Customers choose a bank or payment card for many reasons – a points scheme, convenience, discounts – and expect that when they use it, their personal information is protected. Cyberattacks, however, are as frequent as rain in London, and increasing. According to one report, firms in the financial services sector are 300 times likelier than other companies to be targeted by a cyberattack. Another report showed a new incident of financial fraud being identified every 15 seconds.
The gravity of the cybercrime problem has driven financial institutions to invest heavily in tackling it, with over $800 million spent annually on dedicated employees who combat fraud, money laundering and other financial crimes. But there is a new game in town: account information is being stolen by bots and sold on the deep web, and you may not even know it.
Bot infiltration poses a significant threat to the financial services industry. Methods for stealing customer data and accessing accounts are becoming increasingly sophisticated, and because bot activity often looks like legitimate behavior it is difficult to spot. The ready availability of mass data dumps and proxy servers is a breeding ground for automated bot attacks, including credential stuffing and carding, making the exposure of stolen data a rapidly growing concern.
Credential Stuffing and Card Cracking
Account takeover (ATO) has become a widespread problem as perpetrators use sophisticated attack techniques to gain access to online accounts. Once attackers have unrestricted access to account and transaction details, they can use them to apply for loans and other credit cards, carry out bank transfers, or exploit your business in other ways.
Credential stuffing is one very common ATO technique. Because an account is worthless unless it can be accessed, attackers spend considerable time and resources obtaining account credentials and determining which user ID and password combinations are valid. If they don’t use those credentials themselves, they sell them on the dark web, and the more account information they steal, the more they can charge; volume is the enticement. Today, data dumps containing millions of unique username and password combinations are readily available at scale and at little-to-no cost.
Although a portion of the data collected and sold is likely to be stale, poor customer password hygiene and password reuse across multiple sites mean that even old data is valuable to attackers looking for Personally Identifiable Information (PII) and working credentials. Once obtained, these username and password pairs are replayed by automated tooling as login attempts against the targeted online service. Each password an attacker holds for a user increases the chance of finding another account belonging to the same user and exploiting it too. This is credential stuffing.
Success rates for basic combination testing are typically low – unless the attacker is using bots. A bot can attempt many combinations per second, far faster than a human, so even a success rate of a fraction of a percent pays off against a dump of millions of pairs. By automating the login attempts with a bot, attackers can credential stuff quickly and cheaply. Today, there are more than 15 billion stolen credentials in circulation, up 300% since 2018.
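What credential stuffing looks like from the server side, and why counting failures per IP is not enough, is easier to see on a log than in prose. The following is an added example written for this article; it is not Netacea’s code or any product’s logic. It assumes a login log with a timestamp, source IP, a client fingerprint (say, a hash of TLS and User-Agent attributes), the username tried and the outcome, and all thresholds are illustrative. The traffic it runs over is constructed inline: two humans, a noisy single-IP bot, and a campaign spread over 25 residential IPs at two attempts each, which the per-IP view never catches but the per-fingerprint view does.

```python
"""Credential-stuffing detection over constructed login logs.

Added example for this article; not Netacea's code. Thresholds are
illustrative, not tuned values. Assumed log fields: timestamp, source IP,
client fingerprint, username tried, and whether the login succeeded.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Attempt:
    ts: float       # epoch seconds
    src_ip: str
    fp: str         # client fingerprint (assumed field, e.g. hash of TLS + User-Agent)
    user: str
    ok: bool


# Illustrative thresholds (assumptions, not values from the article).
MIN_ATTEMPTS = 10          # ignore groups too small to judge
MIN_DISTINCT_USERS = 8     # one client trying many different accounts
MIN_FAIL_RATIO = 0.8       # humans rarely fail 80% of their logins
MAX_TIMING_CV = 0.15       # inter-arrival jitter; scripted traffic is very regular


def timing_cv(ts: List[float]) -> Optional[float]:
    """Coefficient of variation of inter-arrival times (None if too few points)."""
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def profile(attempts: List[Attempt], key: Callable[[Attempt], str]) -> Dict[str, dict]:
    """Group attempts by key() and compute the per-group signals."""
    groups: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        groups[key(a)].append(a)
    signals = {}
    for k, rows in groups.items():
        rows = sorted(rows, key=lambda r: r.ts)
        fails = sum(1 for r in rows if not r.ok)
        signals[k] = {
            "attempts": len(rows),
            "distinct_users": len({r.user for r in rows}),
            "fail_ratio": fails / len(rows),
            "timing_cv": timing_cv([r.ts for r in rows]),
        }
    return signals


def is_stuffing(sig: dict) -> bool:
    """Fan-out across accounts plus either a high failure ratio or robotic timing."""
    if sig["attempts"] < MIN_ATTEMPTS:
        return False
    fanout = sig["distinct_users"] >= MIN_DISTINCT_USERS
    failing = sig["fail_ratio"] >= MIN_FAIL_RATIO
    robotic = sig["timing_cv"] is not None and sig["timing_cv"] <= MAX_TIMING_CV
    return fanout and (failing or robotic)


def detect(attempts: List[Attempt]) -> Dict[tuple, dict]:
    """Flag groups first by source IP, then by fingerprint, so a campaign spread
    thinly over many residential IPs still surfaces as one client."""
    flagged = {}
    for name, key in (("ip", lambda a: a.src_ip), ("fp", lambda a: a.fp)):
        for k, sig in profile(attempts, key).items():
            if is_stuffing(sig):
                flagged[(name, k)] = sig
    return flagged


def build_sample() -> List[Attempt]:
    """Constructed traffic: two humans, one noisy bot, one distributed bot."""
    log: List[Attempt] = []
    # alice: one account, a typo then success, human-irregular timing
    for ts, ok in ((0.0, False), (7.3, True), (3100.0, True), (3145.2, True)):
        log.append(Attempt(ts, "203.0.113.10", "fp-alice", "alice@example.test", ok))
    # bob: many failures on ONE account (forgotten password); no fan-out, so not flagged
    gaps = [4.1, 9.7, 2.3, 15.0, 6.6, 3.9, 11.2, 5.5, 8.8, 2.7, 30.1]
    ts, ok_at = 500.0, {5, 8, 10, 11}
    for i, g in enumerate([0.0] + gaps):
        ts += g
        log.append(Attempt(ts, "203.0.113.20", "fp-bob", "bob@example.test", i in ok_at))
    # noisy bot: one IP, 30 accounts, one attempt every 0.5 s, all fail
    for i in range(30):
        log.append(Attempt(1000.0 + i * 0.5, "198.51.100.7", "fp-bot", f"u{i:03d}@example.test", False))
    # distributed bot: 50 accounts over 25 residential IPs, 2 attempts per IP,
    # sharing one tool fingerprint; per-IP counting never sees more than 2
    for i in range(50):
        log.append(Attempt(2000.0 + i * 1.0, f"192.0.2.{1 + i % 25}", "fp-tool", f"v{i:03d}@example.test", False))
    return log


if __name__ == "__main__":
    for (how, who), sig in sorted(detect(build_sample()).items()):
        print(f"{how:2} {who:15} {sig}")
```

The point of the second grouping key is the one the article makes about residential proxies: once the attacker rents a pool of clean-looking addresses, any per-IP threshold can be stayed under by design, so the aggregation has to happen on something the bot cannot cheaply vary per request. In production the fingerprint would come from the TLS handshake or a client-side signal rather than a log field, and the thresholds would be fitted to the site’s own baseline.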
Another ATO bot tactic is card cracking, used to test the validity of stolen debit or credit card numbers. Automated bots submit card numbers to a website’s payment processing system. Sometimes this verifies full card details; other times it fills in missing values such as the expiration date or CVV code by trying candidates until one is accepted. Card cracking attacks are often mistaken for a DDoS attack, as they can generate thousands of requests per second, and businesses end up paying for the capacity needed to keep their websites and payment gateways available to real customers.
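The two patterns the paragraph describes leave different marks in a payment gateway’s authorization log: card cracking is one card token declined over and over for a CVV or expiry mismatch until a guess lands, while carding is one session cycling through many different cards that mostly decline. The code below is an added example for this article, not Netacea’s or any gateway’s code. It assumes events carrying a timestamp, a client session id, the gateway’s card token (never the PAN), an approval flag and the issuer’s decline reason; CVV and expiry values are deliberately absent, since they must not be logged. Field names, decline-reason strings and thresholds are assumptions, and the sample events are constructed inline.

```python
"""Card-cracking and carding detection over constructed authorization logs.

Added example for this article; not Netacea's or any gateway's code.
Assumed event fields: timestamp, session id, gateway card token (never the
PAN), approval flag and decline reason. CVV/expiry values are never logged;
only the issuer's decline reason is. Thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthEvent:
    ts: float
    session: str                  # client session / device id
    card_token: str               # gateway token standing in for the PAN
    approved: bool
    decline_reason: Optional[str]  # e.g. "cvv_mismatch", "expiry_mismatch", "do_not_honor"


GUESS_REASONS = {"cvv_mismatch", "expiry_mismatch"}  # declines that reveal a guessed field
CRACK_MIN_GUESSES = 5      # one card, this many CVV/expiry failures
CARDING_MIN_CARDS = 10     # one session, this many distinct cards ...
CARDING_MIN_DECLINE = 0.7  # ... mostly declined
BURST_WINDOW = 1.0         # seconds, for the peak-rate signal


def peak_rate(ts: List[float], window: float = BURST_WINDOW) -> int:
    """Most events in any sliding window of `window` seconds (the 'looks like DDoS' signal)."""
    ts = sorted(ts)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_card_cracking(events: List[AuthEvent]) -> Dict[str, dict]:
    """Card cracking: the same token repeatedly declined for CVV/expiry, i.e.
    the attacker is enumerating the fields they do not have."""
    by_card: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_card[e.card_token].append(e)
    hits = {}
    for tok, rows in by_card.items():
        guesses = sum(1 for r in rows if not r.approved and r.decline_reason in GUESS_REASONS)
        if guesses >= CRACK_MIN_GUESSES:
            hits[tok] = {
                "guesses": guesses,
                "sessions": len({r.session for r in rows}),
                "later_approved": any(r.approved for r in rows),  # the guess landed
            }
    return hits


def detect_carding(events: List[AuthEvent]) -> Dict[str, dict]:
    """Carding: one session cycling through many stolen cards, mostly declined."""
    by_session: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)
    hits = {}
    for s, rows in by_session.items():
        cards = {r.card_token for r in rows}
        declined = sum(1 for r in rows if not r.approved) / len(rows)
        if len(cards) >= CARDING_MIN_CARDS and declined >= CARDING_MIN_DECLINE:
            hits[s] = {
                "cards": len(cards),
                "decline_ratio": round(declined, 3),
                "peak_rps": peak_rate([r.ts for r in rows]),
            }
    return hits


def build_sample() -> List[AuthEvent]:
    """Constructed events: two shoppers, one card cracker, one carder."""
    ev: List[AuthEvent] = []
    # alice: one card, approved first time
    ev.append(AuthEvent(10.0, "s-alice", "tok-a1", True, None))
    # bob: mistyped CVV once, then approved (human scale, not flagged)
    ev.append(AuthEvent(20.0, "s-bob", "tok-b2", False, "cvv_mismatch"))
    ev.append(AuthEvent(41.5, "s-bob", "tok-b2", True, None))
    # card cracking: one token, a CVV guess every 0.2 s until one is accepted
    for i in range(8):
        ev.append(AuthEvent(100.0 + i * 0.2, "s-crack", "tok-9f3a", False, "cvv_mismatch"))
    ev.append(AuthEvent(101.6, "s-crack", "tok-9f3a", True, None))
    # carding: one session, 15 different stolen cards, 13 of them declined
    for i in range(15):
        ok = i in (3, 11)
        ev.append(AuthEvent(200.0 + i * 0.1, "s-card", f"tok-c{i:02d}", ok, None if ok else "do_not_honor"))
    return ev


if __name__ == "__main__":
    sample = build_sample()
    print("card cracking:", detect_card_cracking(sample))
    print("carding:", detect_carding(sample))
```

Keying the cracking check on the card token rather than the session matters because the guesses can be spread across sessions and IPs; the `sessions` count in the hit shows how dispersed a run was. The `peak_rps` figure is the same burst that makes these attacks look like DDoS, and it is also why a plain rate limit is a blunt answer: it throttles the genuine shoppers caught in the same second as the bot.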
There are direct and indirect costs associated with card cracking. Not only does the activity force businesses to throttle incoming and outgoing traffic (rate limiting), which frustrates legitimate customers caught by the same limits, but a business can also be penalized when its fraud levels rise, and continual fraudulent activity can lead to significant reputational damage.
A successful carding attack may also leave a business facing chargebacks from its payment provider. In extreme cases, a business may even lose its ability to process payments because of high fraud levels, a surefire way for a financial institution to lose the trust of its customers.
Genesis Market Bots
You would think only highly sophisticated cybercriminals would have the knowledge to use bots. The reality, however, is that bots are readily available on the Genesis Market, an invite-only deep web marketplace dedicated to the sale of bots. Genesis Market bots collect data from infected consumer devices – stolen “fingerprints” (the browser and device attributes used to identify a unique user), cookies, saved logins and autofill form data – and then package that data for sale.
Buyers are provided with a custom browser into which the data is loaded, giving them the ability to browse the internet masquerading as the individual whose credentials they purchased. This allows attackers to remain undetected by traditional “client-side” anti-fraud mechanisms such as device fingerprinting, because the fingerprint presented is the victim’s own. At any one time, the Genesis Market has hundreds of thousands of bots readily available and easy to use, representing millions of dollars of illegal transactions passing from criminal to criminal.
Early Detection is Key
Because attackers want to appear as real users, they use a variety of techniques that make them extremely difficult to identify. For example, they might emulate human behavior on websites, or route traffic through a residential IP address, which tends not to raise a red flag and lets the attacker operate in stealth (unbeknownst to the IP address’s real owner).
Combatting them requires approaches specifically targeted at discovering this activity, so that you can prioritize real transactions and block automated abuse.
You can’t, however, shut down every transaction; you have to know what is good and what isn’t. Static rules and simple behavioral checks therefore do not work well on their own, because an attacker who can see the threshold will tune the bot to stay under it. You must instead employ algorithms that analyze web traffic in aggregate, detect sophisticated evasion techniques, and provide constant visibility and control over any attack. Machine learning, for example, can help spot some of the less obvious patterns used in account takeover, such as when large numbers of fake account creations are used to camouflage a takeover or hide the attack itself.
Netacea’s Intent Analytics™ engine, powered by machine learning, helps card issuers and payment processors analyze millions of user requests and identify the signals and patterns that reveal automated attacks in real time. Analytics that distinguish the real from the fake let you cut off potential carding attacks quickly and protect your business with speed and accuracy.
Clearly, credential stuffing and card cracking attacks expose financial institutions to varying degrees of fraud and theft, creating an urgent need for banks and payment processors to take proactive measures to minimize the risk. Losses from ATO will continue to cost the financial services industry millions of dollars a year unless institutions get savvy about the use of bots and implement proactive measures to stop their infiltration.
Keep in mind that cybercriminals are smart businesspeople, and their marketplace is as competitive as yours. They will continue to do whatever it takes to gain access to accounts and steal information to sell. It’s how they prosper. In other words, you need to up your game if you want to come out on top. Your brand and customer safety are at stake, as is the confidence your customers have in the security of your products. Every time an account gets taken over, your reputation gets taken down with it.