What You Need to Know
E-commerce brands are accustomed to spikes in volume, whether from the holiday shopping season, a promotional campaign, or a new must-have product. However, panic-buying and the shift of work and daily life online during the lockdown have generated sustained levels of high traffic. Hiding in this traffic are cybercriminals, putting your APIs at greater risk of attack than ever. Protecting your APIs is not optional; it is imperative. Here is a quick update on how you can protect your brand, revenue, and valuable data from attack while providing a safe and enjoyable shopping experience for your customers.
A Look at the Trends
People are spending 10-30% more online (1) and the number of unique digital shoppers has risen 40% year over year. (2) This increased web traffic is driving a surge in account fraud, as fraudsters take advantage of a lockdown that has forced more people online.
Even before the global pandemic, APIs were a preferred attack point. Cybercriminals target APIs because they know many are poorly inventoried and weakly protected.
45% of companies do not feel confident in their ability to detect malicious use of their APIs and 51% of companies are not confident that their security team is even aware of all the APIs that exist in their organization. (3)
The Business Impact
- Poor customer experience as fake shoppers jam the site and degrade performance, forcing genuine shoppers to give up or go elsewhere
- Tied-up inventory, making stock unavailable to legitimate customers
- Corporate espionage by competitors who then offer price-sensitive deals to win customers
- Takeover of customer accounts, loyalty points theft, and credit card and gift card fraud
- Ad fraud, where bots deliberately click links in paid ads to reach the site, consuming ad spend without bringing genuine shoppers
Malicious actors have four primary goals with account takeovers:
- Sell validated login credential pairs on the Dark Web
- Get access to account data such as stored credit card data and personally identifiable information
- Leverage the account for their own gain to transfer money, purchase goods, spread an agenda, or abuse website functions
- Gain a competitive advantage through price scraping
Account takeover fraud tripled in 2018, reaching an estimated $5.1 billion. (4)
When measuring how quickly competitors matched a price change on one site, the price was matched within 1-4 hours 80% of the time.
What Can You Do?
- Identify all of your APIs
  - Gain a clear understanding of how many APIs you have and what each is used for (one of the primary reasons APIs are so vulnerable is that security teams do not know about them).
  - Create and implement a protection plan for your APIs.
- Lock down access to your APIs
  - Authenticate both end users and the applications that call your APIs.
  - Make sure that access policies and authentication mechanisms are set up correctly.
- Monitor and log everything
  - Use continuous logging and monitoring to track and respond to suspicious activity.
  - Gain visibility into API activity so you can rapidly mitigate damage from an attack.
- Implement rate limiting
  - Defend against brute force attacks by setting rate limits for your APIs.
  - Impose limits per client (user account, API key, or source IP) within a defined time window, with tighter limits on sensitive endpoints such as login and account creation than on catalog browsing.
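The rate-limiting and logging steps above, as an added example that is not Kasada's code and not part of the original brief: a sliding-window limiter keyed per authenticated user (or per source IP for anonymous traffic), with far tighter limits on the login and account-creation endpoints than on product browsing, which records every rejection as a structured event for the monitoring pipeline. The endpoint names, the limits, the IP addresses and the sample traffic are assumptions constructed for illustration.

```python
"""Sliding-window rate limiter with per-endpoint limits and a rejection log.

Added example, not Kasada's product or code. Endpoint names, limits and the
sample traffic below are constructed for illustration.
"""
import time
from collections import defaultdict, deque

# (max requests, window in seconds) per endpoint. Authentication and
# account-creation endpoints get far tighter limits than catalog browsing.
LIMITS = {
    "POST /login": (5, 60),
    "POST /account": (3, 300),
    "GET /products": (120, 60),
}
DEFAULT_LIMIT = (60, 60)


class RateLimiter:
    def __init__(self, limits=None, default=DEFAULT_LIMIT):
        self.limits = dict(LIMITS if limits is None else limits)
        self.default = default
        # (client key, endpoint) -> timestamps of accepted requests in window
        self._history = defaultdict(deque)
        self.events = []  # structured log of rejections, fed to monitoring

    @staticmethod
    def client_key(user_id, ip):
        # Key authenticated traffic by user and anonymous traffic by source IP,
        # so one shopper's allowance is not consumed by everyone behind a NAT.
        return f"user:{user_id}" if user_id else f"ip:{ip}"

    def allow(self, user_id, ip, endpoint, now=None):
        """Return True if the request is within limits, else log and reject."""
        now = time.monotonic() if now is None else now
        max_req, window = self.limits.get(endpoint, self.default)
        key = self.client_key(user_id, ip)
        q = self._history[(key, endpoint)]
        while q and now - q[0] >= window:  # expire entries outside the window
            q.popleft()
        if len(q) >= max_req:
            # Rejected attempts are logged but not counted toward the window,
            # so a sustained burst cannot extend its own lockout indefinitely.
            self.events.append({"ts": now, "client": key, "endpoint": endpoint,
                                "limit": f"{max_req}/{window}s"})
            return False
        q.append(now)
        return True


def replay(limiter, traffic):
    """Replay (t, user_id, ip, endpoint) tuples; return accept/reject counts per client."""
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for t, user_id, ip, endpoint in traffic:
        key = limiter.client_key(user_id, ip)
        ok = limiter.allow(user_id, ip, endpoint, now=t)
        stats[key]["accepted" if ok else "rejected"] += 1
    return dict(stats)


# Constructed traffic: a genuine shopper browsing the catalog, and one IP
# hammering /login with a credential-stuffing burst (20 attempts in 10 s)
# and then retrying once the window has passed.
SAMPLE_TRAFFIC = (
    [(t * 3.0, "alice", "198.51.100.7", "GET /products") for t in range(20)]
    + [(t * 0.5, None, "203.0.113.9", "POST /login") for t in range(20)]
    + [(75.0, None, "203.0.113.9", "POST /login")]
)


def run_sample():
    limiter = RateLimiter()
    stats = replay(limiter, sorted(SAMPLE_TRAFFIC, key=lambda r: r[0]))
    return stats, limiter.events


if __name__ == "__main__":
    stats, events = run_sample()
    for client, counts in stats.items():
        print(client, counts)
    print(f"{len(events)} rejections logged; first: {events[0]}")
```

On the sample traffic the shopper's 20 catalog requests all pass, while the login burst gets 5 attempts through and 15 rejected, each rejection landing in `events` with the client key, endpoint and limit so a monitoring rule can alert on repeated hits against the login endpoint. In production the history would live in a shared store such as Redis rather than process memory, so that limits hold across all API instances.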
The recommendations above are a good first step, but they will not be enough to protect your business against more sophisticated attacks. Particularly for APIs that handle sensitive information (such as those involved in authentication and account creation), you need more layers of protection, including a solution that fights bad automation with good automation.
How Kasada Can Help
Kasada mitigates and neutralizes malicious automation that can inflict serious damage to your business. Using proprietary techniques, our solution presents myriad obstacles to frustrate and disrupt the operating model of bot operators, preventing hackers from leveraging automation and challenging critical aspects of their attack process.
What makes Kasada unique:
- Delivers a time-to-value in less than 30 minutes
- Stops malicious automation from the first page load request
- Exhausts bot operators’ CPU resources using innovative technology
- Scales with traffic growth
- Prevents unwanted downtime
- Builds on the knowledge, enthusiasm, and track record of Kasada employees
Would you like to learn how Kasada can help your business defeat automated attacks? Please request a demo today.
Operating globally since 2015 and trusted by enterprises worldwide, Kasada gives internet control and safety back to human beings through its category-defining web traffic integrity solution. With Kasada, even the stealthiest cyber threats are foiled, from login to data-scraping across web, mobile, and API channels. Scalable up to multi-billion-dollar companies, onboarding in just minutes and designed to deliver clear ROI in multiple departments, Kasada’s solution invisibly defends and enhances critical business assets while ensuring optimal online activity, with immediate and lasting web traffic security. Kasada is based in New York and Sydney, with offices in Melbourne, San Francisco, and London. For more information, visit staging-kasada.kinsta.cloud.
Copyright 2020, Kasada, Inc. All rights reserved.
(1) “COVID-Consumers: Pessimistic, but spending more online,” Greg Sterling, March 2020
(2) “COVID-19 thrusts e-commerce into the spotlight,” Brian Solis, CIO, April 2020
(3) “The Absolute Musts of API Security,” Jordan Griffith, Product Marketing Manager, March 2019
(4) “Account Takeover Fraud a Growing Problem for Ecommerce,” Armando Roggio, August 2018