Global Dating Platform Defeats Account Takeovers

The Customer

A global online dating company that serves 35 million members in over 50 countries. The company is a market leader and its mobile app is one of the App Store’s top 50 grossing apps.

Global Dating Platform Defeats Account Takeovers

The Pain Point

The company was facing large-scale credential stuffing attacks in 2016. Credential stuffing is an attack in which bad actors take credentials that have been stolen from third parties and test them en masse via automation on the target site. Because users reuse passwords across online services, on average, 0.5%–2% of a credential list will be valid on a target site.

Bad actors were launching sophisticated credential stuffing attacks on both the website and mobile app, leading to numerous account takeovers. Once accounts were successfully taken over, attackers would conduct catfishing and spamming schemes. Not only did these attacks degrade user trust, but they also incurred a substantial cost for the customer service team.

The Decision

In 2016, the company evaluated a tool offered by its CDN provider to mitigate the unwanted automation against its web and mobile platforms. After two months of testing the tool, the security and fraud teams were left frustrated. The tool required internal resources to actively deal with every single automated attack, including researching and writing rules for individual activities. The amount of time and resources required to operate the tool was unsustainable and cost ineffective. Moreover, the tool only identified 20% of the automated credential stuffing activity on the dating website, rendering it inadequate.

When it was clear that the CDN-provided tool was not the right solution, the company contacted F5. It was specifically looking for a solution that could fulfill four critical requirements:

Global Dating Platform Defeats Account Takeovers

The Outcome

Once the company selected F5 Distributed Cloud Bot Defense, F5 began deployment within weeks. In monitoring mode, Distributed Cloud Bot Defense observed that, on average, 80% of all web traffic was automated. As soon as F5 initiated mitigation mode, the attacks were immediately blocked and prevented from reaching the origin server.

Global Dating Platform Defeats Account Takeovers

By successfully mitigating automated attacks, F5 has delivered value across the enterprise:

  • Security: F5's managed service has allowed the security team to focus on other security priorities.
  • Fraud: Now that Distributed Cloud Bot Defense is preventing a majority of account takeovers (ATOs) from occurring, the fraud team is able to dedicate its resources to detecting and preventing sophisticated manual fraud.
  • Customer Service: The reduction in ATOs has led to a decrease in customer service requests and upset users.
  • IT: Because automated traffic no longer reaches the origin server, the IT team only needs to handle 20% of the traffic it was handling before, reducing infrastructure costs. Furthermore, site latency decreased from 250 ms to 100 ms, improving site performance.

Challenges

As depicted in the traffic chart below, attackers behaved in typical fashion:

  • Accelerate Days 0-2: When first blocked, adversaries increase the volume of attack to attempt to break the new defense via brute force.
  • Retool Days 3-7: After a period of failure, they stop in order to retool their attack.
  • Return Day 8: The attackers return with a variant of their attack method that they deploy with full force.
  • Give-Up Days 9-10: The attackers quickly realize that the defense is impenetrable, and they move on to easier targets.

Download (PDF)