Aggregators Banned From NCR’s Digital Banking Platform Amid Account Takeovers

The ban, "in response to a series of financial account takeovers" that drained a number of accounts, has since been cancelled.

Third-party data aggregators under scrutiny. (Source: Shutterstock)

In October, Atlanta-based financial technology titan NCR Corp. temporarily blocked third-party data aggregators, said to be Mint and QuickBooks Online, from accessing its digital banking platform used by hundreds of institutions.

Security expert Brian Krebs in his Krebs on Security blog reported, “That ban, which came in response to a series of financial account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded.”

Krebs reported on Oct. 29 that he had heard from a chief security officer at a U.S.-based credit union, an NCR digital banking (formerly Digital Insight) customer, who said his institution had just had several dozen customer accounts hacked over the previous week. “My banking source said the attackers appeared to automate the unauthorized logins, which took place over a week in several distinct 12-hour periods in which a new account was accessed every five to ten minutes.”

Most concerning, the source told Krebs, was that in many cases the aggregator service did not pass through prompts sent by the credit union’s site for multi-factor authentication, meaning the attackers could access customer accounts with nothing more than a username and password. According to the source, sometimes the attackers were getting the multifactor challenge and sometimes they were not, and NCR had just blocked Mint and QuickBooks from accessing banking web sites on its platform.

In an official statement published on Krebs’ blog, NCR confirmed the company had notified its digital banking customers about the temporary suspension of the aggregation capabilities of certain third-party products. “The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data,” read the statement, which was sent to customers on Oct. 29. After confirming containment of the incident, NCR restored the connectivity used for account aggregation. “As we noted, the criminals are getting aggressive and creative in accessing tools to access online information; NCR continues to evaluate and proactively defend against these activities.”

NCR did not specify, but Krebs and other security professionals believe the reuse of online banking passwords led to the hacked accounts.

Tim Erlin, vice president, product management and strategy at Portland, Ore.-based enterprise security provider Tripwire, said, “The complexity of the interconnected financial services industry is difficult for the average consumer to comprehend. This complexity provides avenues for attackers to exploit. A variety of services have grown organically from the more traditional banking system, and while security is often a top concern for each institution, the gaps between them can leave room for risk.”

Erlin added that when you have an incident to deal with, you can only take action on the systems where you have control. “It will be telling to see if this type of incident-driven access control is a recurring theme for the industry.”

Financial aggregators are a frequently misunderstood security threat, according to Jarrod Overson, director of engineering at Santa Clara, Calif.-based Shape Security. “Banking credentials already fetch the highest prices on account reseller marketplaces. The companies that store the credentials attract the most sophisticated attackers. Despite security concerns, financial institutions have to interoperate with aggregators because users like them.”

Overson pointed out this leads to banking services granting backdoor access for aggregators to automate logins, transactions, and reporting. “This access typically leads to disabling major defenses like MFA (multi-factor authentication) and bot mitigation so aggregators aren’t blocked unexpectedly. Attackers know this and compromise aggregators or their networks to get access to this backdoor. This allows automated attacks to fly under the radar and look as though they are legitimate requests coming from companies like Mint.”

Overson emphasized this is a fundamental problem with aggregators. “They move faster than the companies they are working with and strain existing systems in the name of new features. Financial institutions need to move aggregators towards APIs that have granular authorization, rate-limits, and appropriate protections in place to protect themselves and their users.”
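The alternative Overson describes, an aggregator API with per-customer grants, granular scopes and rate limits instead of shared login credentials, can be illustrated with a small authorization check. This is an added example written for this article, not code from NCR, Shape Security or any aggregator; the grant fields, scope names, account identifiers and limits are assumptions chosen for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AggregatorGrant:
    """What one customer consented to: which account, which operations, until when.
    (Hypothetical structure for this example; real consent records carry more.)"""
    grant_id: str
    account: str
    scopes: frozenset      # e.g. {"balances:read", "transactions:read"}
    expires_at: float      # seconds on the same clock as `now` below


class TokenBucket:
    """Per-grant token bucket: a burst of `capacity` calls, refilled at `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self._state = {}   # grant_id -> (tokens remaining, last timestamp)

    def allow(self, key, now):
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1, now)
        return True


def authorize(grant, account, scope, bucket, now):
    """Return (allowed, reason) for one API call made with a grant.

    The aggregator never holds the user's password, so the bank can keep MFA on
    interactive login while still serving the aggregator: every call is checked
    against the granted account, the granted scopes, the expiry and the rate limit.
    """
    if now >= grant.expires_at:
        return False, "grant_expired"
    if account != grant.account:
        return False, "account_not_in_grant"
    if scope not in grant.scopes:
        return False, "scope_not_granted"
    if not bucket.allow(grant.grant_id, now):
        return False, "rate_limited"
    return True, "ok"


def demo():
    """Walk through the decisions on a constructed grant (assumed values)."""
    grant = AggregatorGrant("grant-1", "acct-1001",
                            frozenset({"balances:read", "transactions:read"}),
                            expires_at=1000.0)
    bucket = TokenBucket(capacity=3, rate=1.0)
    calls = [
        ("acct-1001", "balances:read", 0.0),      # within grant -> ok
        ("acct-1002", "balances:read", 0.0),      # another customer -> denied
        ("acct-1001", "payments:write", 0.0),     # write never granted -> denied
        ("acct-1001", "transactions:read", 0.0),  # ok
        ("acct-1001", "transactions:read", 0.0),  # ok, bucket now empty
        ("acct-1001", "transactions:read", 0.0),  # burst exceeded -> rate_limited
        ("acct-1001", "transactions:read", 1.0),  # one second later -> ok again
        ("acct-1001", "balances:read", 1000.0),   # consent expired -> denied
    ]
    return [authorize(grant, acct, scope, bucket, now) for acct, scope, now in calls]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the structure is that a compromised aggregator credential is bounded by the grant it was issued under: it reaches one account, read-only scopes and a fixed call rate, rather than the full interactive session that a shared username and password (with MFA turned off for the aggregator) would give.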

Robert Capps, vice president of market innovation for Vancouver, British Columbia, Canada-based NuData Security, a Mastercard company, said, “Aggregator traffic is always sensitive because financial institutions have a large percentage of their clients using them legitimately.” Capps noted the good news is that financial institutions can leverage data from these aggregators to flag fraudulent behavior. These types of attacks are sophisticated, and financial institutions need to leverage their security layers to find suspicious patterns.

Capps maintained, “Institutions know when traffic comes from a known aggregator based on information such as the IP address. However, institutions can leverage other information to detect this suspicious traffic. For example, a sudden large number of logins from an aggregator, or a recent increase in failed logins from a legitimate aggregator are signs of potential risk.”

When a financial institution detects signals such as those, it can trigger a policy to review that traffic further or add another layer of security for that user. Capps said, “The type of attack experienced by NCR Corp was highly sophisticated. By looking at the details of the attack as well as its behavior, banks can cut down threats without adding friction to all their good customers by default.”
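The signals Capps lists (a sudden jump in login volume from a known aggregator, a rise in failed logins from it) and the per-user step-up policy described above can be computed from a bank's own authentication log. The following is an added example written for this article, not code from NuData, NCR or any of the vendors quoted; the log format, the aggregator label “agg-A”, the account identifiers and the thresholds are all constructed assumptions. The sample log also mirrors the pattern reported to Krebs, a new account every five minutes through the aggregator with the MFA challenge not completed, so a third check flags successful logins that skipped MFA.

```python
from datetime import datetime, timedelta

# Constructed authentication log (not real data). Fields: timestamp, channel
# (a known aggregator's label, or "web" for direct browser logins), account,
# outcome, and whether the MFA challenge was completed on that login.
SAMPLE_LOG = """\
2019-10-22T08:02:00 agg-A acct-1001 success mfa=yes
2019-10-22T08:21:00 web   acct-2001 success mfa=yes
2019-10-22T08:40:00 agg-A acct-1002 success mfa=yes
2019-10-22T08:55:00 agg-A acct-1001 success mfa=yes
2019-10-22T09:05:00 agg-A acct-3001 fail    mfa=no
2019-10-22T09:10:00 agg-A acct-3002 success mfa=no
2019-10-22T09:15:00 agg-A acct-3003 success mfa=no
2019-10-22T09:20:00 agg-A acct-3004 fail    mfa=no
2019-10-22T09:25:00 agg-A acct-3005 success mfa=no
2019-10-22T09:30:00 agg-A acct-3006 success mfa=no
2019-10-22T09:35:00 agg-A acct-3007 fail    mfa=no
2019-10-22T09:40:00 agg-A acct-3008 success mfa=no
2019-10-22T09:45:00 agg-A acct-3009 success mfa=no
2019-10-22T09:50:00 agg-A acct-3010 fail    mfa=no
2019-10-22T09:55:00 agg-A acct-3011 success mfa=no
2019-10-22T09:58:00 web   acct-2002 success mfa=yes
"""

EPOCH = datetime(2000, 1, 1)   # arbitrary origin for fixed-width windows


def parse_log(text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, account, outcome, mfa = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "channel": channel,
                       "account": account, "ok": outcome == "success",
                       "mfa": mfa == "mfa=yes"})
    return events


def window_start(ts, window):
    return EPOCH + ((ts - EPOCH) // window) * window


def bucket_by_window(events, channel, window):
    """Per window for one channel: logins, failures, distinct accounts, and
    successful logins where the MFA challenge was never completed."""
    stats = {}
    for e in events:
        if e["channel"] != channel:
            continue
        w = stats.setdefault(window_start(e["ts"], window),
                             {"logins": 0, "failed": 0, "accounts": set(), "no_mfa_ok": 0})
        w["logins"] += 1
        w["accounts"].add(e["account"])
        if not e["ok"]:
            w["failed"] += 1
        elif not e["mfa"]:
            w["no_mfa_ok"] += 1
    return stats


def detect(events, channel, window=timedelta(hours=1), volume_factor=3.0, fail_rate_jump=0.2):
    """Compare each window with the previous one and return (signal, window, value) alerts.
    Thresholds are assumptions; a bank would tune them per aggregator from its own baseline."""
    stats = bucket_by_window(events, channel, window)
    alerts, prev = [], None
    for start in sorted(stats):
        cur = stats[start]
        if prev is not None:
            if cur["logins"] >= volume_factor * prev["logins"]:
                alerts.append(("login_volume_spike", start, cur["logins"]))
            rise = cur["failed"] / cur["logins"] - prev["failed"] / prev["logins"]
            if rise >= fail_rate_jump:
                alerts.append(("failed_login_increase", start, round(cur["failed"] / cur["logins"], 2)))
        if cur["no_mfa_ok"]:
            alerts.append(("success_without_mfa", start, cur["no_mfa_ok"]))
        prev = cur
    return alerts


def accounts_to_step_up(events, channel, alerts, window=timedelta(hours=1)):
    """Accounts reached through the aggregator inside an alerted window: the users
    who get review or an extra security layer, while everyone else sees no friction."""
    flagged = {start for _, start, _ in alerts}
    return sorted({e["account"] for e in events
                   if e["channel"] == channel and window_start(e["ts"], window) in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect(evs, "agg-A")
    for alert in found:
        print(alert)
    print("step-up:", accounts_to_step_up(evs, "agg-A", found))
```

On the constructed log the 09:00 window raises all three signals for agg-A (11 logins against 3 in the prior hour, a failure rate of 0.36 against 0, and 7 successful logins with no MFA), while direct web traffic raises none, and only the eleven accounts touched by the aggregator in that window are selected for step-up.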