Spotting & avoiding API scams

How to Avoid API Scams

Even as they sidestep browser precautions, APIs permit us access to sensitive client data. XSS and SQL injection issues focus is not enough. Rather, your efforts’ concentration should be geared towards malafide actors with demonstrated ability to execute pagination through all your clients’ data, plus related data. Correct trading is prevented as the process itself is hijacked by scammers, including the cloning of the trading partners’ profiles. Spotting & avoiding API scams becomes, therefore, imperative. 

Per plan, APIs have to deal with many API calls for each client. Browser fingerprinting and Captchas would not be of any use. How do you place a competent preventive mechanism? You have to think the way a hacker does. Subsequently, you will be orientating your APIs to find out and block common attacks – besides unknowns – for zero-day adventures. 

Assaults on pagination 

The majority of APIs give access to resources that are entities’ lists, namely /widgets or /users. Limiting the number of items sent back to a client, a client – for instance, a browser – would generally paginate post-filtering through this list. 

A hacker could get a dump of all database entities. A hacker would nudge that endpoint, provided the entry has worthwhile PII. This could potentially be damaging in case those entities by chance divulged PII. Also, this could be very risky in allowing rivals access to usage and adoption stats. To crown it all – scammers could potentially find they have access to big email lists. 

A greenhorn solution would involve checking the take account, throwing an aberration if greater than 100 or 1000. You can find faults with this on two counts – 

With regard to data APIs, genuine clients may have to synchronise records through cron jobs. Diminishing general throughput, artificially small pagination limits may well coax the APIs into chattiness. Security guarantees are not the competence of max limits. Rather, these allow that scalability and memory requirements are satisfied. 

A hacker is thus afforded no protection. 

Pagination security measures 

The first business order would be to track the number of single resource items accessed inside a specific time window for each user and API key, and only at the request level. If you track user-level API resource access, you can successfully block a user/API key post their nudging a threshold. This is an API use case contingent. In a very Captcha-like manner, this could potentially impede the hacker’s speed. 

This would be especially obtainable if the hacker has to come up with a new user account manually to make a new API key. 

JWT protection 

A large number of APIs are shielded by a kind of API key or JWT. This points out a hassle-free way to track and shiel your API. In addition, API security tools are able to locate aberrational API behaviour, blocking access to an API key instantaneously. Nevertheless, hackers readily circumvent these mechanisms by yielding up and making use of a large API key pool extracted from many users. This is much in the vein of the manner in which a web hacker would use a large IP address pool to sidestep DDoS protection. 

Dealing with API key pools 

Having a human sign up for your service and generate API keys is the simplest security measure you could come up with. 2FA or two-factor authentication and Captcha are surefire ways to prevent bot traffic.   

Provided there’s a genuine business case. New subscribers ought not to have the competence to generate API keys thru programming. Only loyal, trustable clients ought to have this competence. You must make sure that any abnormal behaviour aberration detection is done at the user and account level. Doing this for each API key will not suffice. API scams need you to be cautious.

Unforeseen key exposure

APIs are frequently used in a way that could possibly precipitate probability credentials leaks – 

APIs have to be accessed over unspecified time periods, thus accelerating the probability that a hacker gets hold of a valid API key that’s still functional. So it is in a server environment variable you tend to save API keys like that. API keys like that. This is not obtainable in the case of a user logging into an interactive site where the sessions last the shortest while. 

An API consumer has unhindered access to said credentials, for instance, when there’s a debugging thru CURL and Postman. You would not want an API key containing a CURL command to be copied and pasted onto Stack Overflow or GitHub issues. 

API keys generally bear tokens without needing more identifying information. Leveraging two-factor authentication or one-time use tokens is beyond the competence of APIs. Proper use of API key or token can prevent from API scams.

There’s no point in blaming the API provider when a key is exposed owing to user error. Instead, contracting surface area and risk, you can provide security by adding guards that render accidental key exposure unlikely. 

Preventing accidental key exposure 

The simplest way to avert key exposure is by leveraging two tokens instead of one. A refresh token can only be used to yield short-lived access tokens. Those able to access resources with these short-lived tokens are time-limited. 

The refresh token having been stored with other API keys, your SDK will yield access tokens on SDK init or upon the expiration of the last access token. A hacker would have to use the CURL command within hours if it gets pasted into a GitHub issue. 

DDoS attacks

Clients can access API platforms thru programming, thanks to new business models. This could potentially compromise DDoS protection. The majority of DDoS protection aims to absorb and reject many requests from mala fide actors during attacks. The good ones pass the check. Fingerprinting is needed to check against what is apparently bot traffic. However, the traffic does not come from a browser where there might be cookies, but all traffic does look like bot traffic. Thus, fingerprinting and accompanying processes are much harder for APIs. API scams are, therefore, always likely.

Averting DDoS attacks 

Close to every access needs an API key. If we consider a request that lacks an API key, it would be possible to instantaneously reject it. This does not stress your servers all that much. You have to make sure. Nonetheless, that authentication is short-circuited very early, before something like JSON parsing arrives. 

Dealing with authenticated requests involves leveraging rate limit counters for every API key. This would include dealing with any number of requests per minute, cancelling those above the threshold with a 429 HTTP response. 

Getting your measure of server security 

The hygiene that impacts APIs is not so much different to one that affects web servers. Permitting non HTTPS traffic and irregular SSL certificates leads to data leaks. Accepting non HTTPS requests is a big ‘no-no’ with all modern applications. Still, a client could by mistake issue a non HTTP request from their application or CURL. APIs lack browser protection. Redirect to HTTPS or HSTS afford no protection. 

Placing the right SSL

Test your SSL implementation. You ought also to block all non HTTP requests, doable within the load balancer. You ought also to do away with any HTTP headers, deleting any error messages that could leak implementation details. Cross-origin REST APIs Resource Sharing contains further tips in this direction. 

Caching headers 

Each API key has dynamic data scoped to it, and APIs give access to the same. A caching implementation ought to have the competence to scope to an API key, thus averting cross pollution. Regardless of whether you have cached anything in your architecture, you could still expose clients to security risks. Cross-pollinated would be viewable in the case of a proxy server enabled client using several API keys, like one for production and one for development. 

Guaranteeing no caching 

Cache-Control headers have to be correctly configured. Many APIs neglect the standard Authorisation header. Rather, they use X-API-Key or some such custom header. Caching servers opt to cache the request, lacking any knowledge of request authentication. 

Are logging and monitoring sufficient?

An OWASP top 10 API security concern, inadequate logging and monitoring could lead to data breaches that usually take 200+ days to detect. Hackers will keep homing in on such susceptibilities time after time. All the more reason, you ought to have standard API logging and monitoring in place. 

Adding in API logging 

The API login has to track API requests. This is used in user behaviour analytics and stored for a minimum of one year. Data ought not to be deleted by accident or retired before time. 

CCPA and GDPR give API audit logs exemptions for security purposes. API monitoring suites and API product analytics are rendered by a number of companies, helping you to be on your way in a blink. Another sound measure against API scams!

Internal endpoints 

External and internal endpoints may characterise the same API service. A hacker can size up an endpoint even though it is not documented. An authentication and authorisation scheme is the first order of business. Next, the API Gateway or load balancer has to make sure that the endpoint is not exposed to the public internet. Multiple security layers are a preventative measure by themselves.  


Spotting & avoiding API scams require you to be vigilant. While trading, please make sure your trading partners’ profiles are complete with the right information. Third-party browser extensions and phishing websites are to be avoided. Depending on the website concerned, you may lose not more than activity log confidentiality. But you simply have to implement methods that guarantee online account safety.

Related Articles