Retail
Protection through the killchain
James Sherlow, director field services engineer, EMEA, for Cequence Security discusses how tech retailers can use the ecommerce killchain to protect their APIs.
Online sales have risen fourfold in the last ten years and are set to overtake in-store purchasing by 2028, according to Retail Economics. This is in no small part due to retailers embracing a digital-first strategy that prioritises the use of Application Programming Interfaces (APIs), using these to access backend systems and tie multiple ecommerce systems together to create new products and services. It’s these APIs that deliver browsing or search results, by handling calls to the backend database. They verify inventory status at the click of a mouse, loading a digital shopping cart. And they generate the checkout process, complete with credit card validation and email and shipping confirmation of purchase via third-party APIs. In fact, they’re now seen as so fundamental that APIs have been described as key to creating and supporting significant revenue opportunities.

The flip side of this explosion in API use is that APIs are also increasingly attracting the attention of attackers. The same characteristics that developers love about APIs – flexibility, speed, ease of use – are also loved by attackers, who either find coding errors to exploit, use bots to attack perfectly coded APIs, or combine the two. API attacks have surged over recent years, with attackers using tactics, techniques and procedures (TTPs) to abuse API functionality; these types of attack are documented in the OWASP API Security Top Ten threats.

34 | November/December 2023
Automated attacks
Attacks against retailers are usually automated or carry out business logic abuse, which sees the functionality of the API used against itself. This means that even securely coded APIs can be subjected to attack. These attacks can lead to Account Takeover (ATO), which sees the attack carried out against log-in APIs and can result in card or points theft, fraudulent purchases, or items being resold for profit. Or they might result in content scraping for attack reconnaissance or data exfiltration purposes, whereby APIs are used to call inventory and pricing databases, enabling the extraction of the desired content, such as pricing, part numbers and product descriptions. The business impact of content scraping includes loss of intellectual property, increased competitive pressure on sales margins, and compute resource cost overruns.

Technology retailers are a prime target for online fraud and scalpers due to the high-value items they ship. APIs have made it much easier for these retailers to launch special promotions and flash sales, which naturally lead to traffic spikes. ‘The API Protection Report’ found that there was a 550% increase in the unique TTPs used by attackers against sites during the second half of the year, rising
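The two abuse patterns described above, credential stuffing against a log-in API and sequential product enumeration (content scraping), can both be picked out of ordinary API access logs without inspecting request bodies. The Python below is an added example and is not code from the article or from Cequence Security; the JSON-lines log records, the endpoint paths (/api/login, /api/products/{id}), the IP addresses and the detection thresholds are all assumptions constructed for illustration.

```python
"""Detect two automated API abuse patterns in access logs.

Added example: the log lines, endpoint paths and thresholds below are
assumptions constructed for illustration, not data from the article.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines API access log (not real traffic).
# 203.0.113.5 sprays one password across many usernames (credential stuffing),
# 192.0.2.9 walks product IDs in order (content scraping),
# 198.51.100.7 is an ordinary shopper who mistyped a password once.
SAMPLE_LOG = """
{"ts":"2023-11-01T10:00:00","ip":"203.0.113.5","method":"POST","path":"/api/login","status":401,"user":"alice"}
{"ts":"2023-11-01T10:00:01","ip":"203.0.113.5","method":"POST","path":"/api/login","status":401,"user":"bob"}
{"ts":"2023-11-01T10:00:02","ip":"203.0.113.5","method":"POST","path":"/api/login","status":401,"user":"carol"}
{"ts":"2023-11-01T10:00:03","ip":"203.0.113.5","method":"POST","path":"/api/login","status":401,"user":"dave"}
{"ts":"2023-11-01T10:00:04","ip":"203.0.113.5","method":"POST","path":"/api/login","status":200,"user":"erin"}
{"ts":"2023-11-01T10:05:00","ip":"198.51.100.7","method":"POST","path":"/api/login","status":401,"user":"frank"}
{"ts":"2023-11-01T10:05:30","ip":"198.51.100.7","method":"POST","path":"/api/login","status":200,"user":"frank"}
{"ts":"2023-11-01T10:06:00","ip":"198.51.100.7","method":"GET","path":"/api/products/2050","status":200,"user":"frank"}
{"ts":"2023-11-01T10:06:20","ip":"198.51.100.7","method":"GET","path":"/api/products/1310","status":200,"user":"frank"}
{"ts":"2023-11-01T10:06:45","ip":"198.51.100.7","method":"GET","path":"/api/products/1311","status":200,"user":"frank"}
{"ts":"2023-11-01T10:07:10","ip":"198.51.100.7","method":"GET","path":"/api/products/4000","status":200,"user":"frank"}
{"ts":"2023-11-01T10:07:40","ip":"198.51.100.7","method":"GET","path":"/api/products/77","status":200,"user":"frank"}
{"ts":"2023-11-01T10:08:05","ip":"198.51.100.7","method":"GET","path":"/api/products/1312","status":200,"user":"frank"}
{"ts":"2023-11-01T11:00:00","ip":"192.0.2.9","method":"GET","path":"/api/products/1001","status":200,"user":null}
{"ts":"2023-11-01T11:00:01","ip":"192.0.2.9","method":"GET","path":"/api/products/1002","status":200,"user":null}
{"ts":"2023-11-01T11:00:02","ip":"192.0.2.9","method":"GET","path":"/api/products/1003","status":200,"user":null}
{"ts":"2023-11-01T11:00:03","ip":"192.0.2.9","method":"GET","path":"/api/products/1004","status":200,"user":null}
{"ts":"2023-11-01T11:00:04","ip":"192.0.2.9","method":"GET","path":"/api/products/1005","status":200,"user":null}
{"ts":"2023-11-01T11:00:05","ip":"192.0.2.9","method":"GET","path":"/api/products/1006","status":200,"user":null}
{"ts":"2023-11-01T11:00:06","ip":"192.0.2.9","method":"GET","path":"/api/products/1007","status":200,"user":null}
{"ts":"2023-11-01T11:00:07","ip":"192.0.2.9","method":"GET","path":"/api/products/1008","status":200,"user":null}
"""

PRODUCT_RE = re.compile(r"^/api/products/(\d+)$")  # assumed endpoint shape


def parse_log(text):
    """Parse JSON-lines records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_credential_stuffing(events, min_failures=4, min_users=3, window_s=60):
    """Flag source IPs with >= min_failures failed log-ins spread over
    >= min_users distinct usernames inside a window_s-second window.
    A real user retries the same username; a stuffing bot rotates them."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/api/login" and e["status"] == 401:
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits window_s.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                flagged[ip] = {"failures": len(window), "distinct_users": len(users)}
                break
    return flagged


def detect_enumeration(events, min_requests=6, min_sequential_ratio=0.8):
    """Flag source IPs that walk /api/products/{id} in ID order.
    Each +1 step between consecutive requests counts as sequential;
    a shopper following search results jumps around the ID space."""
    ids_by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        m = PRODUCT_RE.match(e["path"])
        if e["method"] == "GET" and m:
            ids_by_ip[e["ip"]].append(int(m.group(1)))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_requests:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {"requests": len(ids), "sequential_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("enumeration:", detect_enumeration(evs))
```

Keying on source IP is only a starting point: the bot traffic the article describes is typically spread across rotating residential proxies, so in practice the same counters are also kept per session token, device fingerprint or TLS client fingerprint, and the thresholds are tuned against a baseline of legitimate traffic, particularly around the flash-sale spikes the article mentions, where genuine users also retry log-ins and hammer product pages.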
www.pcr-online.biz