ShieldSquare is now Radware Bot Manager

What is Bank Account Takeover?

Bank Account Takeover is a form of account takeover in which a cybercriminal uses bots to crack into a victim’s bank account and take it over to withdraw funds or make payments to third-parties. While bank account takeover is not as widespread as regular account takeover instances of user accounts on online shopping, gaming and other types of non-financial portals, it is of extreme concern to consumers due to the huge financial impact it has.

How is Bank Account Takeover Carried Out?

Cybercriminals generally use the following two tactics to take over accounts, though social engineering techniques to take over accounts without using bots also exist.

Credential Stuffing

Credential stuffing is defined as ‘Mass log-in attempts used to verify the validity of stolen username/password pairs’ (OWASP OAT-008). It takes advantage of users who reuse the same username and password combination on multiple websites. Hackers are known to buy and sell lists of bank log-in credentials on the Dark Web, and then use bots to make large numbers of log-in attempts, hoping to find credentials that work so they can log in and take over bank accounts.

Credential Cracking

Credential cracking is defined as ‘Identifying valid log-in credentials by trying different values for usernames and/or passwords’ (OWASP OAT-007) and is commonly known as ‘brute forcing’. Bank account takeover usually happens through hackers obtaining lists of breached usernames or passwords (either sold on the Dark Web or freely available on certain sites used by cybercriminals). Bots are then used to carry out brute-force techniques, which can involve dictionary attacks (sequentially entering large numbers of words) and random guesses, to figure out which combination of log-in credentials works.

Impact of Banking Account Takeover

Bank account takeover is primarily carried out by cybercriminals to steal money from account holders. Though most banks send alerts about account activities via text messages, banking application notifications or emails, the damage is often done by the time the account holder gets the notification. Apart from the direct losses for an account holder when his or her funds are stolen or used to buy goods or services, there are also legal considerations in reporting the crime, not to mention financial penalties in case of checks bouncing or automatic payments to billers not being made due to lack of funds in the account. Bank account takeovers greatly impact consumer confidence in banks and can result in major damage to a bank’s reputation.

How to Prevent Bank Account Takeover

Banks and financial institutions usually have systems that detect fraud or unusual account activities, but these are limited in their protection when a consumer’s account has already been compromised. Though many banks use methods such as limiting the number of possible log-in attempts that can be made during a certain time, along with two-factor authentication required for every log-in, these have proved to be ineffective in combating criminals who use bots to take over bank accounts. To prevent account takeover fraud and ensure watertight account protection, there is no alternative to a dedicated bot mitigation solution. A specialized solution such as Radware Bot Manager provides robust protection against account takeover by analyzing every log-in attempt by every user. Read our Solution Brief to learn more about account takeovers and how they can be prevented.
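The two bot tactics described above leave different traces in a bank's authentication log: credential stuffing tries many distinct usernames from one source, roughly once each, while credential cracking hammers one username with many passwords. The following is an added example (not Radware's or ShieldSquare's code) of per-source analysis of log-in attempts in a time window; the log format, the constructed sample lines and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <source_ip> <username> <outcome>".
# 203.0.113.5 tries many usernames once each (stuffing), 198.51.100.9 hammers one
# username (cracking), 192.0.2.77 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 alice FAIL
2024-01-01T10:00:01 203.0.113.5 bob FAIL
2024-01-01T10:00:02 203.0.113.5 carol FAIL
2024-01-01T10:00:03 203.0.113.5 dave SUCCESS
2024-01-01T10:01:00 198.51.100.9 frank FAIL
2024-01-01T10:01:01 198.51.100.9 frank FAIL
2024-01-01T10:01:02 198.51.100.9 frank FAIL
2024-01-01T10:01:03 198.51.100.9 frank FAIL
2024-01-01T10:05:00 192.0.2.77 grace FAIL
2024-01-01T10:05:30 192.0.2.77 grace SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_attempts=4):
    """Label each source IP 'stuffing', 'cracking' or 'normal' from the busiest
    `window` of its attempts: many distinct usernames with about one try each
    looks like OAT-008; few usernames with many tries looks like OAT-007."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in events:
        by_ip[ip].append((ts, user))
    labels = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        busiest = []
        for i, (start, _) in enumerate(attempts):  # sliding window over attempts
            span = [a for a in attempts[i:] if a[0] - start <= window]
            if len(span) > len(busiest):
                busiest = span
        if len(busiest) < min_attempts:
            labels[ip] = "normal"
        elif len({u for _, u in busiest}) >= 0.8 * len(busiest):
            labels[ip] = "stuffing"
        else:
            labels[ip] = "cracking"
    return labels
```

Sources labelled here would typically be fed to a rate limiter or challenge step rather than blocked outright, since shared NAT addresses can look bursty without being malicious.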
