Financial-services firms, and fintechs particularly, have been swamped with account-takeover attacks over the past year, leaving many consumers wary of visiting these sites, according to a report issued Thursday by Sift Science Inc.
Indeed, the volume of account-takeover attacks overall more than tripled between the second quarter of 2019 and the same period this year, Sift reported. As a result, ATO attacks now represent fully 39% of all fraud attempts blocked by Sift’s technology.
But for financial-technology and financial-services firms, the assault has been even more troubling. Attacks against these companies were up a staggering 850% in the June quarter compared to the same period last year, Sift says, with criminals particularly focusing on cryptocurrency exchanges and digital wallets. Their aim, the company says, is to liquidate users’ accounts or “make illicit purchases.” This increase in attacks was far and away higher than the 142% jump for the group accounting for the second-highest increase, digital goods and services.
The consequences of this barrage of fraud go beyond the losses sustained by consumers. Just shy of half of consumers queried by Sift said they feel they are most at risk when visiting financial-services sites. One-quarter of the consumers reached by Sift said they had been defrauded on financial-services sites.
In ATO attacks, fraudsters use a credential-stuffing technique to gain access to legitimate accounts and raid the value they may hold. One criminal group sought to overwhelm its targets’ defenses by deploying more than 1.5 million stolen user-name and password combinations, Sift reported. The barrage at times peaked at 2,691 log-in attempts per second, with the attempts masked to make it appear they were coming from different locations. Sift says the overwhelming assault arrived at “an unthinkable pace.”
Such automated ATO attacks can not only make fishy logins appear legitimate but also make legitimate logins look suspicious, notes Jane Lee, trust and safety architect at San Francisco-based Sift. “At the same time, poor consumer security habits—like reusing passwords for multiple accounts—make it easy and continue to breathe life into the fraud economy,” she adds in a statement.
For the study, Sift gathered data from a network of more than 34,000 sites and apps that use Sift services, in addition to responses from more than 1,000 consumers canvassed in July and August.