
While APIs pave the path forward for next-gen payments platforms, they also present new vulnerabilities. Here’s what you need to know to keep your ecosystem safe.
In the new digital era, payments service providers must embrace digital transformation. While each company will opt for a different variety of features and functionalities, there is one tool that everyone should be exploring: API integration.
APIs (Application Programming Interfaces) are a focus area for many payments companies because they enable valuable third-party microservices. Through APIs, a company can integrate a more diverse range of solutions within their own platform, creating a comprehensive customer experience in a singular customer journey.
But this capability can carry risks. APIs are difficult to secure and threat actors know this. Understanding the vulnerabilities of APIs and working to address them is critical if a business wants to protect its customers and its data in 2021 and beyond.
Digital Payments: Getting Down to the Brass Tacks
Where there are risks, there are also great rewards. Digital is quickly becoming customers’ preferred format, as consumers utilize web and mobile platforms at greater rates than ever before. Online retail is one of the best examples of this growth; the US Department of Commerce reported that e-commerce sales in Q1 2021 were up 39% from Q1 of 2020. As the pandemic continues to influence shopping behaviors, the upcoming holiday season will likely follow this trend.
To take advantage of the market, companies need to make sure their payments services are digitally savvy and, most importantly, API-supported. Mobile capabilities will be particularly important, with Statista forecasting that m-commerce will account for 72.9% of e-commerce sales in 2021. If a business is strategic, it can utilize APIs to achieve more than just credit card processing, but also order tracking, customer list maintenance, and additional services like installment payments.
Customer expectations have shifted and companies cannot delay implementing these kinds of solutions. But this high volume of engagement will also draw scammers and other fraudulent actors, who will try to hide among legitimate traffic and target the APIs directly.
The Challenge of API Vulnerabilities
Some of the biggest internet security breaches in recent times have been tied to APIs that did more than they should have: the Cambridge Analytica scandal rested on a third-party app harvesting Facebook user data through an over-permissive API, and Venmo's public API allowed mass scraping of transaction data. To protect both a business and its customers, these areas need to be reviewed:
Flaws in Implementation — APIs connect multiple solutions together, and that seam is where much of the risk lives. Developers work on tight deadlines with unfamiliar products that were not designed in-house, which leads to small errors in implementation. Because each company uses a solution differently, there is rarely a single correct way to secure a given API; every instance must be individually reviewed, tested, and deployed. A team that is stretched too thin will make mistakes that become big problems later.
Lack of Security Component Integration — The API-supported solution may have built-in protections (authentication, logging, fraud signals), but they are only useful if they are wired into the platform's own controls as part of one coherent security system. If there is a disconnect, security-relevant information does not flow between components, leaving both exposed. Tooling that verifies these integrations on every deployment catches the gap before an attacker does.
Inadequate Data Validation — Each company defines its own API contract, so it controls exactly what is accepted as input and returned as output. If validation is inadequate, the API may both admit hostile inputs (such as SQL injection payloads) and leak private information in its responses, which attackers then use to plan follow-on attacks. Access restrictions must allow only the data flows the business actually needs.
Configuration Issues — A correctly configured API grants access only to the groups of people and systems that need to interact with it, preserving functionality without unnecessary exposure. Configuring too few access restrictions leaves the API open to breach. Another common misconfiguration is verbose error handling: stack traces, database errors, or host names in an error message hand the attacker sensitive user or system details that aid future attacks.
Insufficiently Hardened Infrastructure — The API is only one layer in a much more complex ecosystem, so the infrastructure needs several layers of security, not just API protections. A hardened infrastructure applies security controls to web servers, application servers, identity and access management, and database systems alike. Without it, one weakened link in the chain puts every segment at risk.
And finally, beyond the points above, APIs are subject to nearly all of the same risks as any classic web application, so the usual web-application controls still apply.
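To make the data-validation and error-message points concrete, here is an added example (it is not code from the article or from any named vendor) for a hypothetical /payments endpoint. The field names, formats, size limit, and the internal fields on the processor record are all assumptions made for the illustration. It rejects unknown fields, refuses floats for money amounts, constrains every string to a tight pattern (so an injection payload never reaches a query), returns only an allowlisted set of response fields, and answers failures with fixed messages rather than exception text.

```python
"""Strict request validation, response allowlisting and client-safe errors for
a hypothetical /payments endpoint (added example, not code from the article)."""
import json
import re
import uuid


class ValidationError(ValueError):
    """Carries a fixed, client-safe message; never wraps an internal exception text."""


MAX_BODY_BYTES = 4096
# Hypothetical formats: amount as a decimal string with at most two places (never a
# float), ISO-4217-style currency code, and safe alphabets for reference and token.
AMOUNT_RE = re.compile(r"^(0|[1-9]\d{0,6})(\.\d{2})?$")
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")
MERCHANT_REF_RE = re.compile(r"^[A-Za-z0-9_-]{1,40}$")
CARD_TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]{16,64}$")

REQUIRED = {"amount": AMOUNT_RE, "currency": CURRENCY_RE,
            "merchant_ref": MERCHANT_REF_RE, "card_token": CARD_TOKEN_RE}
OPTIONAL = {"description"}
# Allowlist of what a client may ever see; everything else on a record stays internal.
RESPONSE_FIELDS = ("payment_id", "status", "amount_minor", "currency")


def validate_payment_request(raw_body: bytes) -> dict:
    """Parse and validate a JSON body; return canonical fields or raise ValidationError."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("request too large")
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise ValidationError("malformed JSON")
    if not isinstance(body, dict):
        raise ValidationError("object expected")
    if set(body) - set(REQUIRED) - OPTIONAL:
        raise ValidationError("unexpected field")  # reject extra keys, don't silently drop them
    for field, pattern in REQUIRED.items():
        value = body.get(field)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"invalid {field}")  # field is from our fixed set
    desc = body.get("description", "")
    if not isinstance(desc, str) or len(desc) > 140 or not desc.isprintable():
        raise ValidationError("invalid description")
    whole, _, cents = body["amount"].partition(".")
    amount_minor = int(whole) * 100 + int(cents or "0")  # integer minor units, no rounding
    if amount_minor == 0:
        raise ValidationError("invalid amount")
    return {"amount_minor": amount_minor, "currency": body["currency"],
            "merchant_ref": body["merchant_ref"], "card_token": body["card_token"],
            "description": desc}


def _process(req: dict) -> dict:
    """Stand-in for the real processor. The returned record carries constructed
    internal fields that must never reach an API response."""
    return {"payment_id": "pay_" + uuid.uuid4().hex[:12], "status": "authorized",
            "amount_minor": req["amount_minor"], "currency": req["currency"],
            "card_token": req["card_token"], "issuer_auth_code": "A1B2C3",
            "db_shard": "pg-shard-07"}


def public_view(record: dict) -> dict:
    """Allowlist, not denylist: only RESPONSE_FIELDS are emitted."""
    return {k: record[k] for k in RESPONSE_FIELDS if k in record}


def handle_payment(raw_body: bytes) -> tuple:
    """Return (http_status, response_body). Error bodies carry a fixed message and,
    for server faults, a correlation id for the server-side log; never str(exc),
    a stack trace, a SQL error or a host name."""
    try:
        req = validate_payment_request(raw_body)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    try:
        return 201, public_view(_process(req))
    except Exception:  # log the traceback internally, not to the client
        return 500, {"error": "internal error", "request_id": uuid.uuid4().hex}


if __name__ == "__main__":
    good = (b'{"amount": "19.99", "currency": "USD", "merchant_ref": "order-1042", '
            b'"card_token": "tok_aaaaaaaaaaaaaaaaaaaaaaaa"}')
    print(handle_payment(good))                                      # 201, four public fields
    print(handle_payment(good.replace(b'"19.99"', b"19.99")))        # float amount -> 400
```

The allowlist in public_view is the part teams most often skip: the record that comes back from a processor or database usually has far more on it than the caller needs, and serializing it wholesale is exactly the "leaking private information" failure described above.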
Getting API Security in Order
One thing is certain: every API you expose widens your platform's attack surface. There are several actions payments service providers can take to reduce their risk while maintaining quality of service. The first step should be to inventory and test the existing API surface and the controls around it, so glaring issues and the highest-value vulnerabilities are found before an attacker finds them.
Long-term, best practices for API security include encrypting data in transit and at rest and using tokens to protect both the information itself and access to the API. Tokens are issued to an authenticated identity and carry its permissions, so the caller proves who it is on every request without sending its underlying credentials. Rate limiting is also valuable: it caps how often, and in what way, an API can be "called," which blunts brute-force attempts, scraping, and usage spikes that would otherwise degrade performance (a volumetric DDoS still needs mitigation upstream of the application). Lastly, an API gateway channels all traffic through one point that enforces authentication and these limits consistently, while also providing useful telemetry on how each API is being used.
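The following added example (not code from the article or any named product) shows those three controls working together in a minimal gateway: short-lived bearer tokens signed with HMAC-SHA256 so the caller never sends its long-lived credential, a per-identity token bucket that returns 429 when a client bursts past its allowance, and a single enforcement point that authenticates, rate-limits, checks scope, and counts outcomes per route. The signing key, token format, scope names, and bucket parameters are assumptions for the illustration; in production the key would come from a secret store and be rotated.

```python
"""HMAC-signed bearer tokens, a per-client token bucket and one enforcement point
in front of route handlers (added example, not the article's own code)."""
import base64
import hashlib
import hmac
import json
from collections import Counter

# Assumption: in a real deployment this comes from a secret store and is rotated.
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"


class AuthError(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, scopes: list, ttl_s: int, now: float) -> str:
    """Mint <payload>.<mac>; the MAC binds subject, scopes and expiry together."""
    payload = json.dumps({"sub": client_id, "scope": scopes, "exp": int(now) + ttl_s},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, now: float) -> dict:
    """Return the claims if the MAC matches (constant-time compare) and exp is in the future."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            raise AuthError
        claims = json.loads(payload)
    except (ValueError, AuthError):  # malformed base64/JSON, wrong shape, or bad MAC
        raise AuthError("invalid token")
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise AuthError("expired token")
    return claims


class TokenBucket:
    """Allows a burst of `capacity` requests, refilled at `refill_per_s`; one token per call."""
    def __init__(self, capacity: int, refill_per_s: float, now: float):
        self.capacity, self.refill_per_s = capacity, refill_per_s
        self.tokens, self.updated = float(capacity), now

    def try_consume(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.refill_per_s)
        self.updated = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class Gateway:
    """Single choke point: authenticate, rate-limit per subject, route, check scope, dispatch.
    `metrics` counts (method, path, status) so abuse and failures are visible per route."""
    def __init__(self, routes: dict, capacity: int = 5, refill_per_s: float = 1.0):
        self.routes = routes  # {(method, path): (required_scope, handler)}
        self.capacity, self.refill_per_s = capacity, refill_per_s
        self.buckets, self.metrics = {}, Counter()

    def handle(self, method: str, path: str, headers: dict, now: float) -> tuple:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return self._done(method, path, 401, {"error": "missing bearer token"})
        try:
            claims = verify_token(auth[len("Bearer "):], now)
        except AuthError:
            return self._done(method, path, 401, {"error": "invalid token"})
        sub = claims["sub"]  # limits are keyed on the authenticated identity, not the IP
        if sub not in self.buckets:
            self.buckets[sub] = TokenBucket(self.capacity, self.refill_per_s, now)
        if not self.buckets[sub].try_consume(now):
            return self._done(method, path, 429, {"error": "rate limited", "retry_after_s": 1})
        route = self.routes.get((method, path))
        if route is None:
            return self._done(method, path, 404, {"error": "not found"})
        required_scope, handler = route
        if required_scope not in claims.get("scope", []):
            return self._done(method, path, 403, {"error": "insufficient scope"})
        return self._done(method, path, 200, handler(claims))

    def _done(self, method, path, status, body):
        self.metrics[(method, path, status)] += 1
        return status, body


if __name__ == "__main__":
    gw = Gateway({("POST", "/payments"): ("payments:write", lambda c: {"sub": c["sub"]})},
                 capacity=3)
    hdr = {"Authorization": "Bearer " + issue_token("merchant_42", ["payments:write"], 300, 1000.0)}
    for i in range(4):  # three succeed, the fourth is rate limited
        print(gw.handle("POST", "/payments", hdr, 1000.0 + 0.1 * i))
```

Two design choices worth noting: the bucket is keyed on the token's subject, so a client cannot reset its allowance by rotating source addresses, and the gateway answers 401 before touching the bucket, so unauthenticated noise cannot exhaust a legitimate client's quota.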
A more comprehensive approach might mean working with a managed service provider who can offer oversight and direction on all the points named above. Each API requires its own configuration, and that burden falls on development teams, particularly when multiple third-party services are hosted. An experienced provider can help a company pinpoint an efficient strategy that targets its specific vulnerabilities without draining its own resources.