How To Make APIs More Secure

by David Midgley

Application Programming Interfaces (APIs) aid interconnectivity between websites and improve the quality of a user’s browsing session. Furthermore, API usage by developers, particularly within the payments market, will continue to grow as more and more devices come to market and the popularity of the Internet of Things (IoT) continues to grow.

However, some of the information that would need to be shared using an API platform can be very sensitive. Therefore, as the use of APIs continues to grow, so too will the number of hackers trying to exploit any security vulnerabilities in order to gain access to this information.

Therefore, in this article, David Midgley, Head of Operations at payment gateway and merchant services provider Total Processing, outlines why it is vital to make API platforms as secure as possible and how to do this.

In its simplest terms, an API allows one website to use elements of another. For example, it is an API that allows you to use third-party apps, such as games, on Facebook, or share an article on your Twitter feed.

However, APIs also have their use in the payments market. For example, as a payment gateway provider, we give clients access so that their website can be connected to the payment gateway we provide them, and we then also allow them to access the data submitted when payments are made via the gateway.

Therefore, given that the personal and financial details of thousands or even millions of people are being provided via this gateway, it is important that access to the gateway and the API is properly secured. For example, early last year, the self-titled ‘internet security enthusiast’ Paul Price flagged up that the API of the British greeting card website Moonpig used a hard-coded username and password to connect to their server that was easily retrievable. Thus, according to Price’s analysis, it would be very easy to build up, in a matter of hours, a database of the addresses and card details of over three million people who used Moonpig’s service.

Therefore, it is clear that vulnerabilities exist in APIs, and the platforms need to be updated in order to keep undesirable parties from being able to access what is very sensitive information.

It’s not difficult either, and common sense actions really do go a long way. For example, a company keeping all security software used internally and externally up to date, and making sure its privacy and spam settings are rigid, will do a lot to help it keep its own systems secure. Furthermore, the method Paul Price pointed out as a viable way to access Moonpig’s database relied upon a hacker’s ability to bombard the API with an unmanageable level of requests. Therefore, limiting the data request rate would also help to prevent a hacker from bringing down a site by overloading it with high-frequency traffic. API developers using Representational State Transfer (REST) principles when designing the interface would help too. This is because REST uses at least five different commands to access data. Therefore, if an API has a RESTful implementation, it will have predictable outcomes, thereby making security simple for the implementer, but difficult to break down for an external party.
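The request-rate limiting described above, as an added illustration that is not code from the article or from Total Processing: a per-client sliding-window limiter that caps how many API calls one caller (identified by an assumed API key, token subject or source address) can make within a window, with constructed traffic showing a normal client passing while a scripted bulk-request client is throttled after the cap.

```python
"""Per-client API rate limiter (sliding window, in-memory). Added example."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key.

    The key is whatever identifies the caller: an API key, a token subject,
    or a source IP address (assumption: the API can attribute each request).
    """
    limit: int
    window: float
    _hits: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        """Return True if a request from `key` at time `now` is within the limit."""
        q = self._hits.setdefault(key, deque())
        # Forget timestamps that have slid out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # caller should answer HTTP 429 and log the key
        q.append(now)
        return True


def simulate(limiter, requests):
    """Replay (time, key) requests; return {key: (allowed, denied)} counts."""
    result = {}
    for t, key in requests:
        allowed, denied = result.get(key, (0, 0))
        if limiter.allow(key, t):
            result[key] = (allowed + 1, denied)
        else:
            result[key] = (allowed, denied + 1)
    return result


# Constructed sample traffic: one client makes 5 calls spread over a minute,
# another fires 200 calls inside two seconds (bulk data pulling behaviour).
NORMAL = [(i * 12.0, "client-normal") for i in range(5)]
BULK = [(i * 0.01, "client-bulk") for i in range(200)]

if __name__ == "__main__":
    rl = RateLimiter(limit=60, window=60.0)
    print(simulate(rl, sorted(NORMAL + BULK)))
```

Denied requests are the signal to alert on: a single key being throttled repeatedly in a short period is a useful detection for scripted harvesting of the kind the Moonpig case involved.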

All of this is particularly pertinent given that more and more governments, including those of Australia, the UK and the United States, are now using open-access APIs to grant access to their departments’ data sets. Furthermore, the UK Government now wants banks to open up access to customer data using APIs too. They have even said they will legislate to make this a reality if they have to as well. This should be a good thing too, as it should lead to more competition in banking, which in turn will mean that financial institutions will have to work harder to innovate and stay on top. The end result, I hope, would be that this will drive up product and service levels for consumers. Furthermore, a more open publication of data will help alternative providers too as they’ll now have a new source of information to help them make better lending decisions.

Banks’ APIs being open should also force them into making their API tools as secure as possible. I say this because banks opening up access to customer data would also lead to new regulations, according to the Open Banking Working Group (OBWG), which was set up by the government and tasked with developing the framework needed to facilitate the plans.

As part of this, the OBWG has published a report which says that an independent authority would handle complaints and establish “how data is secured once shared, as well as the security, reliability and scalability of the APIs provided”. This independent authority would also be able to “vet third parties, accredit solutions and publish its outcome through a white list of approved third parties”.

Therefore, it is safe to say that the use of APIs will continue to grow. This increasing use is a good thing too. Software and websites being able to use data and functionality from other software and websites helps to create a better browsing experience for users. Furthermore, the government opening up its own data sets helps to increase transparency and accountability. Finally, the UK Government pushing for banks to use open-access APIs is very good, as the implementation of open-access APIs will make the security of the platforms the data is held on even better, thereby helping to make financial institutions and eCommerce sites less vulnerable to attack.