Page 17 - Cyber Warnings
P. 17
OPEN ACCESS APIs
WHAT NEEDS TO BE DONE TO MAKE THE PLATFORM MORE SECURE
By David Midgley, Head of Operations, Total Processing
I’m sure if you’re reading this, you already have a reasonable idea of what an API is and how it
works. For anyone who may have stumbled upon this article though, an API lets one website
use elements of another. In its’ simplest terms, an API is what allows third-party apps to run in
Facebook.
For example, it is an API that allows you to share an article on a national newspaper’s website
via your social media accounts and then show on the national newspaper’s website how many
people have shared that article.
APIs also have their use in the payments sector too. For example, in the case of Total
Processing and other payment gateway providers, we give our clients access to data so they
can connect their website to the payment gateway we provide them and then also allow them to
access data when payments are made via the gateway, and I’m sure this is also the case for
other payment gateway providers.
Therefore, given that an individual’s personal and financial details are being provided on the
website and via these gateways, it is important this access is properly secured and cannot be
easily worked out or hacked into by malicious parties.
For example, in January 2015, the self-titled ‘internet security enthusiast’ Paul Price flagged up
that the API of British greeting card manufacturer Moonpig used a hard-coded username and
password to connect to their server that was easily retrievable.
This meant that, according to Price’s analysis, it would have been very easy to build up a
database of the addresses and card details of over three million people who used Moonpig’s
service in a matter of hours.
Thus, it is evident that vulnerabilities that can be exploited exist in APIs. This means patches
and other updates still need to be developed in order to firm up the integrity of the firewalls put
in place to prevent undesirables from being able to access what is very sensitive financial and
personal information that can be used to access a person’s bank account or steal their identity.
It’s not difficult to sure up the security of an API either, and no one should feel unconfident or
overwhelmed at the prospect of doing this.
As a start, a company should keep all security software used internally and externally up-to-date
and make sure their privacy and spam settings are rigid to help prevent a hacker from gaining
access via a company’s own systems.
17 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide