Concerns around bot attacks among FS businesses
By Puja Sharma
Netacea, the bot detection and mitigation specialist, has released its new report on how businesses are dealing with bot attacks. It reveals one key area where businesses are failing to tackle attacks: bots are going undiscovered for an average of 16 weeks, up two weeks from last year’s findings.
The study, The Bot Management Review 2022, surveyed 440 businesses across sectors including e-commerce, financial services, and telecoms in the United States and the UK. It is a follow-up to last year’s report and finds that in almost every measure, businesses appear to be doing worse than last year in the fight against bots, though this may not necessarily mean they are losing the fight.
“On the face of it, this looks like a very poor result for businesses hoping to fight the effect of bot attacks. Our research has shown that bots have a substantial effect on business revenues, and so it’s in their interest for our results to move the other direction,” said Andy Still, CPO and Co-Founder, Netacea.
“However, we think that the results can be interpreted another way. Businesses are taking time to wake up to the threat of bots, and we see at least part of this increase in bot attacks being down to greater awareness. Businesses are getting better at recognising bot attacks, and so while it may look like things are getting worse, there is some cause for cheer,” he added.
The report’s results on bot myths go some way to confirm this theory, with incorrect assumptions about bots believed less than in previous years. Fewer businesses believe that all bot attacks come from Russia and China, that a Web Application Firewall will stop sophisticated bots, and that ReCAPTCHA is an effective tool against all bots. However, more than 50% of businesses still believe these myths, suggesting there is still some way to go.
“Businesses may be beginning to turn the tide against bot attacks, but if so it is just the beginning,” said Matthew Gracey McMinn, Head of Threat Research, Netacea. “The most damning result of our research, that attacks go unreported for 16 weeks, shows the risk of complacency—bots can essentially run wild for months before the threat is tackled. Better understanding is vital, but just the first step.”
Bot attacks include:
- Scraping financial data: There are many ways that competitors can steal your custom content, including financial data scraping and FinTech companies scraping your data for use and resale. Aggregators can also collect your sensitive data. These actions and more may cause competitors to lose revenue.
- Account takeover and fraud: Credential stuffing, credential cracking, and dictionary attacks are all terms used to describe account takeover and fraud. These attacks aim to gain unauthorized access to user accounts by brute force. Many financial services are targeted by this type of attack.
- API attacks: Bots are attacking API endpoints to gain access to sensitive data via API scraping, web API hijacking, and mobile API hijacking. API security is often neglected by organisations, which rely on simple authentication tokens and IP rate limiting to secure these critical attack vectors.
- Fraudulent use of credit cards: These are both examples of ways in which bad actors use bots to either authorize stolen credit card information or guess the missing parts of partial credit card information they have already collected. This directly damages a business’s fraud score and increases customer service costs.
Key takeaways
- Bot owners are shifting their tactics, with 60% of businesses detecting attacks on APIs and 39% detecting attacks on mobile apps (up from 46% and 23% in 2021 respectively).
- Attacks from each of the main types of bots (sniper, account checker, scalper, and scraper) have increased by between 7 and 9 percentage points from 2021. 53% of businesses are now detecting attacks from account checker bots.
- Almost all businesses, around 97%, report that customer satisfaction has been affected by bot attacks.
- The revenue impact of skewed web analytics, caused by bots being treated as genuine visitors, has increased from 4% to 5%, though fewer businesses report a substantial impact from this particular effect of bot attacks.