It's one thing to defraud a bank and its customers, but it is quite another for cybercriminals to get away with it.
The attack isn’t complete once stolen funds have been moved into a dummy or money-mule bank account. The fraudster still has to turn the digital funds into tangible currency, and do so without leaving behind a paper trail. To conceal their identity when the time comes to cash out, fraudsters have turned to Virtual Private Networks (VPNs), proxy servers, IP-hiding software, the Tor Browser, or any other program or application that gives them the cover of anonymity.
For years this approach worked. The security controls of most banks are not designed to stop transactions that, on the surface, look completely normal. As detection of IP-address and geolocation hiding has caught up, the way many cybercriminals carry out the fraud has evolved to stay one step ahead.
IP Camouflage: The New Threat Vector
Hackers steal customer login credentials from many different kinds of organizations, but when it comes to banks, make no mistake: cybercriminals want that information to gain access to online bank accounts and siphon off funds. This makes account takeovers (ATOs) particularly harmful, as it is the account holder who suffers the most. The attack can be just as damaging to the financial institution itself, which reimburses the lost funds and risks lasting damage to its reputation and a loss of consumer trust.
Once cybercriminals have harvested one or a number of account holder login credentials – and perhaps even the one-time passcodes used for second-factor authentication – they are ready to perform the account takeover. Doing so while employing anonymizing software makes the digital heist harder to trace. That is why a growing number of ATO attacks are carried out using IP concealing technology to hide the attacker’s true identity and location.
Not all proxy/anonymizing technology, however, is being used for malicious purposes. Some IP concealing software and applications are perfectly legitimate and employed by individuals or organizations that wish to maintain their privacy or bolster security. Many companies and internet service providers, for example, employ some kind of VPN in their network configurations. When legitimate logins to a bank’s transactional pages are inevitably performed from this environment – how can the financial institution tell the real customers from the cybercriminals attempting an ATO?
There is an important distinction between anonymizing tools used for legitimate reasons and those employed by an attacker trying to break into an online bank account. Corporate VPNs, hosting providers, data centers and content delivery networks, for example, place a shared address in front of the traffic of companies and other organizations. A user who logs into a bank’s web platform with a cloaked IP address, or through a public or web proxy, is more likely to be doing so with malicious intent, so those visits deserve closer scrutiny.
How Banks Can Defend Against IP-Cloaked ATOs
To protect against an ATO by an IP-concealing attacker, financial institutions should watch for behaviors that are a strong indication that someone connected to the bank’s web platform is up to no good. Such conspicuous behavior can include:
- An unusual number of failed login attempts
- Login attempts made from different geolocations within a short period (a sign that the connection is being routed through a proxy or VPN exit)
- A password change followed by unusual transaction behavior
- A change of address before making a purchase
- Purchases of expensive consumer goods, or an unusually high number of them
A solution that can detect when a connection to the bank’s web platform is being made through a proxy or IP-hiding software would help shut down a large share of the ATOs targeting the bank. That solution must also be able to distinguish anonymous visits that are likely coming through a legitimate corporate VPN or proxy from those that should be treated as suspicious and as probable evidence of an ATO attempt.
Since not every end user who connects to transactional pages anonymously is a cybercriminal, the bank must have full control over how it treats such activity, and that control must be flexible enough to be adjusted as circumstances change.
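The behavioral signals listed above, combined with a network-class lookup and a bank-controlled policy of the kind the preceding two paragraphs describe, can be put together as a small session risk scorer. The following is an added example written for this page, not code from the original article or from any vendor product. The session log, the IP classification table (a stand-in for an IP intelligence feed) and every weight and threshold in `POLICY` are constructed, assumed values; the IP addresses are RFC 5737 documentation addresses.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user kind ip country amount")

# Constructed session log for three customers (not real data; IPs are RFC 5737
# documentation addresses). amount is only set on transfer/purchase events.
RAW_LOG = [
    ("2024-03-01T09:00:00", "alice", "login_ok",        "198.51.100.5", "US", None),
    ("2024-03-01T09:05:00", "alice", "transfer",        "198.51.100.5", "US", 120.0),
    ("2024-03-01T10:00:00", "carol", "login_ok",        "192.0.2.77",   "US", None),
    ("2024-03-01T10:02:00", "carol", "purchase",        "192.0.2.77",   "US", 45.0),
    ("2024-03-01T22:00:00", "bob",   "login_fail",      "192.0.2.77",   "NL", None),
    ("2024-03-01T22:00:20", "bob",   "login_fail",      "192.0.2.77",   "NL", None),
    ("2024-03-01T22:00:45", "bob",   "login_fail",      "192.0.2.77",   "NL", None),
    ("2024-03-01T22:01:10", "bob",   "login_ok",        "192.0.2.77",   "NL", None),
    ("2024-03-01T22:03:00", "bob",   "password_change", "192.0.2.77",   "NL", None),
    ("2024-03-01T22:20:00", "bob",   "login_ok",        "192.0.2.200",  "RO", None),
    ("2024-03-01T22:25:00", "bob",   "transfer",        "192.0.2.200",  "RO", 4800.0),
]

# Constructed stand-in for an IP intelligence feed that labels source addresses.
# Anything not listed is treated as "unknown".
NET_CLASS = {
    "198.51.100.5": "corporate_vpn",
    "192.0.2.77": "public_proxy",
    "192.0.2.200": "tor_exit",
}

# Bank-controlled policy (assumed values). Weights and thresholds are the knobs
# the institution tunes; nothing here is hard-coded into the scoring logic.
POLICY = {
    "net_weight": {"corporate_vpn": 0, "hosting": 1, "unknown": 1,
                   "public_proxy": 3, "tor_exit": 4},
    "signal_weight": {"failed_login_burst": 2, "geo_hop": 3,
                      "profile_change_then_transaction": 3,
                      "high_value_transaction": 2},
    "failed_login_threshold": 3,
    "burst_window": timedelta(minutes=5),
    "geo_window": timedelta(hours=1),
    "post_change_window": timedelta(hours=24),
    "high_value": 2000.0,
    "step_up_at": 3,   # score at which to demand extra verification
    "block_at": 6,     # score at which to refuse the session
}

def parse_log(raw):
    return [Event(datetime.fromisoformat(ts), u, k, ip, c, a) for ts, u, k, ip, c, a in raw]

def behavioral_signals(events, policy):
    """Return the set of suspicious-behaviour signals present in one user's events."""
    ev = sorted(events, key=lambda e: e.ts)
    found = set()
    # Burst of failed logins inside a short window.
    fails = [e.ts for e in ev if e.kind == "login_fail"]
    for start in fails:
        if sum(start <= t <= start + policy["burst_window"] for t in fails) >= policy["failed_login_threshold"]:
            found.add("failed_login_burst")
    # Successful logins from different countries too close together to be real travel.
    logins = [(e.ts, e.country) for e in ev if e.kind == "login_ok"]
    for t1, c1 in logins:
        for t2, c2 in logins:
            if c1 != c2 and timedelta(0) <= t2 - t1 <= policy["geo_window"]:
                found.add("geo_hop")
    # Password or address change followed by a transfer/purchase; high-value transactions.
    changes = [e.ts for e in ev if e.kind in ("password_change", "address_change")]
    for e in ev:
        if e.kind in ("transfer", "purchase"):
            if e.amount >= policy["high_value"]:
                found.add("high_value_transaction")
            if any(timedelta(0) <= e.ts - c <= policy["post_change_window"] for c in changes):
                found.add("profile_change_then_transaction")
    return found

def assess(user, events, policy):
    """Score one user's session and map it to the bank's configured action."""
    own = [e for e in events if e.user == user]
    net_classes = {NET_CLASS.get(e.ip, "unknown") for e in own}
    # The worst network class seen in the session sets the baseline score.
    score = max(policy["net_weight"].get(c, policy["net_weight"]["unknown"]) for c in net_classes)
    signals = behavioral_signals(own, policy)
    score += sum(policy["signal_weight"][s] for s in signals)
    if score >= policy["block_at"]:
        action = "block"
    elif score >= policy["step_up_at"]:
        action = "step_up"
    else:
        action = "allow"
    return {"user": user, "net_classes": sorted(net_classes),
            "signals": sorted(signals), "score": score, "action": action}

if __name__ == "__main__":
    events = parse_log(RAW_LOG)
    for user in ("alice", "carol", "bob"):
        print(assess(user, events, POLICY))
    # The same proxy-only visit under a policy that tolerates public proxies.
    relaxed = dict(POLICY, net_weight=dict(POLICY["net_weight"], public_proxy=0))
    print(assess("carol", events, relaxed))
```

With the assumed values, alice (corporate VPN, normal activity) is allowed, bob (public proxy and Tor exit, failed-login burst, country hop, password change followed by a large transfer) is blocked, and carol, whose only oddity is a public proxy, gets a step-up challenge under the default policy and is allowed once the bank lowers the weight for public proxies. The scoring is deliberately additive and the thresholds live in one dictionary so that the institution, not the code, decides how an anonymous visit is treated.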