If you could look like a million people, what kinds of crimes could you commit?
Today’s fraudsters have access to enormous resources and pretend to be a whole horde of people with nearly limitless options at their disposal to mask their efforts. The armies they create, these battalions of sophisticated bots…when they’re marched in a single direction, they can wreak an astonishing amount of havoc.
When Singaporean corporations were hit by the SolarWinds attack, the Monetary Authority of Singapore (MAS) released new guidelines to minimize the aftereffects. Yes, organizations should meet the new Monetary Authority of Singapore (MAS) guidelines. Yes, they should be vetting every service provider they work with for cybersecurity best practices. Yes, they should conduct regular penetration tests to ensure that there aren’t any weak spots in the (proverbial) firewall.
The greatest threat lies in the automation of such attacks
Just a few years ago, HUMAN (formerly known as White Ops) was the lead in the takedown of the 3ve botnet, which at its height, controlled more than 1.7 million devices. These devices were all pointed in the direction of advertising, making more than three billion fake ad requests a day and stealing more than $30 million over the course of the botnet’s lifespan.
All of this is just to say that sophisticated bots, when gathered together, can be extremely valuable tools for fraudsters. And financial technology firms may just be next on their hit list. Bot attacks on financial services firms are on the rise, growing to 52% YOY in Singapore in Q1 2020.
As a fintech in Singapore, consider whether your offerings run on an application or on the Internet. Do you have a web portal for customers to access? Do you deal with cryptocurrency?
Sophisticated bots can target public-facing web applications with relative ease. It’s called “account takeover” and bad bots have several ways of obtaining your information. For example, a fraudster can gather user credentials leaked via a recent data breach (and it seems like there’s another one of those every week or so) and send an army of bots to try numerous combinations of user credentials on any web portal to see which credentials are being reused. That’s an attack called “credential stuffing” and it’s a common way for fraudsters to impact the market.
What’s more, 75% of sophisticated bots live on the devices Singaporeans use every day. It’s not solely the domain of data centers anymore; malware sits on consumer devices like mobile phones, laptops, and tablets and the fraudsters deploy bots and are off to the races to exploit whilst seeking to remain undetected.
It’s worth noting that multi-factor authentication (MFA), while a help in these circumstances, is not a perfect solution as it can also be defeated by a determined fraudster.
On another front, there are issues that result from sophisticated bots arriving at a website and creating a slew of fake accounts. These accounts can be used to test stolen credit cards, post fake user-generated content or spread disinformation and spam.
Preventing these attacks
And while these attacks might be ameliorated by password hygiene on the part of consumers it’s not a perfect answer to the problem. Data breaches aren’t going to stop and it’s incumbent on organizations with web portals and applications to protect themselves against fraudsters and prevent from being the next company appearing in the breaking news headlines. Recent research from Kaspersky indicates that more than half of all fraud schemes in the financial industry were account takeover attacks.
So the logical next step is to prevent those leaked credentials from working against the next fintech organization down the street. If you can detect automation where there shouldn’t be any automation, you can block the deleterious impacts of someone else’s data breach before they reach your door.
That’s our approach, spot the bots and stop them before they can get in. This is a $7 billion problem, according to one analyst firm. Trying to “fix” human nature through password hygiene is a losing battle but preventing the downstream impacts of a data breach is possible and businesses that work in the financial and insurance space should be especially focused on mitigating automated attacks.
For fintech organizations, more can be done to safeguard users’ hard earned money. Better staff awareness training, for example, is key to ensuring employees can identify and avoid potential threats. In terms of infrastructure, having zero-trust architecture and proactive testing to find vulnerabilities in systems can go a long way. And when in doubt, collaborations with specialists can lead fintechs to safer pastures all while ensuring compliance with MAS’ updated guidelines and laws.
Featured image credit: Business vector created by fullvector – www.freepik.com