Page 16 - GS200302
Views

The very point of sale

Passwords are so passé

By Dale S. Laszig

Most mobile app users know passwords alone are insufficient protection against automated attacks, but old habits die hard. The recent attack on J. Crew is one more wake-up call in a litany of worst case scenarios that highlight the need for multilayered security, according to Jason Kent, hacker in residence at Cequence Security. Kent told The Green Sheet that he sees automated attacks on mobile applications every day.

These attacks typically throw massive swaths of usernames against an application to see if the application prompts for a password. When the app recognizes a username, hackers begin the second attack phase by trying different password combinations. "Eventually the attacker learns the usernames and passwords of several accounts and in the next phase they attack," Kent said. "Both the testing and the attack are noisy but often we find organizations aren't instrumented to see the testing and attack phases."

As mobile app adoption grows, we need stronger authentication methods. A recent Harris Poll conducted by Ondot Systems showed 64 percent of U.S. consumers believe technology companies can significantly improve financial products and services. Survey respondents between the ages of 18 and 44 would consider purchasing a financial product from a tech company for the following reasons: tech companies make products that are more convenient to use (35 percent), have built-in tools to control budget/spending (30 percent) and provide better technology/digital features (28 percent).

"Technology companies have spent years and billions of dollars designing customer-centric platforms that deliver an easy user experience, Apple Card's instant issuance feature being a recent example," said Vaduvur Bharghavan, CEO of Ondot Systems. "As a result, consumers have incredibly high expectations of the companies with which they do business, including financial institutions."

High expectations, high crimes

Kent pointed out that their agile and user-friendly design makes mobile app APIs particularly vulnerable to massive, orchestrated attacks, and such automated attacks can be difficult to detect because APIs are designed to be fast and to accommodate thousands of transactions per second. Consumers and merchants who are conscious of where these attacks will likely occur can protect vulnerable endpoints and minimize exposure, he noted, adding that people don't have any idea of how easily a hacker can crack usernames and passwords.

"The challenge is that this type of vulnerability is often considered low risk because it is up to the user to have a good password, change it regularly, include special characters, etc.," Kent said. "In this case it's easy to see that even though the user has some responsibility, the system shouldn't be built in such a way that an attacker can test credentials and later construct an automated attack that isn't noticed."

To further illustrate mobile app vulnerability, Kent recalled that API layers were originally created for internal traffic, before mobile traffic became widespread. During this simple jump from internal to external use, developers weren't looking at the vulnerabilities of high-speed transaction models. Failure to follow security basics in an architecture that supported a huge transaction load gave automated attackers a great environment for efficient testing, he said.

How can we be safe?

Kent noted that mobile app developers and deployers can take steps to build more secure apps and detect anomalous, automated attacks. He provided the following guidelines:

• Know your network: The first step is having a thorough knowledge and updated inventory of all network endpoints and APIs to figure out what is needed, Kent stated. This includes APIs that have recently been changed or up-versioned and old APIs that are left on. Just adding security to new API endpoints doesn't go far enough because attackers look at all the old applications to see which APIs are still on or have changed.

• Understand API resilience: Next, understand what abuse the API can take. Can I login 500 times in a row? Can I take my session tokens and use them to get another user's information? What does registration and password resetting look like? Attackers can and will exploit these simple mechanisms to attack, Kent said. Familiarity with abuse cases can mitigate attacks.

• Watch out for bots: Organizations that detect anomalous behavior and bot activities can mitigate numerous attacks because they will understand if a request is coming from a known bad actor or location, or trying to use an old session, such as Consumer A using a token assigned to Consumer B. Having this type of intelligence can make the difference between exposing an API for attackers to play with at will and having a protected application that takes attackers on a journey they weren't expecting, Kent
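Kent's remark that organizations often "aren't instrumented to see the testing and attack phases" suggests what a minimal detector for those phases looks like. The following is an added example written for this page, not code from Cequence Security or from the article. It assumes a constructed CSV log with a hypothetical username-check endpoint (/api/check-user) that answers 200 for a known account and 404 otherwise, a /api/login endpoint, and an account endpoint, and all thresholds are assumed tuning values. It flags the three behaviours the guidelines name: a burst of distinct usernames from one source (the first attack phase), a burst of failed logins from the same source (the second phase), and a session token issued to one consumer being presented for another consumer's account.

```python
"""Sliding-window detection of the attack phases Kent describes: username
probing, password testing, and reuse of another user's session token.
Added example for this page; not code from Cequence Security or The Green Sheet."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed: size of the sliding window for the burst rules
ENUM_THRESHOLD = 5    # assumed: distinct usernames probed from one source per window
FAIL_THRESHOLD = 5    # assumed: failed logins from one source per window

# Constructed sample log (not captured traffic). Field order:
# ts,src_ip,endpoint,user,token,status
# On a successful /api/login the token field is the session token issued;
# on every other request it is the token the client presented ("-" if none).
SAMPLE_LOG = """\
1000,198.51.100.7,/api/login,carol,tok-carol,200
1001,198.51.100.7,/api/account,carol,tok-carol,200
1005,203.0.113.9,/api/check-user,alice,-,200
1006,203.0.113.9,/api/check-user,bob,-,404
1007,203.0.113.9,/api/check-user,carol,-,200
1008,203.0.113.9,/api/check-user,dave,-,404
1009,203.0.113.9,/api/check-user,erin,-,200
1010,203.0.113.9,/api/check-user,frank,-,404
1100,203.0.113.9,/api/login,alice,-,401
1101,203.0.113.9,/api/login,alice,-,401
1102,203.0.113.9,/api/login,carol,-,401
1103,203.0.113.9,/api/login,carol,-,401
1104,203.0.113.9,/api/login,erin,-,401
1105,203.0.113.9,/api/login,erin,tok-erin,200
1200,203.0.113.9,/api/account,carol,tok-erin,200
"""


def parse_line(line):
    """Split one CSV log line into a dict; timestamp and status become ints."""
    ts, src, endpoint, user, token, status = line.split(",")
    return {"ts": int(ts), "src": src, "endpoint": endpoint,
            "user": user, "token": token, "status": int(status)}


def _trim(window, now):
    """Drop window entries older than WINDOW_SECONDS; entries are (ts, payload)."""
    while window and window[0][0] < now - WINDOW_SECONDS:
        window.popleft()


def detect(log_text):
    """Return a list of (kind, src_ip, detail) findings, in log order.

    kinds: username_enumeration, credential_testing, unknown_token, token_misuse
    """
    findings = []
    probes = defaultdict(deque)    # src -> deque of (ts, username) for /api/check-user
    failures = defaultdict(deque)  # src -> deque of (ts, username) for failed logins
    token_owner = {}               # session token -> user it was issued to
    alerted = set()                # (kind, src) pairs already reported, to avoid repeats

    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        src, now = ev["src"], ev["ts"]

        if ev["endpoint"] == "/api/check-user":
            # Phase 1: a username oracle (200 vs 404) lets a bot learn which accounts exist.
            probes[src].append((now, ev["user"]))
            _trim(probes[src], now)
            distinct = {u for _, u in probes[src]}
            if len(distinct) >= ENUM_THRESHOLD and ("username_enumeration", src) not in alerted:
                alerted.add(("username_enumeration", src))
                findings.append(("username_enumeration", src,
                                 f"{len(distinct)} distinct usernames probed within {WINDOW_SECONDS}s"))

        elif ev["endpoint"] == "/api/login":
            if ev["status"] == 200:
                # Remember which user each issued session token belongs to.
                token_owner[ev["token"]] = ev["user"]
            else:
                # Phase 2: password testing against usernames confirmed in phase 1.
                failures[src].append((now, ev["user"]))
                _trim(failures[src], now)
                if len(failures[src]) >= FAIL_THRESHOLD and ("credential_testing", src) not in alerted:
                    alerted.add(("credential_testing", src))
                    findings.append(("credential_testing", src,
                                     f"{len(failures[src])} failed logins within {WINDOW_SECONDS}s"))

        elif ev["token"] != "-":
            # Session checks: a token must have been issued and must belong to the
            # user whose data is requested (Consumer A must not use Consumer B's token).
            owner = token_owner.get(ev["token"])
            if owner is None:
                findings.append(("unknown_token", src,
                                 f"token {ev['token']} was never issued or has expired"))
            elif owner != ev["user"]:
                findings.append(("token_misuse", src,
                                 f"token issued to {owner} used to access {ev['user']}'s account"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:22} {src:15} {detail}")
```

Run against the constructed log, the detector reports one finding per phase, all from the same source address. The 200/404 difference on the username-check endpoint is the oracle that makes the first phase possible; returning an identical response whether or not the account exists removes that signal at the source, and detection of the kind shown here is the second layer for the phases that remain noisy.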