
Q2: How F5 Helps Protect Our Financial Services Platform

F5 Newsroom Staff
Published March 28, 2025

Texas-based Q2 is a leading provider of digital banking solutions for international financial service and fintech organizations. In 2024, more than $3.4 trillion in transactions passed through the Q2 platform. We recently interviewed Lou Senko, Chief Availability Officer at Q2, to find out how F5 Distributed Cloud Bot Defense and other F5 solutions have helped the company cut malicious automation without impacting the user experience.

Q: Tell us about Q2 and the challenges the company has faced from automated bot attacks.

Senko: Q2 serves more than 1,200 financial institutions around the world, including over 40% of the 100 largest U.S. banks and about the same percentage of the nation’s top credit unions. Our services reach some 37 million consumers and commercial account holders.

Our platform handles over 40 million transactions per month, and that volume provides a large potential attack surface for the bad guys. When we first deployed F5 Distributed Cloud Bot Defense in 2020, the automated malicious traffic load on the Q2 system was more than 4 million sessions per hour. In addition, we were experiencing half a million login attempts a month, and 82% of these were credential stuffing attacks, which often were precursors to fraud attempts.

Q: What was the impact of deploying Distributed Cloud Bot Defense? 

Senko: We began deploying Distributed Cloud Bot Defense in 2020, and automated traffic, both legitimate and malicious, dropped from a high of 88% of all infrastructure traffic to 3% by 2022. Today, it’s less than 1%. Distributed Cloud Bot Defense now blocks nearly 40 billion suspicious sessions a year, which means that 70,000 potentially malicious sessions a minute are blocked before reaching our infrastructure. We’ve also found that the duration of malicious attacks has dropped 11 times. Once attackers realize that Q2 is defended, they move on to different, easier targets. 

Q: What other benefits has Distributed Cloud Bot Defense provided to Q2? 

Senko: Stopping bots from reaching our infrastructure is just the beginning. Q2 cares a great deal about the quality of the user experience, and that often correlates to system uptime. But uptime is not just keeping the system up and running. It’s also making sure that users can log in and have an incredible experience and do their business without friction or slowdowns. 

Automated attacks, although not resulting in a breach, can hinder those transactions. We were defending against millions of log-in attempts that weren’t real people, and sometimes the user experience dragged, as components became unavailable when they were overwhelmed facing unnatural loads. With Distributed Cloud Bot Defense deployed in front of our infrastructure, that automated activity doesn’t reach our services. The user experience is no longer impacted by all that noise.

Q: What other initiatives has F5 made possible?

Senko: With F5 Distributed Cloud Data Intelligence, we are able to offer customers hyper-personalized experiences. Our product now has the capability to learn what individual customers do on the platform, and then tries to predict what they will do next. So, my experience logging in to the platform will be different than yours, based on how we both use the product. The users’ behaviors and traits allow us to make some predictions: Are they close to retirement? Do they have kids in college? Do they need a new car? This allows financial institutions to offer new and differentiated services to users based on their behaviors and traits.

The ability to personalize also helps us detect fraud, which is exploding for our customers, up 14% over last year, reaching over $10 billion, according to the Federal Trade Commission. We know how individual users usually interact on the platform, and if they behave in ways that aren’t normal, we can signal that transaction for scrutiny. With the information we receive from Distributed Cloud Data Intelligence, we can incorporate those signals into our intelligence and start blocking sessions from the log-in attempt to prevent fraudulent activity at the very beginning of that user journey, right at our front door.

Q: Q2 is migrating from on-premises data centers and hybrid clouds to public cloud infrastructure for its banking services. Has F5 played a role in this change?

Senko: About two years ago we made the decision to move out of our distributed cloud footprint, anchored with private data centers underpinning the public cloud, to full-on multi-public cloud. This involved migrating 12,000 servers and hundreds of thousands of workloads to 400,000 containers in the public cloud over the course of three years, all without disruption to our customers. 

Distributed Cloud Bot Defense has provided complete protection during the migration, no matter where the workloads were hosted. F5 was “Johnny on the spot,” helping us to minimize the impact of the change for customers. At Q2, we feel that F5 is woven into our products and services. It’s become a customer expectation. F5 is one of our key partnerships.  

To learn more about how F5 is helping Q2 protect its financial services infrastructure, check out the full customer story.