Introduction
This is the first of a series of reports tracking the amount of unwanted automation observed against F5 bot defense customers in different industries. Data used in this report is from customers around the world but is heavily skewed towards North American customers. This report is meant to provide an overview of the amount of credential stuffing and other unwanted automation targeting various industries. The report also includes the tracking of long-term automation trends for each of these industries. Such long-term trend data is helpful for security teams in the various industries as they protect their applications. Security practitioners can tell whether their experience is in line with peers in their industry, as well as identify ways in which they can improve their security posture to make their organizations less attractive targets for unwanted automation.
This initial report is focused on the first half of 2023 with deep dives into particular industries and flows. A flow is defined as an application or API function e.g. Login, Sign Up, Search, Shop etc. These are functions that a given endpoint allows users to perform. The report is not meant to be a comprehensive review of all flows across all industries, but aims to cover the most common industries and flows. Over time the list of industries and flows may be adjusted in response to audience feedback, so please feel free to reach out should you like to see specific data added to this report.
Automation Overview
Below we will look at unwanted automation from the standpoint of industry targeting, platform targeting (web vs mobile), and function (or flow) targeting, such as login or checkout.
Automation by Industry
Figure 1 below gives an overview of the average proportion of unwanted Web and Mobile API automation observed for the first half of 2023 across 13 industry verticals. Overall, automation levels ranged from 0.1% Mobile API automation on Insurance companies to 44.6% against the Telecoms industry’s Mobile APIs.
The difference between levels of automation on Web vs Mobile is a bit harder to explain. Some industries see higher levels of Web automation while others see higher levels on Mobile. The trend we are seeing has been an increasing proportion of automated attacks coming via the Mobile channel over time. This trend continues even in industries where the majority of attacks are still on Web. As more industries adopt modern application architectures and move towards APIs, we expect this trend to continue as APIs are more structured and easier for attackers to work with.
Though there are fluctuations from month to month (as shown in Figure 2 below), there are some strong patterns in the proportion of unwanted automation by industry. There are several factors that affect how much automation we see on a given enterprise and by aggregation in a given industry:
- Value – What is the payout of using automation against the given enterprise? What kinds of money, stored credit cards, gift cards, miles, points, discounts, services etc. can be stolen from hacked accounts? i.e. what is the payout of success?
- Security – How well defended are enterprises in this sector? Do they have large security budgets and teams? How long will it take for fraudulent activities to be detected i.e. what is the probability of success?
- Risk – what is the probability of being identified and what are the consequences if identified?
- Deterrence (length of protection) – How long have strong defenses been in place? Have existing anti-bot defenses successfully mitigated and deterred attackers? (New Bot Defense customers tend to have higher automation percentages than those that have been protected for longer. The mix of new and old customers in each industry may also impact the industry automation overview in Figure 1, though this impact will decrease over time.)
Using this simple factor list, we can explain why the Telecoms industry is the most attacked: the value of the payout from taking over an account is very high. Telecomsaccounts allow hackers to steal new phone upgrades and get brand new smart phones. They can also take over and port phone numbers to other devices, circumventing phone based 2FA used by banks and other high value targets. This makes Telecoms companies very desirable targets, even if they have very large security budgets and teams. Given the consolidation in the Telecoms industry, the match rate of stolen credentials is bound to be high as most adults have a Telecoms account with one of a handful of providers, compared to the tens of thousands of credit unions.
On the other end of the percentage automation spectrum are credit unions. These tend to have smaller user bases and smaller average account balances than some of the larger banks. The probability of matching a list of stolen credentials against a small 50 thousand member credit union is much lower than matching against a 50 million customer international bank. Not only is the probability of credential matches higher with larger banks, but the value sitting in the accounts is also higher. This makes credit unions smaller targets despite the perception that they are likely to have weaker security, smaller budgets and security teams. Contrary to this perception, credit unions typically outsource a lot of services including security to larger organizations that use their scale to bring best in class security to what would otherwise be small and poorly secured credit unions. This combination of low value, low probability of success and outsourced security makes credit unions a less desirable target for bots.
Industry Trend Analysis
Industries see meaningful variation in unwanted automation rates. Below we will go deeper into some of the findings shown above to better understand different industries’ experiences over the last six months.
Web
Figure 2 below gives the June year to date (YTD) trend in Web automation (%) for the 13 industries highlighted in Figure 1 above. The image legend is sorted from highest to lowest automation (%) based on June 2023 numbers for ease of reference.