How to Prevent Your Retail API From Causing a Security Disaster


Making your APIs safer should be job number one. 

This has been a year of great change in the retail industry. We've all read about Whole Foods' pending sale to Amazon, the massive store closings of retail giants like Macy's and Sears, and the bankruptcies or liquidations of companies like Payless and Sports Authority. But just out of reach of the headlines, there’s another retail trend that hasn't gotten much press. It's the story of how more and more retailers are establishing application programming interfaces (APIs) on their e-comm sites.

You may already know what an API is, but you may not know why APIs can become a security risk.

If your company doesn’t already have an API, it probably will. Over the last 4 years, the number of retail company APIs has grown from 113 companies to more than 1,000.

APIs Explained

APIs are interfaces that let separate software systems exchange data directly. In online retail, they can connect your eCommerce app with your clients, partners, and developers. This could allow your eCommerce site to display information like real-time inventory and pricing data without housing that data on your website.

They also let you integrate with third-party platforms—which can really boost your sales. For instance, APIs provide 50 percent of the revenue generated by Salesforce, 60 percent of eBay revenue, and 90 percent of the revenue Expedia generates.

Why are APIs potentially dangerous?

Innovation is one of the primary reasons retailers are pursuing APIs. By creating an open platform for outside developers to access data from your eCommerce platform, you’re enabling a developer with the right tools to create new widgets and identify bugs on your site. As you might expect, making so much data publicly available can also generate unintended consequences, such as a lack of user privacy or IP theft. So what should you do?

Be Careful About Releasing Public Data.

Yes, providing a lot of user data can lead to an innovative user experience. But often, the majority of user data that companies disclose through an API is excessive and unnecessary.

Avast, a leading cyber security provider, released an alarming report on the ease with which their developers were able to hack the Open APIs of retailers like Target and Walgreens. The team at Avast found it hard to believe the amount of user data that each retailer left exposed, especially considering how easily the Avast hackers obtained it.

In the case of Target, Avast developers wrote a simple program that allowed them to quickly access login credentials. Once they had access to the API, the Avast team discovered a wide range of personal information exposed through it, including home addresses, phone numbers, and registry items.

The Avast development team took a more cautious approach with Walgreens’ API and merely pointed out the data that was available to them, without actually breaking into the API. The mobile app API exposed data and device capabilities such as contacts, photos, the phone's camera and microphone, control over the Bluetooth connection, and much more.

Knowing all this, what should you do? You can start by making sure every piece of data that your API collects and shares is necessary for promoting an innovative user experience. Be nitpicky about the data you collect, and don’t collect it just because you can.
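One concrete way to enforce that rule in code is to shape every API response through an explicit per-audience allowlist of fields, so that a stored record is never returned wholesale. The example below is added here and is not code from the article or from any retailer named in it; the record contents, the two audiences ("public" and "owner"), and the field names are constructed assumptions. It contrasts a naive serializer that dumps the whole record with an allowlist serializer, and adds two review checks: which fields the naive version would leak, and which stored fields have never been classified for any audience.

```python
"""Allowlist-based response shaping for a retail API (added example).

Default-deny: a field reaches a caller only if it is explicitly listed
for that caller's audience. Anything new in the datastore is invisible
until someone deliberately classifies it.
"""
from typing import Any, Dict, List, Set

# Constructed sample record, as it might sit in a user table.
SAMPLE_USER: Dict[str, Any] = {
    "id": 1042,
    "display_name": "J. Doe",
    "email": "jdoe@example.com",
    "phone": "+1-555-0100",
    "home_address": "123 Example St, Boulder, CO",
    "password_hash": "$2b$12$placeholder",  # must never appear in any response
    "registry_items": ["stand mixer", "cookware set"],
}

# Hypothetical audiences and their allowlists (assumed field names).
# "public" is what an anonymous caller looking at a gift registry may see;
# "owner" is what the authenticated account holder may see.
FIELD_ALLOWLIST: Dict[str, Set[str]] = {
    "public": {"id", "display_name", "registry_items"},
    "owner": {"id", "display_name", "email", "phone", "home_address", "registry_items"},
}


def serialize_naive(record: Dict[str, Any]) -> Dict[str, Any]:
    """The pattern to avoid: return every stored column, PII and secrets included."""
    return dict(record)


def serialize_minimal(record: Dict[str, Any], audience: str) -> Dict[str, Any]:
    """Hardened: emit only the fields allowlisted for this audience.

    An unknown audience is an error rather than a fallback to "everything",
    so a typo in a caller role can never widen exposure.
    """
    allowed = FIELD_ALLOWLIST.get(audience)
    if allowed is None:
        raise ValueError(f"unknown audience {audience!r}")
    return {key: value for key, value in record.items() if key in allowed}


def leaked_fields(record: Dict[str, Any], audience: str) -> List[str]:
    """Review check: fields the naive serializer would expose beyond the allowlist."""
    exposed = set(serialize_naive(record))
    permitted = set(serialize_minimal(record, audience))
    return sorted(exposed - permitted)


def unclassified_fields(record: Dict[str, Any]) -> List[str]:
    """Review check: stored fields that no audience has been granted.

    Run this against the schema in CI; a non-empty result means a column
    was added to the datastore without anyone deciding who may read it.
    """
    classified: Set[str] = set().union(*FIELD_ALLOWLIST.values())
    return sorted(set(record) - classified)


if __name__ == "__main__":
    print("public view:", serialize_minimal(SAMPLE_USER, "public"))
    print("owner view: ", serialize_minimal(SAMPLE_USER, "owner"))
    print("naive serializer would leak to public:", leaked_fields(SAMPLE_USER, "public"))
    print("fields with no audience at all:", unclassified_fields(SAMPLE_USER))
```

The design choice worth noting is that the allowlist is the only path to the wire: there is no denylist to keep up to date, and a newly added column such as a loyalty-card number stays hidden from every audience until it is deliberately added to one.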

Create a Focus on Cyber Security.

Currently, the highest priority for many API developers is to innovate. But if your API poses even a one percent risk of disrupting your eCommerce platform, you and your development team need to do everything in your power to prevent that.

Of course, the security risk is not a reason to shut down your API—APIs have proven invaluable. However, it is worth reviewing your cyber security efforts as a part of your open API development process.

Retail API providers like Sears regularly host hackathons, in which developers from around the world are invited to develop new features. It’s worth considering doing the same with cyber security experts, by inviting them to find and fix security risks in your eCommerce API.

About Ideas Made Measurable!

At IMM, creating action isn’t just what we do — it’s who we are. Our agency is built to deliver full service capabilities while also delivering measurable results. Big data is the marketing buzzword everyone talks about but few understand. We are here to explain in plain English how data-driven, bottoms-up marketing strategies can help generate leads, drive sales and build your brand. We leverage the expertise of the staff at IMM, a data-driven, full-service digital advertising agency based in Boulder, Colorado.
