Sunday, May 5, 2024



Enterprise security isn’t simple. Small oversights around systems and vulnerabilities can lead to data breaches that affect tens of millions of customers. Unfortunately, one of the most common oversights is in the realm of APIs.

Just yesterday, T-Mobile revealed that a threat actor stole the personal information of 37 million postpaid and prepaid customer accounts via an exposed API (which they exploited between November 25, 2022 and January 5, 2023). The vendor didn’t share how the hackers exploited the API.

This incident highlights that API security should be at the top of the agenda for CISOs and organizations if they want to safeguard customer data from falling into the wrong hands.

The trend of API exploitation

With cloud adoption increasing dramatically over the past few years, analysts have long warned enterprises that a tidal wave of API exploitation has been brewing. Back in 2021, Gartner predicted that in 2023, API abuse would move from rare to the most frequent attack vector.


These predictions appear to be accurate, with research showing that 53% of security and engineering professionals reported their organizations experienced a data breach of a network or app due to compromised API tokens.

In addition, just a month ago, hackers exposed the account and email addresses of 235 million Twitter users after exploiting an API vulnerability originally shipped in June 2021, which was later patched.

As threat actors look to exploit APIs more often, organizations can’t afford to rely on legacy cybersecurity solutions to protect this vast attack surface. Unfortunately, upgrading to up-to-date solutions is easier said than done.


“Unauthorized API access can be extremely difficult for organizations to monitor and investigate — especially for enterprise companies — due to the sheer volume of them,” said Chris Doman, CTO and cofounder of Cado Security.

“As more organizations are moving data to the cloud, API security becomes even more pertinent with distributed systems,” Doman said.

Doman notes that organizations looking to insulate themselves from incidents like the one T-Mobile experienced need to have “proper visibility” into API access and activity, beyond traditional logging.

This is essential because logging can be sidestepped, as was the case with a vulnerability in AWS’ APIs that allowed attackers to bypass CloudTrail logging.
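Doman’s point about visibility beyond traditional logging, together with the CloudTrail bypass just mentioned, suggests two concrete checks a security team can run over its own API access data. The Python below is an added example, not code from the article or from any vendor quoted in it: it flags tokens that read an implausible number of distinct customer records (the access pattern that a bulk harvest through a single-record lookup API produces), and it cross-checks an API gateway log against the backend service’s own audit log so that requests which reached the service without passing through the logging layer become visible. The endpoint shape, the field names, the threshold and every log record are constructed assumptions for the demonstration.

```python
"""Two visibility checks over API access logs: an enumeration detector and a
cross-check between two independent log sources.  Added example; the log
formats, field names and thresholds are assumptions, and all records are
constructed for the demonstration."""
import json
import re
from collections import defaultdict

# Assumed shape of the customer-lookup endpoint being monitored.
CUSTOMER_PATH = re.compile(r"^/v1/customers/(\d+)$")


def make_gateway_log():
    """Constructed gateway log (JSON lines): tok-A re-reads one account, which
    is what a customer's own app does; tok-B walks 40 consecutive account ids."""
    recs = [{"req": f"r{i}", "token": "tok-A",
             "path": "/v1/customers/1001", "status": 200} for i in range(8)]
    recs += [{"req": f"r{100 + i}", "token": "tok-B",
              "path": f"/v1/customers/{5000 + i}", "status": 200} for i in range(40)]
    return "\n".join(json.dumps(r) for r in recs)


def make_backend_audit():
    """Constructed backend audit log: everything the gateway saw, plus two
    requests that reached the service without passing through the gateway."""
    recs = [json.loads(line) for line in make_gateway_log().splitlines()]
    recs += [{"req": "r900", "token": "tok-B", "path": "/v1/customers/5100", "status": 200},
             {"req": "r901", "token": "tok-B", "path": "/v1/customers/5101", "status": 200}]
    return "\n".join(json.dumps(r) for r in recs)


def parse(log_text):
    """Parse JSON-lines log text into a list of record dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def accounts_per_token(records):
    """Map each token to the set of distinct customer ids it successfully read."""
    seen = defaultdict(set)
    for r in records:
        m = CUSTOMER_PATH.match(r["path"])
        if m and r["status"] == 200:
            seen[r["token"]].add(int(m.group(1)))
    return seen


def flag_enumeration(records, max_distinct=10):
    """Return tokens that read more distinct accounts than one user plausibly
    owns (threshold is an assumption), noting whether the ids form a
    contiguous run, the signature of a sequential id walk."""
    flagged = {}
    for token, ids in accounts_per_token(records).items():
        if len(ids) > max_distinct:
            ordered = sorted(ids)
            contiguous = ordered[-1] - ordered[0] + 1 == len(ordered)
            flagged[token] = {"distinct_accounts": len(ids), "contiguous": contiguous}
    return flagged


def find_unlogged_requests(gateway_records, backend_records):
    """Request ids present in the backend audit log but absent from the
    gateway log: traffic that reached the service around the logging layer."""
    gw_ids = {r["req"] for r in gateway_records}
    return sorted(r["req"] for r in backend_records if r["req"] not in gw_ids)


if __name__ == "__main__":
    gw, be = parse(make_gateway_log()), parse(make_backend_audit())
    print("enumeration candidates:", flag_enumeration(gw))
    print("requests missing from gateway log:", find_unlogged_requests(gw, be))
```

Both checks are deliberately simple. In practice the threshold would come from a per-client-type baseline rather than a constant, and the second check only works when a request identifier is propagated end to end so that the two logs can be joined; the value of the cross-check is precisely that it does not depend on any single log source being complete.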

How bad is the T-Mobile API data breach?

While T-Mobile has claimed that the attackers weren’t able to access customers’ payment card information, passwords, driver’s licenses, government IDs or social security numbers, the data that was harvested provides ample material for social engineering attacks.

“Although T-Mobile has publicly disclosed the severity of the incident, alongside its response — cutting off threat-actor access via the API exploit — the breach still compromised billing addresses, emails, phone numbers, birth dates and more,” said Cliff Steinhauer, director of information security and engagement at NCA.

“It’s basic information, but just enough to map out and execute a convincing enough social engineering campaign that can strengthen bad actors’ capacity for new attacks,” Steinhauer said.

These attacks include phishing, identity theft, business email compromise (BEC) and ransomware.

Why do API breaches happen?

APIs are a prime target for threat actors because they facilitate communication between different apps and services. Each API sets out a mechanism for sharing data with third-party services. If an attacker discovers a vulnerability in one of these services, they can gain access to the underlying data as part of a man-in-the-middle attack.


There is a rise in API-based attacks, not because these components are inherently insecure, but because many security teams don’t have the processes in place to identify and classify APIs at scale, let alone remediate vulnerabilities.

“APIs are designed to provide ready access to applications and data. This is a great benefit to developers, but also a boon for attackers,” said Mark O’Neill, VP analyst at Gartner. “Protecting APIs starts with discovering and categorizing your APIs. You can’t secure what you don’t know.”

Of course, inventorying APIs is just the tip of the iceberg; security teams also need a strategy to secure them.

“Then it involves the use of API gateways, web application and API protection (WAAP), and application security testing. A key problem is that API security falls into two groups: engineering teams, who lack security skills, and security teams, who lack API skills.”

Thus, organizations need to adopt a DevSecOps-style approach to better assess the security of applications in use (or in development) across the environment, and develop a strategy to secure them.

Identifying and mitigating API vulnerabilities

One way organizations can begin to identify vulnerabilities in APIs is to implement penetration testing. Conducting an internal or third-party-led penetration test can help security teams see how susceptible to exploitation an API is, and provide actionable steps on how they can improve their cloud security posture over time.

“For all types of software, it’s vital that companies use updated code and check the security of their systems, e.g., by arranging penetration testing — a security assessment that simulates various types of intruders … the goal of which is to elevate the current privileges and access the environment,” said David Emm, principal security researcher at Kaspersky.

In addition, it’s a good idea for organizations to invest in incident response, so that if an API is exploited, they can respond quickly to limit the impact of the breach.


“To be on the safe side when a company is faced with an incident, incident response services can help minimize the consequences, in particular by identifying compromised nodes and protecting the infrastructure from similar attacks in the future,” Emm said.

The role of zero trust

Unauthenticated, public-facing APIs are susceptible to malicious API calls, where an attacker will attempt to connect to the entity and exfiltrate all the data it has access to. In the same way that you wouldn’t implicitly trust a user to access PII, you shouldn’t automatically trust an API either.

That’s why it’s important to implement a zero trust strategy, and deploy an authentication and authorization mechanism for each individual API to prevent unauthorized individuals from accessing your data.

“When you have sensitive data (in this case customer phone numbers, billing and email addresses, etc.) sprawled across databases, mixed with other data, and access to that data not properly managed, these types of breaches are hard to avoid,” said Anshu Sharma, co-founder and CEO of Skyflow.

“The best-run companies with the most sensitive data know that they must adopt new zero-trust architectures. Bad actors are getting smarter. Adopting new privacy technology isn’t an option anymore, it’s table stakes,” Sharma said.

Combining access control frameworks like OAuth2 with authentication measures such as username and password and API keys can help enforce the principle of least privilege and ensure that users have access only to the data they need to perform their role.
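As an added illustration of the per-API authentication and least-privilege authorization this section describes (example code written for this page, not from the article, Skyflow or any other vendor named here), the Python below guards a hypothetical customer-lookup endpoint: it rejects missing, unknown or expired bearer tokens, requires a relevant scope for the call, and then applies an object-level check so that a customer-scoped token can read only its own record while a support-scoped token can read any. The token table stands in for the result an OAuth2 authorization server would return when validating or introspecting a token; all tokens, scopes and customer records are constructed.

```python
"""Scope-plus-ownership authorization for a hypothetical customer-lookup
endpoint.  Added example; tokens, scopes and records are constructed, and the
token table stands in for an OAuth2 authorization server's introspection."""
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    subject: str          # who the token represents, e.g. "cust:1001"
    scopes: frozenset     # granted scopes; least privilege means as few as possible
    expires_at: float     # unix time after which the token is invalid


_NOW = time.time()

# Constructed token table (assumption: in production these come from validating
# a signed token or calling the authorization server's introspection endpoint).
TOKENS = {
    "tok-customer-1001": Principal("cust:1001", frozenset({"customers:read:self"}), _NOW + 3600),
    "tok-support-agent": Principal("emp:support-42", frozenset({"customers:read:any"}), _NOW + 3600),
    "tok-partner-app": Principal("app:partner-7", frozenset({"plans:read"}), _NOW + 3600),
    "tok-expired": Principal("cust:1002", frozenset({"customers:read:self"}), _NOW - 1),
}

# Constructed customer records standing in for the data store.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.test", "phone": "+1-555-0100"},
    1002: {"name": "B. Example", "email": "b@example.test", "phone": "+1-555-0101"},
    5000: {"name": "C. Example", "email": "c@example.test", "phone": "+1-555-0102"},
}


def authenticate(headers):
    """Return the Principal for a valid, unexpired bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for known, principal in TOKENS.items():
        # constant-time comparison so response timing does not leak token bytes
        if hmac.compare_digest(known.encode(), presented):
            return principal if principal.expires_at > time.time() else None
    return None


def authorize_customer_read(principal, customer_id):
    """Scope check followed by object-level (ownership) check; deny by default."""
    if "customers:read:any" in principal.scopes:
        return True
    if "customers:read:self" in principal.scopes:
        return principal.subject == f"cust:{customer_id}"
    return False


def get_customer(headers, customer_id):
    """Handler for GET /v1/customers/{id}; returns (status, body)."""
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    record = CUSTOMERS.get(customer_id)
    if record is None or not authorize_customer_read(principal, customer_id):
        # identical response for "no such record" and "not your record"
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    own = {"Authorization": "Bearer tok-customer-1001"}
    print(get_customer(own, 1001))   # the caller's own record
    print(get_customer(own, 5000))   # someone else's record: not found
    print(get_customer({}, 1001))    # no credentials at all
```

Two design choices matter here. The scope check alone is not enough: a token that is allowed to call the endpoint must still be tied to the specific record it asks for, which is the object-level check. And returning the same 404 for “no such record” and “not your record” gives a caller no signal about which identifiers exist, so a single-record lookup cannot be turned into a way to confirm valid account ids.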

Original article: VentureBeat, https://venturebeat.com/security/t-mobile-data-breach-shows-api-security-cant-be-ignored/
