Designed to power innovation in the banking landscape, the Second Payment Services Directive (PSD2) marked the start of open banking, allowing banks to deliver customers the convenience and experiences they want. By creating a path for banks and financial institutions to share their customers’ data with third parties through the use of APIs, the opportunities presented by open banking to improve the digital experience – from customer onboarding to seamless payments – are endless.

The PSD2 regulatory framework has created a clearly defined pathway for open banking in the UK and Europe. Since 2019, open banking has exploded in the UK with over 300 providers joining the ecosystem. More than 2.5 million U.K. consumers and businesses now use open banking enabled products to manage their finances and make payments. Many other regions, including Australia and Hong Kong, have started to develop legislation to push open banking initiatives while interest in the U.S. for similar guidance is actively being explored.

While open banking has created incredible opportunities, banks are also presented with many new risks. One emerging risk is the exploitation of open banking platforms to initiate credential stuffing attacks.

Credential Stuffing Attacks On the Rise

Credential stuffing is the process of inputting compromised usernames, passwords and other login information to gain access an account. These attacks have been on the rise. Between December 2017 and November 2019 there were 85.42 billion credential stuffing attacks, of which 16.55 billion were targeted at APIs directly.

There are many contributing factors that makes these attacks so successful. First, the abundance of personal information for sale in the dark web provides the fuel for testing. Second, consumers continue to re-use the same credentials across multiple sites enabling high success rates. Finally, tools such as Sentry MBA, SNIPR, and Account Reaper, have enabled fraudsters to automate credential stuffing at scale.

A Behavioral Perspective on Automated Attacks

BioCatch has also been seeing these types of attacks on the rise – with a new twist. Fraudsters know that most prominent websites have some type of bot detection technology employed to prevent credential abuse and have started to change their tactics to circumvent these controls. BioCatch started to observe instances of fraudsters abusing legitimate open banking platform providers to test batches of credentials. In addition, they have reverted to testing smaller, more frequent batches instead of testing at scale.

During February 2021, one financial institution started to receive reports from internal logs that they had suffered what looked like a brute force attack. Looking at the overall volume of failed logins as well as the failed-to-successful ratio, we saw that two distinct events occurred.

When reviewing the origin point of these events, all of the login attempts were coming from a legitimate open banking service provider. It’s not known if the origin was the company itself or another third party provider that leverages their services. What is clear, however, is that the attackers used the opportunity to hide their attacks behind a trusted source.

When reviewing what occurred in the login process of these sessions, we saw that the username and password were typed in extremely quickly. Following a first attempt at log in, a bot was programmed to wait 25 seconds and enter another password and repeat this process multiple times. The login behavior is such that the username and password are not injected – they are entered using key press events and the element navigation is controlled by mouse click events. The speed and concurrency of these sessions is far beyond what would be observed from a genuine connection from a human or from an Open Banking provider (where connections are typically once per day per user), indicating a credential stuffing attack.

Interestingly, during two notable attack events, there were a very small number of logins that exhibited different behavior. These sessions, covering eight distinct users, had more human-like behavior. In comparison to the bulk of the credential testing sessions, in this small group of sessions BioCatch detected remote access tools (RAT) and not bot activity. Success rates of the tested batches varied from 0% all the way up to 23%.

BioCatch advanced behavioral biometrics leverages user-device interaction data, such as mouse clicks, swipes on mobile devices, and keystrokes, to analyze data using machine learning techniques. The technology profiles both genuine and fraudulent activity as well as cognitive insights to distinguish between genuine users and non-genuine users (automated or human) across multiple use cases and threat vectors.

While this may be an isolated incident, it is a potentially significant trend that BioCatch will continue to monitor. As with all forms of fraud, attackers are constantly changing their methods as new technology, like open banking, comes into play. 

Get in touch today to discover how behavioral biometrics can protect your business against these automated attacks and other forms of account takeover.