For a short while starting late last month, NCR Corp. blocked Mint and QuickBooks from its Digital Insight banking platform after cybercriminals used the financial data aggregators' sites to take over and tap consumer bank accounts.
Citing a chief security officer at a credit union, KrebsOnSecurity reported that the attackers automated unauthorized logins, which occurred in 12-hour periods over a one-week period and accessed a new account every five to ten minutes. The attackers often were able to get in with just a username and password because Mint and QuickBooks didn’t adhere to multifactor
“The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” Krebs quoted the source as saying.
“Aggregator traffic is always sensitive because financial institutions have a large percentage of their clients using them legitimately,” said Robert Capps, vice president of market innovation at NuData Security.
“The complexity of the interconnected financial services industry is difficult for the average consumer to comprehend. This complexity provides avenues for attackers to exploit,” said Tim Erlin, vice president, product management and strategy at Tripwire. “A variety of services have grown organically from the more traditional banking system, and while security is often a top concern for each institution, the gaps between them can leave room for risk.”
But financial institutions can use the data gathered through those relationships and services to fight cybercriminals. “The good news is that banks can leverage data from these aggregators to be able to flag fraudulent behavior,” said Capps. “These types of attacks are sophisticated, and banks need to leverage their security layers to find suspicious patterns.”
Calling the type of attack experienced by NCR Corp. “highly sophisticated,” Capps said, “by looking at the details of the attack as well as its behavior, banks can cut down threats without adding friction to all their good customers by default.”
But Erlin noted that remediating breaches like the NCR incident often has its limitations. “When you have an incident to deal with, you can only take action on the systems where you have control,” he said. “It will be telling to see if this type of incident-driven access control is a recurring theme for the industry.”