Security has always been a top priority in the financial industry. But proven IT protection mechanisms such as web application firewalls, two-factor authentication or CAPTCHAs can no longer adequately fend off modern attack methods. This is because attackers increasingly exploit inherent vulnerabilities that arise from current business processes and cannot be patched in the traditional sense. New approaches to the problem are needed.
By Dan Woods, vice president of the Shape Security Intelligence Centre at F5
Financial service providers are among the most frequently attacked companies worldwide. As custodians of accounts and transactions, they are a particularly attractive target for sophisticated and well-equipped cybercriminals. To identify and defend against new and increasingly complex attacks, it is becoming more and more important for the entire company to work together.
This is because attackers exploit inherent vulnerabilities that cannot be patched in the traditional sense, since they arise from central and often critical business processes.
Credential stuffing
One example is credential stuffing. In a first step, attackers obtain several hundred thousand, or even billions, of login records (user names and passwords) from the dark web or from poorly secured companies. They then try them out, in an automated way, on other companies' login pages. Because many consumers reuse the same credentials across services, this is often successful. To a bank, a login with the correct credentials looks exactly like a legitimate login by the real customer. Other signals, such as the IP address, the device ID or the use of a proxy for obfuscation, therefore have to be analyzed to detect the account takeover.
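The following is an added example (not code from the article or from F5) of the kind of triage the paragraph describes: a batch of login events is grouped by source, and the signals that a single correct password does not reveal (username spread per source, failure ratio, number of distinct device fingerprints, proxy use) are used to flag the stuffing source and the one account it actually got into. The event fields, thresholds and sample events are all constructed assumptions.

```python
"""Credential-stuffing triage over constructed login events (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since epoch (constructed)
    src_ip: str
    username: str
    success: bool
    device_id: str     # browser/device fingerprint (assumed field)
    via_proxy: bool    # anonymising proxy/VPN exit (assumed field)


# Constructed sample, not real traffic. One source works through a leaked
# list (40 usernames, one device fingerprint, proxy exit, one hit); one real
# user mistypes a password once; one office NAT serves three employees.
SAMPLE_EVENTS = [
    LoginEvent(1000 + i, "203.0.113.7", f"user{i:03d}@example.com", i == 12,
               "fp-a1b2c3", True)
    for i in range(40)
] + [
    LoginEvent(1100, "198.51.100.4", "alice@example.com", False, "fp-alice", False),
    LoginEvent(1105, "198.51.100.4", "alice@example.com", True, "fp-alice", False),
    LoginEvent(1200, "192.0.2.10", "bob@example.com", True, "fp-bob", False),
    LoginEvent(1210, "192.0.2.10", "carol@example.com", True, "fp-carol", False),
    LoginEvent(1220, "192.0.2.10", "dave@example.com", True, "fp-dave", False),
]


def profile_sources(events):
    """Aggregate per-source signals that a single login request does not carry."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.src_ip].append(e)
    profiles = {}
    for ip, evs in per_ip.items():
        attempts = len(evs)
        failures = sum(not e.success for e in evs)
        profiles[ip] = {
            "attempts": attempts,
            "distinct_users": len({e.username for e in evs}),
            "distinct_devices": len({e.device_id for e in evs}),
            "failure_ratio": failures / attempts,
            "via_proxy": any(e.via_proxy for e in evs),
        }
    return profiles


def is_stuffing_source(p, min_attempts=10, min_user_spread=0.8, min_failure_ratio=0.7):
    """Heuristic (assumed thresholds): many attempts, nearly every one a different
    username, mostly failing; or one device fingerprint touching many accounts.
    A real user retrying has one username; a shared NAT has several users but a
    low failure ratio and one device per user, so neither rule fires on it."""
    spread = p["distinct_users"] / p["attempts"]
    list_walk = (p["attempts"] >= min_attempts
                 and spread >= min_user_spread
                 and p["failure_ratio"] >= min_failure_ratio)
    one_device_many_accounts = p["distinct_users"] >= min_attempts and p["distinct_devices"] == 1
    return list_walk or one_device_many_accounts


def suspect_takeovers(events):
    """Successful logins from a flagged source. The credentials were correct, so the
    login itself is indistinguishable from the customer's; only its context is not."""
    profiles = profile_sources(events)
    flagged = {ip for ip, p in profiles.items() if is_stuffing_source(p)}
    return sorted({e.username for e in events if e.success and e.src_ip in flagged})


if __name__ == "__main__":
    for ip, p in profile_sources(SAMPLE_EVENTS).items():
        print(ip, "STUFFING" if is_stuffing_source(p) else "ok", p)
    print("accounts to lock/step-up:", suspect_takeovers(SAMPLE_EVENTS))
```

In production the same aggregation would run over a sliding time window and the proxy and device signals would come from a client-side or edge collector rather than from the request itself; the point of the example is that the decision is made on the source's behaviour across accounts, not on whether one password was right.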
Another method that is used more and more often is the attack via third parties. This works similarly to the software supply-chain attacks on the IT service providers Kaseya and SolarWinds, where compromised software was used to distribute malware to more than 1,000 customers. In finance, this route often runs through FinTech companies such as loyalty program providers or payment service providers.
To use their often free services, customers must first register their bank account and then link it to their login credentials at other providers such as retailers, hotels, airlines or telecom providers. In doing so, customers hand the username and password for each of those accounts to the FinTech, which then attempts to log into each account programmatically. If the credentials are correct, the link is established, and from then on everything happens automatically: the FinTech repeatedly logs into the account and retrieves its content, sometimes more than a thousand times a day.
If cybercriminals overcome the security mechanisms of any such provider, they can use these same automated processes to reach the user's bank account through the user's account at the FinTech, for example by planting malware such as a Trojan that manipulates the transactions. Because the access looks like a legitimate, automated request from the third-party provider, the attack can only be detected with special precautions.
Attacks on accounts
Another attack technique is to probe an application to see whether a valid account exists for a given username. If it does not, the attacker need not try a password at all. If the username is valid but the password is not, the application often responds with a "request new password" option. The attacker then arranges for the new password to be sent to one of his own mail addresses.
Cybercriminals also abuse the ability to create a completely new account. This is especially true at financial service providers, where such accounts are used to launder money and to create and maintain synthetic identities: fake accounts not associated with any real person or company, used to disguise the true owners and thus evade law enforcement.
Dan Woods is vice president of the Shape Security Intelligence Center at F5. He previously served as assistant chief special agent of special investigations in the Arizona attorney general's office, where he investigated computer crime and cyber fraud. Before that, he spent 20 years in local, state and federal law enforcement and intelligence agencies, including the FBI as a special agent investigating cyberterrorism and the CIA as a technical operations officer specializing in cyber operations.
Here's why traditional defenses no longer work
Common security measures in financial services operate at OSI layers 5 to 7: web application firewalls (WAFs), two-factor authentication (2FA) enforced on the application in question, or bot detection and prevention tools such as CAPTCHA.
WAFs primarily inspect the application layer to defend against the Open Web Application Security Project (OWASP) Top 10 web application threats. But the application layer alone does not provide enough signals to reliably detect sophisticated automation. Additional signals are required, for example behavioral biometrics and interrogation of the browser or device environment.
2FA is effective against many attack methods, but large-scale deployment is expensive and creates hurdles for customers. It also cannot always prevent credential stuffing, even though it makes account takeover harder. In most 2FA implementations the customer enters a username and password; only if these are correct is the user prompted for the second factor. If the username or password is wrong, the customer receives an error message and no second-factor prompt. That difference tells the attacker whether the credentials are correct. The attacker has not taken over the account, but can now sell the known-good credentials to another attacker who specializes in bypassing 2FA, for example through port-out scams (moving the phone number to another provider), SIM swapping, SS7 weaknesses, iOS/Android malware or social engineering.
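Both the username-probing attack described under "Attacks on accounts" and the 2FA validity oracle described just above come down to the same thing: the login endpoint returns a different response depending on whether the username exists and whether the password is right. The following added example (not code from the article or from F5) puts a typical leaky handler next to a hardened one that returns the same response for every input, does the same password-hashing work for unknown users so that timing does not leak either, and only reveals failure after the second factor has been submitted. The user store, the PBKDF2 hash, the static "123456" code standing in for a real TOTP check, and the response shapes are all assumptions.

```python
"""Username-enumeration / 2FA oracle: leaky login beside a hardened one (added example)."""
import hashlib
import hmac
import secrets


def _hash_pw(password, salt):
    # PBKDF2 stands in for whatever slow password hash the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def _record(password, otp_code):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_pw(password, salt), "otp": otp_code}


# Constructed user store; the static code stands in for real TOTP verification.
USERS = {"alice": _record("correct horse battery", "123456")}
# Dummy record so an unknown username costs exactly the same hashing work as a
# known one; otherwise response time alone would reveal which names exist.
_DUMMY = _record(secrets.token_hex(16), "000000")
# Result of the credential check, kept server side and keyed by a one-time token.
PENDING = {}


def leaky_login(username, password):
    """The common flow: a distinct message per failure, and the second-factor
    prompt appears only once username and password are both correct."""
    user = USERS.get(username)
    if user is None:
        return {"status": 401, "body": "unknown user"}
    if not hmac.compare_digest(_hash_pw(password, user["salt"]), user["hash"]):
        return {"status": 401, "body": "wrong password, request a new one?"}
    return {"status": 200, "body": "enter second factor", "stage": "otp"}


def hardened_login(username, password):
    """Same response for every input: always move the client to the second-factor
    step, always do the hash work, and never put the check result in the reply."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    computed = _hash_pw(password, record["salt"])          # done even for unknown users
    creds_ok = user is not None and hmac.compare_digest(computed, record["hash"])
    token = secrets.token_hex(16)
    PENDING[token] = (username, creds_ok)
    return {"status": 200, "body": "enter second factor", "stage": "otp", "token": token}


def hardened_verify_otp(token, otp):
    """Second step: one generic failure whether the username, the password or the
    code was wrong, so nothing is learned without also having the second factor."""
    username, creds_ok = PENDING.pop(token, (None, False))
    record = USERS.get(username, _DUMMY)
    otp_ok = hmac.compare_digest(otp, record["otp"])       # real TOTP check goes here
    if not (creds_ok and otp_ok):
        return {"status": 401, "body": "authentication failed"}
    return {"status": 200, "body": "welcome"}


def probe(login_fn, username):
    """What an attacker observes from one probe with a junk password."""
    r = login_fn(username, "definitely-not-the-password")
    return (r["status"], r["body"], r.get("stage"))


if __name__ == "__main__":
    print("leaky   :", probe(leaky_login, "alice"), probe(leaky_login, "nobody"))
    print("hardened:", probe(hardened_login, "alice"), probe(hardened_login, "nobody"))
```

With the leaky handler, one request per username tells the attacker which names exist and which passwords are right, which is exactly the list that gets sold on. With the hardened handler the two probes are indistinguishable, and a stuffing run has to burn a second-factor attempt per guess to learn anything. The password-reset path needs the same treatment (a generic "if that address is registered, mail has been sent" response), otherwise it becomes the oracle instead.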
CAPTCHAs create an unnecessary hurdle for customers at login and can lead to abandoned logins and lost revenue. And, like 2FA, they do not stop bots completely: many attackers bypass CAPTCHAs with optical character recognition (OCR), machine learning or even cheap human click farms.
Important safeguards
Comprehensive protection against attacks on inherent vulnerabilities therefore requires the following steps:
1. Provide transparency
First, identify the applications that are under automated attack. This is done by giving informed and objective answers to the following questions: why would someone launch an automated attack against this application? How could someone use it to obtain money or information? Or is there a longer-term, more strategic motive? Answering these questions requires financial service providers to understand their applications and workflows thoroughly, and to have a comprehensive picture of the automated attacks being seen on the Internet.
2. Take appropriate measures
For financial service providers it is very important to distinguish legitimate from illegitimate automation. Legitimate automation must be allowed; illegitimate automation must be blocked. The following points are decisive:
- Transactions should not be placed on the allow list on the basis of an attribute that can easily be forged, such as a User-Agent string. Ideally, only transactions that carry a shared secret in an HTTP header are allowed.
- Financial service providers should not simply terminate the session when an automated attack is detected. That gives the attacker useful feedback for reworking the tool, or reveals the cause of the failure (such as an incorrect password). Instead, it should take attackers as long as possible to realize they have been stopped, for example by redirecting or forwarding the transaction, by modifying it and sending it back to the source, or by replying with a complete HTML page.
3. Perform ongoing retrospective analysis
Organizations must perform ongoing retrospective analysis of the transactions targeting an application in order to quickly identify modified attacks and other unwanted automation. This is best done with machine learning systems that can process aggregated transactions, combined with human expertise. Financial service providers also need to be able to update their real-time defenses quickly without hindering legitimate customers in the process.
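The two points under step 2 translate directly into code. The following added example (not code from the article or from F5) allowlists partner automation only when the request carries an HMAC over its own content and a timestamp, computed with a secret shared out of band, and shows beside it the User-Agent check the article warns against, which any attacker can satisfy. Requests flagged as unwanted automation are answered with a normal-looking 200 and a full sign-in page instead of a 403 or a "wrong password" message, so the operator is not told that the tool was caught. The header names, the signing scheme, the partner key, the request shape and the decoy page are assumptions.

```python
"""Allowlisting legitimate automation by shared secret, and answering flagged
automation without a telltale error (added example)."""
import hashlib
import hmac
import time

# Constructed: one key per approved partner, exchanged out of band.
PARTNER_KEYS = {"acme-aggregator": b"0123456789abcdef0123456789abcdef"}

# Constructed decoy: a complete, plausible page that processes nothing.
DECOY_PAGE = (
    "<html><body><h1>Sign in</h1>"
    "<form method='post' action='/login'>"
    "<input name='user'><input name='pw' type='password'>"
    "<button>Sign in</button></form></body></html>"
)


def sign_request(partner_id, key, method, path, body, ts):
    """HMAC over identity, method, path, timestamp and body; tampering with any
    of them invalidates the signature, and the key never travels on the wire."""
    msg = f"{partner_id}\n{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def partner_headers(partner_id, method, path, body, ts=None):
    """What an allowlisted partner attaches to each request (assumed header names)."""
    ts = str(int(time.time()) if ts is None else ts)
    sig = sign_request(partner_id, PARTNER_KEYS[partner_id], method, path, body, ts)
    return {"X-Partner-Id": partner_id, "X-Partner-Ts": ts, "X-Partner-Sig": sig}


def is_allowlisted(req, now=None, max_skew=300):
    """Allow only requests that prove knowledge of a partner key and are fresh."""
    h = req["headers"]
    pid = h.get("X-Partner-Id")
    key = PARTNER_KEYS.get(pid)
    if key is None:
        return False
    ts_raw = h.get("X-Partner-Ts", "")
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:          # replayed or stale capture
        return False
    expected = sign_request(pid, key, req["method"], req["path"], req["body"], ts_raw)
    return hmac.compare_digest(expected, h.get("X-Partner-Sig", ""))


def ua_allowlisted(req):
    """The forgeable version the article warns against, kept only for contrast:
    the client chooses its own User-Agent, so this proves nothing."""
    return "AcmeAggregator/" in req["headers"].get("User-Agent", "")


def handle_login(req, looks_automated, now=None):
    """Routing decision. `looks_automated` is the verdict of the bot-detection
    layer (e.g. the per-source profiling shown earlier), supplied by the caller."""
    if is_allowlisted(req, now):
        return {"status": 200, "action": "partner", "body": ""}
    if not looks_automated:
        return {"status": 200, "action": "process", "body": ""}
    # Flagged automation: no 403, no session teardown, no hint about why.
    # The request is not processed; the tool just sees a page it cannot parse
    # into a result, and the operator learns nothing about what tripped it.
    return {"status": 200, "action": "decoy", "body": DECOY_PAGE}


if __name__ == "__main__":
    body = b'{"user":"alice","pw":"x"}'
    good = {"method": "POST", "path": "/login", "body": body,
            "headers": partner_headers("acme-aggregator", "POST", "/login", body)}
    forged = {"method": "POST", "path": "/login", "body": body,
              "headers": {"User-Agent": "AcmeAggregator/1.0"}}
    print("signed partner :", handle_login(good, looks_automated=True)["action"])
    print("forged UA      :", ua_allowlisted(forged), handle_login(forged, True)["action"])
```

The decoy path deserves a caveat the article only implies: it must be applied to traffic already classified as unwanted automation, and the decision and its evidence must be logged, because a misclassified real customer would silently get a page that never logs them in. That is also why step 3 (retrospective analysis) follows: the decoy rate per source is one of the first things to review.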
Outlook
The battle against new types of automated attacks on web and mobile applications, which often takes weeks or months, is not over even after an attack has been successfully repelled. Many attackers simply continue with modified tools, fresh login data or manual input via click farms. Financial service providers should therefore involve security experts and use products that are constantly evolving to protect against new types of threats. Dan Woods, F5