It should come as no surprise that banking institutions and other financial service providers are a favorite target of hackers. The quantity of attacks they face, however, is truly shocking.
A new report (PDF link) from Akamai Technologies released this week revealed some staggering figures about one kind of attack: fraudulent logins. Over a 2-year period ending in November of last year, Akamai tracked more than 85.4 billion malicious login attempts.
On August 7th of last year, however, a single financial service business was faced with a full-on assault. Akamai reported over 55 million malicious login attempts during the attack.
You read that correctly: one victim, one day, more than twice the number of fraudulent login attempts Akamai logged on an average day for each entity it monitored for such attacks.
An average of more than 22 million is logged each day. There are peaks and valleys, naturally, with malicious activity ramping up every time a new password dump makes the rounds on dark web hacking forums.
While you may think this type of activity is targeted at breaking into user accounts, that isn’t always the case. In the last few years, cyber-criminals have increasingly turned their focus to API (application programming interface) endpoints.
A successful brute force attack on a single user’s account can lead to a treasure trove of sensitive data and also access to the victim’s savings. A successful attack on an API endpoint has the potential to compromise a whole business – or even multiple businesses.
Typically, the financial services sector accounts for about 10% of all API login attacks. Twice this past year, that percentage jumped significantly: in May to 80% and in October to 75%.
It’s an enormous problem and one that isn’t going to go away anytime soon. Not all APIs are created equal and many that are widely used don’t place any limitations on login attempts. Rather, they keep allowing the attempts until the person (or bot) attempting to log in succeeds or gives up.
Businesses – especially those in the financial sector – certainly don’t need to be creating that sort of opportunity for hackers.
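The missing control described above, a limit on login attempts at an API endpoint, can look like the following. This is an added example, not code from Akamai's report or from any API the article mentions; the class and function names, the thresholds and the choice to count failures per account and per client address are all assumptions made for illustration.

```python
import math
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Sliding-window cap on failed logins, per account and per client address."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window_seconds, clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    @staticmethod
    def _keys(account, client_addr):
        return ("acct", account.lower()), ("addr", client_addr)

    def retry_after(self, account, client_addr):
        """Seconds to wait before the next attempt is accepted; 0 means allowed."""
        now, wait = self.clock(), 0
        for key in self._keys(account, client_addr):
            q = self._failures.get(key, deque())
            while q and now - q[0] >= self.window:  # drop failures outside the window
                q.popleft()
            if not q:
                self._failures.pop(key, None)  # keep the table from growing forever
            elif len(q) >= self.max_failures:
                # Blocked until the oldest counted failure ages out of the window.
                wait = max(wait, math.ceil(q[0] + self.window - now))
        return wait

    def record_failure(self, account, client_addr):
        for key in self._keys(account, client_addr):
            self._failures[key].append(self.clock())

    def record_success(self, account):
        # Clear only the account counter: one valid credential must not reset
        # the counter for an address that is guessing across many accounts.
        self._failures.pop(("acct", account.lower()), None)


def handle_login(limiter, check_password, account, password, client_addr):
    """Return (http_status, retry_after_seconds) for one API login request."""
    wait = limiter.retry_after(account, client_addr)
    if wait:
        return 429, wait  # refuse before the credential check runs
    if check_password(account, password):
        limiter.record_success(account)
        return 200, 0
    limiter.record_failure(account, client_addr)
    return 401, 0
```

Counting failures by client address as well as by account matters because guesses drawn from a password dump are usually spread across many accounts, so a per-account counter alone never trips.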