Financial aggregators deliver single-pane visibility to over 100 million consumer accounts. Mint, Yodlee, and Plaid, to name some well-known examples, are considered top-tier aggregators. But behind them is a long tail of smaller aggregators, many of which are poorly funded startups.
The innovation aggregators provide is undeniable, and the relationships between the top-tier aggregators and the financial institutions (FI) they source from are mostly safe and harmonious. But the smaller companies often lack formal relationships and can add significant risk to the FI community.
Financial aggregators create unintended risks for the financial institutions from which they source consumer data. Three of the most significant are:
Account Verification. Aggregators that have a working relationship with their sources are often whitelisted into the institution’s services. Attackers take advantage of this relationship by validating accounts via credential stuffing against the aggregator instead of directly against the institution. We can tell when the campaigns start, because the login failure rate from the aggregator increases dramatically. Even the top-tier aggregators suffer from this problem, because they only show the secondary verification steps once the correct username and password have been entered, giving the attackers the information they need.
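The detection signal described above, a sharp rise in the login failure rate of aggregator-labelled traffic, can be checked with a small script. The code below is an added example, not Shape's product logic: the log line format (`timestamp source=... outcome=...`), the source labels, the hourly bucketing, the 3x-baseline factor and the 0.2 absolute floor are all assumptions, and the log lines are constructed so the script runs offline.

```python
"""Per-source login failure-rate spike check (added example; assumed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed line format: "<ISO timestamp> source=<label> outcome=<success|fail>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\w+) outcome=(?P<outcome>success|fail)$"
)


def build_sample_log() -> List[str]:
    """Constructed sample: (hour, source label, successes, failures) per bucket."""
    spec = [
        (10, "aggregator", 19, 1),
        (10, "human", 45, 5),
        (11, "aggregator", 19, 1),
        (11, "human", 44, 6),
        (12, "aggregator", 5, 15),  # constructed stuffing campaign: failures jump
        (12, "human", 46, 4),
    ]
    lines = []
    for hour, source, ok, bad in spec:
        base = datetime(2024, 1, 1, hour)
        for i in range(ok + bad):
            outcome = "success" if i < ok else "fail"
            ts = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
            lines.append(f"{ts} source={source} outcome={outcome}")
    return lines


def parse(lines: List[str]) -> List[Tuple[datetime, str, bool]]:
    """Parse log lines into (timestamp, source, failed); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["source"], m["outcome"] == "fail"))
    return events


def bucket_by_hour(events) -> Dict[str, Dict[datetime, List[int]]]:
    """Per source, per hour: [attempts, failures]."""
    buckets: Dict[str, Dict[datetime, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, source, failed in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[source][hour][0] += 1
        buckets[source][hour][1] += int(failed)
    return buckets


def detect_spikes(buckets, source: str, factor: float = 3.0,
                  floor: float = 0.2, min_attempts: int = 10):
    """Flag hours where a source's failure rate exceeds max(factor * baseline, floor).

    The baseline is the mean failure rate of the preceding hours for that source,
    so a steady-state aggregator with a few mistyped passwords is not flagged.
    """
    alerts = []
    history: List[float] = []
    for hour in sorted(buckets.get(source, {})):
        attempts, fails = buckets[source][hour]
        rate = fails / attempts if attempts else 0.0
        if history and attempts >= min_attempts:
            baseline = sum(history) / len(history)
            if rate > max(factor * baseline, floor):
                alerts.append((hour, round(rate, 2), round(baseline, 2)))
        history.append(rate)
    return alerts


if __name__ == "__main__":
    b = bucket_by_hour(parse(build_sample_log()))
    for label in ("aggregator", "human"):
        print(label, detect_spikes(b, label))
```

Only the aggregator bucket at 12:00 is flagged (failure rate 0.75 against a 0.05 baseline); the human traffic, which fluctuates between 8 and 12 percent, stays below the threshold. In a real deployment the source label would come from the traffic classification and the baseline window would be longer than two hours, but the comparison is the same.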
Account Takeover. Financial aggregators store the actual banking credentials (usernames and passwords) of the consumers they serve, as well as 60 to 90 days of account data. This makes them a tempting target for attackers. Attackers who penetrate the aggregator look for small-dollar deposits to track PayPal account linkages in flight, and then they exfiltrate the account balance.
Server Outages. Aggregators make up 15 percent of FI account queries. How often should an aggregator service poll the financial institution for updated consumer account information? Once a day? Ten times a day? A hundred times a day? We found one aggregator that queries its sources 60,000 times per day. Multiply that by 10,000 customers, and some FIs have to add capacity just to serve the aggregator traffic.
Shape sees every single login attempt and labels traffic as human, automated, or aggregator. Of course Shape blocks attacks at the financial institution’s web and mobile properties, but we can also detect when attackers are credential stuffing through an aggregator for account validation.
Shape encourages aggregators to move away from storing user financial credentials and switch to APIs supported by the financial institutions they source from. Shape works with the financial institution and the aggregator to make this transition.
When APIs are used, Shape can enforce only the privileges an aggregator actually requires, reducing the attack surface. For example, access to transaction data can be restricted to read-only, or to summary information only.
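The least-privilege model described in the two paragraphs above, an aggregator holding a scoped API token instead of the consumer's banking password, can be sketched as a small authorization layer. This is an added example, not Shape's or any aggregator's code: the scope names (`accounts:summary`, `transactions:read`, `transfers:write`), the route table, the `AccessToken` record and the account data are all assumptions constructed for illustration.

```python
"""Scoped API access for an aggregator (added example; hypothetical scopes and routes)."""
from dataclasses import dataclass
from typing import Any, FrozenSet, Tuple

# Hypothetical scope names; a real FI API would define its own.
SCOPE_SUMMARY = "accounts:summary"
SCOPE_TX_READ = "transactions:read"
SCOPE_TRANSFER = "transfers:write"

# Hypothetical route table: (method, path) -> scope required to call it.
ROUTES = {
    ("GET", "/accounts/summary"): SCOPE_SUMMARY,
    ("GET", "/transactions"): SCOPE_TX_READ,
    ("POST", "/transfers"): SCOPE_TRANSFER,
}

# Constructed account record standing in for the FI's core banking data.
ACCOUNT = {
    "id": "acct-001",
    "balance": 1250.75,
    "transactions": [
        {"amount": -42.10, "memo": "grocery"},
        {"amount": 2000.00, "memo": "payroll"},
    ],
}


@dataclass(frozen=True)
class AccessToken:
    """What the aggregator holds: an identity plus scopes, never the user's password."""
    client_id: str
    scopes: FrozenSet[str]


class Forbidden(Exception):
    pass


def issue_aggregator_token(client_id: str, summary_only: bool = True) -> AccessToken:
    """Issue the narrowest token that serves the aggregator's use case."""
    scopes = {SCOPE_SUMMARY} if summary_only else {SCOPE_SUMMARY, SCOPE_TX_READ}
    return AccessToken(client_id, frozenset(scopes))


def authorize(token: AccessToken, method: str, path: str) -> str:
    """Deny by default: unknown routes and missing scopes both raise."""
    required = ROUTES.get((method, path))
    if required is None:
        raise Forbidden(f"no route for {method} {path}")
    if required not in token.scopes:
        raise Forbidden(f"{token.client_id} lacks scope {required}")
    return required


def handle(token: AccessToken, method: str, path: str) -> Any:
    """Dispatch a request after the scope check; summary responses omit line items."""
    authorize(token, method, path)
    if (method, path) == ("GET", "/accounts/summary"):
        return {"id": ACCOUNT["id"], "balance": ACCOUNT["balance"]}
    if (method, path) == ("GET", "/transactions"):
        return [dict(t) for t in ACCOUNT["transactions"]]
    # Only reachable with transfers:write, which aggregator tokens never receive.
    return {"status": "accepted"}


def can_call(token: AccessToken, method: str, path: str) -> bool:
    """Convenience predicate for policy checks and tests."""
    try:
        authorize(token, method, path)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    summary_tok = issue_aggregator_token("agg-summary")
    readonly_tok = issue_aggregator_token("agg-readonly", summary_only=False)
    for tok in (summary_tok, readonly_tok):
        for route in ROUTES:
            print(tok.client_id, route, can_call(tok, *route))
```

A summary-only token can fetch the balance but not the transaction list; a read-only token can fetch both; neither can initiate a transfer, and a request for a route that is not in the table is refused rather than passed through. Compromise of a token issued this way exposes at most what the scopes allow, which is the point of moving aggregators off stored credentials.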
Shape helps both the financial institution and the aggregator with anomaly detection. Shape fingerprints every attacker framework, including headless browsers, as well as manual fraud, and can block or alert both the aggregator and the financial institution.
At Shape Security, we see the attacks against both financial institutions and aggregators, detecting them like we do any other automation or manual fraud. We know when the attacking client is not a true end user, and we limit them, redirect them, or use controlled blocking to minimize their impact.