Orange Developer and Fraud prevention

Fraud is a vast topic which includes various aspects like:

• Identity theft to access a service using another person’s user ID;
• Using a service without paying;
• Using a service beyond what is authorized (scope, contractual perimeter, quotas);
• Manipulating data to lead users to a fraudulent service;
• And much more…

Even though the Orange Developer platform cannot prevent fraud issues caused by weaknesses inherent to the services accessed by the APIs it offers, it can contribute on many levels to fight against fraud.

The Orange Developer platform, acting as an intermediary between the consumer of a service and the service itself, naturally offers protection against API access fraud.

The access to an API is strictly monitored, and the access right is granted to an application by the API provider after a process designed by the provider and during which some additional elements might be asked to make the decision. The Orange Developer platform also uses the international industrial norm OAuth (supported by the Internet Engineering Task Force or IETF), which enables it to verify, for each API access attempt, the authorization of the caller and limit the access to the data it can use (scope). This is called protection against access fraud.

Beyond access control, once the application is linked to the service through an API, fraud can come from the application, for instance the abuse of a service that can lead to overconsumption or even data leaks.

This type of breach falls under the jurisdiction of the service’s control systems, and not the Orange Developer platform. However, this risk can be limited by the implementation, on the Orange Developer platform, of access quotas restricting the number of consecutive accesses to an API by an application over a period of time. This is called protection against application fraud.

Finally, each API can get new users to approve the terms and conditions of the service, before subscribing to the API.

To properly fight against fraud, you need a set of tools or measures specific to this risk. As we saw, the Orange Developer platform contributes to it in different ways, whether at API or application level, or during the API subscription.