Skip to main content
Learning Center
API Abuse & Business LogicAPI & Business Logic 101: How Systems Really Work

API & Business Logic 101: How Systems Really Work

Understanding APIs, HTTP requests, and business logic from the ground up - explained for fraud analysts with no technical background

API & Business Logic 101: What Your Computer Is Really Doing

A fraud analyst's guide to understanding the invisible world behind every app and website

The Story: When Maria's $500 Transfer Became a $5 Million Heist

When Maria clicked 'Transfer $500' in her banking app, she thought the app was moving her money. After all, the money left her account and arrived in her daughter's account exactly as expected. What Maria didn't know was that her phone can't access bank vaults, can't move money between accounts, and can't actually do any banking at all.

So what really happened when Maria tapped that button?

Understanding this invisible process is the key to catching a new generation of fraud that traditional investigators have never seen before. Because while Maria was clicking buttons on her phone, someone else was sending direct messages to her bank's computer, messages that bypassed every security control she thought was protecting her money.

At 2:47 AM on a Tuesday, Alex Chen discovered he could send a message that said "Transfer -$500" (negative five hundred dollars) to the same bank system that processed Maria's transfer. Due to a programming error, the bank's computer interpreted this as "Add $500" to Alex's account.

Over the next 6 hours, Alex sent 10,000 of these messages. By morning, he had stolen $5 million from the bank, not by stealing anyone's password, not by hacking into any system, and not by tricking any bank employees. He simply found a mathematical error in the bank's business rules and exploited it.

Alex understood something that most fraud analysts don't: the app on your phone is not reality. It's just a messenger.

What Is An API? (Explained So Anyone Can Understand)

The Restaurant Analogy

Imagine you're at a restaurant:

You (Customer) → Waiter → Kitchen → Food comes back
Your App       → API   → Server → Data comes back

Here's what happens:

  • You: See a menu and order food (you never go to the kitchen directly)
  • Waiter: Takes your order to the kitchen and brings back your food
  • Kitchen: Cooks your food (you never see this happening)
  • Food: Arrives at your table through the waiter

In technology, it works exactly the same way:

  • Your App: Shows buttons and forms (the "menu")
  • API: Carries your request to the server (the "waiter")
  • Server: Does the actual work (the "kitchen")
  • Results: Come back through the API to your app

The Critical Insight for Fraud Analysts

The app on your phone CANNOT transfer money, access databases, or perform any real actions. It can only send messages (through APIs) to computers that can do those things.

This means criminals don't need to use your app at all. They can send their own messages directly to the server, messages that might say things your app would never allow you to type.

HTTP Requests: The Language Computers Use

What Really Happens When You Click "Transfer $500"

What Maria sees: Clicks a "Transfer $500" button
What really happens:

  1. App creates a message: "POST /transfer"
  2. Message contains: "From account 123, to account 456, amount $500"
  3. App sends message to bank's server through the internet
  4. Server checks: Does Maria have permission? Enough money?
  5. Server moves the money (or rejects the request)
  6. Server sends back: "Success" or "Failed"
  7. App shows Maria the result

Types of Messages (HTTP Methods)

  • GET: "Give me information" (like checking your account balance)
  • POST: "Do something" (like transferring money)
  • PUT: "Update something" (like changing your address)
  • DELETE: "Remove something" (like deleting a payment method)

Why This Matters for Fraud Detection

Criminals can send these messages directly without using your app or website. They can:

  • Create their own messages with different amounts
  • Send requests faster than humanly possible
  • Try combinations your app would never allow
  • Send malformed requests to test for programming errors

Traditional fraud detection often misses this because it focuses on user behavior, not on the technical messages being sent to servers.

Business Logic: The Rules Your App Is Supposed to Follow

What Are Business Rules?

Simple definition: The instructions that tell the computer what to allow and what to reject.

Example business rules in banking:

Rule 1: Only allow transfers if balance >= transfer amount
Rule 2: Only allow transfers from accounts you own  
Rule 3: Don't allow transfers over $10,000 without extra verification
Rule 4: Don't allow more than 3 transfers per day
Rule 5: Don't allow negative transfer amounts

Where Business Logic Actually Lives

NOT in the app on your phone (apps can be modified by anyone)
NOT in the website (anyone can view and change website code)
IN THE SERVER (the "kitchen" that actually does the work)

The Critical Fraud Problem

Business logic flaws happen when these rules have gaps, contradictions, or edge cases that criminals can exploit.

In Alex's case, Rule 5 said "Don't allow negative transfer amounts," but the programmer forgot to actually check for negative numbers. The rule existed on paper but not in the actual code.

Why The UI Lies: The Biggest Misconception in Fraud Investigation

What Fraud Analysts Often Think

"If the app shows a $10,000 transfer limit, then the system enforces a $10,000 transfer limit."

The Reality

The app is just a suggestion. The real rules are on the server, and they might be completely different from what the app shows.

