Industry research by BCG Digital notes that financial services organizations are 300 times as likely as other companies to be targeted by a cyberattack. The reason is simple: attackers view the assets held and the services offered by the financial industry as highly valuable, and they use a variety of techniques to execute account takeovers (ATOs) against its APIs, which frequently end in theft or fraud. One of the more common ATO techniques is to reverse-engineer the login APIs used by a mobile application, even when those APIs are coded and secured correctly, to learn exactly how they behave. Attackers then combine commercially available attack tools with the billions of stolen credentials in circulation to launch automated, high-volume account takeover attempts.
Login APIs Targeted by Account Takeover Attacks
This scenario is exactly what transpired for a large financial services customer that provides both consumer and commercial products and services globally. The customer had adopted an API-first development methodology to better support their mobile users and as a means of delivering new and compelling products to market more rapidly. The move provided significant business benefits but also introduced a security challenge: the mobile login APIs were increasingly attacked.
- Attackers used known tools such as OpenBullet, malicious "bulletproof" proxy infrastructure and readily available stolen credentials to launch sophisticated ATO campaigns.
- At the peak of the high-volume attacks, up to 90% of the traffic across roughly 50 mobile login endpoints was automated.
- When the ATOs were detected, the attackers shifted to a low-and-slow technique, rotating across as many as 1 million proxies over week-long periods so that no single source IP generated enough attempts to trip a rate limit.
If a malicious login attempt succeeded, the attackers would then transfer funds to an account they controlled using the OFX (Open Financial Exchange) API, the financial industry's standard protocol for exchanging account data, including fund-transfer requests.
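The two attack phases above illustrate why a per-source-IP rate limit is not enough. The following is an added example, not Cequence's code and not the customer's telemetry: it runs two detection passes over a constructed set of login events. The first pass is a classic sliding-window rate limit per source IP, which catches the high-volume burst. The second pass aggregates per login endpoint (failure rate and the ratio of distinct IPs to attempts) so that a low-and-slow campaign where every proxy sends a single attempt still stands out. All endpoint paths, IP addresses, usernames and thresholds are invented for the illustration.

```python
"""Added example (not from the original page): detecting credential stuffing
against mobile login endpoints, both the high-volume burst and the low-and-slow
proxy-rotation variant. All sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since an arbitrary epoch
    src_ip: str
    endpoint: str
    username: str
    success: bool


def per_ip_rate_limit(events, window_s=60, max_failures=10):
    """Return source IPs with more than max_failures failed logins inside any
    window_s-second sliding window. This is the control that a rotated,
    low-and-slow campaign is designed to slip under."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if not e.success:
            failures_by_ip[e.src_ip].append(e.ts)
    flagged = set()
    for ip, times in failures_by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1                      # shrink window from the left
            if hi - lo + 1 > max_failures:
                flagged.add(ip)
                break
    return flagged


def endpoint_automation_score(events):
    """Per endpoint: attempt count, failure rate, and IP / username churn
    (distinct values divided by attempts). Legitimate users retry from the same
    IP with the same username, so churn stays low; a credential-stuffing
    campaign that burns a fresh proxy and a fresh stolen credential per attempt
    drives both ratios toward 1.0 regardless of how slowly it runs."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "ips": set(), "users": set()})
    for e in events:
        s = stats[e.endpoint]
        s["attempts"] += 1
        s["failures"] += 0 if e.success else 1
        s["ips"].add(e.src_ip)
        s["users"].add(e.username)
    return {
        ep: {"attempts": s["attempts"],
             "failure_rate": s["failures"] / s["attempts"],
             "ip_churn": len(s["ips"]) / s["attempts"],
             "user_churn": len(s["users"]) / s["attempts"]}
        for ep, s in stats.items()
    }


def flag_endpoints(scores, min_attempts=50, min_failure_rate=0.8, min_ip_churn=0.8):
    """Endpoints whose aggregate traffic looks automated. Thresholds are
    illustrative; tune against a baseline of known-good traffic."""
    return {ep for ep, s in scores.items()
            if s["attempts"] >= min_attempts
            and s["failure_rate"] >= min_failure_rate
            and s["ip_churn"] >= min_ip_churn}


def build_sample_events():
    """Constructed telemetry: legitimate users plus two attack campaigns."""
    v1, v2 = "/api/v1/mobile/login", "/api/v2/mobile/login"
    events = []
    # 40 legitimate users, each from one home IP, 5 attempts on v1 (1 typo each)
    # and 2 successful attempts on v2.
    for i in range(40):
        ip, user = f"192.0.2.{i}", f"user{i}"
        for k in range(5):
            events.append(LoginEvent(3600 * i + 600 * k, ip, v1, user, k != 4))
        for k in range(2):
            events.append(LoginEvent(7200 * i + 900 * k, ip, v2, user, True))
    # Campaign 1: high-volume burst, one IP, 50 stolen credentials in 50 seconds.
    for j in range(50):
        events.append(LoginEvent(1000 + j, "203.0.113.7", v1, f"leak{j}", False))
    # Campaign 2: low and slow, one attempt per proxy every 30 minutes for ~a week.
    for j in range(320):
        proxy = f"10.{j // 65536}.{(j // 256) % 256}.{j % 256}"
        events.append(LoginEvent(1800 * j, proxy, v2, f"leak{1000 + j}", False))
    return events


def detect(events):
    """Run both passes and return what each one flags."""
    scores = endpoint_automation_score(events)
    return {"ips": per_ip_rate_limit(events),
            "endpoints": flag_endpoints(scores),
            "scores": scores}


if __name__ == "__main__":
    result = detect(build_sample_events())
    print("per-IP rate limit flagged:", result["ips"])
    print("endpoint aggregation flagged:", result["endpoints"])
```

Running it shows the split the case study describes: the per-IP pass flags only the burst source, while the low-and-slow campaign on the second endpoint is invisible to it (each proxy fails once) and is caught only by the per-endpoint failure-rate and IP-churn signal. In production the same aggregation would be keyed on something the attacker cannot rotate as cheaply as an IP, such as a client fingerprint or the endpoint itself, and fed into the blocking or rate-limiting policy.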
Traditional Account Takeover Attack Protection Methods Fall Short
Clientless API Security Used to Prevent Account Takeover Attempts
Faced with mounting fraud, customer dissatisfaction and a need to better protect their API-first development methodology, the customer turned to the Cequence Unified API Protection (UAP) solution to stop the attacks. The Cequence UAP detects ATOs and other automated attacks using CQAI, an ML-based analytics engine that automatically discovers API, web and mobile application endpoints and builds a site map for visibility and policy-based protection. Predefined policies, backed by Cequence's API threat database, analyze API transactions dynamically to determine the intent of each request. When malicious activity is detected, the customer can natively enable mitigation policies with several response options, including blocking, rate limiting and deception.
The agentless, ML-based approach of the Cequence UAP helped the customer achieve the following results:
- 80% reduction in infrastructure consumption and related costs by eliminating malicious traffic.
- $580,000 saved by protecting roughly 2,000 user accounts from fraud and the resulting user dissatisfaction. The savings figure is based on the Juniper Research estimate that each ATO incident costs an organization about $290 and roughly 9 hours of investigative work.
- Reduced time-to-market as new APIs and web apps are automatically protected through DevOps integration.
Today, the customer is using the Cequence UAP to protect all their public-facing APIs and web applications from fraud and theft associated with ATOs and other forms of automated attacks.