APIs are a gateway for credential stuffing attacks, exposing banks and fintechs to fraud and theft. Andy Still explains what makes financial services particularly vulnerable to bot attacks, which bots to look out for, and how businesses can better understand the way API traffic behaves.
Still is CTO at the Manchester-based cybersecurity firm Netacea, a server-side bot management solution that protects websites, mobile apps and APIs from automated threats by deploying its intelligent detection engine, Intent Analytics.
In this guest-authored piece for The Fintech Times, Still divulges why open APIs are so susceptible to bot attacks, what the business cost of such attacks is, as well as offering insight into how companies can better protect themselves and the interests of their customers.
Financial institutions hold more data on their customers than any other industry. Because much of it is sensitive personally identifiable information (PII), financial services need to be even more wary of data breaches: they risk fines from the Financial Conduct Authority (FCA) and significant damage to their reputation.
Bank accounts, both personal and business, have long been a prime target for cybercriminals, who gain both PII and financial rewards from their exploits. APIs are a requirement of recent open banking and PSD2 regulation and make for a compelling new target for hackers. Ninety-seven per cent of financial services businesses reported attacks on an API in 2020, and Gartner predicts that API attacks will become the most frequent attack vector in 2022.
Open APIs facilitate the exchange of data between banks and third-party organisations. Anyone who has added their credit card balance to their personal banking app has used one. But the uses go beyond this – they can improve competitive offerings and customer experience, and make data accessible to third-party aggregators and brokers.
Many providers outsource their API and mobile app development, meaning that the same code is used by multiple customers. Any vulnerabilities are likely to be common to more than one provider, and so APIs quickly become the perfect target for account takeover bots and credential stuffing attacks.
What should financial services look out for?
Attackers are always looking for the easiest point of access. The APIs used to share data between banks and third parties are at particular risk of new threats. Attackers will attempt to gain entry to the vulnerable API layer via its three access points: the browser, mobile applications and the API server.
One of the biggest risks is the use of the API by account checker bots. These take lists of leaked username and password pairs (aka combo lists) and test them to see if anyone is reusing a password for their online banking – this is also known as a credential stuffing attack.
Automated bots are used to ‘stuff’ stolen usernames and passwords into log-in pages at high velocity to gain fraudulent access to accounts. Once in, attackers have full access to the account’s details and transaction history, which can be used to apply for fraudulent loans and credit cards, to make bank transfers, or to defraud the financial organisation itself.
Seventy-one per cent of financial services reported attacks from account checker bots in 2020.
To understand how dangerous an attack is, financial organisations should look out for:
- Scale of the attacks: a high number of log-in or validation attempts within a short time frame.
- How sophisticated the attacks are: is the traffic distributed globally or concentrated in one region, and does it arrive through more than one access point (browser, mobile app, API)?
- Sustained attacks: an abnormally high number of attempts to log in or validate details over a long period of time, even where the rate at any given moment looks unremarkable.
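The following is an added example and not code from Netacea or from the original article. It scores a constructed authentication log for the three signals listed above: a burst of mostly failing attempts against distinct usernames from one source (scale), the same pattern spread over hours at a low rate (sustained), and a campaign in which every attempt comes from a different proxy IP and through different access points, which per-IP thresholds never catch (sophistication). The log format, the sample traffic and every threshold are assumptions chosen for illustration.

```python
# Added example (not Netacea's or the article's code): credential-stuffing
# signals over a constructed authentication log. Format and thresholds are
# assumptions for illustration only.
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 6, 1, 9, 0, 0)
FMT = "%Y-%m-%dT%H:%M:%SZ"


def log_line(ts, ip, channel, user, result):
    """One constructed log line: time, source IP, access point, username, result."""
    return f"{ts.strftime(FMT)} {ip} {channel} {user} {result}"


def build_sample_log():
    """Constructed sample traffic (not real data): two genuine users, one noisy
    combo-list bot, one low-and-slow bot and one proxy-rotating campaign."""
    lines = [
        log_line(T0 + timedelta(minutes=1), "198.51.100.20", "web", "alice", "OK"),
        log_line(T0 + timedelta(minutes=2), "198.51.100.21", "mobile", "bob", "FAIL"),
        log_line(T0 + timedelta(minutes=3), "198.51.100.21", "mobile", "bob", "OK"),
    ]
    # Scale: one IP tries 30 different usernames in two minutes; one victim reused a password.
    for i in range(30):
        lines.append(log_line(T0 + timedelta(seconds=4 * i), "203.0.113.7", "api",
                              f"user{i:03d}", "OK" if i == 17 else "FAIL"))
    # Sustained: one attempt every ten minutes for six hours, each against a new username.
    for i in range(36):
        lines.append(log_line(T0 + timedelta(minutes=10 * i), "203.0.113.8", "api",
                              f"victim{i:03d}", "FAIL"))
    # Sophistication: 40 attempts, each from its own proxy IP, across all three access points.
    for i in range(40):
        lines.append(log_line(T0 + timedelta(hours=2, seconds=5 * i), f"192.0.2.{i + 1}",
                              ("web", "mobile", "api")[i % 3], f"acct{i:03d}", "FAIL"))
    return lines


def parse_log(lines):
    """Parse the constructed format into event dicts sorted by time."""
    events = []
    for line in lines:
        ts, ip, channel, user, result = line.split()
        events.append({"ts": datetime.strptime(ts, FMT), "ip": ip, "channel": channel,
                       "user": user, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def burst_sources(events, window=timedelta(minutes=5), min_attempts=20, max_success_rate=0.2):
    """Scale signal: a source making many attempts inside `window`, mostly against
    distinct usernames and mostly failing. Returns {ip: peak attempts in any window}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(e["ok"] for e in span)
            if (len(span) >= min_attempts and len(users) >= 0.8 * len(span)
                    and successes / len(span) <= max_success_rate):
                flagged[ip] = max(flagged.get(ip, 0), len(span))
    return flagged


def sustained_sources(events, window=timedelta(hours=6), min_attempts=30, max_success_rate=0.2):
    """Sustained signal: the same check over a long window, which catches low-and-slow
    sources whose per-minute rate never looks abnormal."""
    return burst_sources(events, window, min_attempts, max_success_rate)


def distributed_campaign(events, window=timedelta(minutes=5), min_failures=25, min_distinct_ips=20):
    """Sophistication signal, computed across all sources rather than per IP: many
    failing attempts on single-use usernames from many different IPs in one window.
    Returns the window with the most distinct IPs, or None."""
    best, start = None, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        failed = [e for e in events[start:end + 1] if not e["ok"]]
        ips = {e["ip"] for e in failed}
        users = {e["user"] for e in failed}
        if (len(failed) >= min_failures and len(ips) >= min_distinct_ips
                and len(users) >= 0.8 * len(failed)):
            if best is None or len(ips) > best["distinct_ips"]:
                best = {"window_start": events[start]["ts"], "attempts": len(failed),
                        "distinct_ips": len(ips),
                        "channels": sorted({e["channel"] for e in failed})}
    return best


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("burst sources:", burst_sources(evs))
    print("sustained sources:", sustained_sources(evs))
    print("distributed campaign:", distributed_campaign(evs))
```

The two per-source checks flag the noisy bot and the low-and-slow bot respectively, while the proxy-rotating campaign is invisible to both and only appears in the cross-source view. In practice the distinct-IP count would be enriched with ASN and geolocation data to answer the "global or local" question, and the success-rate ceiling matters: a source that fails on almost every attempt but occasionally succeeds is exactly what a combo list looks like when a few customers have reused passwords.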
What can these breaches cost?
Automated bots operated by malicious actors cost businesses an average of 3.6 per cent of their annual revenue. For the biggest businesses, this could mean anything up to a quarter of a billion dollars lost to serving bots every year.
Financial service providers are already under attack from all kinds of fraud and hacking. £650 million is spent in the UK to combat fraud in finance every year, yet four incidents of fraud were reported every minute, and bank account fraud reached its highest level for more than three years in 2021.
Among all these threats, credential stuffing was reported as the biggest bot threat by 85 per cent of fintechs in 2021 – understandable given just how lucrative a successful attack can be. We’ve seen these attacks increase dramatically over the last few years as the cyber threat landscape has shifted and the easy availability of mass data dumps and proxy servers has created a breeding ground for credential stuffing attacks.
Understanding and managing API traffic
Most financial services have little to no visibility of how much of the traffic to their API is human and how much is automated bot traffic, let alone of the intent behind it. According to our research, only four per cent of financial organisations considered their API their number one threat risk, yet 97 per cent reported attacks on their API in 2020.
For fintechs in particular, core functionality relies heavily on APIs, so access to them must be restricted to regulated third parties. Creating a resilient API environment is crucial to maintaining a truly secure and highly functioning ecosystem in which both the fintech and the third party are protected.
Financial organisations should not just seek to monitor the traffic across their mobile apps, websites and APIs, but to understand its intent. Without bot management technology in place to identify anomalies in traffic patterns and behaviour, automated traffic threats often go undetected, opening up financial service providers to the threat of data breaches, risk to customers and cost to the business.