Protecting financial institutions from brute-force attacks

We examine the problem, of protecting online banking accounts from password brute-forcing attacks. Our method is to create a large number of honeypot userID-password, pairs. Presentation of any of these honeypot credentials causes the attacker to be logged into a honeypot account with fictitious attributes. For the attacker to tell the difference between a honeypot and a real account lie must attempt to transfer money out. We show that is simple to ensure that a brute-force attacker will encounter hundreds or even. thousands of honeypot accounts for every real break-in. His activity in the honeypots provides the data by which the bank learns the attackers attempts to tell real from honeypot accounts, and his cash. out strategy.