How Big Banks Fight Online Fraud
Three top strategies fraudsters use against banks — and how they can be defeated.
When it comes to cybercrime, banks have a target on their back. In fact, financial institutions in general are one of the prime hunting grounds for hacking organizations. In 2017 there were 134 data breaches in the banking industry, resulting in 3.1 million compromised records. Equifax, one of the three largest credit agencies in the U.S., suffered a breach involving as many as 143 million consumers.
While the exploits that hit major brands make the news, small institutions are by no means safe. In 2016, banks and credit unions with less than $35 million in annual revenue accounted for 81 percent of hacking and malware breaches at financial institutions, up from 54 percent the year before.
Shape protects three of the top four banks in the U.S. Working with them has given us important insights into the current threats that banks are most likely to encounter, and the defensive strategies that work. Once the biggest threat, account takeover via credential stuffing, has been tackled, the most common online fraud problems stem from man-in-the-browser attacks, relationships with financial aggregators, and manual attacks using stolen identities.
Man-in-the-Browser
Man-in-the-browser (MITB) attacks are initiated by client desktops, laptops, smartphones and other devices that have become infected with malware inadvertently downloaded by a user — typically by clicking on a malicious link in an email. Once in place, the malware continuously watches all the web traffic on the user’s device. When the user’s browser downloads a page from a bank that’s been targeted for attack, the malware interposes itself between the bank’s web application and the user’s browser.
Sitting between the two, it can do whatever it wants and remain undetected. It can pretend to be the user and send unauthorized transactions. It can modify transactions, e.g. by changing the beneficiary details on a payment. It can also scrape PII and user credentials.
One of the most difficult problems with MITB exploits is that they originate from the client’s device, over which banks have no control. Many banks believe that multi-factor authentication (MFA) can foil MITB. This is not always the case, as digital wallet start-up Zelle learned the hard way. When that company was attacked, the malware allowed the fraudsters to loiter until end users authenticated themselves using MFA, and then manipulated their transactions.
Financial Aggregators
By consolidating information from multiple financial accounts in one place, financial aggregators make it easy for their customers to get a global picture of where they stand and easily track their spending. But with this convenience comes a significant security risk.
Shape has observed that aggregators make up 20% of a typical bank’s traffic and log in 2.5 times as often as real users. Furthermore, banks themselves often relax their security procedures when dealing with an aggregator. As a result, bad actors use aggregators as a backdoor into banks because they know their traffic is much less likely to be blocked.
For large banks, tracking login patterns is a key weapon against aggregator-based fraud. The trick is to distinguish between good and bad traffic. Shape Security solutions achieve this through the use of real-time statistical analysis and pattern recognition. When a suspicious pattern reveals an exploit in progress, this information can be used to trigger a defensive response.
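One way to track login patterns per aggregator source, as an added example that is not Shape's method or code from this post: it baselines each source's login failure ratio and flags windows that deviate sharply while also introducing accounts that source has never logged in to before. The source names, log fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed events (minute, source, account, success); not real bank data."""
    events = []
    for minute in range(11):
        for acct in range(3):                      # agg-B: steady refreshes, no failures
            events.append((minute, "agg-B", f"b-user{acct}", True))
    for minute in range(10):
        for acct in range(5):                      # agg-A: normal, one stale password
            ok = not (minute == 3 and acct == 0)
            events.append((minute, "agg-A", f"a-user{acct}", ok))
    for i in range(40):                            # minute 10: burst of unseen accounts
        events.append((10, "agg-A", f"unknown{i}", i % 10 == 0))
    return events

def window_stats(events):
    """Per (source, minute): attempts, failure ratio, accounts new to that source."""
    buckets = defaultdict(list)
    for minute, source, account, ok in events:
        buckets[(source, minute)].append((account, ok))
    seen, stats = defaultdict(set), {}
    for key in sorted(buckets):
        source, rows = key[0], buckets[key]
        accounts = {a for a, _ in rows}
        fails = sum(1 for _, ok in rows if not ok)
        stats[key] = {"attempts": len(rows),
                      "fail_ratio": fails / len(rows),
                      "new_accounts": len(accounts - seen[source])}
        seen[source] |= accounts
    return stats

def flag_windows(stats, min_history=5, k=5.0, mad_floor=0.05):
    """Flag windows whose failure ratio exceeds median + k*MAD of the source's own past."""
    history, flagged = defaultdict(list), []
    for (source, minute), s in sorted(stats.items()):
        past = history[source]
        if len(past) >= min_history:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            limit = med + k * max(mad, mad_floor)  # floor avoids a zero-width baseline
            if s["fail_ratio"] > limit and s["new_accounts"] > 0:
                flagged.append((source, minute))
                continue                           # keep attack windows out of the baseline
        past.append(s["fail_ratio"])
    return flagged

if __name__ == "__main__":
    print(flag_windows(window_stats(build_sample())))
```

Comparing each source against its own history rather than a global threshold keeps a high-volume aggregator from being flagged merely for logging in more often than real users.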
Manual Fraud
Fraudsters typically use manual methods to apply for credit cards using stolen identities. They buy “fullz” files on the dark web that include a credit card number, CVV and expiration date, plus the cardholder’s name, address, email address, SSN and even security question responses. With this information, fraudsters could easily indulge in an online shopping spree, or apply for new cards, changing only the physical and email addresses. Fraudsters can typically apply for a few dozen cards per day, or they can use human farms and complete several hundred card applications per day. Once they get approvals, they can have access to thousands of dollars per card.
Originally published at blog.shapesecurity.com on April 19, 2018.