The Robots Aren’t Coming: They’re Already Here (and Ripping Off Banks)

Committing financial fraud used to be a precision exercise: find a target, take aim and fire a single shot. Even with a hit-or-miss approach like this, the “numbers game” often favored the fraudster. With just a 10 percent success rate, even a hunt-and-peck fraud scheme could yield a nice payday – but the amount of legwork needed for a big score was often not worth the effort. Then the robots came and changed the calculus forever. 

Today, thousands of botnets – connected servers of scripted software robots – can perform what used to require hundreds of hours of work in just a few seconds. Suddenly, every scrap of personal information that has hit the dark web in the wake of huge consumer data breaches is now weaponized by highly sophisticated and organized digital fraud rings.

What can banks do to strengthen their defenses and stop these nefarious robot armies? The solution is two-fold: educating consumers about password hygiene and ensuring banks are using fresh, consortium-sourced data to identify risky patterns of customer transactions, both monetary and non-monetary.  

Origins

Botnets are nothing new in terms of internet piracy, but like other Internet innovations they are being weaponized by fraudsters today. Last year, there were 1,579 new known data breaches in the U.S. involving hundreds of millions of consumers. Additionally, Social Security Numbers (SSNs), dates of birth (DOBs) and credit card numbers are among the most sought-after data on the dark web. 

The role of botnets in perpetrating financial fraud is two-fold. First, data breaches perpetrated by bots account for a large portion of the more than six million personal data records that are stolen each day. The wide availability of full consumer data profiles (known as “fullz” to fraudsters), with SSNs, DOBs, addresses and even driver’s license numbers – makes it easier and cheaper for criminals to engage in fraud. 

Javelin Research estimates that nearly 17 million people had their identities stolen in 2017, up from 15 million in 2016 – the highest number since 2003. Once personal data is sold to organized fraud rings (usually for around $30 per record – even less if purchased by the thousand), botnets are again employed to use these credentials to take over customer accounts.

While some botnets operate out of sophisticated data centers, others consist of connected devices hacked by malware, making botnet attacks even more efficient for organized rings without an abundance of technical resources. One simple trojan virus or phishing scheme propagated by thousands of bots can be very effective in harvesting tens of thousands of personal information records. 

Fraud Losses

Botnets are driving much of exponential scale, scope and speed wreaking havoc on consumer privacy and boosting financial fraud losses, estimated at $2.2 billion in the U.S. for 2016 alone. Given the sheer volume of personal data records available for purchase, success is all but assured given that “fullz” cost a fraction of what fraudsters stand to gain from a single cash-out. 

The pervasiveness of personal information on the Internet, increasingly stealth malware attacks and poor password hygiene – such as using the same passwords for many online activities – are all contributing to the growth of financial fraud by bot. Before technology took over, the act of perpetrating financial fraud was a more painstaking and manual process involving tens or hundreds of accounts and in-person interactions with bank personnel. The advent of digital banking, coupled with the rise in data breaches, has created a perfect storm of highly organized, opportunistic fraud.

Using stolen personal information and thousands of combinations of automated login attempts (thanks to bots), fraudsters impersonate legitimate account-holders, change passwords and redirect all communications. When the bank calls or texts to notify the customer of these changes, everything “checks out” as far as the bank is concerned, but the bank has unwittingly removed one of their last lines of defense. Now that the fraudsters have verified the changes, it’s only a matter of time before they cash out. This is called account takeover (ATO) and today, it doesn’t take days or weeks: it can take mere minutes or hours by using bots.  

Prediction and Prevention

Cequence and Osterman Research recently published the results of a research study titled “The Critical Need to Deal with Bot Attacks,” detailing the widespread growth of botnet activity and defensive strategies to prevent account takeover fraud. More than 200 enterprise-sized companies contributed to the study, revealing that it costs an average of $175,000 per year for security teams to deal with botnet attacks. This is a perfect example of why detection – stopping attacks before they are result in fraud – is a preferable option to defensive and reactive strategies. 

One of the most effective ways to predict botnet attacks on consumer bank accounts is by looking at common behaviors associated with such attacks, namely changing customer profile data as a precursor to fraud. Predictive patterns emerge whenever another account takeover scheme is revealed, and by sharing these data patterns across a network of financial institutions, the predictive models become more refined based on new data coming from banks every day. By observing customer profile changes across hundreds of financial institutions, fraud fighters are better able to identify large fraud schemes, particularly those that involve automation.

Telltale signs of a coordinated account takeover can include changes to email addresses, phone numbers and mailing addresses. Taken one at a time, it is nearly impossible to decipher trends and detect fraud – after all, banks do not want to create friction with legitimate customers. These non-monetary transactions seem like normal account activity but taken together (and repeated across millions of customer accounts rapidly through botnets), they are essential clues to fraud patterns. 

Botnet attacks on financial institutions are fueled by today’s data- and technology-driven mindset, and financial institutions must rely on similar tools to help protect their account holders, reputation and assets. Automated solutions that protect both front-end account-opening processes and back-end customer account services – using predictive patterns and real-time data discerned from millions of transactions – can uncover otherwise hidden patterns. Why is a high-net-worth customer changing his address to a rented mailbox more than 3,000 miles away? Why did a longtime customer switch from the latest iPhone to a throwaway flip-phone from a check-cashing store? Why are so many email addresses being redirected to an address associated with an Estonian server farm? 

Botnet traffic may account for as much as 30 percent of all Internet traffic, according to recent estimates. This is a problem that will plague not only financial institutions, but nearly every enterprise for the foreseeable future. By embracing technology advancements, business can begin to map a proactive strategy for not just defending against botnet attacks, but also eliminating their frequency and impact. 

Adam Elliott is founder and president of ID Insight, providing next-generation verification, authentication, market research and fraud solutions to financial services companies, credit issuers, retailers and online merchants. Contact him at [email protected].