Digital Banks Prove Increasing Target for Account Takeover Attacks

November 26, 2019 | By: Steven Anderson

The notion of the challenger bank, often a wholly online affair, has brought with it plenty of change in the banking field and the wider economy beyond. For mobile payments users, this has brought both opportunity and challenges as mobile banking and mobile payments often go hand-in-hand. The folks at Segasec recently sent some research our way and revealed that digital banks are frequent targets for account takeover attacks.

Granted, it’s no secret that digital banks would be prime targets for hackers—that’s where the money is, after all—but Segasec found that digital banks were rather heavily targeted. Segasec—an Israeli security firm—monitored several major challenger banks from October 17 to November 5, and over those roughly two weeks made some shocking discoveries.

Monzo.com alone, which is one of the fastest-growing digital banks around with new subscriber numbers in the “tens of thousands”, found itself up against two possible attacks and fully 229 “suspicious URLs” that could have been part of other attacks. One featured the Monzo name and logo, along with wording lifted verbatim from the official Monzo site.

Chime Bank, meanwhile, only had 71 suspicious URLs in that time, but also had two possible attacks in the making.

Revolut proved the leader in attack patterns, however, with fully 367 suspicious URLs uncovered and 10 possible attacks in the making. Worse, several of those attacks used Punycode, the encoding that lets domain names carry characters outside the standard ASCII set, which browsers then convert to Unicode for display. A look-alike character swapped into a familiar name this way would effectively prove an “invisible” attack to customers.
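As an added illustration (not code from Segasec's research or from the original article), the Python sketch below shows how a defender might flag Punycode hostnames that render as a bank's name. The brand watch list, the short confusables table and the sample URLs are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Brand names taken from the article; treating them as a watch list is an assumption.
BRANDS = {"monzo", "revolut", "chime"}

# Small illustrative subset of Cyrillic look-alikes, not the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
    "\u0440": "p", "\u0456": "i", "\u04bb": "h",
})

def decode_label(label):
    """Return the Unicode form of one DNS label; Punycode labels start with 'xn--'."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # UnicodeError subclasses ValueError: malformed label
            return label
    return label

def skeleton(text):
    """Fold look-alikes to ASCII: map known confusables, then strip accents."""
    folded = unicodedata.normalize("NFKD", text.translate(CONFUSABLES))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))

def check_url(url):
    """Return (displayed_host, brand) if a Punycode label renders as a brand, else None.
    Only whole-label matches are caught; 'brand-login' style names need other checks."""
    raw_labels = (urlsplit(url).hostname or "").split(".")
    shown = [decode_label(label) for label in raw_labels]
    for raw, text in zip(raw_labels, shown):
        if raw.startswith("xn--") and skeleton(text) in BRANDS:
            return ".".join(shown), skeleton(text)
    return None

def puny(label):
    """Build a constructed sample: encode a Unicode label the way it appears in DNS."""
    return "xn--" + label.encode("punycode").decode("ascii")

# Constructed sample URLs (not indicators from the Segasec research).
SAMPLE_URLS = [
    "https://revolut.com/login",                            # genuine ASCII name
    "https://" + puny("rev\u043elut") + ".com/login",       # Cyrillic 'о' in place of 'o'
    "https://" + puny("monz\u00f3") + ".com/",              # accented 'ó'
    "https://" + puny("m\u00fcnchen") + ".example/",        # benign IDN, no brand match
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", check_url(url))
```

The same check can be run over proxy, DNS or mail-gateway logs to surface `xn--` hostnames that display as a protected brand.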

Granted, none of this is a particularly new development. We know that online-only banks are a huge target because, as Scott Adams put it, that’s where the money is, and money draws weasels. Thus, users of online-only banks are left with the issue that their banking platform of choice is inherently popular among end users and hackers alike, and should plan accordingly.

The extent to which hackers are willing to go, however, should serve as a truly chilling cautionary tale for those who plan to use online-only banking. It’s a great potential option for mobile payments users, but it needs to be treated carefully given the depth of hacks being staged therein.