Keep Your Organization's APIs Protected This Holiday Season

Understanding API security risks isn't just a good idea — it's a business imperative. A single API breach can lead to financial losses and reputational damage.

November 6, 2023

4 Min Read

By Benjamin Fabre, CEO, DataDome

In an increasingly Internet-connected world, application programming interfaces (APIs), the software interfaces that let programs communicate with each other, are becoming ever more prevalent. APIs let devices and applications exchange information, and they help developers build better, more effective user experiences more quickly. In fact, 70% of developers expected to increase API usage in 2023, so the prevalence of APIs will only continue to grow.

But as API usage increases, devices communicate more, and developers ship friendlier software faster, what are the security implications? How does exposing APIs affect a business or enterprise? And which industries are most at risk, especially as we head into the holiday season?

Unwrapping the Need to Protect Payment APIs

Research shows that attackers are becoming more sophisticated and more API-specific in their tactics, and traditional protection techniques are proving ineffective against them. In the first half of 2022, Americans lost a record $3.56 billion to online fraud, and the Federal Trade Commission received 800,000 fraud complaints, 27% of which involved a financial loss. Attackers want a piece of the action, and payment APIs look like an easy target.

In e-commerce, APIs connect merchants to the payment service providers (PSPs) that complete the customer's transaction. An insecure API on either side can expose sensitive data, and the money fraudsters steal from PSPs and e-commerce sites with harvested card details is only the most visible cost of fraud; chargebacks and lost customer trust follow. As bad bots become more sophisticated and harder to thwart, it is imperative to stay ahead of them.

How Are Fraudsters on the API Naughty List this Holiday Season?

According to Adobe Analytics, consumers will likely spend $221.8 billion via online shopping between November 1 and the end of the year. And during flash-sale events such as Black Friday and Cyber Monday, e-commerce platforms typically face at least five times, and sometimes up to 30 times, more bot attacks than on an average day. So as consumers begin crossing items off their wish lists online, fraudsters will be lurking in the shadows waiting to cash in.

Largely because they lack sophisticated protection, APIs are now targeted at scale by cybercriminals using highly commoditized (and thus accessible) tooling. Card fraud tools and services have been commoditized to the point where anyone can carry out credit card fraud, particularly against front-end APIs left unprotected against advanced bad bots.

For example, attackers obtain valid credit card numbers (through carding, card cracking, or purchases on the Dark Web) and use them in fraudulent transactions. Bots are employed in bulk to test stolen card numbers for validity (carding) or to brute-force the missing values such as expiry date and CVV (card cracking), and to harvest associated cardholder information. Such testing is easier against less protected endpoints, such as an API used by the payment processor or the merchant, than against the customer-facing checkout page.

Even the most inexperienced fraudster can now carry out large-scale attacks using sophisticated techniques, thus increasing potential damages to businesses.

API Payment Fraud Is Frightful, but These Best Practices Are So Delightful

An accurate and scalable bot protection solution can protect companies from API attacks across the customer journey. A successful attack can cut into revenue and cause lasting damage to a company's reputation.

On top of a bot protection solution, several strategies and tools are available to help companies protect their payment APIs from fraud and account takeover:

  • Strong authentication mechanisms: Two-factor authentication (2FA) and multifactor authentication (MFA) confirm user identity and blunt account takeover with stolen or guessed passwords.

  • Encrypted transmission: TLS is critical to securing Internet connections and protecting data in transit; its predecessor SSL and the early TLS versions (1.0 and 1.1) are deprecated and should be disabled on API endpoints.

  • Monitoring and anomaly detection: Stopping fraud at scale requires machine learning detection at the edge that identifies and adapts to changing threats, backed by continuous monitoring by human experts.

  • Fraud detection and prevention: At the point of payment, address verification service (AVS) checks confirm the billing address, but they will not stop a fraudulent payment when the fraudster already knows the right address, so they should be combined with velocity checks that catch bulk card-testing patterns.
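To make the bulk card-testing pattern described earlier (bots testing stolen cards in volume and cracking missing CVV/expiry values) and the monitoring and velocity points in the list above concrete, here is an added example of a sliding-window detector run over a payment API's authorization log. This is illustrative code written for this page, not DataDome's product or any PSP's logic; the log format, its field names (`card_fp` as a hashed card fingerprint, `reason` as a processor decline code), the thresholds, and the log lines themselves are all constructed assumptions.

```python
"""Card-testing detection over payment-API authorization logs (illustrative).

Assumed log format (not from the original article): one JSON object per line with
  ts       - epoch seconds of the authorization attempt
  src_ip   - client address seen by the payment API
  card_fp  - a hashed card fingerprint (never the raw PAN or CVV)
  result   - "approved" or "declined"
  reason   - processor decline code, e.g. "invalid_cvv"
"""
import json
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Decline codes that indicate guessing of the missing CVV/expiry (card cracking).
CRACK_REASONS = {"invalid_cvv", "invalid_expiry"}

# Constructed sample log: a carding bot (203.0.113.10), a card-cracking bot
# (203.0.113.11), and a normal shopper (198.51.100.5) whose card was declined once.
SAMPLE_LOG = """
{"ts": 1000, "src_ip": "203.0.113.10", "card_fp": "c01", "result": "declined", "reason": "do_not_honor"}
{"ts": 1003, "src_ip": "203.0.113.10", "card_fp": "c02", "result": "declined", "reason": "do_not_honor"}
{"ts": 1005, "src_ip": "203.0.113.10", "card_fp": "c03", "result": "declined", "reason": "do_not_honor"}
{"ts": 1008, "src_ip": "203.0.113.10", "card_fp": "c04", "result": "declined", "reason": "insufficient_funds"}
{"ts": 1010, "src_ip": "203.0.113.10", "card_fp": "c05", "result": "declined", "reason": "do_not_honor"}
{"ts": 1013, "src_ip": "203.0.113.10", "card_fp": "c06", "result": "approved", "reason": ""}
{"ts": 1016, "src_ip": "203.0.113.10", "card_fp": "c07", "result": "declined", "reason": "do_not_honor"}
{"ts": 1020, "src_ip": "203.0.113.10", "card_fp": "c08", "result": "declined", "reason": "do_not_honor"}
{"ts": 1100, "src_ip": "203.0.113.11", "card_fp": "c42", "result": "declined", "reason": "invalid_cvv"}
{"ts": 1102, "src_ip": "203.0.113.11", "card_fp": "c42", "result": "declined", "reason": "invalid_cvv"}
{"ts": 1104, "src_ip": "203.0.113.11", "card_fp": "c42", "result": "declined", "reason": "invalid_cvv"}
{"ts": 1106, "src_ip": "203.0.113.11", "card_fp": "c42", "result": "declined", "reason": "invalid_cvv"}
{"ts": 1108, "src_ip": "203.0.113.11", "card_fp": "c42", "result": "declined", "reason": "invalid_cvv"}
{"ts": 1110, "src_ip": "203.0.113.11", "card_fp": "c42", "result": "approved", "reason": ""}
{"ts": 1200, "src_ip": "198.51.100.5", "card_fp": "c77", "result": "declined", "reason": "insufficient_funds"}
{"ts": 1290, "src_ip": "198.51.100.5", "card_fp": "c78", "result": "approved", "reason": ""}
"""


@dataclass(frozen=True)
class Attempt:
    ts: float
    src_ip: str
    card_fp: str
    result: str
    reason: str


def parse_log(text: str) -> list[Attempt]:
    """Parse JSON-lines log text into Attempt records sorted by timestamp."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        attempts.append(Attempt(float(rec["ts"]), rec["src_ip"], rec["card_fp"],
                                rec["result"], rec.get("reason", "")))
    return sorted(attempts, key=lambda a: a.ts)


def detect_card_testing(attempts, window=60.0, max_attempts=10, min_cards=5,
                        min_decline_ratio=0.8, min_crack_fails=5):
    """Return {src_ip: [labels]} for clients whose behaviour inside any sliding
    window matches carding (many distinct cards, mostly declined), card cracking
    (one card, repeated CVV/expiry failures) or raw velocity (too many attempts).
    Thresholds are illustrative defaults, not tuned values."""
    per_ip = defaultdict(list)
    for a in attempts:          # attempts are already time-sorted
        per_ip[a.src_ip].append(a)
    findings = {}
    for ip, events in per_ip.items():
        labels = set()
        win = deque()           # attempts from this client within `window` seconds
        for a in events:
            win.append(a)
            while a.ts - win[0].ts > window:
                win.popleft()
            total = len(win)
            declined = sum(1 for e in win if e.result == "declined")
            distinct_cards = len({e.card_fp for e in win})
            crack_fails = Counter(e.card_fp for e in win if e.reason in CRACK_REASONS)
            if distinct_cards >= min_cards and declined / total >= min_decline_ratio:
                labels.add("carding")
            if crack_fails and max(crack_fails.values()) >= min_crack_fails:
                labels.add("card_cracking")
            if total >= max_attempts:
                labels.add("velocity")
        if labels:
            findings[ip] = sorted(labels)
    return findings


if __name__ == "__main__":
    for ip, labels in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(labels)}")
```

On the constructed log this flags 203.0.113.10 as carding and 203.0.113.11 as card cracking while leaving the shopper alone, because the shopper's two attempts fall outside one window and use too few distinct cards. In a real deployment the same counters should be keyed on session or device identity as well as source address, since the sophisticated bots the article describes rotate IPs to stay under per-address thresholds.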

Understanding these API security risks isn't just a good idea; it's a business imperative. A single API breach can result in reputational damage, financial losses, legal consequences, and worse. Because companies often neglect API security in favor of Web or mobile app security, attackers increasingly target APIs to extract data, abuse business logic, or take down an application. The stakes have never been higher.

About the Author

Benjamin Fabre

Benjamin Fabre is the CEO of DataDome, a company he co-founded in 2015. A cybersecurity visionary, Benjamin foresaw the rise of bot-driven fraud. He understood early on that the race to block automated online threats would require an instantaneous response at the edge; static rules, no matter how quickly updated, would always be a step behind. Leveraging his deep expertise as a technologist, Benjamin set out to build a transparent and easy-to-deploy anti-bot solution that is a true force multiplier for IT security teams. Enter DataDome.
