SlideShare a Scribd company logo

2022 APIsecure_API Abuse - How data breaches now and in the future will use API's as the attack vector

APIsecure_ Official, profile picture
APIsecure_ Official

The document discusses the increasing prevalence of data breaches facilitated by APIs, highlighting the various types of attacks and their consequences. It emphasizes the importance of protective measures at the API layer, including anomaly detection and behavior baselining to prevent fraud. The authors stress that modern application security must address the evolving landscape of API abuse and data exfiltration risks.

Technology
Related topics:
API Security Insights
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Data Breaches: How API’s have become the key attack vector Sudeep Padiyar Founding Member, Product Management Traceable AI Tim Davis Director of Risk, Move Money Products Chime
Agenda ● Latest Data breach Statistics ● Evolution of Fraud with modern apps and API’s ● Data exfiltration protection at the API layer ● Key tenets of API Abuse Prevention ● Product Demo ● Q&A
Data Breaches Verizon DBIR Statistics Abuse Patterns in Data breaches Data Breach Categories
Sensitive Data Exposure by Type
Data breaches consequences Customer Information is Exfiltrated: ● Data sold on dark web to fraudulent end users ● User information used to create new account in customer name at other businesses ● Customer financial accounts monetized ● New credit accounts opened in customers’ names Customer Credentials Are Stolen ● Fraudulent Actors are able to access customer accounts ● Additional customer data is extracted through customer user interface ● Purchases made in customer name ● Customer financial accounts monetized ● Rewards and/or incentive accounts monetized
APIs Control Everything Online Travel Digital Payments e-Commerce Online Brokerage
API Abuse outside of data breaches With Access to APIs, Malicious Users Can: - Increase reward program balances - Lower merchandise pricing - Manipulate inventory availability - Gift Card and Referral frauds - Bypass policies and controls
Modern cloud native architectures K8s LB, Proxy, Gateway Edge VM Serverl ess Browser Mobile 3rd Party
API’s are the attack surface for data breaches K8s LB, Proxy, Gateway Edge VM Serverl ess MicroService MicroService MicroService MicroService MicroService MicroService
Using Tracing and API patterns for anomaly detection Behavioral Baseline 1. Digital Fingerprint: User agent, GeLocation, IP category etc 2. User ID: JWT/Basic Auth, Request header etc 3. Access pattern of Sensitive data per and across sessions 4. API sequence, Inter-API time interval 5. Sensitive Data flow between API’s
11 Data Exfiltration Prevention ● Track volumes of Sensitive data traversing between API’s over time ● Highlight anomaly if sensitive data volume increases significantly over baseline for same user or across users ● Customizable Data Sets - PCI, PII, HIPAA or custom sets ● API Centric Data exfiltration view ● Sensitive data exposure to External API’s ● Categorize users accessing data through API’s - ○ Partners ○ Data Owners ○ Threat Actors ● Sensors to improve detection accuracy - ○ GeoLocation ○ IP reputation ○ Cloud/Hosted/Reside ntial IP ○ Tor/Botnet/Proxy ● Co-relate with increases in ATO/Excessive login attempts PCI HIPAA GDPR CCPA API
12 API Fraud ● Watch Materially sensitive data (account balance, price, game score etc) ● Data usage patterns via API’s by users/groups will be learnt for watched data over time ● Use User Attribution and Digital Fingerprint to correlate user behavior across API’s ● Account for Tokenization for credit cards, crypto currencies and other materially significant data. ● Sensors to bump up fraud risk - ○ GeoLocation ○ IP reputation ○ Cloud/Hosted/Residen tial IP ○ Tor/Botnet/Proxy ● Co-relate with increases in ATO/Excessive login attempts
13 Data Exfiltration Dashboard
14 Data Exfiltration Services View
15 Data Exfiltration User View
16 ➔ Sensitive data flow predominantly through API’s given cloud native app design ➔ Baselining behavior based on User, Device, API and sensitive data types are key ➔ Anomaly detection can solve a good fraction of Business logic abuse attacks ➔ Data flow and risk drives modern application security ➔ Data breaches and Fraud via API’s are on the rise and need to be stopped Recap
Sudeep Padiyar Founding Member, Product Management Traceable AI Thank you. Tim Davis Director of Risk, Move Money Products Chime

More Related Content

PPTX
USING BEHAVIOR TO IMPROVE SECURITY AND ENHANCE RELATIONSHIPS
ForgeRock
 
PDF
Privacera Databricks CCPA Webinar Feb 2020
Privacera
 
PPTX
CCPA Compliance for Analytics and Data Science Use Cases with Databricks and ...
Jeff Kelly
 
PDF
Single Sign On IDM Value
Karthik Ethirajan
 
PPTX
Chanchal ODSC-fraud-2017
Chanchal Chatterjee
 
PDF
Applying Innovative Tools for GDPR Success
ForgeRock
 
PDF
ForMotiv - InsurTech Innovation Award 2022
The Digital Insurer
 
PPTX
Big Data as Competitive Advantage in Financial Services
Cloudera, Inc.
 
