Let us have a look at some key facts before we analyze the situation:
• Financial services sites are targeted a lot. They should always stay ahead of attackers.
• Almost 30% of all API traffic goes to their shadow counterparts, which is an increase of 89% from 2021.
• DDoS attack tools for Windows are the most commonly executed. Motives are either holding information for ransom or other forms of nefarious activity. They have grown by 121% in recent years.
• Over 50% of all traffic to sites in the banking and financial services industry sadly comes from bots.
• These sites experience the highest share of account takeover attacks (ATO) at 38%.
• Popular months for consumers’ online purchasing are August and December. They are peak times for ATO attacks.
Let us now get to the bottom of the issue.
The financial services industry is consistently the most targeted industry across the world. It accounts for 28% of all attack attempts tracked by most cybersecurity firms and DNS DDoS protection service providers. The business sector accounts for 14% of all attacks faced. Yet the former still remains a lucrative target.
Attackers target this sector for many reasons, not just one. Among them are the potential for lucrative payouts and valuable data for either use or resale. These are the most common goals of attackers when it comes to attacking financial institutions and service providers.
However, any insecure banking data, as well as data pertaining to crypto wallets, passwords, or weak points in internal systems, provides attackers with the key access points needed to empty accounts and transfer key information.
As an alternative, attackers can also hold random websites hostage in the hope that the business, company, or site owners will pay the ransom instead of risking damage to their reputation. Many financial services websites need personal information of extremely high importance and value, especially the following:
• Tax numbers.
• Citizenship identity numbers.
• Social security numbers.
• Credit card numbers.
• Passport numbers.
The above information is instrumental in creating or accessing accounts and other relevant information. Unless it is properly secured, attackers can either easily access it for wrongful use or sell it to the highest bidder.
Application programming interface security – can attackers affect this?
The industry relies heavily on APIs to connect numerous systems and applications. APIs also enable things like banking app widgets and other digital services on the phone. Though they make things easy for developers, they also introduce a whole new world of problems.
APIs are designed to be accessible, which is why they are open by nature and easy to use. Making an API available is also a chance for hackers and attackers to access backend databases.
A common security threat relevant to APIs is the API violation. Many cybersecurity experts track these violations: they are calls that do not reflect the purpose and essence of an API. Experts establish that purpose and essence (the API's definition) either from what customers provide or by observing API traffic and learning the definitions over time.
At this point, most DDoS service providers and cybersecurity companies detect calls that are not in line with the intended definitions. They are hence defined and proven as attacks.
Yet the majority of attacks on API sites were basically API violations, or security violations such as suspicious calls, incorrect data entered, and the like. At the same time, remote code execution was the second most common kind of attack, at around 9% of all attacks.
Shadow APIs – what are they?
Shadow APIs are undocumented versions of official APIs. The IT team does not normally maintain or manage them or their security processes. Normal APIs can also become shadow APIs when they are deprecated but not removed.
A shadow API can also be the outcome of a developer publishing an API without proper documentation or inventory. In other instances, developers unintentionally make amendments to existing hidden APIs, which later become exposed. It is true that APIs can be quite tricky.
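One way a defender can surface the shadow APIs described above is to compare served traffic against the documented inventory. The sketch below is an added example, not code from any vendor mentioned in this article; the routes, the log format, and the choice to treat 404/405/501 responses as "not served" are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed inventory: documented routes and their lifecycle state (assumption).
INVENTORY = {
    ("GET", "/v2/accounts/{id}"): "active",
    ("POST", "/v2/transfers"): "active",
    ("GET", "/v1/accounts/{id}"): "deprecated",  # retired on paper, still deployed
}
# Constructed access-log lines in the form "<method> <path> <status>".
SAMPLE_LOG = """\
GET /v2/accounts/1001 200
POST /v2/transfers 201
GET /v1/accounts/1001 200
GET /internal/export?fmt=csv 200
GET /v2/accounts/1002 200
GET /v3/accounts/5 404
DELETE /v2/accounts/1001 405
"""

def _template_to_regex(template):
    # A "{name}" placeholder matches exactly one path segment.
    segs = template.split("/")
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s) for s in segs]
    return re.compile("^" + "/".join(parts) + "$")

ROUTES = [(m, _template_to_regex(t), state) for (m, t), state in INVENTORY.items()]

def classify(method, path, status):
    # Routing-level rejections mean no handler answered, so nothing is exposed.
    if status in (404, 405, 501):
        return "not-served"
    path = path.split("?", 1)[0]  # the query string is not part of the route
    for m, rx, state in ROUTES:
        if m == method and rx.match(path):
            return "documented" if state == "active" else "shadow-deprecated"
    return "shadow-undocumented"  # answered by the server but absent from the inventory

def summarize(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        method, path, status = line.split()
        counts[classify(method, path, int(status))] += 1
    return counts

def shadow_share(counts):
    # Fraction of served calls that went to deprecated or undocumented routes.
    served = sum(v for k, v in counts.items() if k != "not-served")
    shadow = counts["shadow-deprecated"] + counts["shadow-undocumented"]
    return shadow / served if served else 0.0
```

Routes that land in either shadow bucket are candidates for removal or for being brought into the documented inventory.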