Cyberlands.io - API Penetration Testing
APIs have numerous benefits: they allow businesses to communicate between numerous applications, avoid developing solutions that already exist, and access all the functionality they need within one platform.

APIs became extremely popular not only among organizations but among hackers as well. Companies use numerous APIs nowadays, a significant share of which are public, but they rarely care about the security of these connections. That is how APIs become an easy target for hackers: they are numerous entry points that exchange very important data.

Current data confirms the trend of API attacks. In 2021, API attacks increased by 348% in 6 months. Gartner foresees that APIs will become the main target of attackers by 2022.

In FinTech, where lost data usually means lost money, the problem of API security is as acute as ever. Regulations such as the European Banking Authority Guidelines on ICT and security risk management (2019) have started to focus on API security. In this article, we will explore different API breaches in the FinTech and finance industry overall so that you can avoid the same mistakes, and PCI DSS and PSD2 Directive violations, in the future.
1. Venmo
In 2017, more than 207 million Venmo transactions were exposed through the app's API. In the exposed data, hackers could find the full names of users, the memos attached to every transaction, and the transaction amounts. While some leaked transactions did not really cause any harm to the users, others revealed private information about medical conditions and private activities.

The problem was that the API was not secured at all. The company assumed that this kind of data could not really hurt anyone, but it turned out otherwise: sensitive information can be extracted from it, and the behavior patterns of users can be tracked.
2. Russian Central Bank
In 2021, the Russian Central Bank sent a letter to all banks warning them about a new money-stealing scheme that works through APIs. Hackers log in to a mobile application with a real login and password, switch it to debug mode, and learn the order and structure of its calls to the bank's APIs. After that, they steal money from users' bank accounts. Notably, no business lost money; only regular clients suffered from the scheme.
3. Binance
Binance is one of the biggest cryptocurrency exchanges. In 2018, the exchange saw a suspiciously large number of buy orders for ViaCoin and numerous withdrawals. The users who relied on APIs for managing their accounts (trade bots, for example) were the ones who got compromised; the system of the crypto exchange itself was secure. The incident led to a drop in Bitcoin's price, unauthorized withdrawals, and a new wave of mistrust towards cryptocurrencies.
4. Ledger
Ledger is a hardware wallet provider. It faced a big data breach in 2020. Hackers compromised the API of the marketing tools that Ledger used for email marketing. Just like that, 1 million email addresses were exposed. Moreover, more sensitive data of 9,500 customers was compromised: full names, phone numbers, postal addresses, etc. The API was deactivated immediately after the incident was discovered, but it was a good lesson about API security: hackers can choose the most unexpected ways in.
5. GateHub
GateHub is yet another cryptocurrency wallet that got compromised. This time, the losses were far bigger. In 2019, the funds of 80 or 90 users were stolen from their wallets. GateHub noticed a suspicious number of API calls made with valid access tokens. After that, 23.2 million Ripple coins (XRP), or $9.5 million, were stolen from private users.
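The signal GateHub noticed, a burst of API calls with valid tokens, is something a gateway log can surface automatically. The following detector is an added example, not GateHub's code; the log format, the `/v1/wallets/<id>/...` paths and the thresholds are constructed assumptions, and it flags any token that exceeds a call-rate limit or touches more wallets than one token should within a sliding window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API gateway log lines (not real GateHub data):
# timestamp, token id, method, path, HTTP status.
LOG_LINES = """
2019-06-01T10:00:01Z tok_a1 GET /v1/wallets/42/balance 200
2019-06-01T10:00:05Z tok_a1 GET /v1/wallets/42/transactions 200
2019-06-01T10:00:10Z tok_b7 POST /v1/wallets/88/withdraw 200
2019-06-01T10:00:11Z tok_b7 POST /v1/wallets/91/withdraw 200
2019-06-01T10:00:12Z tok_b7 POST /v1/wallets/93/withdraw 200
2019-06-01T10:00:13Z tok_b7 POST /v1/wallets/97/withdraw 200
2019-06-01T10:00:14Z tok_b7 POST /v1/wallets/99/withdraw 200
2019-06-01T10:03:00Z tok_c2 GET /v1/wallets/12/balance 200
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
WALLET_RE = re.compile(r"/v1/wallets/(\d+)/")

def parse(lines):
    """Turn raw log lines into (timestamp, token, method, path, status) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def flag_tokens(events, window=timedelta(seconds=60), max_calls=4, max_wallets=1):
    """Flag a token if, in any window starting at one of its calls, it makes more
    than max_calls requests or touches more than max_wallets distinct wallets.
    The assumption is that one access token normally serves one wallet."""
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev[1]].append(ev)
    alerts = {}
    for token, evs in by_token.items():
        evs.sort()
        for i, (start, *_) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            wallets = {WALLET_RE.search(e[3]).group(1) for e in in_window if WALLET_RE.search(e[3])}
            withdrawals = sum(1 for e in in_window if e[3].endswith("/withdraw") and e[4] == 200)
            if len(in_window) > max_calls or len(wallets) > max_wallets:
                alerts[token] = {"calls": len(in_window), "wallets": len(wallets), "withdrawals": withdrawals}
                break  # one alert per token is enough
    return alerts
```

On the constructed lines only `tok_b7` is flagged: five successful withdrawals from five different wallets in four seconds, which is the shape of the GateHub incident rather than normal wallet use.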

6. DX.Exchange
DX.Exchange, a cryptocurrency and tokenized securities trading platform, was leaking sensitive information about its users due to poor API security. Anyone was able to obtain other users' tokens and invoke the APIs on their behalf. This means that the sensitive information of over 600k platform users could have been easily accessed by hackers.
7. Experian
Experian is a credit bureau. In 2021, it exposed the credit scores of almost every American citizen. It happened through the Experian Connect API, used to automate FICO-score queries, which was left unsecured on a website. A sophomore student found the API and was able to check his eligibility just by filling in his name, address, and date of birth (publicly available information). He could see risk factors and even built a command-line tool for automated lookups.
8. MobiKwik
Image courtesy of https://techdaily.ca
MobiKwik is an Indian online recharge and bill payment company. In 2021, it experienced a massive data breach that affected 3.5 million users. Their credit and debit card information, phone numbers and emails were leaked and later ended up on the dark web, where anyone could buy the data. MobiKwik denied all allegations, but it is evident that it was their fault, and most likely the fault lay with their API: attackers tend to get hold of internal APIs and mine data from them. Fun fact: the attackers later deleted all the data and backups and claimed that users' data was now safe. Their stated reasoning was that they did not want MobiKwik to dig itself a deeper grave by continuing to deny the breach.
9. CapitalOne
Capital One specializes in credit cards. In 2019, it faced a massive breach: 100 million credit card applications and thousands of social security numbers and bank account numbers were leaked. It happened not for a single reason but because of a string of unfortunate events. One part of the problem was an API that connected AWS and Capital One: AWS had not provided the best security for its API, and Capital One had forgotten to update one part of its own protection.
10. Equifax
Equifax is an American credit bureau. In 2017, it experienced the largest breach in history, which affected 147 million users, or 56% of Americans. Social security numbers, names, dates of birth, credit card numbers, and driver's license numbers were leaked.

Why did the breach happen? Attackers exploited the Apache Struts vulnerability CVE-2017-5638: the system did not enforce formats on incoming API calls. The breach cost the company $700 million in compensation.
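Enforcing formats on incoming calls means rejecting request fields that do not match what the API expects before any framework code parses them. The validator below is an added example, not Equifax's or Apache Struts' code; it checks a `Content-Type` header against the RFC 7231 media-type grammar and an assumed allowlist of media types, and rejects anything else with a reason that can be logged:

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS parameter ),
# where parameter = token "=" ( token / quoted-string ).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\\x00-\x1f]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED})"
CONTENT_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")

# Assumed allowlist: the media types this hypothetical API actually accepts.
ALLOWED_TYPES = {
    "application/json",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}
MAX_HEADER_LEN = 256  # assumed sane upper bound for this header

def validate_content_type(header):
    """Return (ok, reason). Meant to run at the edge, before the framework
    sees the value, so a malformed header never reaches a complex parser."""
    if header is None:
        return False, "missing"
    if len(header) > MAX_HEADER_LEN:
        return False, "too long"
    if not CONTENT_TYPE_RE.match(header):
        return False, "malformed"  # characters outside the grammar, e.g. braces or bare quotes
    media = header.split(";", 1)[0].strip().lower()
    if media not in ALLOWED_TYPES:
        return False, f"unsupported media type {media}"
    return True, "ok"

def filter_request(headers):
    """Gateway-style hook: returns an HTTP status to answer with, or None to pass the request on."""
    ok, reason = validate_content_type(headers.get("Content-Type"))
    if ok:
        return None
    return 415 if reason.startswith("unsupported") else 400
```

A request with a header such as `application/json; x={value}` is answered with 400 without ever reaching the application, while `text/plain` is a grammatically valid but unsupported type and gets 415.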

Conclusion
We tend to underestimate API security because we do not think that anyone will be interested in our API. However, attackers are interested in everything that can compromise your system, supplying them with data to sell and account balances to steal. In order to avoid huge financial losses and reputational damage, you should take care of your API security as well.

The main FinTech hubs are particularly exposed: London, Singapore, and the Baltics (Estonia, Lithuania). After Estonia adopted crypto-friendly law and Lithuania created a regulatory sandbox, they became top FinTech destinations, but they still lag behind London and Singapore in terms of financial services cybersecurity regulation. So if you are not required to perform a security audit or penetration test before going live, consider doing it for the sake of business resilience and brand sustainability. Remember - both London (FSA) and Singapore (MAS) require this. If you already have a successfully operating FinTech product, make sure to constantly analyze the state of its security infrastructure and apply improvements where needed.
Cyberlands.io Team