only contextually-informed solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, visit https://www.traceable.ai/.