
Bot Protection in Financial Institutions

Posted on 14th May 2019 / 18th June 2019 by Lorna Fimia in Industry News.

Financial services organizations are where the money is, and as such will always be prime targets for cybercrime. For many financial institutions, bot traffic can account for more than half of their overall website traffic, covering both good bots engaged in essential business tasks and bad bots performing malicious activities.

Banks, traders, asset managers, and insurers need to be aware of the impact of good and bad bots on their business. Good bots must be enabled, bad bots blocked, and those that lie somewhere in between understood, monitored and controlled. This is partly to reduce the load of online traffic, but also, of course, to stop automated financial crime and outage of online financial services.

Bot protection in financial services
Online fraudsters make use of bots for malicious attacks on financial institutions

Financial Services Industry Tops the Bad Bot Charts

Distil Networks’ annual assessment of bad bots, “Bad Bot Report 2019: The Bot Arms Race Continues,” found that the financial services industry topped the bot charts, with 42.2 percent of its traffic made up of bad bots. Last year, that percentage was 24.6 percent – evidently this is a growing threat that needs to be taken seriously.

In the same report, researchers found that 73.6 percent of bad bots observed were Advanced Persistent Bots (APBs), which have more sophisticated capabilities than the average bots. These programs can cycle through random IP addresses, enter through anonymous proxies and change their identities, among other more complex behavior. This is making it more difficult than ever for financial institutions to defend against them.

OWASP Threats Targeting the Financial Sector

OWASP recognises the problem of bad-bots, or automated threats as it terms them, and has published a complete taxonomy to classify them. Its Automated Threat Handbook lists the most prevalent bot threats affecting financial institutions:

  • ACCOUNT CREDENTIALS
    • OAT-007 — Credential Cracking
    • OAT-008 — Credential Stuffing
    • OAT-020 — Account Aggregation
    • OAT-019 — Account Creation
  • PAYMENT CARDHOLDER DATA
    • OAT-001 — Carding
    • OAT-010 — Card Cracking
  • VULNERABILITY IDENTIFICATION
    • OAT-018 — Footprinting
    • OAT-014 — Vulnerability Scanning
    • OAT-004 — Fingerprinting
  • OTHER THREATS
    • OAT-009 — CAPTCHA Bypass
    • OAT-015 — Denial of Service
    • OAT-006 — Expediting
    • OAT-011 — Scraping

Account Takeover

Of the threats detailed above, perhaps the most concerning to financial institutions are those relating to account takeover.

The easiest way to compromise a financial services customer is to gain direct access to their accounts. To discover profitable targets, criminals deploy bad bots. A large number of attacks are either massively distributed or adequately “low and slow” to evade the in-house security measures, and often go undetected by conventional mitigation systems. In many cases, the activities involved will be a secondary threat to financial organizations, most of which have strong controls around user authentication.

Financial fraud via compromised accounts doesn’t only cause a loss of revenue but also sabotages customer loyalty efforts. Furthermore, reputational damage undermines customers’ confidence and can cause loss of revenue.

Prevention strategies include limiting the number of login attempts, which stops the use of bot-driven brute force password cracking. However, some online services have weaker controls enabling the use of techniques such as Credential Cracking (OAT-007) and Credential Stuffing (OAT-008) to discover passwords – in the hope that poor practice will have led some users to use the same password for their bank or credit card accounts.

Credential Stuffing may be applied directly against certain financial businesses. If a list of account identities has been obtained, then each can be tested against a short list of common passwords (e.g. ‘qwerty123’, ‘password12345’) in the hope that a few customers will be using them.

A recent attack against a UK-based bank was thought to have succeeded because sequential access identities were issued, so the attackers did not even need a list, but just to program their bot to increment the account identity number for each access attempt.

Similar techniques may be used on sites that take online payments to complete payment card details. These include Card Cracking (OAT-010) and Carding (OAT-001). Financial organizations will not be the primary target, but bad-bots are having a secondary impact as the payment card brands and operators will be picking up the pieces.

Symptoms of a Bot Attack on a Financial Institution

  • High number of failed login attempts
  • Increased chargebacks and transaction disputes
  • Consecutive login attempts with different credentials from the same HTTP client
  • Unusual request activity for selected application content and data
  • Unexpected changes in website or mobile app performance and metrics
  • Sudden increase in account creation rate

Financial Institution Recommended Bot Protection Strategies

At a most basic level, firewall rules can be changed to block the source IP addresses used by those running bad-bots. However, attackers are wise to this and regularly change IP addresses, and this approach does nothing to mitigate previously unknown bots and may block some legitimate users.

In order to defend against a Credential Stuffing campaign, financial organizations can deploy a web application firewall (WAF) that can properly fingerprint and identify malicious bot traffic as well as automated login attacks directed at their web applications. activereach’s range of WAF solutions addresses the multiple challenges posed by Credential Stuffing campaigns by introducing additional layers of mitigation, including activity tracking and source blocking.

Web Application Firewalls (WAFs) are capable of securing Web applications as well as enabling PCI compliance by mitigating web application security threats and vulnerabilities. WAFs prevent data from leaking or being manipulated which is critically important in regard to sensitive financial data and/or customer data.

The WAF security filter also detects such attempts to hack into the system by checking the replies sent from the Web server for Bad/OK replies in a specific timeframe. In the event of a Brute Force attack, the number of Bad replies from the Web server (due to a bad username, incorrect password, etc.) triggers the BruteForce security filter to monitor and take action against that specific attacker. This blocking method prevents a hacker from using automated tools to carry out an attack against the Web application login page.
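The reply-counting filter described above, combined with two of the symptoms listed earlier (different credentials from the same HTTP client, and incrementing account identities), can be sketched as follows. This is an added example, not activereach's or any WAF vendor's code; the thresholds, the event format, the `client_id` key (whatever fingerprint or address the defender tracks) and all sample data are assumptions.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not values from any WAF product.
WINDOW_SECONDS = 60      # observation timeframe per client
MAX_BAD_REPLIES = 5      # Bad login replies tolerated inside the window
MAX_DISTINCT_USERS = 4   # different usernames tolerated inside the window

def is_sequential(usernames, min_run=4):
    """True if the last min_run usernames are numeric IDs that each rise by 1."""
    tail = usernames[-min_run:]
    if len(tail) < min_run or not all(u.isdigit() for u in tail):
        return False
    nums = [int(u) for u in tail]
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))

def detect(events, window=WINDOW_SECONDS, max_bad=MAX_BAD_REPLIES,
           max_users=MAX_DISTINCT_USERS):
    """events: (epoch_seconds, client_id, username, reply), reply 'OK' or 'BAD'.
    Returns {client_id: set of reasons} for clients that crossed a threshold."""
    recent = defaultdict(deque)    # client -> events still inside the window
    flagged = defaultdict(set)
    for ts, client, user, reply in sorted(events):
        q = recent[client]
        q.append((ts, user, reply))
        while q and q[0][0] <= ts - window:    # expire events older than window
            q.popleft()
        if sum(1 for _, _, r in q if r == "BAD") >= max_bad:
            flagged[client].add("bad-reply-rate")      # brute-force filter
        if len({u for _, u, _ in q}) >= max_users:
            flagged[client].add("many-usernames")      # stuffing symptom
        if is_sequential([u for _, u, _ in q]):
            flagged[client].add("sequential-ids")      # incrementing identities
    return dict(flagged)

def sample_events():
    """Constructed login events; client names and account IDs are made up."""
    ev = [(0, "client-A", "alice", "BAD"), (20, "client-A", "alice", "BAD"),
          (45, "client-A", "alice", "OK")]             # customer typo, then success
    ev += [(100 + 2 * i, "client-B", "bob", "BAD") for i in range(6)]
    ev += [(200 + 5 * i, "client-C", str(40001 + i), "BAD") for i in range(4)]
    return ev

if __name__ == "__main__":
    for client, reasons in sorted(detect(sample_events()).items()):
        print(client, sorted(reasons))
```

A per-window threshold like this only sees traffic that stays on one client key and inside one window, which is why the distributed and “low and slow” activity described earlier calls for the fingerprinting and bot-management layers discussed below.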

In addition to these steps, network operators should apply two-factor authentication where eligible and monitor credential dumps for potential leaks or threats.

Bot Detection and Mitigation

In order to fully protect against the most sophisticated automated attacks, a dedicated bot-mitigation solution should be deployed. At activereach, we use device and browser fingerprinting, collective bot intelligence and Dynamic Turing tests to identify and block automated usage before bots commit any fraud.

Bot protection is delivered with a bot management solution
A Bot Management Solution Provides Full Visibility and Control

Financial services organizations can improve their understanding of bad-bots through machine learning to the benefit of all. Once bots are identified, it can be determined according to provenance and other distinguishing factors if their activity should be allowed, controlled or blocked. Therefore, all of the OWASP bot categories can be managed, unwanted activity curtailed and a large slice of the web’s resources be handed back to human users.

Bot mitigation tools can be integrated with other network protection technology including WAFs, IPS (intrusion prevention system), SIEM (security information and event management), and load balancers.

Visit the activereach bot management solution page for details of Bot Manager, the industry’s most advanced protection from sophisticated, automated bot attacks.
