Bot Protection in Financial Institutions

Lorna Fimia

Financial services organizations are where the money is, and as such will always be prime targets for cybercrime. For many financial institutions, bot traffic can account for more than half of overall website traffic, ranging from good bots engaged in essential business tasks to bad bots performing malicious activities.

Banks, traders, asset managers, and insurers need to be aware of the impact of good and bad bots on their business. Good bots must be enabled, bad bots blocked, and those that lie somewhere in between understood, monitored and controlled. This is partly to reduce the load of online traffic, but also, of course, to stop automated financial crime and outages of online financial services.

[Image: Online fraudsters make use of bots for malicious attacks on financial institutions]

Financial Services Industry Tops the Bad Bot Charts

Distil Networks’ annual assessment of bad bots, “Bad Bot Report 2019: The Bot Arms Race Continues,” found that the financial services industry topped the bad bot charts, with 42.2 percent of its traffic comprised of bad bots. Last year, that percentage was 24.6 percent – evidently this is a growing threat that needs to be taken seriously.

In the same report, researchers found that 73.6 percent of bad bots observed were Advanced Persistent Bots (APBs), which have more sophisticated capabilities than the average bots. These programs can cycle through random IP addresses, enter through anonymous proxies and change their identities, among other more complex behavior. This is making it more difficult than ever for financial institutions to defend against them.

OWASP Threats Targeting the Financial Sector

OWASP recognises the problem of bad bots, or automated threats as it terms them, and has published a complete taxonomy to classify them. Its Automated Threat Handbook lists the most prevalent bot threats affecting financial institutions:

  • ACCOUNT CREDENTIALS
    • OAT-007 — Credential Cracking
    • OAT-008 — Credential Stuffing
    • OAT-020 — Account Aggregation
    • OAT-019 — Account Creation
  • PAYMENT CARDHOLDER DATA
    • OAT-001 — Carding
    • OAT-010 — Card Cracking
  • VULNERABILITY IDENTIFICATION
    • OAT-018 — Footprinting
    • OAT-014 — Vulnerability Scanning
    • OAT-004 — Fingerprinting
  • OTHER THREATS
    • OAT-009 — CAPTCHA Bypass
    • OAT-015 — Denial of Service
    • OAT-006 — Expediting
    • OAT-011 — Scraping

Account Takeover

Of the threats detailed above, perhaps the most concerning to financial institutions are those relating to account takeover.

The easiest way to compromise a financial services customer is to gain direct access to their accounts. To discover profitable targets, criminals deploy bad bots. A large number of attacks are either massively distributed or sufficiently “low and slow” to evade in-house security measures, and often go undetected by conventional mitigation systems. In many cases, the activities involved will be a secondary threat to financial organizations, most of which have strong controls around user authentication.

Financial fraud via compromised accounts doesn’t only cause a loss of revenue but also sabotages customer loyalty efforts. Furthermore, reputational damage undermines customers’ confidence and can cause loss of revenue.

Prevention strategies include limiting the number of login attempts, which stops the use of bot-driven brute force password cracking. However, some online services have weaker controls enabling the use of techniques such as Credential Cracking (OAT-007) and Credential Stuffing (OAT-008) to discover passwords – in the hope that poor practice will have led some users to use the same password for their bank or credit card accounts.

Credential Stuffing may be applied directly against certain financial businesses. If a list of account identities has been obtained, then each can be tested against a short list of common passwords (e.g. ‘qwerty123’, ‘password12345’) in the hope that a few customers will be using them.

A recent attack against a UK-based bank was thought to have succeeded because sequential access identities were issued, so the attackers did not even need a list, but just to program their bot to increment the account identity number for each access attempt.

Similar techniques may be used on sites that take online payments, in order to fill in missing payment card details. These include Card Cracking (OAT-010) and Carding (OAT-001). Financial organizations will not be the primary target, but bad bots have a secondary impact, as the payment card brands and operators will be picking up the pieces.

Symptoms of a Bot Attack on a Financial Institution

  • High number of failed login attempts
  • Increased chargebacks and transaction disputes
  • Consecutive login attempts with different credentials from the same HTTP client
  • Unusual request activity for selected application content and data
  • Unexpected changes in website or mobile app performance and metrics
  • Sudden increase in account creation rate

Financial Institution Recommended Bot Protection Strategies

At a most basic level, firewall rules can be changed to block the source IP addresses used by those running bad-bots. However, attackers are wise to this and regularly change IP addresses, and this approach does nothing to mitigate previously unknown bots and may block some legitimate users.

In order to defend against a Credential Stuffing campaign, financial organizations can deploy a web application firewall (WAF) that can properly fingerprint and identify malicious bot traffic as well as automated login attacks directed at their web applications. activereach’s range of WAF solutions addresses the multiple challenges posed by Credential Stuffing campaigns by introducing additional layers of mitigation, including activity tracking and source blocking.

Web Application Firewalls (WAFs) are capable of securing web applications as well as supporting PCI compliance by mitigating web application security threats and vulnerabilities. WAFs prevent data from leaking or being manipulated, which is critically important for sensitive financial data and customer data.

The WAF security filter also detects such attempts to break into the system by checking the replies sent from the web server for Bad/OK replies within a specific timeframe. In the event of a brute force attack, the number of Bad replies from the web server (due to a bad username, incorrect password, etc.) triggers the BruteForce security filter to monitor and take action against that specific attacker. This blocking method prevents an attacker from using automated tools to carry out an attack against the web application login page.
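The counting logic behind that kind of filter, shown here as an added example that is not activereach’s or any vendor’s product code: failed login replies are tallied per HTTP client over a sliding time window, raising a brute-force alert when the failure count passes a threshold and a credential-stuffing alert when the same client cycles through many different usernames (the “consecutive login attempts with different credentials from the same HTTP client” symptom above). The log format and all sample lines are constructed for this example; it assumes the application logs the submitted username and answers failed logins with HTTP 401.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format: client IP,
# timestamp, request, HTTP status, submitted username. 401 = failed login.
SAMPLE_LOG = """\
10.0.0.5 [10/Oct/2019:13:55:01 +0000] "POST /login" 401 user=alice
10.0.0.9 [10/Oct/2019:13:55:01 +0000] "POST /login" 401 user=carol
10.0.0.5 [10/Oct/2019:13:55:02 +0000] "POST /login" 401 user=bob
10.0.0.5 [10/Oct/2019:13:55:03 +0000] "POST /login" 401 user=carol
10.0.0.9 [10/Oct/2019:13:55:04 +0000] "POST /login" 200 user=carol
10.0.0.5 [10/Oct/2019:13:55:04 +0000] "POST /login" 401 user=dave
10.0.0.5 [10/Oct/2019:13:55:05 +0000] "POST /login" 401 user=erin
10.0.0.5 [10/Oct/2019:13:55:06 +0000] "POST /login" 401 user=frank
10.0.0.5 [10/Oct/2019:13:55:07 +0000] "POST /login" 401 user=grace
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" (?P<status>\d{3}) user=(?P<user>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client, status, user) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"]), m["user"]


def detect(log_text, window_seconds=60, max_failures=5, max_distinct_users=3):
    """Sliding-window tally of failed logins per client; returns alerts as
    (client, kind, timestamp) tuples in the order they were raised."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # client -> deque of (ts, user) for 401 replies
    alerted = set()                 # one alert per (client, kind) per run
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, status, user = parsed
        if status != 401:           # only "Bad" replies count towards the tally
            continue
        q = failures[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        distinct_users = {u for _, u in q}
        for kind, hit in (("brute_force", len(q) >= max_failures),
                          ("credential_stuffing", len(distinct_users) >= max_distinct_users)):
            if hit and (client, kind) not in alerted:
                alerted.add((client, kind))
                alerts.append((client, kind, ts.strftime(TS_FMT)))
    return alerts
```

With the sample above, 10.0.0.5 trips the credential-stuffing rule on its third distinct username and the brute-force rule on its fifth failure, while 10.0.0.9 (one failure, then success) raises nothing; in a real deployment the alert would feed the WAF’s source-blocking action.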

In addition to these steps, network operators should apply two-factor authentication where eligible and monitor credential dumps for leaked customer credentials or other potential threats.

Bot Detection and Mitigation

In order to fully protect against the most sophisticated automated attacks, a dedicated bot-mitigation solution should be deployed. At activereach, we use device and browser fingerprinting, collective bot intelligence and Dynamic Turing tests to identify and block automated usage before bots commit any fraud.

A Bot Management Solution Provides Full Visibility and Control

Financial services organizations can improve their understanding of bad bots through machine learning, to the benefit of all. Once bots are identified, it can be determined from their provenance and other distinguishing factors whether their activity should be allowed, controlled or blocked. In this way all of the OWASP bot categories can be managed, unwanted activity curtailed, and a large slice of the web’s resources handed back to human users.

Bot mitigation tools can be integrated with other network protection technology including WAFs, IPS (intrusion prevention system), SIEM (security information and event management), and load balancers.

Visit the activereach bot management solution page for details of Bot Manager, the industry’s most advanced protection from sophisticated, automated bot attacks.