This has been a year of great change in the retail industry. We've all read about Whole Foods' pending sale to Amazon, the massive store closings of retail giants like Macy's and Sears, and the bankruptcies or liquidations of companies like Payless and Sports Authority. But just out of reach of the headlines, there’s another retail trend that hasn't gotten much press. It's the story of how more and more retailers are establishing application programming interfaces (APIs) on their e-comm sites.
You may already know what an API is, but you may not know why APIs can put your customers' data at risk.
APIs are interfaces that let separate systems exchange data programmatically. In online retail, they connect your eCommerce platform with your clients, partners, and outside developers. This lets your eCommerce site display information such as real-time inventory and pricing, without hosting that data on your own website.
They also let you integrate with third-party platforms, which can significantly boost your sales. For instance, APIs provide 50 percent of the revenue generated by Salesforce, 60 percent of eBay's revenue, and 90 percent of the revenue Expedia generates.
Why are APIs potentially dangerous?
Innovation is one of the primary reasons retailers are pursuing APIs. By creating an open platform through which outside developers can access data from your eCommerce platform, you enable a developer with the right tools to build new widgets and identify bugs on your site. As you might expect, making so much data publicly available can also have unintended consequences, such as loss of user privacy or theft of intellectual property. So what should you do?
Be Careful About Releasing Public Data.
Yes, providing a lot of user data can lead to an innovative user experience. But often, the majority of user data that companies disclose through an API is excessive and unnecessary.
Avast, a leading cyber security provider, released an alarming report on the ease with which their developers were able to hack the Open APIs of retailers like Target and Walgreens. The team at Avast found it hard to believe the amount of user data that each retailer left exposed, especially considering how easily the Avast hackers obtained it.
In the case of Target, Avast developers wrote a simple program that allowed them to quickly obtain login credentials. Once they had access to the API, the Avast team discovered a wide range of personal information exposed through it, including home addresses, phone numbers, and registry items.
The Avast development team took a more cautious approach with Walgreens’ API and merely pointed out the data that was available to them, without actually breaking into the API. The mobile app API contained such data as contacts, photos, access to the phone's mobile camera and microphone, control over the Bluetooth connection, and much more.
Knowing all this, what should you do? Start by making sure every piece of data that your API collects and shares is actually necessary for the user experience you want to deliver. Be nitpicky about the data you collect, and don't collect it just because you can.
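One practical way to enforce that rule in code is to serialize API responses through an explicit per-audience field allowlist, so that adding a column to the customer table never silently adds it to a public response. The following is an added example written for this post, not code from the article or from any retailer it names; the customer record, the audience names ("public" and "owner"), and the field names are all constructed for illustration.

```python
"""Field allowlisting for an eCommerce customer API response.

Added example (not from the original article): every field a customer
endpoint returns must appear on an explicit per-audience allowlist.
Fields that are not listed are never serialized, whatever the record holds.
"""
from typing import Any

# Constructed sample record, shaped like a customer row joined with a
# gift registry. All values are made up for this example.
CUSTOMER_RECORD: dict[str, Any] = {
    "customer_id": 1234,
    "display_name": "J. Doe",
    "email": "jdoe@example.com",
    "phone": "+1-555-0100",
    "home_address": "1 Example Street, Springfield",
    "password_hash": "$2b$12$placeholder-hash-value",
    "registry_items": [{"sku": "SKU-1", "name": "Toaster", "qty": 1}],
    "registry_public": True,
}

# Per-audience allowlists (hypothetical audience names).
ALLOWLISTS: dict[str, frozenset[str]] = {
    # Anonymous callers, e.g. a partner widget rendering a gift registry.
    "public": frozenset({"customer_id", "display_name", "registry_items"}),
    # The authenticated owner of the account.
    "owner": frozenset({
        "customer_id", "display_name", "email", "phone",
        "home_address", "registry_items", "registry_public",
    }),
}


def serialize_customer(record: dict[str, Any], audience: str) -> dict[str, Any]:
    """Return only the fields the given audience is allowed to see."""
    if audience not in ALLOWLISTS:
        raise ValueError(f"unknown audience: {audience}")
    allowed = ALLOWLISTS[audience]
    out = {key: value for key, value in record.items() if key in allowed}
    # A registry the customer marked private is not shown to anonymous
    # callers at all, even though the field itself is on the public list.
    if audience == "public" and not record.get("registry_public", False):
        out.pop("registry_items", None)
    return out


def overexposed_fields(response: dict[str, Any], audience: str) -> set[str]:
    """Review helper: which keys in a captured response exceed the allowlist?

    Run it against responses recorded in a test environment to find
    endpoints that still return whole database rows.
    """
    if audience not in ALLOWLISTS:
        raise ValueError(f"unknown audience: {audience}")
    return set(response) - ALLOWLISTS[audience]


if __name__ == "__main__":
    print("public view:", serialize_customer(CUSTOMER_RECORD, "public"))
    print("owner view :", serialize_customer(CUSTOMER_RECORD, "owner"))
    print("raw row leaks to public:", overexposed_fields(CUSTOMER_RECORD, "public"))
```

The design choice is that the allowlist is the only path from record to response: a new field is invisible until someone deliberately decides which audience needs it, which is the "don't collect or share it just because you can" rule expressed in code. The `overexposed_fields` helper is the review-time check that tells you how far an existing endpoint is from that standard.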
Create a Focus on Cyber Security.
Currently, the highest priority for many API developers is to innovate. But if your API poses even a one percent risk of disrupting your eCommerce platform, you and your development team need to do everything in your power to prevent that.
Of course, the security risk is no reason to shut down your API; APIs have proven invaluable. It is, however, worth reviewing your cyber security efforts as part of your open API development process.
Retail API providers like Sears regularly host hackathons, in which developers from around the world are invited to develop new features. It's worth considering doing the same with cyber security experts, by inviting them to find and fix security risks in your eCommerce API.