For a short while starting late last month, NCR Corp. blocked Mint and QuickBooks from its Digital Insight banking platform after cybercriminals used the financial data aggregators' sites to take over and tap consumer bank accounts.
Citing a chief security officer at a credit union, KrebsOnSecurity reported that the attackers automated the unauthorized logins, which occurred in 12-hour periods over one week and reached a new account every five to ten minutes. The attackers were often able to get in with just a username and password because Mint and QuickBooks didn’t adhere to multifactor authentication.
“The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” Krebs quoted the source as saying.
“Aggregator traffic is always sensitive because financial institutions have a large percentage of their clients using them legitimately,” said Robert Capps, vice president of market innovation at NuData Security.
“The complexity of the interconnected financial services industry is difficult for the average consumer to comprehend. This complexity provides avenues for attackers to exploit,” said Tim Erlin, vice president, product management and strategy at Tripwire. “A variety of services have grown organically from the more traditional banking system, and while security is often a top concern for each institution, the gaps between them can leave room for risk.”
But financial institutions can use the data gathered through those relationships and services to fight cybercriminals. “The good news is that banks can leverage data from these aggregators to be able to flag fraudulent behavior,” said Capps. “These types of attacks are sophisticated, and banks need to leverage their security layers to find suspicious patterns.”
Calling the type of attack experienced by NCR Corp. “highly sophisticated,” Capps said, “by looking at the details of the attack as well as its behavior, banks can cut down threats without adding friction to all their good customers by default.”
But Erlin noted that remediating breaches like the NCR incident often has its limitations. “When you have an incident to deal with, you can only take action on the systems where you have control,” he said. “It will be telling to see if this type of incident-driven access control is a recurring theme for the industry.”
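The login cadence reported above (a new account through the aggregator channel every five to ten minutes) is the kind of behavior a bank can flag without challenging established aggregator users. The sketch below is an added example, not code from NCR, KrebsOnSecurity or any vendor quoted here; the event schema, the `aggregator` channel label, the thresholds and the sample log data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def find_takeover_runs(events, linked, min_gap=5, max_gap=10, min_run=6):
    """Return runs of first-time aggregator logins spaced min_gap..max_gap minutes apart.

    events: (timestamp, channel, account, mfa_challenged) tuples (assumed schema).
    linked: accounts whose owners already use the aggregator legitimately.
    """
    seen, runs, current, last_ts = set(linked), [], [], None
    for ts, channel, account, mfa in sorted(events, key=lambda e: e[0]):
        if channel != "aggregator" or account in seen:
            continue  # ignore other channels and established aggregator users
        seen.add(account)
        if last_ts is not None:
            gap = (ts - last_ts) / timedelta(minutes=1)
            if not (min_gap <= gap <= max_gap):  # cadence broken: close the run
                if len(current) >= min_run:
                    runs.append(current)
                current = []
        current.append((ts, account, mfa))
        last_ts = ts
    if len(current) >= min_run:
        runs.append(current)
    return [{"start": r[0][0], "end": r[-1][0],
             "accounts": [a for _, a, _ in r],
             "no_mfa": sum(1 for _, _, m in r if not m)} for r in runs]

def sample_events():
    """Constructed log data, not taken from the incident."""
    day = datetime(2024, 1, 1)
    ev = [(day + timedelta(hours=6), "aggregator", "alice", True),
          (day + timedelta(hours=7), "aggregator", "carol", True),   # lone new link
          (day + timedelta(hours=9, minutes=3), "web", "bob", True),
          (day + timedelta(hours=20), "aggregator", "dave", True)]   # lone new link
    ts = day + timedelta(hours=9)
    for i in range(12):  # steady run: a new account every 5 to 10 minutes
        ev.append((ts, "aggregator", f"victim{i:02d}", i % 3 == 0))
        ts += timedelta(minutes=(5, 7, 10)[i % 3])
    return ev

if __name__ == "__main__":
    for run in find_takeover_runs(sample_events(), linked={"alice", "bob"}):
        print(run["start"], run["end"], len(run["accounts"]), "accounts,",
              run["no_mfa"], "without MFA challenge")
```

The `no_mfa` count surfaces the inconsistency the credit union source described, where some logins in the same run received a multi-factor challenge and others did not.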