By Antoine Vastel PhD, VP of Research at global cybersecurity company DataDome
Banks are at the heart of modern economic life, processing millions of transactions globally, every second. An unavoidable reality is that these financial institutions will always be a target for cybercriminals, who seek to defraud either the institutions themselves, or their customers.
Despite being prime targets for criminals, the financial industry has a poor track record of protecting itself against cyber attacks. In fact, it is currently the second least cyber-secure sector in the UK.
One of the primary modes of these attacks is through the use of bots, which can overwhelm many IT systems within minutes. This is far from a fringe threat: the volume of cyber attacks on these institutions doubled in 2023. The worst of these attacks saw unprotected financial institutions losing millions of dollars and, at times, large customer bases.
While this is clearly a significant threat, an alarming number of financial institutions seem to be wholly unprepared for it. A recent DataDome survey showed that around 70% of financial institutions monitored had no defences against the most common bot-based attacks on their homepage, a worrying statistic that implies a lack of readiness across their websites. These figures show that the sector has a long way to go in meaningfully addressing the problem.
The threat landscape
The cybersecurity threat landscape constantly evolves and adapts, presenting banks with endlessly shifting and maturing challenges aimed at exploiting vulnerabilities and compromising sensitive financial data. Account fraud poses a significant challenge as fraudsters use bots to leverage stolen or synthetic identities to create fraudulent accounts, exploiting incentives, promotions, or credit offers.
Account takeovers represent another pressing concern for the banking industry, as bots attempt to gain unauthorised access to user accounts by exploiting vulnerabilities in authentication processes or utilising stolen credentials. Such breaches not only jeopardise the security of sensitive financial information but also erode customer confidence in the safety of online banking platforms.
Additionally, Distributed Denial-of-Service (DDoS) attacks pose a significant risk to the availability and functionality of banking systems. By overwhelming networks, systems, or websites with a flood of traffic from multiple sources, DDoS attacks render them inaccessible to legitimate users, disrupting essential banking services and causing financial losses.
False solutions
Many financial institutions have attempted to put some anti-bot measures in place, notably the increased use of CAPTCHAs and Multi-Factor Authentication (MFA). These work by presenting a visual test to an incoming user, or by requiring them to enter a password on another device, such as a mobile phone.
At one stage, these could meaningfully restrict the number of bots entering a site, but in recent years these methods have become woefully obsolete as standalone solutions. Notably, they tend to block real users who use a VPN for their own privacy and security, which has the opposite of the intended effect and drives away genuine traffic.
As well as being intrusive, frustrating, and potentially inaccessible to many users, traditional CAPTCHAs do a very poor job of distinguishing real humans from bots. Research has shown that bots are quicker and more accurate at solving CAPTCHAs than humans.
Even MFA is becoming more vulnerable to exploitation. As AI becomes more advanced at generating both text and voice, it has proven increasingly able to fool both automated and human-led MFA systems on a wide scale.
Both of these methods are input dependent; in other words, they are different forms of tests put in front of a user. The unfortunate reality is that any form of bot detection that relies on such tests will be in a constant race with machine learning algorithms that are growing more competent and sophisticated at a near-exponential rate. This makes them an unreliable method for financial institutions to protect their customers.
The best challenge might just be invisible
With a rethink of the traditional CAPTCHA approach in order, security experts have gone back to the proverbial drawing board. The best approach today? ‘Invisible challenges’.
These powerful tools allow websites and apps to identify and block bot activity with astonishing accuracy, ultimately reducing the need for human users to complete CAPTCHAs.
Because these challenges are “invisible”, they are far more difficult for bots to adapt to and learn from, giving the edge back to financial institutions. While invisible challenges don’t fully eliminate the need for CAPTCHAs, they can be combined with more sophisticated CAPTCHA techniques, which are far less frustrating and time-consuming for users. A combined approach like this means financial institutions can maintain flexible options in response to suspicious or malicious behaviour.
Financial institutions can effectively safeguard against bots by integrating invisible challenges into their security stack. This approach eliminates the necessity for manual interventions in nearly all instances, maintaining a seamless user experience without compromising security. By shifting the burden of security from their customers, financial institutions can enhance both user satisfaction and their own security—positively impacting their revenue in the process.