USING BEHAVIOR TO IMPROVE SECURITY AND ENHANCE RELATIONSHIPS
ForgeRock
 
Privacera Databricks CCPA Webinar Feb 2020
Privacera
 
CCPA Compliance for Analytics and Data Science Use Cases with Databricks and ...
Jeff Kelly
 
Single Sign On IDM Value
Karthik Ethirajan
 
Chanchal ODSC-fraud-2017
Chanchal Chatterjee
 
Applying Innovative Tools for GDPR Success
ForgeRock
 
ForMotiv - InsurTech Innovation Award 2022
The Digital Insurer
 
Big Data as Competitive Advantage in Financial Services
Cloudera, Inc.
 

Similar to 2022 APIsecure_API Abuse - How data breaches now and in the future will use API's as the attack vector (20)

PDF
Understanding Identity Management and Security.
Chinatu Uzuegbu
 
PDF
Digital banking Account Take Over
Laurent Pacalin
 
PDF
Security Requirements for Fantasy App Development in 2024.pdf
Andrew Mathew
 
PPTX
Ping Identity: Corporate Overview Financial Services
Benjamin Canner
 
PDF
What is Web Scraping? – A Guide On Website Data Scraping
X-Byte Enterprise Crawling
 
PDF
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
apidays
 
PPTX
Hadoop and Financial Services
Cloudera, Inc.
 
PPTX
Relying on Data for Strategic Decision-Making--Financial Services Experience
Cloudera, Inc.
 
PDF
Super data-charging your corruption reviews with integrated analytics
Jim Kaplan CIA CFE
 
PPTX
The digital transformation of retail
Cloudera, Inc.
 
PDF
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
apidays
 
PPTX
GDPR: 20 Million Reasons to get ready - Part 1: Preparing for compliance
Cloudera, Inc.
 
PDF
Unraveling the GDPR Compliance
CleverTap
 
PDF
Understanding the impact of your fraud strategy
European Merchant Services
 
PDF
MSME NEO Banking Platform
Souvik Chaki
 
PPTX
APIdays Open Banking & Fintech: Workshop - Financial Services Use Cases for APIs
Jeremy Brown
 
PDF
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j
 
PDF
Reach targeted audience segments with top-quality 3rd party data.
reklamajans
 
PDF
Increase online growth: In 4 steps optimal data orchestration
OrangeValley
 
PPTX
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
 
Understanding Identity Management and Security.
Chinatu Uzuegbu
 
Digital banking Account Take Over
Laurent Pacalin
 
Security Requirements for Fantasy App Development in 2024.pdf
Andrew Mathew
 
Ping Identity: Corporate Overview Financial Services
Benjamin Canner
 
What is Web Scraping? – A Guide On Website Data Scraping
X-Byte Enterprise Crawling
 
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
apidays
 
Hadoop and Financial Services
Cloudera, Inc.
 
Relying on Data for Strategic Decision-Making--Financial Services Experience
Cloudera, Inc.
 
Super data-charging your corruption reviews with integrated analytics
Jim Kaplan CIA CFE
 
The digital transformation of retail
Cloudera, Inc.
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
apidays
 
GDPR: 20 Million Reasons to get ready - Part 1: Preparing for compliance
Cloudera, Inc.
 
Unraveling the GDPR Compliance
CleverTap
 
Understanding the impact of your fraud strategy
European Merchant Services
 
MSME NEO Banking Platform
Souvik Chaki
 
APIdays Open Banking & Fintech: Workshop - Financial Services Use Cases for APIs
Jeremy Brown
 
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j
 
Reach targeted audience segments with top-quality 3rd party data.
reklamajans
 
Increase online growth: In 4 steps optimal data orchestration
OrangeValley
 
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
 
Ad

More from APIsecure_ Official (20)

PPTX
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
PDF
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
APIsecure_ Official
 
PDF
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
PDF
2022 APIsecure_A day in the life of an API; Fighting the odds
APIsecure_ Official
 
PDF
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
APIsecure_ Official
 
PDF
2022 APIsecure_Securing Large API Ecosystems
APIsecure_ Official
 
PDF
2022 APIsecure_Quarterly Review of API Vulnerabilities
APIsecure_ Official
 
PPTX
2022 APIsecure_Top Ten Security Tips for APIs
APIsecure_ Official
 
PPTX
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
PPTX
2022 APIsecure_Making webhook APIs secure for enterprise
APIsecure_ Official
 
PDF
2022 APIsecure_API Security & Fraud Detection - Are you ready?
APIsecure_ Official
 
PPTX
2022 APIsecure_Monitoring and Responding to API Breaches
APIsecure_ Official
 
PDF
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
APIsecure_ Official
 
PPTX
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
PPTX
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
APIsecure_ Official
 
PPTX
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
PPTX
2022 APIsecure_Hackers with Valid Credentials
APIsecure_ Official
 
PDF
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
APIsecure_ Official
 
PDF
2022 APIsecure_Harnessing the Speed of Innovation
APIsecure_ Official
 
PDF
2022 APIsecure_API Discovery: First step towards API Security
APIsecure_ Official
 
