Bank account takeovers – let's change the record from who to why
by Jeremy Gidlow, CEO and Co-Founder, Netacea
Almost every week we see a new corporation fall victim to a data breach, with thousands of confidential consumer details made public and cyber attackers ‘walking away’ with a treasure trove of usernames and passwords. In the days before automation, manually ‘breaking into’ accounts by inputting these leaked credentials into a login page was about as likely to succeed as looking for a needle in a haystack. But today, with automation and bots able to check thousands of accounts every minute, hackers can quickly take over accounts and sell them on—a practice known as credential stuffing.
With research revealing that more than 50% of internet users reuse the same password for multiple accounts, there’s a good chance that once a hacker has verified a username and password combination, they can unlock multiple accounts. But while hackers have the potential to access lots of accounts, from Yahoo to Netflix, they are only really interested in one type of account—the ‘gold mine’ bank account.
‘Stuffing’ up financial institutions
Once a hacker gets access to a bank account, they become the puppeteer of that account and can move money, purchase anything they desire and even set up direct debits. The challenge for financial institutions is that, on the surface, this is completely legitimate user behaviour, which makes the malicious intent behind the activity, the hacker's presence, difficult to spot.
Ultimately, both the account holder and the financial institution pay the price. The account holder pays for goods and services they neither wanted nor will ever receive, and has money moved out of their account. The financial institution must investigate the potential account takeover and, if it is proven that the account was compromised by a hacker, reimburse the account holder for the lost money. Insurance might cover some of the cost, but as the case of COSMOS Bank in India shows, where malware was used to steal customer credit card information, banks can't rely solely on insurance; COSMOS lost roughly $11.5 million as a direct result of the attack.
The cost to financial institutions doesn’t end there, either. Account holders are less likely to trust the organisation after a hack, which can lead to account holders switching over to competing institutions and a loss of income.
Financial institutions are in a catch-22. Not only do they need to ensure accounts are secure and difficult for hackers to access, they also need to make the banking experience as frictionless as possible for the account holder. But by making logins, transactions and refunds easier for account holders, they simultaneously make it easier for hackers to use automated techniques such as credential stuffing to take over accounts.
Changing the record
So, what options are open to financial institutions? A few years ago, financial institutions would have been able to deploy traditional bot mitigation methods to solve this challenge—distinguishing bot activity from human activity and putting processes in place to stop all bots. But bot operators have become increasingly sophisticated in their approach, and traditional bot mitigation isn't able to identify and stop complex attacks in which bots mimic human behaviour.
To successfully detect and mitigate these attacks, financial institutions need to ask a different question. Rather than asking “is this a human or a bot?” they need to focus on intent and ask “what is this visitor doing?”. Machine learning is key here—not in learning what human behaviour looks like, but in identifying what good behaviour looks like.
Furthermore, through web log analysis, it has become possible to build a profile of the way users interact with their online bank account to determine their intent. While an attacker can mask their behaviour to appear human-like, they cannot easily disguise their intention.
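As an added illustration of web-log intent analysis (not Netacea's code; the log format, thresholds and source addresses below are constructed assumptions), this script profiles each source by how many distinct usernames it tries, how often it fails and how fast it moves. A person retrying their own password and a tool cycling through a leaked list can both look "human" per request, but their behaviour over a handful of requests differs sharply:

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample web log (not real traffic): one line per login attempt.
# 198.51.100.7 is a customer mistyping their own password; 203.0.113.5 is
# cycling through many usernames from a leaked list.
SAMPLE_LOG = """\
2024-03-01T09:00:00 198.51.100.7 POST /login user=alice status=401
2024-03-01T09:00:14 198.51.100.7 POST /login user=alice status=401
2024-03-01T09:00:41 198.51.100.7 POST /login user=alice status=200
2024-03-01T09:05:00 203.0.113.5 POST /login user=bob status=401
2024-03-01T09:05:01 203.0.113.5 POST /login user=carol status=401
2024-03-01T09:05:01 203.0.113.5 POST /login user=dave status=401
2024-03-01T09:05:02 203.0.113.5 POST /login user=erin status=200
2024-03-01T09:05:02 203.0.113.5 POST /login user=frank status=401
2024-03-01T09:05:03 203.0.113.5 POST /login user=grace status=401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /login user=(\S+) status=(\d{3})$")

def parse_log(text):
    """Group login attempts by source IP as (timestamp, username, success)."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login attempt; ignore
        ts, ip, user, status = m.groups()
        by_ip[ip].append((datetime.fromisoformat(ts), user, status == "200"))
    return by_ip

def profile(attempts):
    """Intent signals for one source: breadth of usernames, failure rate, pace."""
    times = sorted(t for t, _, _ in attempts)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "attempts": len(attempts),
        "distinct_users": len({u for _, u, _ in attempts}),
        "failure_rate": sum(1 for _, _, ok in attempts if not ok) / len(attempts),
        "median_gap_s": median(gaps) if gaps else None,
    }

def flag_stuffing(by_ip, min_users=5, min_fail=0.6, max_gap_s=2.0):
    """Return sources whose behaviour (many usernames, mostly failing, fast) fits stuffing."""
    flagged = {}
    for ip, attempts in by_ip.items():
        p = profile(attempts)
        if (p["distinct_users"] >= min_users and p["failure_rate"] >= min_fail
                and p["median_gap_s"] is not None and p["median_gap_s"] <= max_gap_s):
            flagged[ip] = p
    return flagged
```

The thresholds are placeholders; in practice they would be learned from what normal customer behaviour looks like, as the text describes, rather than fixed by hand.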
When we reframe the question to focus on intent, we no longer need to invade a user’s privacy by introducing additional intrusive code to a website. This means we can be more accurate in stopping highly sophisticated attacks, whilst also giving users a better experience.
Setting the record straight
For every action there is an equal and opposite reaction, and as technology evolves to enhance the banking user experience, so do the technology and techniques used to compromise account holders. It's important to note that a data breach needn't take place on your website for it to affect your customers; once the credentials are out there, they're out there to be exploited.
Hackers are continually looking for new ways to compromise user accounts, and to protect their customers, and themselves, financial institutions need to match the sophistication of today's hackers. By staying one step ahead and reframing the question from who to why, financial institutions can ensure that they stop themselves and their customers from paying the price of data breaches.