USE CASE

F5 Distributed Cloud Bot Defense for Salesforce Commerce Cloud Security

CHALLENGES

  • E-commerce sites are continually exposed to cyberattacks
  • Fraud takes all forms, including account takeover (ATO), credential stuffing attacks, checkout abuse, web scraping, denial of inventory, and more
  • For cybercriminals, e-commerce targets can be lucrative; losses to payment fraud alone are projected to surpass $20 billion annually
  • Attackers commonly move across all channels (web and mobile); a reliable security solution must do the same

BENEFITS

  • Slash fraud and abuse
  • Prevent reputational damage
  • Remove friction from the user experience
  • Improve application performance and uptime
  • Increase security

E-commerce Sites: Three Critical Areas to Safeguard

The F5 cartridge for Salesforce Commerce Cloud (SFCC) is the integration module that connects SFCC Platform and Distributed Cloud Bot Defense. It sends selected telemetry to Distributed Cloud Bot Defense, receives inference responses, and performs mitigation. The solution and its benefits are designed to protect eCommerce websites from a range of attacks, including:

  • Account Takeover: Stops fraudsters from rapid-fire testing millions of stolen credentials against your login applications, eliminating fraudulent traffic before they have a chance to take over your customer’s accounts.
  • Checkout Abuse: Also known as Denial of Inventory. Bot attacks can be targeted at online checkouts, where they add several products to the cart, depleting the available products in an attempt to deliver an advantage to another retailer, while also frustrating your legitimate customers.
  • Web Scraping: Product information and pricing is often a source of competitive advantage. Control how automated scrapers and aggregators harvest data from your website in order to protect sensitive data.

Distributed Cloud Bot Defense protects against these and other nefarious tactics identified by the Open Web Application Security Project® (OWASP), a nonprofit foundation that works to improve the security of software. 

E-commerce websites are easier than ever to create and deploy. Unfortunately, e-commerce sites are also more attractive than ever for cybercriminals to target with an ever-changing array of threats, most of which are bot attacks. The good news is that F5 Distributed Cloud Bot Defense, the industry-leading solution used by the world's leading retailers—large, medium, or small—is now available on Salesforce Commerce Cloud LINK Marketplace.

Data from the US Federal Trade Commission (FTC) shows that the agency received more than 2.1 million fraud reports from consumers in 2020. Throughout those reports, imposter scams were the most commonly cited category of fraud, followed by online shopping. In all, consumers reported losing more than $3.3 billion, up from $1.8 billion in 2019. Nearly $1.2 billion of the 2020 losses were from imposter scams, while online shopping accounted for about $246 million in losses. And those are just the ones that were reported to the FTC.

In addition to protecting customers, e-commerce operators also need to protect themselves—from account takeover (ATO), intellectual property theft, sensitive data exposure, checkout abuse, and much, much more as the list of threats grows every day.

Salesforce Commerce Cloud (SFCC)

When it comes to enabling B2C and B2B commerce for businesses of all sizes, Salesforce Commerce Cloud (SFCC) is helping thousands of businesses transact with their customers via a cloud-based platform that “empowers brands to create intelligent, unified buying experiences across all channels—mobile, social, web, and store.”

SFCC reports that its platform processes $21 billion in gross merchandise value annually and supports more than half a billion individual shopper site visits each month. All this activity is happening across large and small companies alike; but no matter the size of the retailer, Distributed Cloud Bot Defense for Salesforce Commerce Cloud delivers bot protection solutions that defend the world’s largest retailers, banks, and airlines.

Distributed Cloud Bot Defense for Malicious Bot Protection on Salesforce Commerce Cloud

Regardless of the platform on which a company’s e-commerce channels are deployed, it’s not unusual for 90 percent or more of daily log-in attempts to be from non-human visitors—i.e., bot-based traffic. In the case of bot-attack traffic, these bots simply cycle through the millions and millions of stolen and leaked credentials that are already in the wild, one after another, over and over, throwing username and password combinations at your e-commerce platform and hoping for even a tiny fraction to make it through



It’s a process known as credential stuffing and it can be costly. All those automated login attempts are a constant, steady drain on bandwidth and application resources. Things can go from bad to worse if one of those bots is able to log in with stolen credentials leading to account takeover (ATO).

F5 offers an innovative service that identifies all manner of harmful, bot-driven network traffic and blocks it before it becomes a drain on your resources (or worse). Distributed Cloud Bot Defense is perfectly suited to protect e-commerce platforms since it is quickly and easily integrated into Salesforce Commerce Cloud (SFCC) via F5's certified cartridge only for SFCC.

