The Anatomy of Account Takeover Attacks in Banking and Fintech

COVID-19 has already proved its substantial impact on online-based fraud. According to recent analyses of real user sessions and attack patterns on my company’s fraud and abuse prevention network, digital attack rates rose by 20% in the first quarter of this year, with payment attacks up by 49% compared to the end of 2019. Over the past six months, our network recorded double the volume of attacks since the second half of 2019, with a 25% attack rate across all online transactions.

Fraudsters are proving to be exceptionally nimble and determined, quickly adapting to ever-changing realities and turning new situations such as the pandemic into an opportunity to widen their reach and maximize profits. To overcome the prevalence of anti-fraud and security solutions in the highly regulated industry of banking and fintech, fraudsters are planning and orchestrating attacks more diligently than ever before, and taking advantage of the new socio-economic context to carry out successful fraud as a result. In fact, financial institutions on the Arkose Labs network saw attack levels rise notably in Q2 of 2020, after an initial dip in April.

To navigate this new era of online fraud and realistically stand a chance at combating persistent fraudsters, organizations need to familiarize themselves with common attack vectors. Knowledge and proactivity are especially critical for organizations within the banking and fintech sector, as the potential gain for fraudsters is higher.

Common Attack Vectors and ATO Use Cases

Two common attack vectors for harvesting credentials in fintech and banking include phishing and malware. With phishing attacks, customers receive emails that appear to come from a trusted organization. They’re asked to click a link and login because there’s “an important message” or “issue that requires immediate attention.” Few will notice that the link isn’t safe, and once they log in to the fake website, their credentials are recorded into the attacker’s database and customers are redirected to the real login page. With malware attacks, customers are enticed to install malware on their computer, which listens for keystrokes as the customer logs in to various web sites. Any credentials collected are reported to a database owned by the attacker.

Once credentials are acquired via phishing or malware, attackers may use a botnet or automated attack tool such as Sentry MBA to carry out their account takeover (ATO). They may also leverage cheap human labor as part of the ATO attack process to remain under the radar. Attackers will then use the compromised accounts to commit fraud or simply resell them to the highest bidder. Accounts that have been taken over are exploited as follows:

• Account Draining: Fraudsters use stolen identity credentials to take complete control of financial accounts. The accounts are drained of funds and the money is often laundered, making it difficult to trace.
• Money Laundering: Dirty money (i.e. the proceeds of crime) is passed through a complex series of bank transfers, obscuring the origins of the funds to make it appear legitimate. The then “clean” money returns indirectly to the fraudster.
• Money Muling: Money muling is a form of money laundering where fraudsters either recruit legitimate customers to transfer dirty money or take control of legitimate active or dormant accounts and use them to transfer funds.
• Credit Applications: Stolen identity data is used to make fraudulent credit applications. Compromised account data might be held for months before fraud is committed, making it difficult to identify the source of the breach.

User-Friendly, Naturally Evolving Defense Strategies are Key

Ultimately, all online accounts are at risk and fraudsters will leverage any number of techniques to achieve their goals. Don’t wait for an ATO attack to occur before deciding to protect a login endpoint. Protect all login endpoints equally whether they handle web or mobile traffic. Continuously re-evaluate resilience levels and assess where new attack points could emerge across various customer touchpoints. Given the financial hardships already brought on by COVID-19 in addition to the sensitive collateral involved, fintech and banking organizations can’t rely on their customers to be sufficiently security savvy. Investing in user-friendly fraud protection and defense strategies that are capable of naturally evolving with emerging attack patterns is paramount, now more than ever.

David Senecal, Vice President of Product Platform at Arkose Labs