Neobank Reduces Infostealer-Driven Payment Fraud by 41% with Real-Time Identity Intelligence
Executive Summary
Neobanks operate without the physical touchpoints and in-person verification channels that traditional banks use to catch fraud. Every identity decision, from account opening through payment authorization, is made digitally. That structure makes neobanks both highly efficient and specifically vulnerable to infostealer-driven fraud, where attackers arrive not with stolen passwords but with stolen sessions: already-authenticated tokens that carry the full trust context of a legitimate returning user.
This case study examines how a mobile-first neobank with 3.2 million account holders identified the structural gap in its behavioral fraud model, integrated Constella’s infostealer monitoring into its real-time authentication layer, and reduced payment fraud losses attributable to session replay attacks by 41% in the first full quarter following deployment.
The Challenge: Mobile Sessions Are High-Value Infostealer Targets
The bank’s fraud model was built on behavioral analytics: device fingerprinting, login velocity, geographic consistency, transaction pattern analysis, and session duration monitoring. The model performed well against credential stuffing attacks and anomalous transaction patterns. It did not perform well against infostealer-sourced session replay.
The reason is specific to how infostealers operate on mobile and desktop devices. An infostealer infection harvests the authentication tokens and session cookies stored in the browser or application credential store after a legitimate user has authenticated. The harvested session carries the correct device fingerprint (because it was generated on the real device), the correct geographic origin (because the real user authenticated from their home region), and the correct session parameters (because the real user’s authentication flow generated them). When an attacker replays this session, the bank’s behavioral model sees a session that is indistinguishable from the legitimate user’s session.
The bank’s fraud team had identified three payment fraud patterns that were consistently evading the behavioral model:
- Bill Pay Redirect Fraud: Attackers authenticated via replayed session cookie, added new bill payees linked to money mule accounts, and authorized same-day bill pay transfers before the session expired or the account holder logged in independently. Behavioral signals were minimal: one new payee addition followed by one payment event, individually consistent with normal account management.
- Peer-to-Peer Transfer Fraud: Stolen sessions were used to authorize P2P transfers to newly added recipients. The bank’s behavioral model flagged new recipient additions for amounts above a threshold, but the infostealer attacks were structured to stay below the flagging threshold across multiple sessions, accumulating losses through repeated low-value transfers.
- Account Modification Pre-Staging: In a subset of cases, attackers used the stolen session not to immediately transfer funds but to modify the account’s recovery email and phone number, completing a full account takeover that survived the original session’s expiration. The behavioral model did not flag contact information changes as high-risk events, because legitimate customers update contact details regularly.
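To make the three patterns concrete from the detection side, here is an added example (my code, not code from the case study or from Constella) that runs over a constructed event log and applies three rules the behavioral model described above lacked: a transfer to a payee added within the last 24 hours, cumulative transfers to a recently added recipient summed across sessions, and any change to recovery contact details. It keeps the existing single-transfer threshold rule alongside them to show what each pattern slips past. Thresholds, event type names, account identifiers and timestamps are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for the illustration; the bank's real values are not on the page.
PER_TRANSFER_THRESHOLD = 500.0        # existing rule: a single transfer at or above this is flagged
CUMULATIVE_THRESHOLD = 1000.0         # added rule: rolling total sent to a recently added recipient
NEW_PAYEE_WINDOW = timedelta(days=7)  # how long a payee counts as "recently added"
SAME_DAY = timedelta(hours=24)

# Constructed sample event log (hypothetical accounts, payees and sessions).
EVENTS = [
    # A1: bill pay redirect, one new payee then one same-day payment, amount below threshold
    {"ts": "2024-03-01T09:00:00", "account": "A1", "type": "payee_added", "payee": "P9", "session": "s1"},
    {"ts": "2024-03-01T09:07:00", "account": "A1", "type": "bill_pay", "payee": "P9", "amount": 450.0, "session": "s1"},
    # A2: P2P drip, sub-threshold transfers to a recently added recipient across three sessions
    {"ts": "2024-03-02T10:00:00", "account": "A2", "type": "recipient_added", "payee": "R4", "session": "s2"},
    {"ts": "2024-03-03T11:00:00", "account": "A2", "type": "p2p", "payee": "R4", "amount": 400.0, "session": "s3"},
    {"ts": "2024-03-04T12:00:00", "account": "A2", "type": "p2p", "payee": "R4", "amount": 450.0, "session": "s4"},
    {"ts": "2024-03-05T13:00:00", "account": "A2", "type": "p2p", "payee": "R4", "amount": 480.0, "session": "s5"},
    # A3: pre-staging, recovery contacts rewritten with no transfer at all
    {"ts": "2024-03-05T08:00:00", "account": "A3", "type": "recovery_email_changed", "session": "s6"},
    {"ts": "2024-03-05T08:02:00", "account": "A3", "type": "recovery_phone_changed", "session": "s6"},
    # A4: benign, routine payment to a long-established payee
    {"ts": "2024-03-06T09:00:00", "account": "A4", "type": "bill_pay", "payee": "P1", "amount": 120.0, "session": "s7"},
]


def detect_replay_patterns(events):
    """Return sorted (account, rule) alerts. Events are processed in time order so
    state (when a payee was added, how much has gone to it) is built as it happens."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    payee_added_at = {}                     # (account, payee) -> datetime added
    sent_to_new_payee = defaultdict(float)  # (account, payee) -> cumulative amount
    alerts = set()
    for e in events:
        acct, kind, ts = e["account"], e["type"], datetime.fromisoformat(e["ts"])
        if kind in ("payee_added", "recipient_added"):
            payee_added_at[(acct, e["payee"])] = ts
        elif kind in ("bill_pay", "p2p"):
            # Existing per-transfer rule, kept to show what the drip pattern slips past.
            if e["amount"] >= PER_TRANSFER_THRESHOLD:
                alerts.add((acct, "transfer_over_threshold"))
            key = (acct, e["payee"])
            added = payee_added_at.get(key)
            if added is None or ts - added > NEW_PAYEE_WINDOW:
                continue  # established payee: nothing further to add here
            if ts - added <= SAME_DAY:
                alerts.add((acct, "new_payee_same_day_transfer"))
            # Session boundaries are ignored on purpose: the total is per recipient, not per session.
            sent_to_new_payee[key] += e["amount"]
            if sent_to_new_payee[key] >= CUMULATIVE_THRESHOLD:
                alerts.add((acct, "cumulative_new_recipient_transfers"))
        elif kind in ("recovery_email_changed", "recovery_phone_changed"):
            # Treat recovery-contact changes as high-risk regardless of whether money moved.
            alerts.add((acct, "recovery_contact_changed"))
    return sorted(alerts)


if __name__ == "__main__":
    for account, rule in detect_replay_patterns(EVENTS):
        print(f"{account}: {rule}")
```

Run as-is, the per-transfer rule fires on none of the sample accounts, which is the point: each attack is designed to sit under it. The three added rules catch A1, A2 and A3 respectively and leave the routine payment on A4 alone.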
Why Behavioral Models Cannot Solve This Problem Alone
Behavioral fraud models are trained on internal signals: the historical transaction and session patterns of the account holder. They are exceptionally good at detecting deviations from established behavior, but they have a structural limitation: they cannot evaluate whether the session presented to the authentication layer was generated by the real account holder or harvested from an infected device.
That determination requires external intelligence. It requires knowing whether the account’s associated email address appeared in a recently ingested infostealer package containing session data for the bank’s mobile domain. That knowledge exists only in a threat intelligence provider monitoring criminal markets for infostealer activity. It cannot be generated from internal logs, however sophisticated the behavioral model.
The Solution: External Infostealer Intelligence at the Authentication Layer
The bank integrated Constella’s Identity Intelligence API and infostealer monitoring into its real-time authentication pipeline. The integration operated in two distinct modes that addressed both proactive and reactive fraud prevention:
- Real-Time Pre-Authentication Enrichment: For every login event, the bank’s authentication system queried Constella’s API with the account’s associated email address. Constella returned a risk signal indicating whether that identity had appeared in recent breach or infostealer activity, and specifically whether session data associated with the bank’s mobile domain had been captured in a recent infostealer package. This signal was added to the behavioral model’s risk scoring before the authentication decision was finalized. Accounts with a current, verified Constella infostealer flag were routed to step-up verification before any payment action was permitted.
- Continuous Background Monitoring: Constella’s monitoring ran continuously against the bank’s full account holder population, generating proactive alerts when any monitored email appeared in a newly ingested infostealer package. When a monitoring alert was triggered, the associated account was placed in an elevated-risk state, meaning the next authentication event would automatically trigger step-up verification regardless of whether the login’s behavioral signals were anomalous. This proactive mode caught accounts before an attacker attempted to use the stolen session.
The infostealer-specific signal quality was the critical differentiator. Constella’s infostealer alert payload included the specific URLs for which session data had been captured, the infected device’s hardware metadata, and the malware strain responsible for the harvest. When the bank’s mobile domain URL appeared in a Constella alert’s session capture inventory, the fraud team had high-confidence, specific evidence that the account was actively compromised, not an anomaly that might or might not indicate fraud.
The Result: 41% Reduction in Payment Fraud Losses
In the first full quarter following the Constella integration, the bank’s fraud operations team recorded the following outcomes:
- 41% reduction in payment fraud losses attributable to infostealer-sourced session replay. The reduction was directly traceable to the step-up verification challenges triggered by Constella’s infostealer flags: attackers replaying stolen session cookies could not complete step-up verification, terminating the fraud attempt at the authentication layer before any payment was authorized.
- 94% attacker drop-off rate on step-up verification challenges sent to Constella-flagged accounts. Legitimate customers whose devices had been genuinely compromised completed re-authentication and were explicitly notified of the infostealer exposure, enabling them to remediate their devices and rotate credentials.
- Extended deployment to wire transfer authorization: following the initial integration success, the bank extended Constella’s infostealer monitoring to cover wire transfer authorization events as a second phase, applying the same external risk signal to the highest-value transaction category.
- Fraud investigation efficiency improvement: the Constella alert payload, including malware strain attribution and URL-specific session capture inventory, provided fraud investigators with immediate, high-confidence context for SAR filing and law enforcement referral, replacing manual OSINT workflows that had previously required hours per confirmed fraud event.
A secondary observation from the deployment: the step-up verification challenges sent to legitimately compromised accounts generated a measurable response in account security engagement. Account holders notified of an infostealer exposure were significantly more likely to enable additional security features, update recovery credentials, and engage with the bank’s fraud support team. The Constella integration functioned not only as a fraud prevention control but as a customer trust and retention mechanism.
Key Outcomes:
- 41% reduction in payment fraud losses from infostealer-sourced session replay attacks
- 94% attacker drop-off rate on step-up verification challenges triggered by Constella infostealer flags
- Proactive account monitoring enabled pre-attack remediation for accounts flagged before attacker access
- Integration extended to wire transfer authorization as a second deployment phase
- Fraud investigation timelines reduced through Constella-sourced malware attribution and session capture context
Step-up verification is triggered only for accounts where Constella has confirmed a current, verified infostealer exposure. The legitimate account holder whose device was infected will typically complete step-up successfully because they have access to their real recovery phone or authentication app. An attacker replaying a stolen session cookie has none of these: they possess only the cookie, not the underlying recovery credentials. The step-up challenge effectively requires something the attacker cannot possess.
Real-time authentication enrichment queries Constella at the moment of a login event, adding the external risk signal to the decision made during that specific session. Continuous background monitoring runs independently of login events, generating proactive alerts whenever a monitored email appears in a newly ingested infostealer package. The background monitoring mode catches compromised accounts before an attacker attempts to use the stolen session, enabling the bank to place the account in an elevated-risk state prior to any attack attempt. Together, the two modes cover both the proactive prevention window and the real-time detection window.
When a Constella flag triggers step-up verification and the account holder completes it successfully, they are notified that their account credentials were found in an external infostealer exposure. The notification specifies that the exposure occurred on an external platform, not within the bank, and provides guidance on securing the affected device and rotating credentials across other services using the same email or password. This notification is specific and credible, which significantly improves the account holder’s engagement with the remediation guidance compared to generic security notices.
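As an added example (my code, not the bank's pipeline and not Constella's API), the following sketches the two modes from the Solution section, Real-Time Pre-Authentication Enrichment and Continuous Background Monitoring, together with the step-up outcome and exposure notification just described. The intelligence feed and its record fields, the bank's domain, the freshness window, the behavioral threshold and the sample identities are all assumptions; the real vendor API and schema are not on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed placeholder for the bank's mobile domain (not the real bank's).
BANK_DOMAIN = "app.example-neobank.test"
# Assumed policy: an exposure older than this no longer counts as "current".
FLAG_MAX_AGE = timedelta(days=30)
# Assumed policy: a behavioral risk score at or above this triggers step-up on its own.
BEHAVIORAL_STEP_UP = 0.8
# Fixed "now" so the scenario is reproducible.
NOW = datetime(2024, 3, 10)


@dataclass
class ExposureRecord:
    """One infostealer exposure. Field names are assumptions, not a real vendor schema."""
    email: str
    observed_at: datetime
    captured_urls: list
    malware_family: str


# Constructed sample intelligence feed; none of these are real identities or samples.
INTEL = {
    # Current, and the capture inventory includes the bank's own domain.
    "alice@example.test": [ExposureRecord(
        "alice@example.test", datetime(2024, 3, 1),
        ["https://app.example-neobank.test/login", "https://mail.example.test/"],
        "stealer-family-placeholder")],
    # Stale: captured a bank session, but far outside the freshness window.
    "bob@example.test": [ExposureRecord(
        "bob@example.test", datetime(2023, 1, 1),
        ["https://app.example-neobank.test/login"], "stealer-family-placeholder")],
    # Current, but no session for the bank's domain: exposed elsewhere only.
    "carol@example.test": [ExposureRecord(
        "carol@example.test", datetime(2024, 3, 2),
        ["https://shop.example.test/"], "stealer-family-placeholder")],
}


def lookup_exposure(email, now, intel=INTEL):
    """Stand-in for the external intelligence query (hypothetical interface).
    Returns the newest current record whose capture inventory includes the
    bank's domain, or None. Exposure elsewhere alone does not produce a flag."""
    hits = [r for r in intel.get(email, [])
            if now - r.observed_at <= FLAG_MAX_AGE
            and any(BANK_DOMAIN in u for u in r.captured_urls)]
    return max(hits, key=lambda r: r.observed_at) if hits else None


class AuthPipeline:
    def __init__(self, now):
        self.now = now
        self.elevated = {}  # email -> reason, set by background monitoring
        self.cleared = {}   # email -> observed_at of the exposure the holder last re-verified against

    def background_monitor(self, emails):
        """Mode 2: sweep the account population and mark exposed accounts
        elevated-risk before any login attempt arrives."""
        for email in emails:
            rec = lookup_exposure(email, self.now)
            if rec and self.cleared.get(email) != rec.observed_at:
                self.elevated[email] = f"exposure:{rec.malware_family}"
        return dict(self.elevated)

    def decide(self, email, behavioral_score):
        """Mode 1: per-login decision. The external flag overrides a clean behavioral
        score, which is exactly what a replayed session presents."""
        if email in self.elevated:
            return {"action": "step_up", "reason": self.elevated[email]}
        rec = lookup_exposure(email, self.now)
        if rec and self.cleared.get(email) != rec.observed_at:
            return {"action": "step_up", "reason": f"exposure:{rec.malware_family}"}
        if behavioral_score >= BEHAVIORAL_STEP_UP:
            return {"action": "step_up", "reason": "behavioral"}
        return {"action": "allow", "reason": "clean"}

    def complete_step_up(self, email, passed):
        """Outcome of the challenge: the real holder clears the elevated state and is
        told about the exposure; a cookie without the recovery factors is denied."""
        if not passed:
            return {"action": "deny", "notify_exposure": False}
        rec = lookup_exposure(email, self.now)
        self.elevated.pop(email, None)
        if rec:
            self.cleared[email] = rec.observed_at  # a newer exposure would flag again
        return {"action": "allow", "notify_exposure": rec is not None}


if __name__ == "__main__":
    p = AuthPipeline(NOW)
    print("replayed alice session, clean behavior:", p.decide("alice@example.test", 0.1))
    print("background sweep:", p.background_monitor(INTEL.keys()))
    print("alice passes step-up:", p.complete_step_up("alice@example.test", True))
    print("alice next login:", p.decide("alice@example.test", 0.1))
```

The design choice worth noting is the `cleared` record: after the real holder passes step-up and is notified, the same exposure does not challenge them on every subsequent login, but a newer record for the bank's domain (a later `observed_at`) does, since the check compares against the specific exposure that was re-verified.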
Infostealer-driven payment fraud is structurally resistant to behavioral detection because infostealers generate sessions that are behaviorally identical to legitimate ones. Solving this problem requires external intelligence that exists outside the bank’s own logs: knowledge of what has happened to account holder identities in criminal markets and infostealer ecosystems.
For this neobank, Constella provided that external intelligence layer, reducing payment fraud losses by 41% without adding friction for the legitimate customer population and converting fraud incidents into account security engagement opportunities. That outcome was not achievable through behavioral model refinement alone. It required knowing what the behavioral model could not see.