Fintech aggregators and Open Banking: Service enablers or an unfortunate backdoor for fraud?

December 8, 2021

Open banking is here to stay. The European Payment Services Directive 2 (PSD2) requires financial institutions to open their customers’ account information, including historical and current data, to the Third-Party Providers (TPPs) their customers engage with. This brings numerous benefits, such as allowing new market participants to offer innovative financial services and banking solutions to the masses.

As a whole, these Fintech services provide new and exciting customer services and help people manage their finances. After all, hundreds of millions of people already rely on TPPs to access bank accounts, initiate payments, and invest hard-earned savings. However, it is critical that financial institutions and TPPs co-operate to protect their now mutual customers, and not just focus on growth.

Left alone, these aggregators allow criminals access to a brand-new attack vector. This is especially challenging for startups that have not yet reached the critical mass to support extensive fraud prevention teams but still face the same fiercely competitive market, tough growth goals, and the myriad of fraud methods that challenge the well-established and new entrants alike.

An issue with Open Banking aggregators

A lot of the problems stem from the way most aggregators access customers’ accounts. Customers are often misled into believing that they are simply signing in to their regular bank account through the aggregator application, because many aggregator connections look like their bank’s standard authentication service.

This is not the case.

Even when the aggregator login screen mirrors the bank, it is often a completely separate service. Once an aggregator has customer credentials, fintech apps and aggregators may store them on their servers. This means that the safety of the customer’s bank credentials is now reliant on the aggregator’s security infrastructure – or lack thereof.

Beyond potentially leaking banking credentials, the aggregators can also serve as a vehicle for testing breached credentials at scale, as financial institutions’ credential stuffing defenses are bypassed by the aggregators.

Once bad actors have gained access to compromised accounts, they can utilize financial aggregators to further hide their tracks. This is because financial aggregators’ traffic usually gets safe-listed by the financial institutions due to PSD2 and other Open Banking requirements. Criminals utilize aggregators as a ‘Trojan horse’ to bypass the bank’s otherwise formidable defenses and repeatedly access compromised accounts without triggering any alarms.

To make matters worse, despite legislators’ best efforts in regulating Open Banking APIs, the vast majority of Fintech aggregators still rely on screen scraping to access their customers’ accounts.

When using sanctioned APIs to conduct TPP actions, the aggregators are only able to learn limited information about customers and their account activity. This has made scraping the cornerstone of data access, as it allows the Fintech aggregators to gather immense knowledge about the customer. Even in cases where financial institutions make most functionality available through APIs, Fintech aggregators continue to use screen scraping as it allows them to learn more about the customers and improve their offerings.

This is a major issue for financial institutions, as legal screen scraping can be hard to distinguish from illegal automation, like malicious bots or credential stuffing. As I mentioned, it is common for financial institutions’ fraud prevention teams to resort to safe-listing known aggregator IPs, because the aggregators simply generate too much traffic for the fraud prevention teams to investigate effectively.

At BehavioSec, we have seen cases where Fintech aggregators represent up to 25% of financial institutions’ total traffic – something that would take fraud prevention teams years to analyze manually if not safe-listed by their bot detection tools. However, that only makes the fraud problem worse. A BehavioSec customer recently stated that over 15% of their customers’ fraud losses originate from a single aggregator and that the aggregator fraud cases are growing fast.

Securely enable Financial Aggregators with behavioral biometrics

The first step in mitigating risk is to identify its source. That is why it is critical to accurately detect transactions from aggregators and automatically categorize them as such, something BehavioSec can provide through our years of behavioral biometrics experience and groundbreaking innovations, like our Predictive Modeler. It clusters repeating behavioral patterns and builds models of sessions with similar behavior, which is typical of aggregators. BehavioSec then labels incoming sessions in real time with the aggregator they come from, so fraud teams can select which Fintechs to allow and which to block.

Behavioral biometrics and predictive modeling make this easy, as the image below shows. While designed to make it easier for security systems to spot aggregators, it makes it simple even for an untrained eye to see the difference between genuine users and aggregators. In this case, the aggregator makes no mouse movements, only mouse clicks, and its behavior is close to identical across all customer sessions in that banking application.

This ability to identify and categorize aggregators, even across millions of user sessions, finally gives fraud analysts a fighting chance against the fraud the aggregators bring. No longer limited to manually updating IP ranges of known aggregators, something made extra difficult because Fintechs often use the same hosting services, the fraud prevention systems can now immediately detect when an aggregator has shifted IP address, device fingerprint, country of origin, or hosting service.
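As an added illustration of the clustering and labeling described above (this is example code written for this page, not BehavioSec’s Predictive Modeler or any product code), the following Python heuristic quantizes each session’s click timing and click positions into a coarse signature, treats a signature shared by several sessions that contain no mouse movement as an aggregator profile, and then labels incoming sessions against those learned profiles. The session telemetry, event format and thresholds are all constructed assumptions.

```python
"""Heuristic aggregator-session labeling from raw UI events (constructed example)."""
from collections import Counter

# Constructed sample sessions: lists of (event, t_ms, x, y). Not real telemetry.
# s1/s2 are click-only with near-identical timing/positions; s3 has human-like mouse movement.
SESSIONS = {
    "s1": [("click", 0, 310, 120), ("click", 180, 310, 160), ("click", 365, 400, 220)],
    "s2": [("click", 0, 310, 120), ("click", 182, 310, 160), ("click", 370, 400, 220)],
    "s3": [("move", 0, 40, 50), ("move", 35, 90, 80), ("move", 70, 200, 140),
           ("click", 900, 312, 158), ("move", 1100, 330, 200), ("click", 1450, 398, 226)],
}


def signature(events, gap_bin_ms=50, grid_px=20):
    """Coarse behavioural fingerprint: quantised inter-click gaps plus click grid cells.
    Quantising collapses near-identical scripted sessions onto one key, while human
    sessions, whose timing and positions vary, rarely collide on the same key."""
    clicks = [e for e in events if e[0] == "click"]
    gaps = tuple(round((b[1] - a[1]) / gap_bin_ms) for a, b in zip(clicks, clicks[1:]))
    cells = tuple((x // grid_px, y // grid_px) for _, _, x, y in clicks)
    return gaps, cells


def has_mouse_movement(events):
    return any(e[0] == "move" for e in events)


def build_profiles(sessions, min_sessions=2):
    """Learn aggregator profiles: a signature shared by >= min_sessions sessions,
    none of which contain mouse movement (clicks only, as in the example above).
    Returns {signature: profile_id}, ids assigned in order of first appearance."""
    counts = Counter()
    moved = set()
    for events in sessions.values():
        sig = signature(events)
        counts[sig] += 1
        if has_mouse_movement(events):
            moved.add(sig)
    profiles = {}
    for sig, n in counts.items():
        if n >= min_sessions and sig not in moved:
            profiles[sig] = f"agg-{len(profiles) + 1:03d}"
    return profiles


def label_session(events, profiles):
    """Real-time label for one incoming session against the learned profiles."""
    if has_mouse_movement(events):
        return "human-like"
    return profiles.get(signature(events), "unclassified")
```

A fraud team would feed the returned profile id into the allow/block/step-up rules discussed next, rather than relying on the aggregator’s IP range.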

Here are some examples of what our customers do with our behavioral intelligence:

  • Block all forms of aggregator traffic and force the use of sanctioned Open banking APIs.
  • Block certain aggregators that they have deemed weak on security.
  • Require additional step-ups from the customer when using aggregators, like one-time passcodes.

Beyond the classifier capability, behavioral biometrics can protect the financial institution and its customers from account takeovers, regardless of how the criminals got hold of the credentials. Whether through a Fintech data breach, social engineering, or aggregator-based credential stuffing, we have you covered.

It is also possible to create specialized business rules that combine our behavioral biometrics intelligence with the transactional security system, allowing financial institutions to block fraudsters without causing friction or outright blocking the aggregator – all while remaining compliant with both PSD2 and Strong Customer Authentication (SCA).