A Top 5 E-tailer Defeats Account Takeover and Carding Attacks with ShieldSquare
This multibillion-dollar e-tailer delivers customers special finds every day, all at incredible prices. They feature an always-fresh curated collection of products for kids and women, including clothing, home decor, toys, gifts and more.
The e-tailer’s brand is widely popular among women looking for great deals from a plethora of famous brands. However, for years, the e-tailer has been facing the wrath of bots attempting account takeover through a process known as ‘credential stuffing,’ whereby attackers deploy bots that continuously test login combinations purchased from the dark web, looking for instances of password/username reuse.
In this case, a successful account takeover meant the theft of prepaid gift cards and loyalty points, which would later be resold for cash. Security teams also suspected carding attempts because of a high number of failed payment authorizations. There was also the loss of sensitive user information, which would violate user privacy and put the brand in a bad light.
Despite having an internal solution, the e-tailer recognized that there was a tremendous surge in successful login attempts and these attempts spiked on certain days, mostly over the weekend.
The e-tailer’s team tried different firewall mechanisms and attempted to build an in-house solution based on user agents and IP-based rate limiting to block bots. Unfortunately, these tools were cumbersome, time-consuming and difficult to manage. Eventually, the team realized it was an arms race, and their solution ceased to work against ever-evolving attacks.
They chose ShieldSquare’s solution because of its advanced bot-detection capability, which includes device fingerprinting, collective bot intelligence and behavioral modeling, all of which are very difficult to build and maintain in-house. ShieldSquare was not the first solution they explored. They evaluated another solution that needed DNS traffic redirection, and they weren’t happy with the performance and efficiency of that approach. The e-tailer’s team liked ShieldSquare’s non-intrusive API-based solution and were happy to see that deployment took a few hours to complete.
"We took a hard look at vendor offerings in the bot mitigation space, compared them against our requirements, and ruled out several well-known names immediately. Those that were still in consideration were ruled out because they didn’t integrate with our technology stack, were not transparent about their capabilities and functionality, or were difficult to engage for a hands-on evaluation – all, that is, except ShieldSquare," said the Director of Security and Compliance.
The e-tailer also wanted to get deep insights into bot traffic before moving to active mode. With granular insights on bad and legitimate bot traffic, ShieldSquare uncovered that there were thousands of sophisticated account takeover and carding attacks. Comprehensive reporting of captchas "shown versus solved" helped the security team build confidence in the accuracy of the bot detection capabilities.
Within a week of deploying ShieldSquare, the jubilant Director of Security said: “Very cool to see the bots hit the dirt. I loved to see graphs go to 0 value.”
At the peak, the retailer’s web application is attacked by tens of thousands of new IPs that are used once and never again. The majority of the bots mimic human visitor behavior to bypass traditional defenses. The ShieldSquare system analyzes the traffic patterns and blocks the malicious bots before they cause any damage.
Benefits After ShieldSquare Roll-Out
1. Stopped credential stuffing activity in its tracks. This came as a breather to the e-tailer’s IT team, who were struggling hard with an internal solution that was not effective. They now have enough bandwidth to focus on other vital tasks that add business value.
2. Eliminated carding attempts and fraudulent transactions on the site, which resulted in reduced chargebacks and disputed transactions.
3. Stopped fraudsters from misusing referral programs.
4. A consistent decrease in the volume of bot activity pointed to the fact that the attackers are tired and gradually giving up.
5. ShieldSquare proved to be way more efficient than the internal solution, thereby realizing complete ROI and ensuring a thorough security perimeter.
6. The e-tailer’s requirements are met, adhering to all security policies without mandating any infrastructure changes.
AT A GLANCE
- Thousands of distributed account takeover attacks every day via credential stuffing
- Referral program frauds and carding attempts
- Most accurate bot detection solution for sophisticated attacks
- Non-intrusive API and JS Tag based solution with advanced detection capabilities such as user behavior modeling and device fingerprinting
- Highly scalable solution with capabilities to seamlessly handle peak traffic in holiday seasons
It has been nothing but a pleasure to work with ShieldSquare from the initial discovery conversations, through the evaluation and implementation phases. I couldn’t be more pleased with their product and support.
Security and Compliance
A Top E-tailer of US