
The IRS Breach and the Importance of Adaptive API Security

Jun 05, 2015

The recent Internal Revenue Service data breach, which used the “Get Transcript” API to access the agency’s data, highlights the increased sophistication of cyber attacks that aim to profit from taxpayers’ personal information. The API in question was used by the IRS’ browser-based app to remotely access IRS systems and was implemented to deliver line-by-line tax return information, account details (marital status and income adjustments, for example), and wage and income statements.

In the United States, tax data is very valuable to cyber criminals, as it can be abused to receive phony refunds (this kind of fraud costs the U.S. approximately $6 billion annually) and to commit mortgage fraud, identity theft, and other crimes. The IRS wasn’t able to detect and block this latest attack because its back-end application authorized users with personally identifiable information (PII) such as social security numbers, which can be gathered through other channels, phishing attacks, or black markets that sell PII data. So the agency’s intrusion detection system wasn’t able to distinguish a legitimate taxpayer access request from a fraudulent one.

The trouble with knowledge-based authentication

The IRS could have employed stronger authentication schemes, such as two-factor authentication using smartphones, but this entails higher implementation and support costs, and can potentially impede user adoption due to a degraded user experience and a lack of phone capabilities such as SMS. Instead, the IRS used a simple authentication mechanism that has a very low barrier to adoption. Unfortunately, it also made it much easier for bots and cyber criminals to steal taxpayer data, and it did so with a 50% success rate.

So how do you verify that the user who claims to be John Doe is indeed John Doe, when your mode of authentication is a simple username and password combination? Is combining this with an additional layer of authorization based on knowledge-based user attributes enough to keep cyber thieves at bay?

The short answer is “no.” This type of knowledge-based authentication is becoming less relevant in today’s world, where the knowledge is no longer a secret. It has become pretty easy for cyber criminals to dig up relevant PII and assume a taxpayer’s identity.

So how can organizations protect their crown jewels while making it easy for users to access their data or transact in a secure way? How can you instill confidence and trust in consumers who are eager to access government, commerce, financial, and healthcare services using smart phones and personal computers?

The adaptive security approach

Organizations have to adopt an adaptive security approach—one that learns consumer behavior and automatically detects and blocks any cyber criminal or bots that may have gained access to consumer usernames, passwords, and other personal attributes used for knowledge-based authentication.

Using machine learning and statistical models, an adaptive security system constantly learns “good behaviors,” which helps it distinguish “bad behaviors” and enforce dynamic policies that block bots from accessing a protected resource (the web, an API, or a datastore).

Bad behaviors manifest in the form of anomalous activities, including:

  • Systematic walk-throughs of the application resource paths by bots

  • Requests originating from a bot network or low-reputation IP address or ISP or compromised proxies and devices (rooted Android devices or PCs with malware, for example)

  • High rates of access from certain IP addresses or end points

  • High rates of access to URIs (resources) that are infrequently accessed by end users (password or home address changes, for example)

  • High rates of form submissions with slight variations in the input parameters (bots using brute force techniques with authentication API calls using random user IDs, for example)

  • High error rates on access to resources, especially those that are available to privileged users or applications
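As an added illustration that is not Apigee’s code, the following Python sketch applies several of the heuristics above to a constructed API access log; the thresholds, the sample clients and the set of rarely used resources are assumptions, not values from the post. Its output is the kind of per-client finding that a closed-loop system could feed into a blocklist or throttling policy.

```python
from collections import defaultdict

# Constructed sample log, one request per line: "client_ip method path status"
LOG_LINES = (
    ["10.0.0.5 GET /transcript 200", "10.0.0.5 GET /account 200"]       # ordinary user
    + [f"203.0.113.7 GET /api/v1/resource{i} 200" for i in range(12)]  # path walk-through
    + [f"198.51.100.9 POST /login?user=u{i} 401" for i in range(8)]    # user-id enumeration
    + ["192.0.2.4 POST /account/address 200"] * 6                      # burst on a rare resource
)

# Assumed baseline of resources that legitimate users rarely touch
RARE_PATHS = {"/account/address", "/account/password"}

def parse(line):
    ip, method, path, status = line.split()
    base, _, query = path.partition("?")
    return ip, method, base, query, int(status)

def detect_anomalies(lines, rate=10, walk=8, err_ratio=0.5, rare_burst=5, variants=5):
    """Return {client_ip: [reasons]} for every client matching at least one heuristic."""
    by_ip = defaultdict(list)
    for line in lines:
        ip, *req = parse(line)
        by_ip[ip].append(req)
    findings = {}
    for ip, reqs in by_ip.items():
        reasons = []
        n = len(reqs)
        paths = [base for _, base, _, _ in reqs]
        distinct = len(set(paths))
        errors = sum(1 for *_, status in reqs if status >= 400)
        if n >= rate:                                   # high rate from one endpoint
            reasons.append("high request rate")
        if distinct >= walk and distinct / n > 0.8:     # many distinct paths, few repeats
            reasons.append("systematic path walk-through")
        if n >= 5 and errors / n >= err_ratio:          # mostly 4xx/5xx responses
            reasons.append("high error rate")
        if sum(p in RARE_PATHS for p in paths) >= rare_burst:
            reasons.append("burst on rarely used resource")
        by_path = defaultdict(set)                      # same form, many parameter variants
        for method, base, query, _ in reqs:
            if method == "POST" and query:
                by_path[base].add(query)
        if any(len(q) >= variants for q in by_path.values()):
            reasons.append("parameter variation on form submissions")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in detect_anomalies(LOG_LINES).items():
        print(ip, "->", ", ".join(reasons))
```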

Gaining visibility into API access anomalies caused by bot activity is an important consideration when implementing an API security and fraud protection program. Bots, also commonly referred to as content scrapers or spiders, are increasingly targeting retailers, e-commerce service providers, and anyone who has valuable content.

Studies show that bot activity represents more than half of overall Internet traffic. Bots are known to target retailers with dynamic pricing, loyalty programs, financial services, services with copyright materials, and intellectual property such as visual designs. They can have a major load impact on a website and API backend infrastructure, create performance headaches for operators, and hurt a company’s brand and bottom line due to content theft or competitive information scraping.

Advanced API analytics 

At Apigee we’ve implemented an adaptive security system using the advanced API analytics capabilities of the Apigee Edge API management product and our Insights predictive analytics product. This advanced analytics functionality provides our customers visibility into bot activities or brute-force attacks against APIs using stolen keys or user account details.

For example, if an API key is breached and abused by hackers to access the APIs in an unauthorized fashion, the bot detection system will detect the anomaly and flag the end points as bots. Furthermore, a full bot protection architecture can be implemented in Edge using an API that automatically imports blacklists from the bot analytics system. Using this closed loop mechanism, bots can be blocked or throttled by Edge, protecting the origin servers from bot traffic.

This adaptive API security system is designed to protect consumers and enterprises by thwarting dynamic threat vectors that are hard to detect with static policies alone.

In summary, an effective API security program requires a layered security approach that combines traditional security controls (authentication, authorization, auditing, encryption, and threat protection) with an adaptive security control that continuously learns and protects APIs from malicious bots. Organizations that invest in the adaptive security approach protect their brand image, reduce fraud and content theft, and safeguard their customer data from malicious bots on the internet.
