By Salvatore Stolfo on Aug 12, 2019 1:02:05 PM
The EU’s Revised Payment Service Directive, known as PSD2, offers exciting new opportunities for third parties to access bank accounts and disintermediate banks in transactions. PSD2 enables bank customers, both consumers and businesses, to use third-party providers to manage their finances. In the near future, individuals and businesses could be using Facebook or Google to pay bills, make transfers and analyze spending, all from their current bank account.
But there are serious security risks to consider. Banks are obligated to give these third-party providers access to their customers’ accounts through open APIs (application programming interfaces), which lets third parties build financial services on top of banks’ data and infrastructure. PSD2 also hands fraudsters a larger opportunity: impersonate the third party, insert themselves between the customer and the bank, and commit fraud unhindered. Every additional third-party payment website is another piece of attack surface, and each one has direct access to bank accounts. Banks have already seen a glimmer of this new attack surface with debit cards loaded onto smartphones. New defenses are needed to detect payment website clones in real time, and one solution on the horizon is responding by flooding the clone with AI-generated decoy identities and decoy bank accounts.
PSD2 offers fraudsters a new route to direct access to bank accounts: spoofing the third-party payment providers. Website spoofing is already a growing problem in the banking and financial industry; it has doubled in the last year and resulted in $1.3 billion in losses. The attack vector has been around for decades and remains popular because it is difficult to detect until it is too late. For a fairly small investment, an adversary can acquire everything needed on the dark web to set up a highly convincing spoofed website as part of a larger phishing campaign. Website spoofing works in all of the major browsers and is not prevented by "secure" connections: the spoofed site carries its own valid certificate, and when it is built as a proxy that relays traffic to the real site, the adversary can observe and modify every page and form submission while the browser's "secure connection" indicator stays lit. The user sees no easily discernible indication that anything is wrong. Even sites protected by two-factor authentication (2FA) cannot escape the assault when the second factor is a one-time code or a push approval, because the proxy simply relays that too; only authenticators that bind the login to the real site's origin, such as FIDO2/WebAuthn security keys, resist this kind of relay.
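One concrete way a legitimate site can notice that its pages are being served from a clone or a relaying proxy is a small page-side beacon, shown here as an added example written for this article (it is not Allure's product code). Everything specific in it is assumed: the real host is taken to be pay.example-bank.test, and reports are sent to a made-up endpoint at https://beacon.example.net/clone-report.

```javascript
// Page-side clone beacon. Example code for this article, not Allure's product.
// Assumed for the example: real host pay.example-bank.test, reporting endpoint
// https://beacon.example.net/clone-report (both made up).

// FNV-1a 32-bit hash of a string. The expected hostname is compared as a hash so
// the script never contains it in clear text: a proxy kit that rewrites every
// occurrence of the real hostname to its own in each response would otherwise
// also rewrite the value we compare against and silently pass the check.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Computed at load time only so the example runs stand-alone. In deployment the
// numeric value is embedded at build time and the hostname string is not shipped.
const EXPECTED_HOST_HASH = fnv1a32('pay.example-bank.test');
const REPORT_URL = 'https://beacon.example.net/clone-report'; // assumed endpoint

// Inspect a Location-like object ({hostname, protocol}). Returns null when the
// page is on the real host, otherwise a report describing the mismatch.
function inspectOrigin(loc) {
  const host = String(loc.hostname || '').toLowerCase();
  if (fnv1a32(host) === EXPECTED_HOST_HASH) return null;
  return {
    kind: 'clone-detected',
    observedHost: host,
    protocol: loc.protocol,
    referrer: typeof document !== 'undefined' ? document.referrer : '',
    ts: new Date().toISOString(),
  };
}

// Deliver a report through a caller-supplied transport so the logic is testable
// outside a browser. Returns true when a report was handed to the transport.
function reportClone(report, send) {
  if (!report) return false;
  return send(REPORT_URL, JSON.stringify(report)) !== false;
}

// Browser transport: sendBeacon survives page unload; fetch with keepalive is
// the fallback. Errors are swallowed so the beacon never breaks the page.
function browserSend(url, body) {
  if (typeof navigator !== 'undefined' && navigator.sendBeacon) {
    return navigator.sendBeacon(url, body);
  }
  fetch(url, { method: 'POST', body, keepalive: true, mode: 'no-cors' }).catch(() => {});
  return true;
}

// Run automatically only when loaded in a browser; in Node this is skipped.
if (typeof window !== 'undefined' && window.location) {
  reportClone(inspectOrigin(window.location), browserSend);
}
```

The beacon is an early-warning signal, not a guarantee: a proxy kit can strip the script entirely, and the report endpoint itself is a hostname the kit could rewrite, which is why it lives on a separate domain from the site being protected. It is most useful combined with server-side signals, and with the decoy response described later in this post.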
With PSD2, those third-party payment providers will certainly offer wallets and mobile apps, but their web interfaces are as easily spoofed as the websites of the banks whose data they access through the bank APIs. It is true that 2FA raises the bar, but with so much value to be stolen, man-in-the-middle attacks against it will become the norm for fraudsters, and providers will likely be pushed to add some still-undefined third factor to the security equation.
PSD2 opens a Pandora’s box of security risks and questions for any bank doing business in the EU. Under GDPR, any organization handling EU residents’ personal data must implement appropriate technical and organizational measures to protect it. That obligation does not stop at the organization’s own servers: spoofed sites that the organization never even knew about can still expose its customers’ data. In this new era of data privacy reform, not knowing about a cyber-attack does not protect your organization from fines. It is time to rethink the way we approach detection and mitigation of web spoofing incidents.
Common approaches to detecting website spoofing have been to search the web for the brand’s images and copied content, and to monitor new domain registrations for look-alike names. Neither helps an organization detect spoofing early in the lifecycle of an attack, before data is stolen. Nor do they tell the business how long the fake site has been active or, most importantly, how many customers or employees may have been victimized. The two biggest questions of all, who initiated the attack and how to deter the adversary from trying again, are left out of the mitigation process entirely.
A more sensible approach is to focus on early detection and a smarter mitigation strategy that is painful to the attacker and provides actionable data for targeted organizations.
Allure detects a spoofed website as soon as its first visitor views it during a phishing attack, and initiates the takedown process immediately. The idea is then to flood the adversary with highly believable decoy credentials and personal information. This creates doubt about what was actually stolen and makes it hard for the fraudster to tell real from fake. The only way to find out is to test every credential at the real site, which raises the adversary’s overhead and gives the defender a chance to gather information about the attacker each time a decoy login occurs, such as the IP addresses of endpoints under the attacker’s control. Once fraud is detected, intelligence is collected to quantify customer and brand impact, inform the response (for example, notifying impacted clients to reset passwords) and uncloak the attackers. The spoofed website can be flooded with decoy credentials until it is taken down, devaluing whatever the adversary collected, and Allure Decoy Documents are used to detect intrusions that result from the attack.
PSD2 is forcing the banking industry to change its approach to fraud detection. It’s now possible to shift the advantage in favor of the legitimate businesses victimized by website spoofing. Whether the motivation is to spread fake news in pursuit of influence, steal customer login credentials or credit card numbers for financial gain, or break into cloud shares and networks to exfiltrate intellectual property, website spoofing has devastating impacts on company reputation, consumer trust and corporate revenues. It’s time to take a more modern approach to solving this pervasive security problem. Simply detecting IP anomalies isn’t enough.