The Cybercrime Crisis: Top FinTech Attack Vectors

By Vanita Pandey, Vice President, Product Marketing and Strategy, ThreatMetrix

Consumer demand for anytime, everywhere services has resulted in over half of all transactions now coming from mobile devices. According to recent research by ThreatMetrix, customers are increasingly transacting with their financial institutions digitally, especially to access their accounts on the go. Account logins represent 88% of total financial services transactions and have doubled year-on-year. Mobile transactions also grew significantly in Q4 2017 and represented 60% of all financial services transactions.

Meanwhile, emerging FinTechs continue to disrupt the industry, with an emphasis on convenience and frictionless user experiences. The resulting arms race has incumbent institutions and startup challengers transforming every facet of the business through digital innovation. The problem is that cybercriminals are exploiting the gaps in those same technologies. Account creation attacks increased in Q4 2017 and have grown 382% compared to 2015, which illustrates the increased risk from FinTech platforms. Fraudsters are undoubtedly on the prowl to make a quick profit from applying for new loans or other financial products.

Beyond the evolution of known threats, a handful of key attack vectors are gaining new momentum. Here are the most common attacks that financial institutions should consider when developing their cyber security strategies:

● Device Spoofing: By impersonating a device on a network, cybercriminals can bypass even the most complex application procedures and launch attacks against network hosts, steal data or spread malware. Take Southeast Asia as an example: there is a strong prevalence of device sharing and of jailbroken and rooted devices, along with cheap smartphones. This provides an opportunity for fraudsters and leads to a strong prevalence of device spoofing in the region.

● Identity Spoofing: Cybercriminals may craft messages that appear to come from a trusted source, or alternatively intercept a message from a legitimate sender and make it look like the message came from them. This form of attack can be used to hijack login credentials from valid users, and it can target any resource that’s associated with an identity. Identity spoofing and device spoofing are the most prevalent attack vectors in APAC. The percentage of these attack vectors in Asia is significantly higher than the global average, highlighting the region’s susceptibility, in part because some countries in the region do not have access to widespread identity verification assessments.

● Man-in-the-Browser (MitB) or bot: Bots and/or scripts enable fraudsters to test credentials at scale and infiltrate trusted user accounts. However, search engines also use bots to check links and content, and digital businesses use them to retrieve data or monitor performance, so it is becoming increasingly important to differentiate between good and bad bots as good bot usage increases. This trend will continue with the advent of the EU’s PSD2 (Revised Payment Services Directive), as banks will open their APIs to third-party providers, leading to the emergence of new business models and services.

● IP Spoofing: Fraudsters will send IP packets from a false (or spoofed) source address in order to disguise themselves. Denial-of-service attacks often use IP spoofing to overload networks and other devices with packets that appear to be from legitimate source IP addresses.

Without digital identity intelligence on the associations between users and their devices, locations, behaviours and other dynamic data elements, fraud is virtually impossible to detect. As attacks grow more sophisticated and complex, financial institutions must shore up their defences. After the quarter financial institutions just faced, that’s a goal the entire industry should support.