BACKGROUND:
Brian Krebs’ report that Experian API Exposed Credit Scores of Most Americans says: “Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address… Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.”
Brian Krebs once again did a great service to the IT security industry by revealing the flaw in the Experian API. His mission to improve the security posture of the internet is valued. An important takeaway here is just how vulnerable all data is in the face of ubiquitous online scanning and penetration efforts. It is no longer optional but mandatory that our systems be re-evaluated to ensure that not only data but also users and user privileges are validated, with a zero-trust concept in mind, so that the only access allowed is the access that was intended.
If this isn’t an argument for more and better DevSecOps, then nothing is. The root cause of this issue is poor testing of the application’s overall security controls. It could have been prevented if the application designers had built secure code development and thorough testing into each phase of the development lifecycle. Insecure APIs are one of the most common threat vectors used by bad actors to exploit poorly secured applications and reach their data. Such bad coding practices not only hurt everyone financially but can seriously erode the trust of the agencies that use the application and damage the reputation of the development firm.

The fact is that application security is becoming far more important, as is careful talent acquisition: cyber criminals are now actively seeking legitimate cyber and tech-related positions inside companies.
The exposed credit score data, together with the risk factors, can be used very effectively to socially engineer money out of people’s accounts. This data is personal and highly sensitive, exactly the sort of data cyber criminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API? Shame on you, Experian!