BLOG

Combat Account Takeover Fraud with Real-Time API Security

Beth McElroy Miniature
Beth McElroy
Published February 09, 2024

According to a recent Google Cloud research report, half of the organizations surveyed have experienced an API security incident in the past 12 months.1 The rise of account takeover attacks through APIs increases business risk—leading to potential loss of revenue and customer trust—and adds stress to the application teams responsible for product releases by disrupting delivery, deployment, and maintenance processes.

Discuss pressing API security issues to better navigate the threat landscape

As organizations grapple with the reality of API-based security incidents, many are looking for straightforward, practical approaches to get ahead of threats without destroying their operational workflows. They're asking, "What steps are we taking to analyze API traffic, detect bots and abuse, and prevent unauthorized access that could result in fraud or data theft?"

Recently, several app developers and security experts joined F5 and Google Cloud for a conversation focused on thwarting the account takeover menace that can wreak havoc through their applications' numerous APIs.

This webinar—Thwart the Account Takeover Menace – Join the API Security Conversation—was designed to help DevOps and InfoSec teams join forces to address these API security challenges successfully. Topics included:

  • The current threat landscape targeting APIs
  • Why legacy bot detection techniques have become ineffective
  • Ways to mitigate potential brand and reputational damage

If you couldn't attend the live session, don't worry; you can catch some of the highlights in this blog post and also access the on-demand recording.

Prepare, protect, and respond

As the conversation unfolded, our panel shared how APIs can create security risks and what  organizations can do to prevent API-based account takeovers. They emphasized that the digital attack surface has expanded exponentially due to the vast number of APIs now in use, and many organizations simply lack the visibility required for effective protection. To gain adequate visibility, our experts encouraged organizations to answer the following questions:

  • What APIs exist in our environment?
  • What resources can be accessed by those APIs?
  • Who utilizes the APIs?
  • What specific business vulnerabilities are exposed by those APIs?

To effectively battle API-enabled cyberthreats, organizations must figure out the best ways for their DevOps, InfoSec, and business teams to come together to implement protections before the bad actors succeed in their attempts to take over user accounts. An effective cybersecurity program requires a comprehensive strategy that includes the right tools and intelligence, a robust cross-functional plan, effective team collaboration, the ability to assess and measure progress and posture, and the confidence to honestly report to leadership and to the organization as a whole how the strategy is working.

To improve defenses, our experts recommend adding protections during application development and delivery and incorporating real-time monitoring following delivery, which allows teams to respond expeditiously before something terrible happens. This comprehensive, multi-layered approach allows for the scalable capture of a mix of multicloud network traffic and distributed application and API data while automatically discerning good versus bad behavior and activity.

Ultimately, API security boils down to getting the best visibility possible and having real-time runtime intelligence to handle each scenario properly.

Scale and protect API-enabled growth

The discussions held during the webinar highlighted that many DevOps and InfoSec experts already understand the importance of API security and recognize the value of balancing a frictionless customer experience with advanced protection from automated, bot-enabled account takeover. But while the recognition exists, many still struggle to find effective, scalable ways to tackle these challenges.

To address these difficulties, the panel presented some use cases and case studies highlighting best practices for communicating with the key stakeholders responsible for protecting the app-driven growth their organizations expect. These tactics include asking strategic, targeted questions such as:

Application Development: How are you currently securing APIs against account takeover attacks? How are you ensuring APIs don't expose customer data or create compliance risks?

Security Operations: Do you have complete visibility into which accounts may be vulnerable? Are you able to monitor API traffic for signs of abuse or compromise?

Network Operations: How are you securing API traffic across your network infrastructure? Do you have concerns about malicious bots or scripts abusing APIs?

Business Management: Account security is critical for maintaining customer trust and preventing revenue loss from fraudulent transactions. What metrics are you tracking regarding breaches?

Google and F5 Bring Real-Time Runtime API Protections to Life

Most API-driven threats are now automated, rapidly adapting to dynamic changes in the environment and evolving to become even more clever at bypassing protections and avoiding detection. Effective API security depends on an organization's ability to integrate advanced, automated protections into its continuous integration/continuous delivery (CI/CD) pipeline, operations, infrastructure, and workflows without introducing friction into the delivery process or user experience.

Google Cloud and F5 have the solutions and expertise to help organizations combat account takeover fraud in a unified way across every environment—data centers, clouds, and architectures. Real-time runtime API protections make it easier for DevOps and InfoSec teams to come together to:

  • Automatically discover endpoints mapped to applications
  • Define and apply allow lists or deny lists for unwanted connections
  • Analyze network, device, and environmental telemetry
  • Detect anomalous behavior in real time

We invite you to learn about the API security challenges others have encountered and the solutions they have employed by accessing the full on-demand recording of the webinar, Thwart the Account Takeover Menace – Join the API Security Conversation. We're confident you'll find answers to many of your questions regarding your own account takeover protection measures as you seek to define and implement a more effective API security program.

If you have any additional questions, we welcome a follow-up conversation. Contact one of the API protection experts on our F5 Distributed Cloud team, and be sure to try the F5 Distributed Cloud Web App and API Protection (WAAP) simulator here: https://simulator.f5.com/s/waap