The challenge of financial fraud detection two years into a pandemic

By Uriel Maimon

One of the biggest changes that came unexpectedly from the COVID-19 pandemic was more people swapping their city lives for an escape to the country. Employees were no longer going into offices, or taking advantage of the 24-hour city life. In response, many packed up and sold their condos or gave up apartment leases, replacing them with suburban homes and country living.

However, the effects of this “great pandemic migration” were far bigger than just updates to address books. In fact, banks came directly into the firing line, because the trend offered cyber criminals new avenues to deceive financial fraud models and to target banks with credential stuffing and account takeover attacks.

Deceiving fraud models through automated attacks

When the COVID-19 pandemic first broke, the first businesses to feel its impacts were brick-and-mortar organizations, forced to close their physical doors and start operating as online organizations.

For banks, this meant moving more services online and closing physical branches, while working with an almost entirely online customer base. Of course, this shift to online has been occurring for many years, but the pandemic gave a push to those last few customers who still preferred to do their banking only in person.

To continue serving customers, banks moved nearly their whole portfolios of services to digital platforms, catering to all their customers’ needs, with vastly reduced physical interaction.

As banks offered more of their services online, they opened new gateways for cybercriminals to target them. This, combined with the fact that so many people were moving homes, caused major problems: not only was the attack surface of banks growing, but the accuracy of location-based customer authentication was also significantly decreasing.

Cybercriminals saw the opportunity and flooded bank websites with credential stuffing and account takeover attacks.

Security versus convenience

Banks have always been a top attack target for criminals. Today, the primary threat is automated bots that have been hired by criminals to hammer bank websites with rapid-fire log-in attempts into customer accounts. Once attackers have secured valid credentials and gained access to accounts, they can then carry out fraudulent transactions, transfer funds from accounts or initiate new credit applications.

The threat is costing banks millions. To put it into perspective, Aberdeen Group discovered that 84 percent of financial services companies have reported that a portion of their online users have experienced a successful account takeover in the last 12 months, while the average cost of an attack can be up to 6.4 percent of the revenue generated from their monthly active users.

This means preventing these credential stuffing attacks must be a high priority for all banks.

The traditional way for banks to prevent these automated and fraudulent login attempts was to use the location of customers to identify whether they were genuine. If a customer typically connects to a bank from Manhattan, but suddenly her account sees a login from Dubai, this will raise alarm bells and will result in queries being raised. Banks will contact the customer directly to confirm identity before committing to a transaction. However, with many people moving addresses, the accuracy of fraud models has suffered, and it has become difficult to determine which customers had moved and which had stayed put.

The most obvious solution to counter this threat is for banks to delay transactions until customers are physically contacted to verify them. But this adds additional security layers, delays important transactions and ultimately causes customer friction, all risks banks want to avoid.

The alternative is for banks to enforce the use of multi-factor authentication (MFA) and user verifications such as captcha. But these can also frustrate customers who want easy access to their banking information. While both security measures reduce the risk of credential stuffing, MFA and captcha can create user friction, increasing abandonment and negatively impacting the customer experience.

Behavior-based analytics

Today, the most sophisticated and user-friendly method for blocking credential stuffing attacks is to use behavior-based detection and blocking. This goes beyond just signature-based approaches, and it uses advanced machine learning techniques and iterative feedback loops to build predictive models, which can proactively block a wide range of automated attacks that would pass through signature detection.

Behavior-based approaches go beyond the “declarative” identifiers. They look for patterns in data types such as network data, client-side device and user data (screen resolution, rendering engines) and user interaction events, to name a handful, in order to spot qualitative and quantitative differences between bots and live human users. Behavior-based detection can factor in hundreds of elements and see patterns where human operators would not. Accurate real-time behavior-based detection can learn on the fly, constantly updating its models. This allows banks to automatically reject the overwhelming influx of traffic from unauthorized bots.
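The contrast between the location check and behavior-based signals can be seen on a small set of login events. This is an added example, not code from the article or from any vendor: the events, client IDs, city names and thresholds are constructed assumptions, and a few fixed rules stand in for the machine learning models described above.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (time_s, client_id, username, city, success)
EVENTS = [
    (0, "client-A", "alice", "Albany", True),       # customer who relocated
    (100, "client-B", "bob", "Dubai", False),
    (101, "client-B", "carol", "Dubai", False),
    (102, "client-B", "dave", "Dubai", False),
    (103, "client-B", "erin", "Dubai", False),
    (104, "client-B", "frank", "Dubai", True),      # stuffed credential that worked
    (900, "client-C", "bob", "Manhattan", False),   # human typo, then a retry
    (925, "client-C", "bob", "Manhattan", True),
]
USUAL_CITY = {u: "Manhattan" for u in ("alice", "bob", "carol", "dave", "erin", "frank")}

def location_alerts(events, usual_city):
    """Usernames with a successful login from a city other than their usual one."""
    return {user for _, _, user, city, ok in events
            if ok and usual_city.get(user) != city}

def client_features(events):
    """Per-client behavior: attempts, distinct usernames, failure ratio, median gap."""
    by_client = defaultdict(list)
    for event in sorted(events):
        by_client[event[1]].append(event)
    features = {}
    for client, evs in by_client.items():
        times = [e[0] for e in evs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        features[client] = {
            "attempts": len(evs),
            "distinct_users": len({e[2] for e in evs}),
            "failure_ratio": sum(not e[4] for e in evs) / len(evs),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return features

def behavior_alerts(events, min_users=3, min_fail=0.5, max_gap_s=5):
    """Clients trying many accounts, mostly failing, at machine speed (assumed thresholds)."""
    return {c for c, f in client_features(events).items()
            if f["distinct_users"] >= min_users
            and f["failure_ratio"] >= min_fail
            and f["median_gap_s"] is not None
            and f["median_gap_s"] <= max_gap_s}

if __name__ == "__main__":
    print("location rule flags:", sorted(location_alerts(EVENTS, USUAL_CITY)))
    print("behavior rule flags:", sorted(behavior_alerts(EVENTS)))
```

The location rule flags both the relocated customer and the compromised account and cannot tell them apart, while the behavior rule flags only the automated client and leaves the customer who mistyped a password alone.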

Traditional detection methods through location-based authentication have taken a hit as a result of the pandemic, while MFA can cause friction in the customer experience that can damage relationships and result in banks losing clients to competitors.

As a result, advanced bot detection and mitigation solutions that leverage machine learning and behavioral analysis are important and contemporary ways to reduce the effectiveness of automated credential stuffing and account takeover attacks. This allows banks to put worries about account fraud behind them and instead prioritize innovating and delivering value to their customers.

Uriel Maimon is senior director of emerging technologies at PerimeterX, a provider of solutions that detect and stop the abuse of identity and account information on the web.