January 10, 2019
As digital transactions continue to grow apace, customers store more and more personal information in online accounts, which makes account takeover a prime target for cybercriminals. Businesses have the unenviable task of protecting customer data while preserving the customer experience by keeping verification friction to a minimum. Cybercriminals use Bots (software applications that run automated tasks) to scale attacks on confidential data such as login and payment details, and Botnets (networks of connected Bots) run massive automated credential-testing sessions against fraud defenses, degrading the experience of legitimate customers still further.
A leading global retailer was using ThreatMetrix to protect its e-Commerce payment transactions against fraud. Although fraudulent payment transactions were well controlled, the retailer was recording very high daily traffic that appeared to come from Botnet attacks; in all likelihood these huge automated sessions were attempting customer logins. The retailer relied on a cloud-based Web Application Firewall (WAF) for login protection. The WAF could detect high-volume Distributed Denial of Service (DDoS) attacks but not low-frequency Bot attacks: slow password brute-forcing passed straight through, because such attacks are deliberately paced to stay below a WAF's rate thresholds, and the WAF technology in use did not profile the user's device and behavior.
Botnet attacks had been an ongoing problem for the retailer. Even though the attack volumes were huge, the retailer could not determine where the attacks originated: the Bots masked the underlying identity information reaching the retailer's authentication servers, which prevented the existing WAF from redirecting the traffic for profiling and properly characterizing each attack event.
With the peak shopping seasons approaching, the retailer needed to secure its customer login transactions at the same level as the payment transactions, creating a frictionless experience for trusted users.
Securing Customer Accounts through Accurate Detection of Botnet Attacks
The retailer expanded the ThreatMetrix deployment to cover the account login transactions. It recognized the importance of protecting not only personal account information, but also the online experience of its customers.
• Identifying Botnets
ThreatMetrix's account takeover solution provided immediate protection by identifying the cases in which event profiling was being limited by the existing WAF, which the low-volume Bot traffic was able to slip past. By analyzing these events, ThreatMetrix was quickly able to work with the existing provider to adjust its system so that the Botnet could no longer bypass profiling. This had the following benefits:
- Around a 50 percent reduction in Botnet attempts, with approximately 90 percent of all attacks blocked from the outset. The effectiveness of the solution will improve further as more traffic is analyzed and the rules are tuned to the retailer's business.
- Most of the redirection was accomplished with only a few rules within a robust ATO policy. The main rule monitored for "divergences": a single IP address attempting logins to multiple email accounts within a short period of time.
- The Digital Identity Network supplies information on historical attacks, giving a context-based assessment that identifies fraudulent trends and patterns.
• Good customer recognition
By layering ThreatMetrix technologies, the retailer was able to passively authenticate the digital identities of its customers across devices to identify returning customers without compromising their digital experience.
• Behavioral profiling and analytics
The Digital Identity Network continuously catalogs all activity related to a device, account or persona. This enables detection of low-volume, low-frequency attacks, even when they are distributed across many sources.
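The divergence rule described above (one IP address touching many accounts in a short window) and the low-volume, distributed case described here are both velocity rules over login events; they differ only in the grouping key and the length of the window. The Python below is an added illustration written for this page, not ThreatMetrix code. It runs both rules over a constructed login log with made-up IPs, accounts and device ids, using assumed thresholds: more than three distinct accounts from one IP within five minutes, and more than four distinct IP/device sources against one account within seven days.

```python
"""Velocity rules over login events (constructed example, not ThreatMetrix code):
 - per-IP "divergence": one IP hitting many distinct accounts in a short window
 - per-account distributed rule: many distinct sources against one account over
   a long window, catching low-and-slow attempts that stay under every per-IP limit
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log: "timestamp ip email device_id outcome".
# 198.51.100.4 is a legitimate shared gateway; 203.0.113.7 is a credential-stuffing
# bot; 192.0.2.11-15 are a slow, distributed attack against one account.
SAMPLE_LOG = """\
2019-01-08T09:00:01 198.51.100.4 alice@example.com dev-a1 ok
2019-01-08T09:42:10 198.51.100.4 bob@example.com dev-b2 ok
2019-01-08T10:15:00 203.0.113.7 user1@example.com dev-x9 fail
2019-01-08T10:15:12 203.0.113.7 user2@example.com dev-x9 fail
2019-01-08T10:15:25 203.0.113.7 user3@example.com dev-x9 fail
2019-01-08T10:15:40 203.0.113.7 user4@example.com dev-x9 fail
2019-01-08T10:15:58 203.0.113.7 victim@example.com dev-x9 fail
2019-01-08T22:10:00 192.0.2.11 victim@example.com dev-p1 fail
2019-01-09T03:30:00 192.0.2.12 victim@example.com dev-p2 fail
2019-01-09T14:05:00 192.0.2.13 victim@example.com dev-p3 fail
2019-01-10T01:45:00 192.0.2.14 victim@example.com dev-p4 fail
2019-01-10T19:20:00 192.0.2.15 victim@example.com dev-p5 fail
2019-01-10T20:00:00 198.51.100.4 alice@example.com dev-a1 ok
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, device, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "ip": ip,
            "email": email.lower(),
            "device": device,
            "outcome": outcome,  # kept for downstream scoring; rules below count all attempts
        })
    return sorted(events, key=lambda e: e["ts"])


def sliding_window_distinct(events, group_key, distinct_key, window, threshold):
    """Generic velocity rule. For each group (e.g. an IP) keep only the events inside
    `window` and track the peak number of distinct `distinct_key` values seen in any
    window. Returns {group: peak} for groups whose peak exceeds `threshold`."""
    recent = defaultdict(deque)   # group -> time-ordered deque of (ts, distinct value)
    peak = defaultdict(int)
    for e in events:
        g, d = group_key(e), distinct_key(e)
        q = recent[g]
        q.append((e["ts"], d))
        while e["ts"] - q[0][0] > window:   # expire events older than the window
            q.popleft()
        peak[g] = max(peak[g], len({v for _, v in q}))
    return {g: p for g, p in peak.items() if p > threshold}


def ip_divergence_alerts(events, window=timedelta(minutes=5), max_accounts=3):
    """The page's main ATO rule: one IP attempting many distinct accounts quickly.
    Thresholds are assumed values for this example."""
    return sliding_window_distinct(
        events, lambda e: e["ip"], lambda e: e["email"], window, max_accounts)


def distributed_account_alerts(events, window=timedelta(days=7), max_sources=4):
    """Per-account view over a long window: flags accounts targeted from many
    distinct (IP, device) sources even when each source stays under per-IP limits."""
    return sliding_window_distinct(
        events, lambda e: e["email"], lambda e: (e["ip"], e["device"]), window, max_sources)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("divergence alerts:", ip_divergence_alerts(evs))
    print("distributed alerts:", distributed_account_alerts(evs))
```

Running it flags 203.0.113.7 (five accounts in under a minute) under the divergence rule, while the shared gateway 198.51.100.4, whose two logins are forty minutes apart, is not flagged. The per-account rule is what catches the second attack: each of 192.0.2.11-15 makes a single attempt, so no per-IP rule fires, but victim@example.com accumulates six distinct sources in three days. The distinct-count-per-window shape is the same in both cases; only the key and window change, which is why a handful of rules can cover most of the traffic.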
• Global intelligence
Attackers are increasingly adopting strategies to stay below the detection threshold of individual businesses, but they invariably leave an identifiable global footprint. The ThreatMetrix Digital Identity Network processes billions of transactions for thousands of online businesses worldwide and is uniquely positioned to identify cross-industry, cross-business, cross-geography attack signatures.
• Application integrity
For mobile applications, ThreatMetrix provides an SDK that measures code integrity at runtime to identify reverse-engineered mobile apps and defeat credential stealing or app-embedded RATs (remote access trojans).
• Malware detection
ThreatMetrix technology scans mobile apps and the host OS for malware, including key loggers, Trojans, man-in-the-browser and man-in-the-middle attacks. In addition to signature analysis, ThreatMetrix uses functional testing, such as advanced page fingerprinting, to detect polymorphic malware that evades traditional signature-based approaches.