Almost one fifth of all traffic on financial services websites last year was by bad bots, with attempts at account takeovers, content scraping and credit card fraud particularly prevalent, according to a report by software group Imperva.
Financial services was one of the worst-affected industries by sophisticated bot traffic last year, according to US cyber security software company Imperva, which released its annual bad-bot report in April.
Bad bots — software applications running automated tasks with malicious intent over the internet — accounted for 25.6% of all website traffic in 2020, according to Imperva. Almost one fifth of all traffic on financial services websites last year was by bad bots, with attempts at account takeovers, content scraping and credit card fraud particularly prevalent.
More than half of bad-bot traffic is made up of advanced, persistent bots, “which cycle through random IPs [Internet Protocol addresses], enter through anonymous proxies, change their identities and mimic human behaviour,” the report states.
“Sophisticated bots which closely mimic human behaviour and are harder to detect and stop,” says Edward Roberts, director of strategy and application security at Imperva.
Sophisticated bad-bot attacks made up 11% of financial services web traffic last year, according to Imperva’s report, which claims more than one-third of overall login attempts in 2020 originated from malicious bots.
Shifting tactics
Content scraping — stealing website content to “parasite” on another company’s efforts — has become more sophisticated in its approach, Mr Roberts says.
“Unlike screen scraping, which only copies pixels displayed onscreen, some web scraping extracts underlying HTML code and, with it, data stored in a database. The scraper can then replicate entire website content elsewhere to make themselves look more reputable,” he says.
Account takeover fraud, meanwhile, can involve “brute force” style attacks using lists of compromised user credentials to breach a system, Mr Roberts says. “The attack uses bots for automation and scale, and is based on the assumption that many users reuse usernames and passwords across multiple services. The financial services industry is a primary target for these attacks as banking data has incredible value on the dark web.”
Several financial services have suffered data breaches in the past few years, including Australia’s Westpac and the US’s Capital One, both in 2019.
Open banking risks
The rollout of open banking services, allowing third-party financial service providers to securely access bank customers’ financial information to develop new services, has gathered pace around the world over the past few years.
But Mr Roberts claims the prevalence of open banking services has made it simpler for bots attempt account takeovers and other fake interactions because application programming interfaces (APIs) offer more vulnerabilities to exploit.
“Open banking has ushered in a new era of digital connectivity for financial services by enabling greater usage of APIs to power new digital services and applications. However, [having] more external API connections creates greater risk exposure and more surface area for bots to attack,” Mr Roberts says.
“Services that connect to a bank using APIs are also targets for bots because they may be considered a softer, less secure target than the bank, which then leads to a downstream attack,” he says.
Services that connect to a bank using APIs are targets for bots because they may be considered a softer, less secure target than the bank
“Bad bots exploit API endpoints to gain access to sensitive data in attacks like API scraping, as well as web and mobile API hijacking. Many organisations fail to manage the security of their APIs by relying on simple authentication tokens or basic IP rate limiting to protect their data from critical attack vectors,” he adds.
Many financial services firms still view data security, privacy and compliance as their primary security concerns, Mr Roberts says. “Today, breaches and leaks can occur just as often in the application layer as through unauthorised database access,” he says.
Adding Captcha tests or rate limiting — which restricts applications overusing a website — to sensitive pages are defences that can be introduced to address the threat posed by bots, Mr Roberts says, but a more developed strategy may also be needed.
“Bot operators are motivated and financially driven, so they will find creative ways to evade detection over time. That’s why it’s critical to understand your website and take account of what information or services on your site could be scrapped or attacked by a bot.”
Continue reading: Deepfakes pose new cybersecurity risk for banks
