The T-Mobile Data Breach and Mitigating API Security Risks
In late August, T-Mobile announced that data for more than two million T-Mobile customers was accessed in a coordinated exploitation of an improperly secured API. While they state that no banking or social security numbers were exposed, the following types of personally identifiable information (PII) were breached: name, billing zip code, phone number, email address, account number, account type (prepaid or postpaid), and/or date of birth.
In 2017, T-Mobile had a similar issue with their "wsg" API, and a video was created showing that very little technical skill was needed to query the API for customer data, as one simply needed to change the phone number parameter of the API to look up the details of any customer. The fact that these vulnerabilities were implemented in production is indicative of a lack of a mature API gateway to enforce policy rules for identity authentication and authorization at the edge of the network in front of the physical API servers and the application and data tier.
Ensure API security
This is one of the areas where the Akana API Gateway shines. Leading enterprise customers around the globe in financial services, government, healthcare, and other industries rely on Akana to secure their most sensitive applications.
|M1||Establish and maintain control over all of your inputs.|
|M2||Establish and maintain control over all of your outputs.|
|M3||Lock down your environment.|
|M4||Assume that external components can be subverted, and your code can be read by anyone.|
|M5||Use industry-accepted security features instead of inventing your own.|
|Use libraries and frameworks that make it easier to avoid introducing weaknesses.|
|Integrate security into the entire software development lifecycle.|
|Use a broad mix of methods to comprehensively find and prevent weaknesses.|
|Allow locked-down clients to interact with your software.|
The CWE Top 25 list is also organized into three categories of vulnerabilities:
- Insecure Interaction Between Components
- Risky Resource Management
- Porous Defenses
Clearly the T-Mobile APIs that were breached had issues with Porous Defenses and Insecure Interaction Between Components.
Our recent whitepaper, Securing the edge API and the microservices mesh, suggests additional ways to leverage a mature API Gateway platform to implement ways to deny anonymous API requests, require Mutual TLS protocol layer trust domains, authenticate and authorize all API requests especially from public cloud networks, and mediate and filter request parameters for potentially malicious content such as the number one CWE vulnerability that results in a data breach: SQL injection.