
Financial Aggregator Security Risks

Aggregators innovate but also add credential-stuffing threat surface, ATO risk

How do you Manage Aggregator Risk?

Financial aggregators deliver single-pane visibility to over 100 million consumer accounts. Mint, Yodlee, and Plaid, to name some well-known examples, are considered top-tier aggregators. But behind them is a long tail of smaller aggregators, many of which are poorly funded startups. 

The innovation aggregators provide is undeniable, and the relationships between the top-tier aggregators and the financial institutions (FI) they source from are mostly safe and harmonious. But the smaller companies often lack formal relationships and can add significant risk to the FI community.

Financial Aggregator Security Risks

Financial aggregators create unintended risks for the financial institutions from which they source consumer data. Three of the most significant are:

Account Verification. Aggregators that have a working relationship with their sources are often whitelisted into the institution’s services. Attackers take advantage of this relationship by validating accounts via credential stuffing against the aggregator instead of directly against the institution. We can tell when a campaign starts, because the login failure rate coming from the aggregator increases dramatically. Even the top-tier aggregators suffer from this problem, because they only show the secondary verification steps once the correct username and password have been entered, which gives the attackers the confirmation they need.

Account Takeover. Financial aggregators store the actual banking credentials (usernames and passwords) of the consumers they serve, as well as 60 to 90 days of account data. This makes them a tempting target for attackers. Attackers who penetrate the aggregator look for small-dollar deposits to track PayPal account linkages in flight, and then they exfiltrate the account balance.

Server Outages. Aggregators make up 15 percent of FI account queries. How often should an aggregator service poll the financial institution for updated consumer account information? Once a day? Ten times a day? A hundred times a day? We found one aggregator that queries its sources 60,000 times per day. Multiply that by 10,000 customers, and some FIs have to add capacity just to serve the aggregator traffic.

How Shape Helps the FI Community Manage Aggregators

Shape Security’s strategy for dealing with aggregators is simple: ensure that the benefits of aggregator innovation flow to the customers, but in a manner safe for both the end user and the financial institution.

Shape uses four specific tactics to help organizations manage aggregator risk.

1. Authentication Visibility

Shape sees every single login attempt and labels traffic as human, automated, or aggregator. Of course Shape blocks attacks at the financial institution’s web and mobile properties, but we can also detect when attackers are credential stuffing through an aggregator for account validation.
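The signal described above for account verification, a sharp rise in login failures from a whitelisted aggregator source, can be checked directly against labelled login logs. The following is an added example, not Shape Security's code: it assumes an upstream classifier has already tagged each login as `human`, `automated` or `aggregator:<name>`, and the log lines, the aggregator name `acme-agg` and the thresholds are all constructed for the illustration.

```python
"""
Added illustration (not Shape Security code): flag a window in which a
whitelisted aggregator's login failure rate jumps well above its own
earlier baseline, the pattern of credential stuffing laundered through
an aggregator. Log format, source labels and thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source label> <username> <result>"
# The 09:00 window is normal traffic; the 10:00 window shows a burst of
# failures against many distinct usernames, the credential-stuffing shape.
SAMPLE_LOG = """\
2020-05-01T09:00:01Z aggregator:acme-agg alice ok
2020-05-01T09:00:05Z aggregator:acme-agg bob ok
2020-05-01T09:00:09Z aggregator:acme-agg carol fail
2020-05-01T09:00:12Z human dave ok
2020-05-01T09:00:20Z aggregator:acme-agg erin ok
2020-05-01T09:00:30Z aggregator:acme-agg frank ok
2020-05-01T10:00:01Z aggregator:acme-agg u1001 fail
2020-05-01T10:00:02Z aggregator:acme-agg u1002 fail
2020-05-01T10:00:03Z aggregator:acme-agg u1003 fail
2020-05-01T10:00:04Z aggregator:acme-agg u1004 ok
2020-05-01T10:00:05Z aggregator:acme-agg u1005 fail
2020-05-01T10:00:06Z aggregator:acme-agg u1006 fail
2020-05-01T10:00:07Z human grace ok
2020-05-01T10:00:08Z aggregator:acme-agg u1007 fail
2020-05-01T10:00:09Z aggregator:acme-agg u1008 fail
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "user": user,
            "ok": result == "ok",
        })
    return events


def failure_series(events, window=timedelta(hours=1)):
    """Return {source: [(window_start, attempts, failures), ...]} in time order."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for e in events:
        idx = (e["ts"] - EPOCH) // window          # integer window index
        bucket = counts[e["source"]][idx]
        bucket[0] += 1
        if not e["ok"]:
            bucket[1] += 1
    return {
        source: [(EPOCH + idx * window, a, f) for idx, (a, f) in sorted(per_window.items())]
        for source, per_window in counts.items()
    }


def detect_stuffing(events, window=timedelta(hours=1), min_attempts=5,
                    spike_factor=3.0, rate_floor=0.5):
    """
    Alert on an aggregator window whose failure rate is high in absolute
    terms (>= rate_floor) AND a multiple (spike_factor) of that source's
    cumulative failure rate over its earlier windows. Both conditions are
    required so a quiet source with one failed login does not alert.
    """
    alerts = []
    for source, series in failure_series(events, window).items():
        if not source.startswith("aggregator:"):
            continue                                # only the aggregator channel
        prior_attempts = prior_failures = 0
        for start, attempts, failures in series:
            rate = failures / attempts
            baseline = prior_failures / prior_attempts if prior_attempts else 0.0
            # small floor on the baseline so a zero-failure history cannot
            # make every later failure look like an infinite spike
            if (attempts >= min_attempts and rate >= rate_floor
                    and rate >= spike_factor * max(baseline, 0.05)):
                alerts.append({
                    "source": source, "window_start": start,
                    "attempts": attempts, "failures": failures,
                    "rate": round(rate, 2), "baseline": round(baseline, 2),
                })
            prior_attempts += attempts
            prior_failures += failures
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

The check is deliberately per-source: a spike in failures from one aggregator is actionable (alert the aggregator, throttle that channel) without touching direct customer logins, which is the distinction the traffic labelling above makes possible.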

2. Onboarding Assistance

Shape encourages aggregators to move away from storing user financial credentials and switch to APIs supported by the financial institutions they source from. Shape works with the financial institution and the aggregator to make this transition.

3. Least Privilege Access

When APIs are used, Shape can enforce only the privileges an aggregator actually requires, reducing the threat surface. For example, access to transactions can be restricted to read-only, or to summary information only.
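What "read-only" or "summary only" means in practice is a default-deny scope check in front of the FI's API. The block below is an added example, not Shape's product logic: the scope names, aggregator profiles and endpoint table are hypothetical, chosen to show the two restrictions the paragraph mentions and to show that anything not explicitly granted (writes, transfers, unknown endpoints, unknown partners) is refused.

```python
"""
Added illustration (not Shape Security code): least-privilege scope
enforcement for aggregator API access. Scope names, endpoints and the
aggregator profiles are hypothetical.
"""

# Holding the scope on the left also satisfies the scopes on the right:
# full transaction history necessarily includes the summary view.
SCOPE_IMPLIES = {
    "transactions:read": {"summary:read"},
}

# Constructed onboarding profiles: the privileges each partner was granted.
AGGREGATOR_PROFILES = {
    "agg-budgeting": {"summary:read"},        # balances and totals only
    "agg-full-sync": {"transactions:read"},   # read-only transaction history
}

# The scope each (method, path) demands. Endpoints absent from this table
# are never reachable by an aggregator, whatever scopes it holds.
ENDPOINT_SCOPES = {
    ("GET", "/accounts/summary"): "summary:read",
    ("GET", "/accounts/transactions"): "transactions:read",
    ("POST", "/transfers"): "transfers:write",
    ("PUT", "/profile/contact"): "profile:write",
}


def effective_scopes(granted):
    """Expand a granted scope set through SCOPE_IMPLIES, transitively."""
    result = set(granted)
    stack = list(granted)
    while stack:
        scope = stack.pop()
        for implied in SCOPE_IMPLIES.get(scope, ()):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result


def authorize(aggregator_id, method, path):
    """
    Decide whether an aggregator may call an endpoint.
    Returns (allowed, reason). Every failure path is a deny.
    """
    profile = AGGREGATOR_PROFILES.get(aggregator_id)
    if profile is None:
        return False, "unknown aggregator"
    required = ENDPOINT_SCOPES.get((method.upper(), path))
    if required is None:
        return False, "endpoint not exposed to aggregators"
    if required not in effective_scopes(profile):
        return False, f"missing scope {required}"
    return True, f"scope {required} granted"


if __name__ == "__main__":
    for req in [("agg-budgeting", "GET", "/accounts/summary"),
                ("agg-budgeting", "GET", "/accounts/transactions"),
                ("agg-full-sync", "POST", "/transfers"),
                ("someone-else", "GET", "/accounts/summary")]:
        print(req, authorize(*req))
```

Note that neither profile can ever be granted `transfers:write` or `profile:write` by accident: those scopes exist only as endpoint requirements, so a write endpoint stays closed unless an operator deliberately adds the scope to a profile.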

4. Anomaly Detection

Shape helps both the financial institution and the aggregator with anomaly detection. Shape fingerprints every attacker framework, including headless browsers and manually driven fraud, and can block the traffic or alert both the aggregator and the financial institution.

At Shape Security, we see the attacks against both financial institutions and aggregators, detecting them like we do any other automation or manual fraud. We know when the attacking client is not a true end user, and we limit them, redirect them, or use controlled blocking to minimize their impact.
