As online marketplaces grow, they become increasingly enticing targets for cybercrime, which often uses credential stuffing and other tactics to take over legitimate user accounts for use in fraud.
Poshmark has partnered with Cequence Security to stop the automated bot attacks, delivered through its APIs, that were compromising the security and safety of the site.
Increased Account Takeover Attempts Alongside Rapid Growth
Poshmark’s security team noticed an increase in the variety of new automated account takeover (ATO) attacks that used credential stuffing to compromise the accounts of their users. They saw this increase in attacks across both their web and API applications, neither of which had any API protection to detect and block these types of automated attacks.
Traditional Methods Disrupted User Experience
To identify and block suspected automated attacks, the security team had enabled a CAPTCHA challenge that not only disrupted the user experience, but also created friction for user sign-up and login.
They were looking for a security solution that could block automated fraud attacks while improving the experience for buyers and sellers. Cequence partnered with the online retailer to deploy the Cequence Unified API Protection (UAP) solution.
Working with Cequence, the security team set out to deliver the following:
- Inline Blocking: Real-time blocking of all malicious bot traffic, ensuring that only real user traffic reaches the application, with a very low false positive rate.
- Eliminate CAPTCHA: No longer rely on CAPTCHA as the primary way to identify bot activity.
The marketplace needed a solution that would block the malicious activity without interfering with the legitimate user experience.
Security Transformation in a Matter of Days
After implementing Cequence Unified API Protection, they were able to block malicious bot traffic in real time before it reached their application. This enabled Poshmark to streamline the user experience and ensure that only legitimate users were on their platform.
Poshmark was now able to do the following:
- Inline Blocking: Real-time blocking of malicious bot traffic, ensuring that only legitimate user traffic reached their mission-critical applications.
- Fake Account Prevention: Blocked fake account creation used to conduct malicious activity across its mobile and web sites.
- Stopped Downstream Impact: By blocking ATO attacks and malicious user sign-ups, they were able to significantly reduce downstream impacts on reliability and uptime, and to reduce fraud.
- Real Comments: Ensure that all new comments on listed items were from real users and not fake comments from automated bots.
- User Experience: An improved user experience, only delivering CAPTCHA challenges for suspicious traffic to prevent bot activity.
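As an added illustration of the outcomes above (not Cequence's product logic and not code from the case study), the following scores constructed login log lines per source: a credential-stuffing pattern is blocked inline, a few failures against one account earn a CAPTCHA challenge, and everything else passes with no friction. The log format, thresholds, and IP addresses are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login events (not real traffic): "<seq> <source_ip> <username> <result>"
LOG_LINES = """\
1 203.0.113.7 alice fail
2 203.0.113.7 bob fail
3 203.0.113.7 carol fail
4 203.0.113.7 dave fail
5 203.0.113.7 erin fail
6 203.0.113.7 frank success
7 198.51.100.9 gina success
8 198.51.100.9 gina fail
9 198.51.100.9 gina success
10 192.0.2.4 hank fail
11 192.0.2.4 hank fail
12 192.0.2.4 hank success
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_log(text: str) -> dict:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        _seq, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "fail":
            s.failures += 1
    return stats


def classify_source(s: SourceStats, min_attempts=5, min_users=4, fail_ratio=0.6) -> str:
    """Return 'block', 'challenge' or 'allow' for one source (thresholds are assumptions)."""
    ratio = s.failures / s.attempts if s.attempts else 0.0
    # Credential stuffing signature: one source spraying many distinct accounts, mostly failing.
    if s.attempts >= min_attempts and len(s.usernames) >= min_users and ratio >= fail_ratio:
        return "block"
    # Repeated failures on a single account look like a mistyped password: challenge, don't block.
    if s.failures >= 2:
        return "challenge"
    return "allow"


def decisions(text: str) -> dict:
    """Map each source IP in the log to its inline decision."""
    return {ip: classify_source(s) for ip, s in parse_log(text).items()}
```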
According to the case study from Cequence, the Poshmark security team reduced cancellations of sold items that were the result of fake listings generated by malicious activity.
They were also able to reduce the impact of CAPTCHA challenges by 99.3%, no longer requiring a challenge for most logins, and were able to block over 609,000 attempted ATO attacks, saving an estimated $2,192,400 in potential account losses.
Account takeover fraud is certainly not unique to Poshmark; most of the major online marketplaces are targets for these bad actors.
But in my experience, it is rare to see the level of transparency Poshmark and Cequence have shown in this case study.
Kudos to Poshmark for taking the problem seriously, engaging with experts to address the issue and being transparent about the challenges they face to keep the marketplace safe and secure for all users!