Automated bots can wreak havoc on banks, but building an airtight defense can impede a good user experience. The challenge is separating the good bots, such as search aggregators, from the bad ones attempting fraud. In this month’s Digital Fraud Tracker, PYMNTS spoke with Raghu Valipireddy, SVP and chief information security officer for Axos Bank, about the company’s multilayered approach to differentiating bots, and why many FIs are overzealous with their anti-bot firewalls.
The financial sector is no stranger to crime. The days of Jesse James or Baby Face Nelson kicking down doors and making off with giant bags emblazoned with dollar signs may be over, but prospective thieves are turning to digital fraud methods that can ultimately steal just as much money — and go on for months or years without being noticed.
Many cybercriminals rely on bots to conduct their schemes, leveraging automated programs that skim data and probe logins at a volume no manual attack could match, overwhelming banks' defenses. Digital FIs are particularly concerned about the threat of fraud, including San Diego-based Axos Bank, which has more than $12 billion in assets to protect and sees the constant battle with "bad" bots as a never-ending arms race.
“We like to think of [bots] like bacteria,” Raghu Valipireddy, senior vice president and chief information security officer at Axos Bank, told PYMNTS in a recent interview. “Bacteria gets used to the medicines that we take to prevent them, [then] they mutate and, in a couple of decades or so, the bacteria overpower [the newly developed] medications. Then those medications have to be tweaked and made more powerful.”
This philosophy is the core of any bot attack prevention system, with the need for defenses to constantly evolve and adapt to the latest variations. The bank uses several parameters to detect and eliminate hostile bots or other fraud attempts while ensuring that beneficial or benign bots — like Google’s search engine aggregators — are not impeded.
Good Bots and Bad Bots
One of the biggest misconceptions about bots is that they are all hostile, Valipireddy explained, but many are actually beneficial, including unsolicited ones.
“People used to think [all] bots are bad, but that’s not always the case,” he noted. “Some bots are actually good. Think about what Google did to the internet: Google uses bots to search and crawl through the internet ecosystem, capture a lot of information and make it available for [view on Google] Search.”
Blocking these bots would prevent Axos from being easily found on Google — the most popular website on Earth — and cripple new customers' ability to find it online. Other beneficial bots come from aggregators, such as the budget tracker Mint, which scrapes data from users' bank accounts to give them up-to-date asset information for their monthly budgets.
“In the past, a lot of organizations took the stance of blocking all the bots,” Valipireddy said. “But if [Axos] were to block these bots, I’m pretty sure customers who like … services [like Mint and Google] are not going to be happy.”
Hostile bots’ threats are very real, however. Fraudsters weaponize automated bots to skim data from Axos and other financial institutions (FIs), stealing customer data such as Social Security numbers, credit card data and home addresses.
“As fraudsters collect thousands of stolen credentials like login names and passwords, they try to use bots to validate if what they’ve captured [is] correct or not,” Valipireddy noted. “They use those bots in an automatic fashion to log into a website — not just at Axos, but any other bank site. If they’re correct, then jackpot — they found something that’s of value: a correct login and password.”
Fraudsters typically have two options if successful: They use the stolen credentials themselves or sell them on a dark web marketplace. Axos’ job is to make sure they never make it to that point.
Keeping the Bad Bots Out
Differentiating good bots from bad bots becomes difficult as fraudsters use more sophisticated techniques. Hard-and-fast rules that may have worked in the past are no longer applicable with today’s fraud attempts, Valipireddy explained.
“There used to be a time [with] simple techniques of detection, such as someone accessing a bank from an IP address that is outside of the U.S.,” he said. “[But now] it could be a valid customer that’s vacationing or going on a business trip and accessing his bank. Simple techniques like that don’t scale for a digital bank like us.”
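The two signals described above, volume and variety of credential-validation attempts on one side and verified crawler identity on the other, can be checked in a few dozen lines. The following is an added example, not Axos Bank's code and not from the PYMNTS interview: it runs a triage pass over a constructed log window, flags a client that tries many different usernames with a high failure rate regardless of where its IP is located, lets a customer who fumbles a password a couple of times through, and trusts a "Googlebot" user agent only after the reverse-then-forward DNS check Google documents for its crawlers. Every IP address, hostname, username, threshold and the `FakeResolver` DNS table are constructed for the example.

```python
"""Added example: offline bot triage over constructed login/crawl log lines.

Not Axos Bank's code and not from the PYMNTS article. Every IP, hostname,
username, threshold and DNS answer here is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format: space-separated key=value tokens, all lines
# assumed to fall inside one detection window (say, five minutes).
#   ip=203.0.113.7 path=/login user=u17 status=401 ua=Mozilla/5.0
#   ip=192.0.2.10 path=/rates status=200 ua=Googlebot/2.1


def parse(line: str) -> dict:
    return dict(tok.split("=", 1) for tok in line.split())


@dataclass
class ClientStats:
    attempts: int = 0                        # POST /login requests seen
    failures: int = 0                        # ... of which did not return 200
    users: set = field(default_factory=set)  # distinct usernames tried
    uas: set = field(default_factory=set)    # user agents presented


def aggregate(lines):
    """Per-client counters for one window."""
    stats = defaultdict(ClientStats)
    for rec in map(parse, lines):
        s = stats[rec["ip"]]
        s.uas.add(rec["ua"])
        if rec["path"] == "/login":
            s.attempts += 1
            s.users.add(rec.get("user", "-"))
            if rec["status"] != "200":
                s.failures += 1
    return stats


def is_credential_stuffing(s, min_attempts=20, min_users=10, min_fail_rate=0.8):
    """Many logins, many *different* usernames, mostly failing: a bot checking
    a stolen credential list. A customer mistyping their own password from
    abroad has one username and a handful of attempts, so geography is not
    needed as a signal. Thresholds are assumed values for the example."""
    if s.attempts < min_attempts:
        return False
    return len(s.users) >= min_users and s.failures / s.attempts >= min_fail_rate


# Crawler user-agent token -> domains its reverse-DNS name must end in.
GOOD_BOTS = {"Googlebot": ("googlebot.com", "google.com")}


class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline; a real
    deployment would use socket.gethostbyaddr / socket.getaddrinfo."""
    PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com"}
    A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}

    def reverse(self, ip):
        return self.PTR.get(ip)

    def forward(self, host):
        return self.A.get(host, [])


def verify_good_bot(ip, ua, resolver):
    """Reverse lookup must land in the vendor's domain AND forward-resolve
    back to the same IP; copying the user-agent string is not enough."""
    for token, domains in GOOD_BOTS.items():
        if token in ua:
            host = resolver.reverse(ip)
            if host is None or not host.endswith(tuple("." + d for d in domains)):
                return False
            return ip in resolver.forward(host)
    return False


def triage(lines, resolver):
    """Map each client IP in the window to a verdict string."""
    verdicts = {}
    for ip, s in aggregate(lines).items():
        ua = " ".join(sorted(s.uas))
        if is_credential_stuffing(s):
            verdicts[ip] = "block: credential stuffing"
        elif any(tok in ua for tok in GOOD_BOTS):
            verdicts[ip] = ("allow: verified crawler" if verify_good_bot(ip, ua, resolver)
                            else "challenge: unverified crawler UA")
        else:
            verdicts[ip] = "allow"
    return verdicts


# Constructed sample window: one stuffing bot (24 usernames, 22 failures),
# one travelling customer who fumbles a password twice, one real crawler,
# one scraper spoofing the Googlebot user agent.
SAMPLE_LOG = (
    [f"ip=203.0.113.7 path=/login user=u{i} status={'200' if i % 12 == 0 else '401'} ua=Mozilla/5.0"
     for i in range(24)]
    + ["ip=198.51.100.4 path=/login user=alice status=401 ua=Mozilla/5.0",
       "ip=198.51.100.4 path=/login user=alice status=401 ua=Mozilla/5.0",
       "ip=198.51.100.4 path=/login user=alice status=200 ua=Mozilla/5.0",
       "ip=192.0.2.10 path=/rates status=200 ua=Googlebot/2.1",
       "ip=203.0.113.99 path=/rates status=200 ua=Googlebot/2.1"]
)

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, FakeResolver()).items():
        print(f"{ip:15} {verdict}")
```

The design point is that the stuffing verdict never looks at the IP's country: the bot and the travelling customer could share the same foreign address range and still be told apart by username variety and failure rate. Conversely the crawler verdict never trusts the user agent on its own, which is why the spoofed client gets a challenge rather than the free pass a real Googlebot receives.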
Axos instead relies on a multilayered defense, with each layer using a different mechanism, so fraudsters must develop a separate bypass for every layer. Attacks must first pass through two filtering systems, one running on Axos' own servers and the other cloud-based, built by different vendors with their own rule sets, so a trick that works against one is unlikely to work against the other. A gap in one filter's coverage will likely be caught by the other because the two focus on different signals.
“If the [first filter] is doing a poor job of updating the signature, or some rules or intelligence or whatnot, we’re still having that email load go through the [second filter], which has its own intelligence and rules to apply to our email,” Valipireddy explained.
Anything that makes it through both filters still faces the security features of Axos' email provider, which warn employees about potentially hostile content before they click on a phishing link, for example. Employees who ignore this warning are still protected by Axos' final security layer: a network perimeter defense of intrusion detection systems and firewalls that guards against automated malware.
Fraudsters’ motives are always changing, however — meaning Axos and other digital banks will need to stay on their toes to anticipate the latest threats.
Digital Fraud Evolves and Adapts
Bad actors’ methods have changed in the past and will certainly evolve in the future, Valipireddy said. The last few years have seen a sea change in fraud methods, as bad actors shift from opportunistic rabble-rousing to more targeted attacks for monetary gain.
“Hackers’ motivations have largely shifted over the last decade, from just causing disruptions to carrying out attacks for the sole purpose of making money, [like] holding individuals or groups [for] ransom,” he noted. “Currently, much of the ransomware attacks are opportunistic in that a bad actor can spray the malware to a large number of organizations and hope that some of them will fall prey to it. As we continue to mature our cyber defenses, the hackers will lean toward targeted ransomware attacks that are more sophisticated, but could reap larger payoffs.”
This change in strategy will need to be echoed in digital fraud defenses for the entire financial industry, especially before hackers get too far ahead. Playing catch-up will only result in FIs perpetually fighting last month’s fraud rather than the current trend, which will almost certainly lead to fraudsters’ success.