March 29, 2021

The role of consumer credentials in financial cybercrime

New research from VMware Carbon Black has found that the COVID-19 pandemic has been connected to a 238% surge in cyberattacks against banks[1]. And losses can be huge: McAfee found that the global losses from cybercrime now total nearly $1 trillion[2], an increase of 180% since 2018.


It is clear cybercrime is an increasingly serious issue in financial services. The number one form of cyberattack in the industry involves credential stuffing: the use of stolen login credentials, typically usernames and passwords, to breach systems through large-scale automated login requests. In September 2020, the FBI highlighted that credential stuffing accounted for the greatest volume of security incidents[3] in the financial sector at 41% of total incidents between 2017 and 2019. According to the FBI, the rise in credential stuffing correlated with an increase in more credentials on the dark web.
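As an added illustration (not code from the original post), the following Python snippet applies the per-source heuristic a defender would use to spot the credential-stuffing pattern just described: one source trying many distinct usernames with a high failure rate, as opposed to a customer retrying a single username. The log format, sample lines and thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing sources: one IP trying many distinct usernames
with a high failure rate, unlike a customer retrying one username."""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic); the format is assumed:
# "<timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = """\
2021-03-29T09:00:01Z ip=198.51.100.4 user=alice result=FAIL
2021-03-29T09:00:02Z ip=198.51.100.4 user=bob result=FAIL
2021-03-29T09:00:02Z ip=198.51.100.4 user=carol result=OK
2021-03-29T09:00:03Z ip=198.51.100.4 user=dave result=FAIL
2021-03-29T09:00:03Z ip=198.51.100.4 user=erin result=FAIL
2021-03-29T09:00:04Z ip=198.51.100.4 user=frank result=FAIL
2021-03-29T09:01:10Z ip=203.0.113.9 user=grace result=FAIL
2021-03-29T09:01:25Z ip=203.0.113.9 user=grace result=FAIL
2021-03-29T09:01:40Z ip=203.0.113.9 user=grace result=OK
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def aggregate(log_text):
    """Per source IP: attempts, failures, distinct users, users that logged in OK."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "successes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(user)  # candidate account takeover if ip is flagged
    return stats

def flag_stuffing(log_text, min_users=5, min_fail_rate=0.8):
    """Return {ip: sorted accounts that succeeded} for sources that look like stuffing."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = sorted(s["successes"])
    return flagged
```

The accounts returned for a flagged source are the ones worth reviewing for takeover, since a stuffing run that succeeds once is exactly the case the password-reuse figure below makes likely.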

Studies estimate there are more than 15 billion[4] stolen credentials available today. Considering 72% of consumers reuse passwords[5] across personal accounts, it often only takes one breach for a bad actor to access a customer's bank account.


In addition, there has been an explosion in adoption of fintech apps that enable payments, investing, budgeting, tax filing, lending, and other use cases. For a fintech app to perform its service, it must have access to a consumer’s financial account data, and the majority of this data has been collected via a decades-old data aggregation process known as screen scraping.

Screen scraping requires consumers to provide their login credentials directly to the fintech app, or in many cases, to an intermediary known as a data aggregator. Given the risks associated with stolen consumer credentials, it is not surprising that a 2018 report[6] from the U.S. Treasury found, “there was universal agreement among financial services companies, data aggregators, consumer fintech application providers, consumer advocates, and regulators that the sharing of login credentials constitutes a highly risky practice.”

The U.S. Financial Crimes Enforcement Network (FinCEN) Director Ken Blanco[7] described the seriousness and scope of this threat: “In some cases, cybercriminals appear to be using fintech data aggregators and integrators to facilitate account takeovers and fraudulent wires…. [C]ybercriminals are able to exploit the platforms’ integration with various financial services to initiate seemingly legitimate financial activity while creating a degree of separation from traditional fraud detection efforts.”

In addition to the financial harm cybercrime causes, there are also less obvious costs. Brand damage and loss of trust can push customers to switch firms, leading to a rise in customer acquisition costs[8]. Costs from increased customer service complaints and the assistance required to reset breached accounts can quickly add up. These hidden costs are especially worrisome for small and midsize financial institutions where every customer counts and staff and resources may already be stretched thin.

Rather than force consumers to change their passwords or improve their password hygiene, which requires significant behavioral change, why not remove login credentials from data aggregation altogether? Fortunately, we can do just that through Application Programming Interfaces (APIs).

APIs provide a viable alternative for financial data access, acting as software intermediaries that allow applications to communicate with one another. API-based data access can be used to authenticate and authorize consumers directly with their financial institution, thus eliminating the need for login credentials to be held and stored externally by a fintech or data aggregator. In fact, Federal Deposit Insurance Corporation (FDIC) Chairman Jelena McWilliams believes, “there appears to be broad consensus within the industry that APIs and tokenization are a better method to facilitate data sharing to avoid the risks associated with screen scraping.”

Consequently, APIs are critical in reducing financial cybercrime. Some industry participants have begun to make the move to APIs, but why haven’t more financial institutions been able to adopt this new technology?

In Part II of this series, we will discuss what has held up the use of APIs for data aggregation and explain how we’re overcoming these challenges.


[1] Charlene Osborne. “COVID-19 blamed for 238% surge in cyberattacks against banks,” ZDNet, 5/14/2021. https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/.

[2] Zhanna Malekos Smith and Eugenia Lostri. “The Hidden Costs of Cybercrime,” McAfee and the Center for Strategic and International Studies, December 2020. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf.

[3] FBI Cyber Division, Private Industry Notification. “Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector,” 9/10/20. https://www.ic3.gov/media/news/2020/200929-1.pdf.

[4] Malekos Smith and Lostri.

[5] Lani Leuthvilay. “Password Usage Study: A Conversation with Yan Grinshtein,” HYPR, 12/10/19. https://www.hypr.com/password-usage-study-part-1/.

[6] U.S. Department of the Treasury. “A Financial System that Creates Economic Opportunities: Nonbank Financials, Fintech and Innovation,” July 2018. https://home.treasury.gov/sites/default/files/2018-07/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financi....pdf.

[7] FinCEN. Prepared Remarks of FinCEN Director Kenneth A. Blanco, delivered at the Federal Identity (FedID) Forum and Exposition – Identity: Attack Surface and a Key to Countering Illicit Finance, 9/24/19. https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-delivered-federal-identity-fedid.

[8] “Fintech Customer Acquisition – Building Trust,” Finextra, 2/26/2020. https://www.finextra.com/blogposting/18481/fintech-customer-acquisition---building-customer-trust.
