75% of credential abuse attacks on financial services targeted APIs

The study, ‘Akamai 2020 State of the Internet / Security: Financial Services’, observed over 85 billion credential abuse attacks from December 2017 through November 2019.

16.5 billion (almost 20%) of these targeted APIs in attempts to bypass security measures, with just over 473.5 million being attacks on financial services.

Akamai’s findings showed a significant rise in API-focused attacks from May 2019.

“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” said Steve Ragan, the report’s principal author and Akamai security researcher. “Criminals targeting the financial services industry pay close attention to the defences used by these organisations, and adjust their attack patterns accordingly.”

Is there an answer to the onslaught of cyber attacks faced by financial services firms?

Shannon Simpson, cyber security and compliance director at Six Degrees, suggests an outsourced approach as one way to address security challenges. Read here

Additionally, August 2019 saw the largest credential attack against a financial service provider in Akamai’s history, which consisted of over 55 million login attempts, although this was not completely directed at APIs.

The same culprits of that incident caused another later that same month, this time targeting APIs directly and produced over 19 million attacks.

The most frequent type of attack on financial services, according to the report, was Local File Inclusion (LFI), which targets scripts running on servers to force the leak of sensitive information; this accounted for 47% of observed traffic.

SQL injection (SQLi) also made up a prominent proportion of attacks on financial services (36%).

The sector also faced a noteworthy amount of Distributed Denial of Service (DDoS) attacks; it ranked third in attack volume compared to other industries, coming in behind gaming and high-tech, but a leading proportion of 40% of unique DDoS targets were in financial services.

DDoS attacks: why size isn’t everything

Today’s DDoS attacks have evolved to become far more deceptive, complex and frequent than the simple, volumetric technique which gave the attack its name. Read here

“Security teams need to constantly consider policies, procedures, workflows, and business needs – all while fighting off attackers that are often well organised and well-funded,” Ragan continued. “Our data shows that financial services organisations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.

Related Topics

APIs