Account aggregation is the compilation of multiple accounts into an intermediary system. Aggregation can be carried out by one user merging information from several applications, or by combining the data of many users of a single system.
Aggregation can be carried out with completely legitimate intent and is often used to simplify how consumers access the information in question, whether that is aggregated social media, email or bank accounts.
The nature of the threat is similar to that of account creation and scraping, but with several crucial differentiators, such as making changes to account properties and interacting with the aggregated application's functionality.
Threat actors target a myriad of sectors, including financial services, entertainment, government, retail and technology, to access and misuse the account holder’s credentials, payment details and medical information.
Financial services are particularly susceptible to account aggregation attacks, with attackers commonly targeting financial advisors, wealth managers and investors for their unique access to customers’ login credentials, monetary and banking data. When aggregated, this exposed information can pose a significant threat to the targeted organization and its customers.
How to prevent account aggregation
Implementing application programming interfaces (APIs) that are dedicated to approved aggregators, and securing them appropriately, ensures that legitimate account aggregation activity is protected against automated threats.