It should come as no surprise that banks and other financial service providers are a favorite target of hackers. The volume of attacks they face, however, is truly shocking.
A new report (PDF link) from Akamai Technologies released this week revealed some staggering figures about one kind of attack: fraudulent logins. Over a two-year period ending in November of last year, Akamai tracked more than 85.4 billion malicious login attempts.
On August 7th of last year, however, a single financial service business was faced with a full-on assault. Akamai reported over 55 million malicious login attempts during the attack.
You read that correctly: one victim, one day, more than twice the number of fraudulent login attempts Akamai logged on an average day for every entity it monitored for such attacks.
An average of more than 22 million are logged every single day. There are peaks and valleys, naturally, with malicious activity ramping up whenever a new password dump makes the rounds on underground hacking forums.
While you might think this sort of activity is aimed at breaking into user accounts, that’s not always the case. Over the past few years cybercriminals have increasingly turned their attention to API (application programming interface) endpoints.
A successful brute force attack on a single user’s account can lead to a treasure trove of sensitive data and even access to the victim’s savings. A successful attack on an API endpoint has the potential to compromise an entire business — or even multiple businesses.
Normally, the financial services sector accounts for about 10% of all API login attacks. Twice last year that percentage jumped dramatically: in May to 80% and in October to 75%.
It’s a huge problem, and one that’s not going to go away any time soon. Not all APIs are created equal, and many that are widely used don’t place any limitations on login attempts. Instead, they keep allowing the attempts until the person (or bot) attempting to log in succeeds or gives up.
Businesses — especially those in the finance sector — certainly don’t need to be creating that sort of opportunity for hackers.
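The limitation the article says many APIs lack is cheap to add at the endpoint. The example below is added here and is not code from the Akamai report or from any product the article mentions; it is a small in-memory throttle that decides, before a password is even checked, whether an attempt should be allowed. It tracks three things in a sliding window: failures per account (catches a brute-force run against one user), failures per source IP, and the number of distinct usernames one IP has tried (the credential-stuffing shape, where each account sees only one or two tries and a per-account limit never trips). The thresholds, timestamps and addresses are constructed for illustration; the IPs come from documentation ranges.

```python
"""Sliding-window throttling for a login endpoint.

Added example (not from the Akamai report or the article): an in-memory
throttle that rejects an attempt before the credential check when an
account, a source IP, or an IP's spread of distinct usernames exceeds a
threshold inside a sliding window. Thresholds and sample events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: float          # seconds; constructed timestamps in the scenarios below
    ip: str
    username: str
    password_ok: bool  # outcome the credential check would produce (constructed)


class LoginThrottle:
    """Counts recent failures per account and per IP, and distinct usernames per IP."""

    def __init__(self, window_s=300, max_fail_per_account=5,
                 max_fail_per_ip=20, max_accounts_per_ip=8):
        self.window_s = window_s
        self.max_fail_per_account = max_fail_per_account
        self.max_fail_per_ip = max_fail_per_ip
        self.max_accounts_per_ip = max_accounts_per_ip
        self._account_fails = defaultdict(deque)  # username -> deque[ts]
        self._ip_fails = defaultdict(deque)       # ip -> deque[ts]
        self._ip_users = defaultdict(deque)       # ip -> deque[(ts, username)]

    def _prune(self, dq, now, key=lambda e: e):
        """Drop entries that fell out of the window ending at `now`."""
        cutoff = now - self.window_s
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def decide(self, a):
        """Return 'allow' or a rejection reason, evaluated before any credential check."""
        self._prune(self._account_fails[a.username], a.ts)
        self._prune(self._ip_fails[a.ip], a.ts)
        self._prune(self._ip_users[a.ip], a.ts, key=lambda e: e[0])
        if len(self._account_fails[a.username]) >= self.max_fail_per_account:
            return "lock_account"
        if len(self._ip_fails[a.ip]) >= self.max_fail_per_ip:
            return "block_ip"
        seen = {u for _, u in self._ip_users[a.ip]}
        # Many distinct usernames from one source with few tries each is the
        # credential-stuffing shape; a per-account limit alone never trips on it.
        if len(seen) >= self.max_accounts_per_ip and a.username not in seen:
            return "credential_stuffing_suspected"
        return "allow"

    def record(self, a, failed):
        """Record the outcome; a success clears the account's failure history."""
        self._ip_users[a.ip].append((a.ts, a.username))
        if failed:
            self._account_fails[a.username].append(a.ts)
            self._ip_fails[a.ip].append(a.ts)
        else:
            self._account_fails[a.username].clear()


def run_scenario(attempts, throttle=None):
    """Feed attempts through the throttle; rejected attempts count as failures."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for a in attempts:
        d = throttle.decide(a)
        decisions.append(d)
        throttle.record(a, failed=(d != "allow") or not a.password_ok)
    return decisions


# Constructed scenario 1: one IP sprays twelve usernames with one wrong password each.
STUFFING = [LoginAttempt(float(i), "203.0.113.7", f"user{i:02d}", False)
            for i in range(12)]

# Constructed scenario 2: one account hammered from rotating IPs, then a
# legitimate login after the window has expired.
BRUTE_FORCE = [LoginAttempt(float(i), f"198.51.100.{i + 1}", "alice", False)
               for i in range(7)]
BRUTE_FORCE.append(LoginAttempt(400.0, "198.51.100.9", "alice", True))

if __name__ == "__main__":
    for name, events in (("stuffing", STUFFING), ("brute-force", BRUTE_FORCE)):
        print(name, run_scenario(events))
```

In the first scenario the per-account counter never exceeds one, so only the distinct-usernames check fires, from the ninth attempt on; in the second the rotating IPs defeat the per-IP counter and the per-account lock is what stops it, releasing once the window passes. Two caveats for real deployments: the counters need to live in a shared store, not process memory, so that every API node sees the same state, and the distinct-usernames signal will false-positive behind large NATs or corporate proxies, so it is better treated as a step-up (challenge, MFA prompt) than a hard block.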