Real Example of UI vs. Reality

App shows: "Maximum transfer: $10,000"
Server rule: "Check if transfer_amount < max_limit"
Problem: Programmer never actually set the max_limit value
Result: Criminal can transfer $1,000,000 even though app says $10,000 limit

Why This Disconnect Happens

  • Development teams work separately: Frontend (app) and backend (server) teams make different assumptions
  • Business requirements change: Rules get updated in one place but not the other
  • Mistakes happen: Programmers are human and make errors
  • Testing is incomplete: Edge cases and error conditions aren't always tested
  • Security is an afterthought: Business functionality gets built first, security gets added later

The fundamental insight: What you see on the screen has almost nothing to do with what's actually happening on the server that processes your request.

How This Creates New Fraud Opportunities

Traditional Fraud vs. Business Logic Fraud

Traditional Fraud (What You Already Know)

  • Method: Criminal steals Maria's login credentials
  • Action: Criminal logs into Maria's account
  • Result: Criminal transfers Maria's money to their account
  • Investigation: Follow the money trail, find the stolen credentials, interview the victim

Business Logic Fraud (The New Challenge)

  • Method: Criminal creates their own legitimate account
  • Discovery: Criminal finds a flaw in transfer rules (e.g., negative amounts)
  • Action: Criminal sends API request: "Transfer -$500"
  • Result: System adds $500 due to programming error
  • Investigation: Analyze system logs, understand business rules, find the logic flaw

Why Traditional Fraud Detection Fails

Traditional systems look for:

  • Stolen credentials → But criminal uses their own account
  • Unusual login locations → But criminal operates from their own location
  • Victim complaints → But there are no direct victims
  • Suspicious money movement → But money appears to be legitimately earned
  • Social engineering patterns → But no humans were tricked

Business logic fraud is invisible to traditional fraud detection because it exploits the system's own rules rather than breaking them.

The Data: Business Logic Fraud Reality Check

Business logic exploitation represents a rapidly growing category of fraud that most financial institutions are unprepared to detect or investigate.

Financial Impact Statistics

Verified data breach costs from industry reports:

  • Global average data breach: $4.88 million per incident¹
  • Financial services breaches: $6.08 million average - 22% higher than global average¹
  • Healthcare industry breaches: $9.77 million average - highest of all industries for 14 consecutive years¹
  • Detection time impact: Organizations detecting breaches in under 200 days save $1.12 million vs. longer detection¹

Detection Challenge Statistics

Why business logic attacks are particularly dangerous (verified sources):

  • 74% of all breaches include the human element - error, misuse, stolen credentials, or social engineering²
  • 86% of web application attacks involve the use of stolen credentials²
  • Average global detection time: 194 days to identify, 64 days to contain¹
  • Credential-based attacks: Take longest to detect at nearly 10 months on average¹

Attack Sophistication Evidence

Why traditional fraud detection struggles with business logic attacks:

  • Legitimate credentials: Business logic attacks typically use valid, authenticated accounts
  • Normal user behavior: Actions appear routine to traditional monitoring systems
  • API exploitation: Criminals manipulate business rules rather than breaking into systems
  • Scale and speed: Automated tools can execute thousands of requests faster than human detection

Common Business Logic Vulnerabilities (From a Fraud Perspective)

1. Mathematical Errors

Negative Number Handling:

  • System treats -$100 as +$100 due to poor validation
  • Rounding errors accumulate fractions of cents into large amounts
  • Integer overflow causes numbers too big to "wrap around" to small numbers

Real Example: Cryptocurrency exchange allowed negative withdrawal amounts, resulting in $5.2M loss in 3 hours.

2. Workflow Bypassing

Step Skipping:

  • Going directly to checkout without adding items to cart (free purchases)
  • Completing transactions without payment verification
  • Accessing admin functions by manipulating URL parameters

Real Example: E-commerce site allowed users to skip payment step by modifying browser requests, resulting in $1.8M in unpaid merchandise.

3. Rate Limiting Bypass

Speed Limits That Don't Work:

  • System says "maximum 3 transfers per day" but doesn't actually enforce it
  • IP-based limits bypassed by rotating IP addresses
  • Time-based limits reset at predictable intervals

Real Example: Banking app's "3 transfers per day" limit could be bypassed by sending requests every millisecond, allowing unlimited transfers.

4. Authentication/Authorization Flaws

Permission Escalation:

  • Regular users gaining administrative privileges
  • Accessing other users' accounts by changing account numbers in requests
  • Bypassing verification steps by manipulating session data

Real Example: Investment app allowed users to access any account by changing a single number in the API request, exposing $47M in customer funds.

Red Flags Every Fraud Analyst Must Recognize

Mathematical Impossibilities

What to look for:

  • Rewards exceeding spending: Customer earned $10,000 cashback on $500 purchases
  • Negative transaction amounts: Transfer amounts showing as negative numbers
  • Perfect timing patterns: Transactions occurring at exact time intervals (indicating automation)
  • Unrealistic ratios: Conversion rates or exchange rates that don't match market reality

Alert threshold: Any transaction or account activity that violates basic mathematical rules or business logic.

