Deter Account Takeovers in Financial Services

Overview

Increasingly, consumers rely on digital channels for financial transactions. Not just fintechs, but traditional financial institutions such as banks and credit unions embrace technology to meet their consumers’ evolving needs and expectations.

While aggressive innovation provides consumers with a range of financial products, it also provides bad actors with new incentives to attack. From new account fraud and account takeovers to application fraud, man-in-the-middle, and phishing attacks, financial institutions are under constant threat from attackers. It is estimated that banking, cards, and payments sectors lost nearly $385 billion to fraud in 2021.

Account takeovers are particularly attractive to fraudsters because they can monetize the compromised accounts in several ways. In addition to draining the funds from the account, attackers can sell the account information to third parties on the dark web. Alternatively, they can use the compromised accounts for a range of criminal activities including opening lines of credit, money laundering, disseminating spam, and launching phishing campaigns.

In addition to monetary losses, account takeover attacks damage the reputation and brand of the affected financial institution, which may lead to customer churn and loss of business.

How Much Money is Made by Attacking Financial Services Accounts?

The Economics of Account Takeover Attacks, explains the factors that affect the monetization of compromised financial services accounts. In fact, potential returns from an account takeover attack depends on these factors:

Hit rate

Refers to the possible number of valid sets of credentials harvested from a credential stuffing attack. For banking and fintech accounts, the estimated hit rate is about 10%. The hit rate for financial institutions is lower compared to other industries because consumer IDs do not use email addresses, and consumers are wary of repurposing the same credentials they use for other digital accounts. Therefore, for an average quality combo list with 1 million credentials, attackers can harvest nearly 100,000 credentials at 10% hit rate.

Reputation of the attacker

A reseller’s reputation directly affects how much of their inventory they can sell. For example, new sellers with no/low reputation may sell up to 20% of their inventories, while more experienced resellers with a medium reputation may sell up to 40% of their inventory. Long-term proven resellers with a very good reputation may sell at least 60% of their inventory.

Market value of the compromised accounts

The market price of a compromised financial account fetches the most potential revenue after premium gaming accounts. The average revenue per credential for a financial account is $0.40 which can fetch around $24,000 for an attacker with good reputation, $16,000 for an attacker with medium reputation, and $8,000 for attackers with low reputation.

A website’s level of protection

Less-protected or unprotected websites are easy targets for attackers; they don’t need to have superior technical skills, and they don't need to create an attack infrastructure. On the other hand, highly protected websites may block or challenge close to 100% of the attack traffic, increasing the need for the attacker to resubmit requests, extending the timeline to completion, and raising the cost of the attack. Less-patient or skilled attackers are likely to give up an attack before it completes and move on to an easier target.

How Much Does It Cost to Attack a Financial Services Account?

To attack a well-protected site, attackers must invest additional effort and cost, in addition to building an elaborate attack infrastructure. Due to the increased number of replays, lack of fast progress, complexity of attack strategy, rising attack costs, and the uncertainty of how long the attack will take to complete, less experienced attackers give up early, which affects their inventory and ultimately their net income.

The Economics of Account Takeover Attacks reveals the monthly and annual costs of attacking a single and multiple (5) websites with various levels of protection namely: with a WAF, a bot management solution, and an advanced bot solution such as Arkose Protect™.

The revenue potential for attackers of varying reputations for websites protected with various levels of security solutions are described in the table below:

Website protected with WAF

Number of sites attacked	1	2	3	4	5
Total cost (yearly)	$624	$624	$624	$624	$624
Potential Income:
Low reputation	$7,376	$15,376	$23,376	$31,376	$39,376
Medium reputation	$15,376	$31,376	$47,376	$63,376	$79,376
High reputation	$23,376	$47,376	$71,376	$95,376	$119,376

Website protected with a bot management solution

Number of sites attacked	1	2	3	4	5
Total cost (yearly)	$9,000	$9,600	$10,200	$10,800	$11,400
Potential Income:
Low reputation	-$1,000	$6,400	$13,800	$21,200	$28,600
Medium reputation	$7,000	$22,400	$37,800	$53,200	$68,600
High reputation	$15,000	$38,400	$61,800	$85,200	$108,600

Websites protected with Arkose Protect™

Number of sites attacked	1	2	3	4	5
Total cost (yearly)	$18,080	$27,760	$37,440	$47,120	$56,800
Potential Income:
Low reputation	-$10,080	-$11,760	-$13,440	-$15,120	-$16,800
Medium reputation	-$2,080	$4,240	$10,560	$16,880	$23,200
High reputation	$5,920	$20,240	$34,560	$48,880	$63,200

Long-term deterrence with Arkose Protect™

Financial services organizations using Arkose Protect™ can deter account takeover attempts by making them costlier and increasing the time to complete. Attackers will need to create an elaborate infrastructure, possibly consisting of a laptop orchestrating a set of virtual machines (VM) deployed in a cloud infrastructure generating the attack traffic load balanced through a large set of residential and mobile proxies. The software running on the VM may be an advanced script written in Python or similar languages, or run a full-blown headless browser able to execute JavaScript and mimic more advanced behavior like mouse movement or key presses.

In addition, attackers must invest in a costly proxy service leveraging mobile and residential ISP IP addresses, as a basic proxy service would no longer suffice. Their hosting costs will double (about $100 per month) per site they attack to manage the more complex workflow of solving the Arkose Protect™ challenges. Further, they must integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests.

Attackers will spend significantly more time to complete a credential stuffing attack, making the attack more noticeable and prone to mitigation, which increases the number of retries required. Considering that the CAPTCHA solving service requires four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. Therefore, the total annual cost to attack a single website protected with Arkose Protect™ is more than $18,000.

To avoid detection, attackers must revisit and devise a more-sophisticated attack strategy to ensure:

The traffic is spread through a large number of nodes, seeing a botnet consisting of over 10,000 nodes spanning several continents is common;

The traffic looks like it is coming from residential and mobile ISP, since traffic coming from data centers is generally considered more suspicious;

The attack traffic mimics the legitimate traffic as much as possible. For example, if users are expected to follow a specific path before reaching a resource, such as first visiting the site’s home page, then accessing the login page, and eventually logging in, the attack traffic must follow a similar workflow;

The expected data is sent with some variety in the fingerprint, yet guaranteeing that the fingerprint is valid to avoid being detected. This is because bot or fraud detection products typically collect a fingerprint client-side consisting of device and browser characteristics and user preferences, which is then evaluated to differentiate bots from humans or uniquely identify devices.

Failed attempts are resubmitted as a large majority of the attack traffic will be successfully detected and blocked or challenged. This increases the time to complete the attack.

Conclusion

Top financial institutions globally trust Arkose Labs for long-term protection of their platforms and consumers against account takeover attacks. This future-ready bot management solution, deters bad actors while preserving the user experience for genuine consumers.

Book a Meeting

Meet with a fraud and account security expert

Request a customized demo to learn more.

REQUEST A DEMO CLOSE

Bad Bots and Beyond: 2023 State of the Threat

SOLUTION BRIEF

Deter Account Takeover Attempts in Financial Services With Arkose Protect™