There has been a 62 percent increase in the number of API (application program interface) attacks on the Indian financial sector as on June 30, 2023, when compared to 2022, said the Indian Computer Emergency Response Team (CERT-In), in a recent white paper it published along with Mastercard and CSIRT-Fin (Computer Security Incident Response Team - Financial Sector).
The report ‘API Security: Threats, Best Practices, Challenges, and Way forward using AI’ directly attributes this rise to the increase in the usage of API in the financial sector. The report was released in August.
APIs are software that act as intermediaries between two applications. For instance, Google Maps API allows developers to embed Google Maps into their websites or apps.
The finding in the white paper highlights the increasing threat that APIs pose in the cybersecurity landscape at a time when this piece of technology has proved to be crucial in the rise of fintech and open banking systems in India.
Security misconfiguration
While the increase in API attacks on the financial sector from 2021 to 2022 was 25 percent, it saw more than a two-fold increase in 2023, at 62 percent.
A majority of the API attacks, around 57 percent, was because of security misconfiguration. "Security misconfiguration happens when security options are not defined in a way that maximises security, or when services are deployed with insecure default settings," the report read.
Next, APIs in the Indian financial sector were targeted by distributed denial of service attacks (DDOS; 34 percent), the white paper said. In DDOS attacks, attackers disrupt the working of servers by flooding traffic on the APIs.
"DDOS attacks are very common and during one well-known incident, the system of the affected entity was hit by a volume of traffic ranging up to 1.35 terabits per second and the attack lasted for over 20 minutes, which was launched by tens of thousands of unique end points orchestrated by more than a thousand different autonomous systems (ASNs)," the report said.
Other types of API attacks included cross-site scripting (1 percent), excessive data exposure (3 percent), SQL Injection (3 percent), MiTM (2 percent), the report added.
As a recommendation, the joint white paper said that the usage of artificial intelligence and machine learning can be deployed to secure APIs, with real-time monitoring capabilities. "In addition to this, improvement in logging standards and automation can fill security gaps," it read.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
