Financial Services Customer Stops Millions of API-based Account Takeover Attacks (ATO)

December 14, 2022 | by Matt Keil


Industry research by BCG Digital notes that financial services organizations are 300 times as likely as other companies to be targeted by a cyberattack. The reason is simple: attackers view the assets held and programs provided by the financial services industry as highly coveted targets, and they use a variety of techniques to execute account takeovers against APIs that often result in theft or fraud. One of the more common techniques used for account takeover attacks is to analyze the perfectly coded APIs found in a mobile application to understand how they work. Attackers then use commercially available attack tools combined with the billions of readily available stolen credentials to launch automated, high-volume account takeovers.

Login APIs Targeted by Account Takeover Attacks

This scenario is exactly what transpired for a large financial services customer that provides both consumer and commercial products and services globally. The customer had adopted an API-first development methodology to better support their mobile users and as a means of delivering new and compelling products to market more rapidly. The move provided significant business benefits but also introduced a security challenge: the mobile login APIs were increasingly attacked.

  • Attackers used known tools like OpenBullet, malicious Bulletproof Proxy infrastructure and readily available (stolen) credentials to launch sophisticated ATO campaigns.
  • At the peak of the high-volume attacks, up to 90% of the traffic across roughly 50 mobile login endpoints was automated.
  • When the ATOs were detected, attackers shifted to a low-and-slow technique, rotating across as many as 1 million proxies over week-long periods of time.

If a malicious login attempt was successful, the attackers would proceed to transfer funds to their own (fake) account using the OFX API, the financial services industry standard fund transfer protocol.
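The two traffic shapes described above, a high-volume burst followed by a low-and-slow rotation across many proxies, can be separated from ordinary login failures by looking at endpoint-wide signals rather than per-IP counters. The following Python is an added illustration, not Cequence's or the customer's code; the event tuples, endpoint paths, IP addresses and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample login events (not real customer data):
# (epoch_seconds, endpoint, source_ip, username, result)
SAMPLE_EVENTS = (
    # High-volume burst: 40 failures from 40 proxies in 20 seconds.
    [(1000 + i // 2, "/api/v2/login", f"198.51.100.{i}", f"u{i}", "fail")
     for i in range(40)]
    + [(1030, "/api/v2/login", "203.0.113.9", "heidi", "ok")]
    # Low and slow: one failure from a fresh proxy every 12 hours for a week.
    + [(43200 * i, "/mobile/login", f"203.0.113.{10 + i}", f"m{i}", "fail")
       for i in range(14)]
    + [(604800, "/mobile/login", "203.0.113.30", "m30", "ok")]
    # Ordinary users, including one mistyped password.
    + [(500, "/web/login", "192.0.2.5", "alice", "ok"),
       (560, "/web/login", "192.0.2.5", "alice", "fail"),
       (620, "/web/login", "192.0.2.6", "bob", "ok")]
)


def classify_login_traffic(events, burst_per_min=30, min_failures=5,
                           min_fail_ratio=0.6, per_ip_limit=2):
    """Label each login endpoint from endpoint-wide signals. Per-IP rate
    limits miss the low-and-slow campaign because each proxy appears once
    or twice; the failure ratio and one-IP-per-failure pattern expose it."""
    by_endpoint = defaultdict(list)
    for ev in events:
        by_endpoint[ev[1]].append(ev)
    report = {}
    for endpoint, rows in by_endpoint.items():
        fails = [r for r in rows if r[4] != "ok"]
        fail_ratio = len(fails) / len(rows)
        per_ip = Counter(r[2] for r in fails)   # failures per source IP
        if len(fails) < min_failures or fail_ratio < min_fail_ratio:
            label = "normal"
        else:
            # Failure rate over the observed window (at least one minute).
            span_s = max(60, max(r[0] for r in fails) - min(r[0] for r in fails))
            if len(fails) * 60 / span_s >= burst_per_min:
                label = "high-volume"   # plain volume thresholds catch this
            elif max(per_ip.values()) <= per_ip_limit:
                label = "low-and-slow"  # stays under every per-IP limit
            else:
                label = "suspicious"
        report[endpoint] = {"label": label, "failures": len(fails),
                            "distinct_ips": len(per_ip),
                            "fail_ratio": round(fail_ratio, 2)}
    return report
```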


Traditional Account Takeover Attack Protection Methods Fall Short

The original solution to their ATO problem was an internally developed tool that was successful initially but, over time, proved resource intensive to maintain as attackers quickly figured out how to evade its mitigation. First-generation bot detection solutions were evaluated but showed limited success because of their reliance on JavaScript and mobile SDKs. The challenge first-generation bot detection solutions face is the simple fact that APIs are code: they cannot be instrumented in the same way a web page or an app can. This meant that the first-generation bot solutions had limited access to the telemetry data and other information needed to determine whether the intent of a transaction is malicious.

Clientless API Security Used to Prevent Account Takeover Attempts

Faced with mounting fraud, customer dissatisfaction and a need to better protect their API-first development methodology, the customer turned to the Cequence Unified API Protection (UAP) solution to stop the attacks. The Cequence UAP detects ATOs and other automated attacks using CQAI, an advanced ML-based analytics engine that automatically discovers API, web and mobile application endpoints to build an intuitive site map for visibility and policy-based protection. Predefined policies based on the largest API threat database available dynamically analyze API transactions to determine the intent of each request. When malicious activity was detected, the customer could natively enable mitigation policies using multiple response options such as blocking, rate limiting or deception.

The agentless, ML-based approach of the Cequence UAP helped the customer achieve the following results:

  • 80% reduction in infrastructure consumption and related costs by eliminating malicious traffic.
  • $580,000 saved by protecting roughly 2,000 user accounts from fraud and user dissatisfaction. The savings are based on the Juniper Research estimate that each incident costs organizations $290 and roughly 9 hours of investigative work.
  • Reduced time-to-market as new APIs and web apps are automatically protected through DevOps integration.

Today, the customer is using the Cequence UAP to protect all their public-facing APIs and web applications from fraud and theft associated with ATOs and other forms of automated attacks.


Author: Matt Keil, Director of Product Marketing