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
APIsecure_ Official
 
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
2022 APIsecure_A day in the life of an API; Fighting the odds
APIsecure_ Official
 
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
APIsecure_ Official
 
2022 APIsecure_Securing Large API Ecosystems
APIsecure_ Official
 
2022 APIsecure_Quarterly Review of API Vulnerabilities
APIsecure_ Official
 
2022 APIsecure_Top Ten Security Tips for APIs
APIsecure_ Official
 
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
2022 APIsecure_Making webhook APIs secure for enterprise
APIsecure_ Official
 
2022 APIsecure_API Security & Fraud Detection - Are you ready?
APIsecure_ Official
 
2022 APIsecure_Monitoring and Responding to API Breaches
APIsecure_ Official
 
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
APIsecure_ Official
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
APIsecure_ Official
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
2022 APIsecure_Hackers with Valid Credentials
APIsecure_ Official
 
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
APIsecure_ Official
 
2022 APIsecure_Harnessing the Speed of Innovation
APIsecure_ Official
 
2022 APIsecure_API Discovery: First step towards API Security
APIsecure_ Official
 
Ad

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Cloud computing and distributed systems.
kkkkkhan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Teaching material agriculture food technology
LiaRayya
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Encapsulation theory and applications.pdf
gurumoop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 

2022 APIsecure_API Abuse - How data breaches now and in the future will use API's as the attack vector

  • 1. Data Breaches: How API’s have become the key attack vector Sudeep Padiyar Founding Member, Product Management Traceable AI Tim Davis Director of Risk, Move Money Products Chime
  • 2. Agenda ● Latest Data breach Statistics ● Evolution of Fraud with modern apps and API’s ● Data exfiltration protection at the API layer ● Key tenets of API Abuse Prevention ● Product Demo ● Q&A
  • 3. Data Breaches Verizon DBIR Statistics Abuse Patterns in Data breaches Data Breach Categories
  • 5. Data breaches consequences Customer Information is Exfiltrated: ● Data sold on dark web to fraudulent end users ● User information used to create new account in customer name at other businesses ● Customer financial accounts monetized ● New credit accounts opened in customers’ names Customer Credentials Are Stolen ● Fraudulent Actors are able to access customer accounts ● Additional customer data is extracted through customer user interface ● Purchases made in customer name ● Customer financial accounts monetized ● Rewards and/or incentive accounts monetized
  • 6. APIs Control Everything Online Travel Digital Payments e-Commerce Online Brokerage
  • 7. API Abuse outside of data breaches With Access to APIs, Malicious Users Can: - Increase reward program balances - Lower merchandise pricing - Manipulate inventory availability - Gift Card and Referral frauds - Bypass policies and controls
  • 8. Modern cloud native architectures K8s LB, Proxy, Gateway Edge VM Serverl ess Browser Mobile 3rd Party
  • 9. API’s are the attack surface for data breaches K8s LB, Proxy, Gateway Edge VM Serverl ess MicroService MicroService MicroService MicroService MicroService MicroService
  • 10. Using Tracing and API patterns for anomaly detection Behavioral Baseline 1. Digital Fingerprint: User agent, GeLocation, IP category etc 2. User ID: JWT/Basic Auth, Request header etc 3. Access pattern of Sensitive data per and across sessions 4. API sequence, Inter-API time interval 5. Sensitive Data flow between API’s
  • 11. 11 Data Exfiltration Prevention ● Track volumes of Sensitive data traversing between API’s over time ● Highlight anomaly if sensitive data volume increases significantly over baseline for same user or across users ● Customizable Data Sets - PCI, PII, HIPAA or custom sets ● API Centric Data exfiltration view ● Sensitive data exposure to External API’s ● Categorize users accessing data through API’s - ○ Partners ○ Data Owners ○ Threat Actors ● Sensors to improve detection accuracy - ○ GeoLocation ○ IP reputation ○ Cloud/Hosted/Reside ntial IP ○ Tor/Botnet/Proxy ● Co-relate with increases in ATO/Excessive login attempts PCI HIPAA GDPR CCPA API
  • 12. 12 API Fraud ● Watch Materially sensitive data (account balance, price, game score etc) ● Data usage patterns via API’s by users/groups will be learnt for watched data over time ● Use User Attribution and Digital Fingerprint to correlate user behavior across API’s ● Account for Tokenization for credit cards, crypto currencies and other materially significant data. ● Sensors to bump up fraud risk - ○ GeoLocation ○ IP reputation ○ Cloud/Hosted/Residen tial IP ○ Tor/Botnet/Proxy ● Co-relate with increases in ATO/Excessive login attempts
  • 16. 16 ➔ Sensitive data flow predominantly through API’s given cloud native app design ➔ Baselining behavior based on User, Device, API and sensitive data types are key ➔ Anomaly detection can solve a good fraction of Business logic abuse attacks ➔ Data flow and risk drives modern application security ➔ Data breaches and Fraud via API’s are on the rise and need to be stopped Recap
  • 17. Sudeep Padiyar Founding Member, Product Management Traceable AI Thank you. Tim Davis Director of Risk, Move Money Products Chime