Financial institution reduces account takeovers by over 40%

Consumer-facing banks have to strike a difficult balance between making customer funds easy to access and stopping sophisticated forms of account takeover. Attackers are willing to invest significant time and energy to defeat bank security mitigations because the pay-off for success is very high. The banking industry is a great place to spot cutting-edge techniques before they trickle down to other industries.

What we have is “not good enough”

A major US financial institution (henceforth “Bank X”) approached Spur to see if our data could improve their account takeover mitigations. Bank X explained that they are an extremely valuable target for attackers due to their large digital presence and the wide breadth of banking services under one roof. Their digital properties include multiple mobile applications and multiple web applications. These customer-facing properties provide access to brokerage services, checking accounts, savings accounts, 401ks, and more. A successful account takeover on their platform presents a number of diverse monetization techniques for an attacker.

By their own assessment, Bank X already did a good job at identifying fraudulent account registrations. This was in part due to the personal information required for identity verification and compliance. This extra data often provided the bank with enough information to spot unusual activity. Bank X, however, knew that their existing solution for preventing account takeovers was “not good enough.” On average, each account takeover would cost Bank X several thousand dollars. This cost would manifest itself in returned funds, litigation, investigatory work, insurance claims, and a loss of customers as a result of the breach.

Spot the tradecraft

One of the best insights Spur can provide to customers is the tradecraft being used to conduct large-scale campaigns. In this case, Bank X was able to provide Spur with a list of seemingly random residential IPs associated with the “most expensive” account takeover incidents. When Spur data was enriched against the chain of indicators, it was estimated that Bank X could easily prevent over 40% of the successful and previously undetected incidents. This was true even when the incident spanned multiple sessions or IPs. Bank X had at least two different actors conducting successful ATO (account takeover) campaigns against their platforms using similar techniques but different residential proxy services. Bank X purchased Spur’s on-prem Anonymous + Residential dataset within the week.

Security without friction

Now that Spur had identified the services being used most successfully against Bank X, it was time to implement mitigations. We turn back to the security/friction paradox: how can you add security gains without increasing user friction? Bank X took a great approach to application security: progressive authentication and constant session verification based on activity.

The general strategy was implemented as follows: a user session was always tagged with its associated services (e.g. VPNs or residential proxies) from Spur. This was done on-prem using a local dataset provided by Spur. That user session could continue (gaining additional tags as it changed) until it failed to reach some trust threshold for an account action. This would primarily occur on elevated-privilege actions like adding a new transfer account or performing a fund transfer. These are infrequent activities for legitimate users, but common ones in fraud. At this point, Bank X could refer to the user session tags and look for the presence of services commonly associated with different fraud campaigns. If nothing matches strongly enough, they can proceed as usual without causing any additional user friction. If, however, the session matches a profile consistent with fraud, they can step up the authentication (e.g. 2FA) or send the user into a holding loop or sandbox environment.
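The session-tagging and step-up flow described above, as an added example written for this page; it is not Spur's or Bank X's code. The prefix-to-service table, the service names, the fraud profiles and the escalation policy (step-up 2FA on a first profile match, sandbox once a challenge has already failed) are all constructed assumptions standing in for a local anonymity/residential-proxy dataset and a bank's own risk policy.

```python
"""Risk-based step-up authentication driven by session service tags.

Illustrative example, not vendor code. The dataset and profiles below are
constructed stand-ins; a real deployment would load an on-prem dataset.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample dataset: network prefix -> anonymization service tag.
# TEST-NET documentation ranges are used so nothing here points at a real network.
SAMPLE_DATASET = {
    "203.0.113.0/24": "RESIDENTIAL_PROXY_A",   # assumed service name
    "198.51.100.0/24": "RESIDENTIAL_PROXY_B",  # assumed service name
    "192.0.2.0/24": "VPN_SERVICE_C",           # assumed service name
}
_NETWORKS = [(ipaddress.ip_network(p), tag) for p, tag in SAMPLE_DATASET.items()]

# Elevated-privilege actions that require the session to clear a trust check.
ELEVATED_ACTIONS = {"add_transfer_account", "fund_transfer"}

# Fraud profiles: service combinations previously seen in costly ATO incidents.
# Constructed for the example; a bank would derive these from its own incidents.
FRAUD_PROFILES = {
    "campaign_1": {"RESIDENTIAL_PROXY_A"},
    "campaign_2": {"RESIDENTIAL_PROXY_B", "VPN_SERVICE_C"},
}


def tag_ip(ip: str) -> set[str]:
    """Return the set of services a client IP is associated with (empty if none)."""
    addr = ipaddress.ip_address(ip)
    return {tag for net, tag in _NETWORKS if addr in net}


@dataclass
class Session:
    user: str
    tags: set[str] = field(default_factory=set)
    ips_seen: list[str] = field(default_factory=list)
    challenges_failed: int = 0

    def observe_ip(self, ip: str) -> None:
        """Tags accumulate for the life of the session as the client IP changes;
        they are never dropped, so a hop through a proxy is not forgotten."""
        self.ips_seen.append(ip)
        self.tags |= tag_ip(ip)

    def record_challenge(self, passed: bool) -> None:
        """Outcome of a step-up challenge (e.g. 2FA) issued to this session."""
        if not passed:
            self.challenges_failed += 1


def matched_profiles(session: Session) -> list[str]:
    """Names of fraud profiles fully contained in the session's tag set."""
    return sorted(name for name, profile in FRAUD_PROFILES.items()
                  if profile <= session.tags)


def decide(session: Session, action: str) -> str:
    """Return 'proceed', 'step_up' or 'sandbox' for an account action.

    Ordinary actions never consult the tags, so normal use adds no friction.
    Elevated actions proceed unless the session matches a known fraud profile;
    a match triggers step-up authentication, and a session that has already
    failed a challenge is diverted to a holding/sandbox path instead.
    """
    if action not in ELEVATED_ACTIONS:
        return "proceed"
    if not matched_profiles(session):
        return "proceed"
    if session.challenges_failed > 0:
        return "sandbox"
    return "step_up"


if __name__ == "__main__":
    # Constructed walk-through: a session that starts clean, then moves
    # through two tagged services before attempting a transfer.
    s = Session(user="demo-user")
    for ip in ("192.168.1.10", "198.51.100.4", "192.0.2.9"):
        s.observe_ip(ip)
        print(ip, sorted(s.tags), decide(s, "fund_transfer"))
```

Keeping the profile match on the full tag set accumulated over the session, rather than on the current IP alone, is what lets the check hold up when an incident spans several IPs; keeping the lookup local (an in-memory prefix table here) is what lets it run on every request without adding latency.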

Customer(s) for life

Overnight, Bank X achieved an over 40% decrease in successful account takeovers without adding any meaningful user friction in the process. Not only did this dramatically improve their bottom line, it also gave them compelling evidence of improvement for regulatory compliance reviews. Since this project was completed at Bank X, several of their engineers have moved on to new places. We can almost set our watches for a call to bring Spur’s data into their new environment.