Distributed Cloud Bot Defense protects web, mobile applications, and API endpoints from sophisticated attacks that would otherwise result in largescale fraud. It determines in real time if an application request is from a fraudulent source and then takes an enterprise-specified action, such as blocking, redirecting, or flagging the request.

Distributed Cloud Bot Defense stands out in the industry because it relies on machine learning in conjunction with years of experience defending the world’s largest companies—meaning it has gathered vast quantities of highly detailed data from countless attempted attacks. With all this experience, Distributed Cloud Bot Defense has unparalleled expertise in not just identifying whether any given request was made by a bot or human, but whether the request was made with malicious or benign intent.

Deployment

There are two stages to a Distributed Cloud Bot Defense deployment: observation and mitigation. In the observation stage, Distributed Cloud Bot Defense collects advanced telemetry to inform and train the defense engine to detect attacks. These signals are collected via JavaScript on web applications and an SDK on native mobile applications.

The Distributed Cloud Bot Defense Engine is the decision-making component of any Distributed Cloud Bot Defense deployment and is key to the entire mitigation stage. It detects and mitigates automated transactions aimed at the e-commerce platform. To deflect fraudulent requests, it processes hundreds of signals to detect automation at the application, network, browser, and user levels.

Salesforce diagram

Powered by AI and ML, Distributed Cloud Bot Defense analyzes all transactions and scrutinizes every attack campaign to proactively recognize future attempts. When an attack campaign tries to bypass F5 by somehow retooling (typically by updating software or leveraging new proxies), Distributed Cloud Bot Defense is still able to identify the campaign based on hundreds of other signals. Most importantly, as soon as a new attack technique is observed on one customer, new countermeasures are automatically deployed, and details are shared so all other F5 customers are immediately inoculated as well.



Distributed Cloud Bot Defense operates instantly and unobtrusively. Any time the platform determines in real-time that an application request is from a fraudulent source, that source is immediately blocked—all without introducing ineffective friction (such as the need for multi-factor authentication, CAPTCHA, etc.) to legitimate human users. Distributed Cloud Bot Defense is provided as a managed service through F5’s certified cartridge on SFCC, which brings industry leading bot management and protection to all retailers–large, medium, or small. 

Summary: F5 Distributed Cloud Bot Defense is the solution you need for your Salesforce Commerce Cloud applications

E-commerce fraud is a real and growing threat from which B2C and B2B operators need to protect their customers—but those protections must not negatively impact the user experience for risk of losing those same customers. While Salesforce Commerce Cloud (SFCC) helps deploy and operate your end-to-end ecommerce experience, F5 Distributed Cloud Bot Defense is available to work behind the scenes to dramatically reduce exposure to automated, fraudulent bot attack traffic, and help ensure the security of your e-commerce related services by removing friction from the user experience.

For more information about Distributed Cloud Bot Defense, visit f5.com and download the cartridge from the SFCC Marketplace.

Learn more

Technology Alliance: F5 Distributed Cloud Bot Defense for Salesforce Commerce Cloud 
https://www.f5.com/partners/technology-alliances/salesforce-commerce-cloud

Lightboard Lesson: F5 Distributed Cloud Bot Defense for Salesforce Commerce Cloud
https://youtu.be/YZPdUSuUvko

DevCentral Articles:
1) https://community.f5.com/t5/technical-articles/f5-bot-defense-for-salesforce-commerce-cloud-protect-your-e/ta-p/287269
2) https://community.f5.com/t5/technical-articles/f5-bot-defense-for-salesforce-commerce-cloud-protect-your-e/ta-p/287284

Case Study: Retailer Solves Shoe-Bot Spikes, Fixes Fraud, Friction and Fake:
https://www.f5.com/customer-stories/retailer-solves-shoe-bot-spikes-fixes-fraud-friction-and-fake

Stop Fraud Without Friction: How to detect and defeat modern cyberattacks:
https://www.f5.com/resources/library/security/ecommerce

F5 Distributed Cloud Bot Defense solution overview:
https://www.f5.com/pdf/solution-profiles/f5-distributed-cloud-bot-defense-solution-overview.pdf

Copyright © 2022 F5, Inc. All rights reserved. The material posted on this Website, including but not limited to graphics, text, pictures, photographs, layout and the like ("Content"), are protected by United States Copyright law. Absolutely no Content of this web-site may be copied, reproduced, exchanged, transmitted, transferred, modified, uploaded, downloaded, published, sold or distributed without the prior written consent of F5 Networks, Inc.