Automation Patterns

What to look for:

  • Superhuman speed: Actions completed faster than humanly possible
  • Perfect repetition: Identical actions repeated with millisecond precision
  • No hesitation: Zero time between page load and action completion
  • Batch processing: Multiple identical requests submitted simultaneously

Alert threshold: User actions that occur faster than 100ms intervals or show perfectly repetitive timing patterns.

Account Behavior Anomalies

What to look for:

  • New account, high value: Large transactions on recently created accounts
  • Single-purpose accounts: Accounts created only to exploit specific features
  • Minimal legitimate activity: Accounts that only perform profitable actions
  • Geographic concentration: Multiple accounts from same location performing identical actions

Alert threshold: Accounts less than 30 days old performing transactions >$10,000 or showing automated behavior patterns.

What You Should Do as a Fraud Professional

When you suspect business logic exploitation in your systems, here's your investigation plan:

Immediate Response (First 30 Minutes)

  1. Preserve system logs - Capture all API requests and responses from suspected timeframe
  2. Identify the exploit method - Determine which business rule is being violated
  3. Calculate exposure - Assess total potential loss if exploit continues
  4. Implement temporary controls - Add manual approval for high-risk transactions

Investigation Priorities

  • API log analysis: Review all requests made by suspicious accounts
  • Business rule verification: Test if system rules work as intended
  • Pattern identification: Look for similar exploitation attempts across other accounts
  • Code review: Work with developers to identify the specific vulnerability

Working with Technical Teams

What to ask developers:

  • "Can you show me the actual code that validates transfer amounts?"
  • "What happens if someone sends a negative number in this field?"
  • "Are there any rate limits on this API endpoint?"
  • "How does the system handle edge cases like zero amounts or extremely large numbers?"

Documentation Requirements

Evidence to preserve:

  • Complete API request/response logs
  • Account creation timestamps and patterns
  • Transaction sequences and timing analysis
  • System configuration and business rule documentation

Building Your Technical Fraud Skills

New Tools You'll Need to Learn

API Testing Tools:

  • Request manipulation tools: Send custom requests to test business logic
  • Traffic analysis software: Intercept and modify web traffic
  • Browser Developer Tools: View actual requests sent by websites

Log Analysis Software:

  • Enterprise search platforms: Search through millions of server records
  • Database query tools: Find patterns in large datasets
  • Custom SQL queries: Direct database analysis

Business Logic Testing:

  • Boundary value testing: Try maximum, minimum, and edge case values
  • Workflow analysis: Map out every step in a business process
  • Parameter manipulation: Change request data to test validation

Questions You'll Learn to Ask

Instead of traditional fraud questions like "Who was the victim?" and "How was the identity stolen?", you'll ask:

  • What API requests were made during this timeframe?
  • Do the business rules have any mathematical edge cases?
  • Can this workflow be completed in an unintended order?
  • Are there rate limits, and can they be bypassed?
  • What validation checks are performed on input data?

Career Development Path

Entry Level (0-2 years): Learn to read API logs and identify basic business logic flaws
Intermediate (2-5 years): Conduct complex business logic testing and coordinate with technical teams
Senior Level (5+ years): Design business logic fraud detection systems and lead technical investigations
Expert Level (10+ years): Architect secure business logic frameworks and train other investigators

The Bigger Picture: Why This Matters for Your Career

Business logic fraud represents the future of financial crime. As security systems get better at detecting traditional fraud, criminals are moving to more sophisticated attacks that exploit the fundamental design of computer systems.

Understanding these technical concepts isn't optional anymore, it's essential for every fraud professional. The criminals already understand how systems work. They're using mathematical precision, automated tools, and deep technical knowledge to steal at unprecedented scale.

Your role as a fraud analyst is evolving. You're not just following money trails and interviewing victims anymore. You're becoming a technical investigator who must understand business logic, API security, and system design to catch the next generation of financial criminals.

The fraud professionals who learn these skills now will be the ones who catch the big cases, advance their careers, and protect their organizations from the most sophisticated threats.

The next module shows you real-world examples of business logic attacks and teaches you the specific investigation techniques used to catch these technical fraudsters.

Ready to test your understanding of APIs and business logic? Take the quiz below to see if you can identify business logic vulnerabilities before criminals exploit them.

References and Sources

¹ IBM Security. (2024). Cost of a Data Breach Report 2024. IBM Corporation. https://www.ibm.com/reports/data-breach

² Verizon. (2023). Data Breach Investigations Report (DBIR). Verizon Communications. https://www.verizon.com/business/resources/reports/dbir/

³ OWASP Foundation. (2023). API Security Top 10 2023. Open Web Application Security Project. https://owasp.org/www-project-api-security/

Note on Educational Examples: The specific case studies of "Maria's $500 transfer" and "Alex Chen's $5M exploitation" are fictional scenarios created for educational purposes to illustrate business logic attack concepts. While the attack methods described are based on real-world vulnerabilities, the specific names, amounts, and company details are illustrative examples designed to help fraud analysts understand these technical concepts.

Test Your Knowledge

Ready to test what you've learned? Take the quiz to reinforce your understanding.