
Locking down APIs? Traditional authentication tips apply

IT pros use all kinds of tools to monitor logins. The same exact technology should be applied to API endpoints, says one industry pro.

T-Mobile’s SEC filing—an announcement of a “bad actor” pulling data from a single application programming interface (API)—highlighted two dates…and a curiously long time span between them.

The report stated:

  • “On January 5, 2023, T-Mobile US…identified that a bad actor was obtaining data through a single application programming interface (‘API’) without authorization.”
  • “We currently believe that the bad actor first retrieved data through the impacted API starting on or around November 25, 2022.”

While holiday-hungry employees are known to tune out from Thanksgiving to New Year's, the 41-day blind spot noted in the filing reveals a striking lack of oversight of an increasingly targeted application component: the API.

“The fact that it went on for five weeks suggests no monitoring was in place,” said Chester Wisniewski, field CTO of applied research at the security software company Sophos.

As attackers go after customer information via APIs (the T-Mobile actor had access to addresses, phone numbers, and birthdates), the defensive measures required to secure the interfaces are the familiar ones used for traditional authentication: protect the keys and watch for anomalous activity.

“We have all kinds of tools that monitor how frequently a user is logging in, what hours they’re logging in, and what country are they logging in from…The same exact technology should be applied to API endpoints,” Wisniewski told IT Brew.

API don’t get it. APIs extend access from one computer program to another.

The computers at a mall kiosk selling phones (are those still a thing?), for example, may need to connect to a provider’s system to run credit checks or phone number transfers. API transactions are (hopefully) authorized with password-like API keys.

Those keys must be protected like passwords, said Mike Hamilton, co-founder and CISO at the computer and network-security provider Critical Insight: issue multiple, narrowly scoped tokens so that any one of them grants limited access, and keep them in a secrets-management system such as a vault rather than in application code or config files.
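The "protect keys like passwords" and "use multiple tokens to limit access" advice, as an added example that is not code from the page or from Critical Insight. It assumes a small in-memory store standing in for the vault or database; the names `KeyStore`, `issue_key` and `authorize`, the `key_id.secret` key format and the scope names are hypothetical. Only a hash of each secret is kept, every key is tied to one client and one set of scopes, and verification is constant-time.

```python
"""Scoped API keys stored hashed at rest (added example, not the page's code).

Assumptions: an in-memory dict stands in for a vault/DB; key format, scope
names and class/function names are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key_id: str          # public, loggable identifier of the key
    digest: bytes        # SHA-256 of the secret; the secret itself is never stored
    scopes: frozenset    # what this key may do, e.g. {"credit-check"}
    owner: str           # which client (the kiosk, the partner) holds it


class KeyStore:
    """Issues one key per client and purpose, and checks keys presented to the API."""

    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # API keys are 256-bit random strings, so a fast hash is adequate here
        # (human passwords, being low-entropy, would need a slow hash such as bcrypt).
        return hashlib.sha256(secret.encode()).digest()

    def issue_key(self, owner: str, scopes: set[str]) -> str:
        """Create a key limited to `scopes`; the full key is returned once and never stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(key_id, self._digest(secret), frozenset(scopes), owner)
        return f"{key_id}.{secret}"

    def authorize(self, presented: str, needed_scope: str) -> KeyRecord | None:
        """Return the key's record if it is valid and carries `needed_scope`, else None."""
        key_id, sep, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if not sep or rec is None:
            return None
        # Constant-time comparison so a wrong key cannot be distinguished by timing.
        if not hmac.compare_digest(rec.digest, self._digest(secret)):
            return None
        if needed_scope not in rec.scopes:
            return None
        return rec

    def revoke(self, key_id: str) -> None:
        """Drop one key without affecting the client's other keys."""
        self._records.pop(key_id, None)


if __name__ == "__main__":
    store = KeyStore()
    kiosk_key = store.issue_key("kiosk-42", {"credit-check"})
    print("credit-check allowed:", store.authorize(kiosk_key, "credit-check") is not None)
    print("number-transfer allowed:", store.authorize(kiosk_key, "number-transfer") is not None)
```

Because each key carries only the scopes one client needs, a key lifted from the kiosk cannot be used for a different operation, and revoking it leaves every other client working; because only digests are stored, a dump of the key table does not yield usable keys.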

“If you want to compromise APIs, you need those keys… So, getting those somehow and preventing anyone from getting them is your best defense,” said Hamilton.

According to a November 2022 report from cybersecurity provider Akamai, API attacks are up year over year by 257%. Recent API attacks include a Sept. 2022 breach at the Australian telecom Optus and an Aug. 2022 report of applications leaking Twitter API keys.

Commercial API-protection tools detect this kind of anomalous behavior; without such a tool, a developer may have to build the monitoring themselves.

What to watch for:

  • Volume spikes: An application should have an expected request rate. The shack at the mall, for example, shouldn’t suddenly send a flood of 10,000 queries. A major spike in calls would be suspicious, said Wisniewski.
  • Impossible travel: The same token used from geographically distant locations within a window too short to travel between them is a red flag, and can be monitored at the network level.
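Both checks from the list above, run over API gateway logs, as an added example (not code from the page, Sophos, or T-Mobile). The log lines are constructed for the example: one kiosk key doing a handful of lookups, one key pulling 1,000 customer records in ten minutes, and one key used from Atlanta and then Sydney twenty minutes apart. The log format, the `key_id` and latitude/longitude fields (as a geo-IP step would add), and the thresholds (100 requests per ten minutes, 1,000 km/h) are assumptions a real deployment would replace with its own.

```python
"""Volume-spike and impossible-travel detection over API logs (added example).

Assumptions: a constructed log of the form 'timestamp key_id client_ip lat lon path',
geo coordinates already attached by a geo-IP step, and illustrative thresholds.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

ATLANTA = (33.75, -84.39)
SYDNEY = (-33.87, 151.21)


def _line(t: datetime, key_id: str, ip: str, loc: tuple, path: str) -> str:
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {key_id} {ip} {loc[0]} {loc[1]} {path}"


def build_sample_log() -> str:
    """Constructed gateway log for the example; not real traffic."""
    t0 = datetime(2022, 11, 25, 3, 0, tzinfo=timezone.utc)
    lines = []
    # A kiosk doing the handful of lookups a store actually does.
    for i in range(5):
        lines.append(_line(t0 + timedelta(minutes=2 * i), "kiosk-07", "203.0.113.7", ATLANTA, "/v1/customer"))
    # A key enumerating customer records: 1,000 lookups inside ten minutes.
    for i in range(1000):
        lines.append(_line(t0 + timedelta(milliseconds=600 * i), "kiosk-42", "198.51.100.9", ATLANTA, "/v1/customer"))
    # The same key used from two continents twenty minutes apart.
    lines.append(_line(t0, "partner-9", "203.0.113.20", ATLANTA, "/v1/credit-check"))
    lines.append(_line(t0 + timedelta(minutes=20), "partner-9", "192.0.2.77", SYDNEY, "/v1/credit-check"))
    return "\n".join(lines)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into events sorted by time."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, key_id, ip, lat, lon, path = raw.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "key_id": key_id, "ip": ip, "loc": (float(lat), float(lon)), "path": path,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def peak_rate(events: list[dict], window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Most requests any single key made inside one sliding window."""
    peaks: dict[str, int] = defaultdict(int)
    recent: dict[str, deque] = defaultdict(deque)
    for e in events:
        q = recent[e["key_id"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peaks[e["key_id"]] = max(peaks[e["key_id"]], len(q))
    return dict(peaks)


def volume_alerts(events: list[dict], limit: int = 100,
                  window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Keys whose request rate in any window exceeded `limit` (threshold is an assumption)."""
    return sorted(k for k, n in peak_rate(events, window).items() if n > limit)


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events: list[dict], max_kmh: float = 1000.0) -> list[tuple]:
    """Consecutive uses of one key from different places at an implied speed above max_kmh."""
    last: dict[str, dict] = {}
    alerts = []
    for e in events:
        prev = last.get(e["key_id"])
        if prev is not None and prev["loc"] != e["loc"]:
            km = haversine_km(prev["loc"], e["loc"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # A location change with no elapsed time is the extreme case: always flag it.
            if hours == 0 or km / hours > max_kmh:
                alerts.append((e["key_id"], prev["ip"], e["ip"], round(km), prev["ts"], e["ts"]))
        last[e["key_id"]] = e
    return alerts


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("volume alerts:", volume_alerts(ev))
    for a in impossible_travel(ev):
        print("impossible travel:", a)
```

The rate check is keyed on the API key rather than the source IP, since the T-Mobile-style abuse is one credential pulling many records; the travel check compares consecutive uses of the same key, which is what a login-monitoring tool does for user sessions. In production the thresholds would be set per client from a baseline, and a positive hit would feed the same alerting path as a suspicious user login.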

“The same things we would be doing to monitor regular logins for users are the same ideas that we need to apply to the API security around,” Wisniewski told IT Brew.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected].

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.