For years now, the biggest security concerns for businesses in the financial services sector have mainly been related to data security, privacy, compliance and everything in between. Nevertheless, application security is equally important and complex: the application layer exposes multiple attack vectors that can be exploited to orchestrate an attack. In fact, data breaches and leaks can occur just as easily through the application layer as through unauthorized database access. One of the most notable threats to application security in recent years has been bad bots.
Bots are applications that run automated tasks on the internet. Not all of them are bad: Googlebot, for example, helps build a searchable index of documents and web pages on the internet, and social media crawlers serve a similar purpose. The majority of bot traffic is bad, however. Imperva Research Labs reported that in 2019, bad bots accounted for 24.1 percent of traffic, compared to 13.1 percent for good bots. Bad bots have been terrorizing the internet for the past couple of years, growing in sophistication and persistence. Some of the most advanced bad bots today are able to mimic human interactions with web applications in an extraordinarily convincing way, which makes them a nightmare to detect and manage.
In 2019, financial services were hit the hardest when compared to all other industries, with 47.7 percent of traffic being from bad bots. This doesn’t come as a surprise really, as bad bot operators are always looking for the most profitable source of income, and financial services hold the most coveted incentives. Not only that, but the lion’s share (over three-quarters) of bad bot traffic to financial services is made up of moderate or sophisticated bad bots, the kind that are harder to detect and manage. What are these bad bots doing? What are their specific targets?
- Account takeover and fraud: Also known as credential stuffing, credential cracking or dictionary attacks. In these brute-force-style attacks, bad actors attempt to gain unauthorized access to user accounts. Financial services suffer from these attacks regularly; in fact, the biggest account takeover attack Imperva handled targeted an online banking service. When account takeover attacks are successful, the ramifications are far-reaching: noncompliance with data privacy regulations, loss of PII (Personally Identifiable Information), significant brand damage, customer dissatisfaction, increased fraud and customer support costs, and customer churn.
- Credit card fraud (card cracking or carding): These are two different methods in which bad actors use bots either to run authorizations against stolen credit card details to confirm they are valid, or to guess the missing parts of partial credit card information they already have in hand. This directly damages the fraud score of a business and increases customer service costs for processing fraudulent chargebacks.
- Custom content theft, including financial data scraping: Your competitors may be scraping your proprietary content and rates, FinTech companies may be scraping your data to use and re-sell, and aggregators may be scraping your sensitive information. All of these actions and more may result in revenue lost to competitors.
- Attacks on the Application Programming Interface (API): APIs are often used to serve web browsers, mobile applications, and IoT devices, and they have become an integral part of the digital world over the past few years. Bad bots exploit API endpoints to gain access to sensitive data in attacks such as API scraping and web and mobile API hijacking. Many organizations fail to manage API security, relying on simple authentication tokens or basic IP rate limiting to protect these critical attack surfaces.
- Denial of service at the application layer: Automated application layer attacks are different from volumetric DDoS attacks. While volumetric attacks are directed at the network and transport layers (layers 3 and 4), bad bot activity targets the application layer (layer 7). In many cases, this isn’t the direct intention of the attackers, but rather an indirect consequence of the heavy load caused by the sheer number of requests to the web server. Successful DDoS attacks slow down web applications, hampering performance and elevating the risk of downtime. This results in lost revenue due to the website’s unavailability, as well as damage to brand reputation.
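To make the credential-stuffing pattern from the account takeover bullet concrete, here is an added detection example (not Imperva's code) that runs over constructed login lines; the log format, the thresholds and the `analyze_logins` helper are assumptions. It shows why the basic per-IP rate limiting mentioned under the API bullet is not enough on its own: a run spread across many IPs, each making a single attempt against a different account, produces no noisy IP at all but a high failure ratio across many distinct accounts.

```python
"""Credential-stuffing detector over a constructed login log.

Added example, not Imperva code. Log lines are constructed; the field
layout "time ip username result", the thresholds and the function name
are assumptions for the demonstration.
"""
from collections import Counter, defaultdict

# Constructed sample: a distributed, low-and-slow run (one failed attempt
# per IP against a different account each time) mixed with normal logins.
SAMPLE_LOG = """\
10:00:01 198.51.100.10 alice FAIL
10:00:02 198.51.100.11 bob FAIL
10:00:02 198.51.100.12 carol FAIL
10:00:03 198.51.100.13 dave FAIL
10:00:03 198.51.100.14 erin FAIL
10:00:04 198.51.100.15 frank FAIL
10:00:05 198.51.100.16 grace FAIL
10:00:05 198.51.100.17 heidi OK
10:00:06 203.0.113.7 alice OK
10:00:07 203.0.113.8 ivan FAIL
10:00:07 203.0.113.8 ivan OK
"""

def parse(log):
    """Turn log text into (time, ip, user, succeeded) tuples."""
    return [(t, ip, u, r == "OK") for t, ip, u, r in
            (line.split() for line in log.splitlines())]

def analyze_logins(log, per_ip_limit=5, per_ip_users=3,
                   distinct_fail_accounts=5, fail_ratio=0.5):
    """Combine a per-IP signal (what rate limiting sees) with a
    fleet-wide signal (distinct accounts failing) that it does not."""
    events = parse(log)
    fails_by_ip, users_by_ip = Counter(), defaultdict(set)
    failed_accounts = set()
    for _, ip, user, ok in events:
        if not ok:
            fails_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            failed_accounts.add(user)
    fails = sum(fails_by_ip.values())
    ratio = round(fails / len(events), 2) if events else 0.0
    # Per-IP: many failures, or many different accounts, from one source.
    noisy_ips = sorted(ip for ip in fails_by_ip if fails_by_ip[ip] >= per_ip_limit
                       or len(users_by_ip[ip]) >= per_ip_users)
    # Fleet-wide: many distinct accounts failing in the window, high fail ratio.
    distributed = (len(failed_accounts) >= distinct_fail_accounts
                   and ratio >= fail_ratio)
    return {"noisy_ips": noisy_ips, "distinct_failed_accounts": len(failed_accounts),
            "fail_ratio": ratio, "distributed_stuffing": distributed}

if __name__ == "__main__":
    print(analyze_logins(SAMPLE_LOG))
```

A single-source brute force trips the per-IP signal instead, so both checks belong in the same pipeline; in production the window would be time-bounded and the thresholds tuned to the site's normal failure rate.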
Imperva’s Advanced Bot Protection safeguards websites, mobile applications, and APIs from automated threats without affecting the flow of business-critical traffic. It is a key component in Imperva’s market-leading, full-stack application security platform. The platform combines best-of-breed solutions that bring defense-in-depth to a new level.
To learn more about how Application Security is important for financial services, join our webinar, Protecting Your Digital Investments: Why Application Security is More Important Than Ever. Register now.
Advanced Bot Protection is a part of Imperva’s Application Security platform. Start your Application Security Free Trial today to protect your assets from Grinch bots and other automated threats.