Building APIs in the Age of Equifax and Uber: A Solution to the Madness


One of the reasons we are so excited about Hydrogen is the massive opportunity REST APIs and global cloud technology have to disrupt the financial ecosystem. But we recognize there are bad actors out there that have exploited vulnerabilities in this new ecosystem. Among those affected have been Equifax and Uber, both showing poor security protocols and poor business leadership in the process. In this post we will examine both hacks and present a new technology developed by Hydrogen that can stop this from happening again.


On July 29th 2017, Equifax, a 118-year-old U.S. credit reporting agency, was hacked. 143 million consumers had their PII exposed, such as their Social Security Numbers, and 209,000 customers had their credit card data compromised.

What was the cause of this breach?

It starts with one of the backend technologies used by Equifax. Struts is an open-source framework for developing web applications in the Java programming language, built by the Apache Software Foundation. CVE-2017-9805 is a vulnerability in Apache Struts related to using the Struts REST plugin with the XStream handler to handle XML payloads. If exploited, it allows a remote, unauthenticated attacker to run malicious code on the application server, either to take over the machine or to launch further attacks from it. This was patched by Apache two months before the Equifax breach.

Apache Struts contains a flaw in the REST plugin's XStream handler that is triggered when the program insecurely deserializes user-supplied input in XML requests. More specifically, the problem occurs in XStreamHandler's toObject() method, which imposes no restrictions on the incoming value when XStream deserializes it into an object, resulting in arbitrary code execution.
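To make the toObject() problem concrete, here is an added example (not Struts' or Hydrogen's code) that puts the unrestricted XStream call beside an allowlisted handler that only accepts the one request type the endpoint expects. AccountRequest, the "accountRequest" alias and the two XML inputs are constructed for this illustration; the unrestricted handler explicitly re-enables the permissive default that XStream shipped with in 2017.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHandlerDemo {

    /** Hypothetical request model: the only type this endpoint should ever receive. */
    public static class AccountRequest {
        public String accountId;
        public int limit;
    }

    /** Vulnerable pattern: XStream instantiates whatever root element the client names. */
    static Object toObjectUnrestricted(String xml) {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);   // the pre-1.4.18 default: any class allowed
        return xs.fromXML(xml);                    // the client chooses the class that gets built
    }

    /** Hardened pattern: deny everything, then allow exactly the expected types. */
    static Object toObjectAllowlisted(String xml) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);                // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, AccountRequest.class });
        xs.alias("accountRequest", AccountRequest.class);     // constructed root element name
        return xs.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate request, and one naming a type the endpoint never asked for.
        String good = "<accountRequest><accountId>acct-42</accountId><limit>5</limit></accountRequest>";
        String unexpected = "<java.util.LinkedList/>";

        AccountRequest ok = (AccountRequest) toObjectAllowlisted(good);
        System.out.println("allowlisted accepted: " + ok.accountId + " limit=" + ok.limit);

        // The unrestricted handler builds the unexpected type without complaint.
        System.out.println("unrestricted built: " + toObjectUnrestricted(unexpected).getClass());

        try {
            toObjectAllowlisted(unexpected);
        } catch (XStreamException e) {
            // ForbiddenClassException: the allowlist rejects the type before any object exists.
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
    }
}
```

Run with xstream on the classpath; the hardened handler fails closed on any root element outside the allowlist, which is the check the original toObject() lacked.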

But even if this REST plugin was compromised, should it have mattered? Is there a way to use new technologies to secure the financial information of these 143 million customers while still relying on REST APIs and Java-based systems?


In October 2016, hackers stole personal data from 50 million Uber riders, including names, email addresses and phone numbers, as well as the names and driver's license numbers of about 600,000 drivers in the United States. According to Bloomberg, Uber actually paid the hackers $100,000 in blackmail to keep the hack quiet. Neither the public nor any government body was made aware of the hack until November 2017, violating nearly every state and federal privacy law!

Given how little we know of the Uber hack, it is safe to say it was a simple case of a database breach. No private data such as Social Security numbers or credit cards was taken (according to Uber); we assume that data is encrypted.


The public has little faith in large corporations to keep their data safe. The average piece of Personally Identifiable Information (PII) can sell on the ‘Dark Web’ for as little as $1. Hydrogen believes there is a new technology that can forever solve the two core issues with data hacks in APIs and databases:

  1. Hacking the data in the first place
  2. Alerting customers there has been a hack (over 1 year in Uber’s case, and 5 months in Equifax’s, according to Bloomberg)

That new technology is BLOCKCHAIN. The Hydrogen team has been hard at work developing a game-changing application on the blockchain that will perform public, decentralized authentication for private APIs. This makes it increasingly hard to break into systems (built on Hydrogen or elsewhere), and provides a transparent layer on top of every database. The world knows exactly who is accessing your data, who is attempting to access your data, and where that data is, with no 5-month or 1-year delay.

More to come on this exciting new development in a follow up post soon!

Mike is the Co-Founder of Hydrogen and the Hydro blockchain - the public ledger for financial services.

John R. Crittenden, CAIA

7 years ago

Keep truckin.
