Over the past couple of years, I've worked on many projects which have been focused on helping companies 'turn the lights on' as to what is happening on their website - the good, the bad and everything in-between. One of the most unusual cases I've seen involved a payday lender and a mass disclosure of online banking credentials. After much discussion with my colleagues, we settled on calling this new fraud type 'credential sharking' (as in loan shark).
So how does credential sharking work? Whilst analyzing online banking click patterns, we discovered an outlier, which appeared to be a potential threat. A single device was repetitively logging in and scrolling through a broad range of user accounts - very different to how you and I use online banking.
After several calls to the account owners, it was discovered that all of the users had something in common - payday loans with an external third party. Upon further questioning, the underlying answer was revealed. As part of the loan opening process, the payday lender was requiring applicants to provide their online banking credentials - with the intention of the payday lender to then use these login details to check when the loan customer received incoming funds (e.g. salary, social security payments) and subsequently deduct the loan repayments.
The potential risks, ethical considerations, compliance and regulatory issues associated with this case deserve several thousand more words - but let's just say they're material. Apparently, this specific issue was isolated to an overly creative, rogue employee, who had created their own process to minimize loan delinquencies. The risk was also not limited to any specific bank - it impacted any bank which happened to have a customer who signed on with this particular payday lender - thousands of accounts in total.
Although this appeared to be an isolated case, it does raise a question about the disclosure of online banking login details to third parties - something which is becoming more and more commonplace within innovative FinTech products. Services which request disclosure of online banking details include payment facilitators, auto-saving products and account aggregators.
Account Aggregation Offer Convenience and Risk
Without exception, the first thing which stands out when analyzing the click patterns on a banking website is account aggregators. Account aggregators are third party services, which scrape transaction and balance data from web portals (normally online banking) into a 'single pane of glass'. Theses services started with retail banking, but have since expanded into domains such as wealth management, superannuation and even frequent flyer accounts.
The consumer benefit is a single view of their financial position and all their transactions - regardless of the institution of where the accounts or loans are actually held. This is a compelling proposition, especially for consumers who like to shop around for the best deal and hold no particular loyalty to a single bank. However, there is the fine print. Typical terms and conditions for these services are very favorable for the aggregator and include provisions such as the aggregator may use, sell, license, distribute and disclose to third parties aggregated information obtained or data shared is done so at the risk of the consumer.
Although account aggregators are typically very security conscious, they are still an excellent potential resource and target for cyber attackers. A consumer's aggregation account has perfect and complete financial data. If you're planning to steal someone's identity, then it is an excellent place to start as it provides a wealth of information such as who the victim banks with and how much money they have.
After compromising online banking credentials (e.g. via phishing or malware), there are two activities which need to be completed by attackers - validation and prioritization. Validation is verifying that the login credentials and passwords still work. Prioritization is primarily determined by available funds in the compromised accounts (to maximize ROI).
An account aggregation service provides a free and extremely efficient mechanism to achieve these two goals, and this is a technique often used by attackers. The additional benefit is that it provides a veil of anonymity, given the aggregator is being used as a proxy.
How to Mitigate Fraud Losses
This is where it starts to become a little messy. To help work through the potential implications, let's work through a hypothetical example. Let's consider an aggregation website has been compromised and the attackers have obtained thousands of online banking credentials. Attackers proceed to use the credentials to steal millions of dollars, across a large number of banks
The question is, who will ultimately be liable for the fraud losses?
(a) The banks
(b) The third party aggregator site
(c) The consumers who had their data stolen
If you've answered (c), you're technically correct.
By sharing login credentials with a third party, an individual actually breaches their security obligations and are technically liable any fraud losses facilitated by such a disclosure. This ruling is governed by normal banking terms and conditions, as well as regulatory polices such as the Australian ePayments code.
In reality, most banks will likely choose to carry liability and refund customers, given the potential loss of unhappy customers as well as the reputational risk associated with such an incident.
Similar to many cyber risks, the key question is how to manage. My view is that a solution may be formulated in two parts:
To understand the risk, we need to be able to answer a simple question: how many customers are actually using third party aggregation services? This question may be answered by analyzing the website visitor behavior and the associated metadata.
Based on my experience working with banks across Asia Pacific, the answer usually lies somewhere between hundreds and tens of thousands of customers.
Once we've established scale, the logical first step is to record the risk within the appropriate risk register framework. This process will enable a business to rate the severity of the risk by evaluating against the likelihood and potential impact (e.g. fraud loss, media exposure, brand damage, share price).
From there, we need to consider pragmatic controls to reduce the risk to an acceptable level for the business. The type of controls may include the following actions:
- Customer segmentation. Tighten risk controls and monitoring across those customers whom are identified as using third party aggregation services
- Provide a secure, read-only API to the aggregators, to avoid screen scraping
- Block aggregator activity completely
- Pro-actively contact customers whom are identified as using aggregation services to explain the risks and potential implications
- Implement a second factor, risk-based authentication platform for higher risk login events. This will invoke a business process change for aggregators, given the dynamic nature of authentication.
Regardless of the controls, all businesses impacted by aggregator-like activity, should build a contingency plan to manage the risks. The plan may be as simple as temporary blocking of all at risk accounts, coupled with a customer communication plan - but it is important for something to be in place.
Although innovative services (such as aggregators) introduce new cyber risks, there is nothing preventing us from effectively managing these risks. Data driven monitoring solutions, combined with a clear plan and common sense are the keys to unlocking this outcome.
Author: Tim Dalgleish
Category: RSA Fundamentals
Keywords: Account Aggregation, Consumer Security, Credential Sharking, Cybercrime and Fraud, Fraud, Risk-Based Authentication