Government bodies are clamping down heavily on institutions and organizations that handle sensitive customer data. For APIs, tokens are used to authenticate users.

We live in an era dominated by cloud-native and cloud-first solutions that rely on these services to provide dynamic data storage capabilities and overall computing  capabilities  for more accurate and actionable insights.

Whether it’s to ingest data across your Snowflake Snowpipe or share data with dozens of microservices within your organization, reliance on APIs has skyrocketed in the last decade. Companies with 10,000+ employees have stated that they have at least 250 APIs actively deployed. In a recent McKinsey report it was forecasted that the number of APIs in open banking is set to increase 100% by the end of 2027.    

As a result, it has become critical that these APIs are secure and impervious to attacks. The proliferation of APIs has increased the threat landscape which has painted a metaphorical bullseye for potential cyberattacks. 

Many Fortune 500 companies have experienced API breaches of varying degrees in the last two years. Telecom provider T-Mobile has faced eight such breaches since 2018. Their latest breach occurred  in January 2023, when personal data (names, DOB, email address,billing, personal details, etc.) of over 37 million customers were exposed. While the company ensured sensitive data wasn’t leaked, personal data alone could be advantageous  for hackers planning credential-stuffing attacks or phishing attempts.

Government bodies are clamping down heavily on institutions and organizations that handle sensitive customer data such as medical history, financial records, insurance records, social security numbers, credit card information etc. Regulations and mandates such as HIPAA (USA), GDPR (EUR), and PCI-DSS enforce stringent API authentication and robust cybersecurity protocols and frameworks.

For APIs, tokens are typically used to authenticate users and grant them access to internal data management systems and microservices. If a token is compromised, unauthorized parties may have gained access to it either through theft or interception. If these compromised tokens are not promptly blocked, attackers could use them to impersonate legitimate users and gain unauthorized access to sensitive data or resources.

4 different methods to block compromised tokens

1. Token Revocation Lists (TRL): These lists contain identifiers or metadata associated with invalid tokens. In the case of token-based authentication systems like OAuth or OpenID Connect, TRLs serve as a central repository of tokens that are no longer considered legitimate or valid. When a user attempts to use a compromised token, authentication servers cross-check the TRL and deny access.  TRLs require diligent management and  careful consideration to avoid operational burdens, since they enhance security, their maintenance can introduce overheads within large-scale systems and create hurdles for disparate ecosystems. 

2. Token Blacklisting: The concept is straightforward, as it involves a mechanism where compromised tokens are blacklisted within an authentication system or server. When such tokens are detected, they are added to a blacklist that prevents further usage. Similar to TRLs, the difference with token blacklisting is that the compromised token is deemed useless after. 

3. Token Expiry & Renewal: For businesses that cannot manage complex IT infrastructure that can blacklist and whitelist tokens, it’s a good idea to set expiry time periods for critical tokens. Thus, users are required to renew tokens to continue accessing systems and services, thereby blocking malicious actors from gaining control over them. 
   
4. Token-based Access Controls: This system is more robust than the previous traditional methods because the implementation of access control based on tokens adds a layer of security, as opposed to merely validating a token! Whether Role-based access controls or Attribute-based access controls, users are authenticated and issued a fresh token that is applicable across an ecosystem. These tokens can be revoked just as easily as they are issued, eliminating the possibility of misuse.

These strategies can be used individually or in combination to effectively block compromised tokens and bolster the API security of authentication systems and resources. The choice of these methods depends on factors such as the specific requirements of the system, the nature of the tokens used, and the level of security posture desired.

If you wish to learn more about API abuse or talk to an expert because you’re just starting out, get in touch with Wallarm’s in-house experts today.