How Starbucks Combats Account Takeover (ATO)
Account Takeovers (ATOs) and credential stuffing represent a huge threat to the retail industry. In fact, they pose major problems for any vertical in which customers tend to reuse passwords for multiple accounts. Password reuse makes compromised credentials even more valuable to cyber criminals.
Starbucks recognized this threat more than four years ago, before it was well understood by the industry at large. As Starbucks Director of InfoSec Mike Hughes said in a recent Shape Security webcast, “We started to put eyes on the issue in 2013, looking at it holistically as a problem for the industry and, as a member of the industry, something we would be facing and dealing with.”
Traditional Approaches Fail to Stop ATO
Before 2014, Starbucks relied on traditional security approaches such as throttle rate limits, web application firewalls (WAFs) and IP blocking via CDN bolt-on solutions. None of these worked against persistent and highly sophisticated credential-stuffing attacks. “We had short periods of small efficacy,” said Hughes, “but then came the retooling [by the attackers], and we wouldn’t be able to contain the attack for more than eight to ten hours.” The result was a Whack-A-Mole situation, with a new attack cropping up the moment the old one was blocked.
Shape Enterprise Defense contained the attackers decisively, said Hughes.”We were able to put blocks in place that had a lasting effect.”
Fighting Sophisticated Hackers Takes Total Focus
Shape’s total focus on security is key to its long-term efficacy, Hughes said. He characterized the blocking of bots as “a data analytics problem that needs to be addressed continuously, not a milestone where you achieve protection and then you’re done.” In Hughes’ view, the bolt-on solutions of CDN providers are not sufficient, because “their primary investment structures are around the CDN, not security.” Purpose-built solutions, like Shape’s, have the requisite focus.
Another differentiator for Shape is its advanced signal collection and analysis, which is necessary to deal with today’s hard-to-detect attacks. “If we look back to 2013 or 2014, we saw very bursty attacks,” said Hughes. “They had all sorts of flags. Now, the effort criminals will go to use a headless browser with tools such as PhantomJS to mimic signal telemetry is incredible. They are getting very advanced at masking.”
He also pointed out the value of Shape’s customer base, which includes banking and other verticals beyond retail — enabling Shape to train its ML models with the most advanced attack dataset and create higher efficacy countermeasures. “The broader footprint of other verticals that you can apply back to the data creates more efficacy. When you take a financial institution’s attack profile and risk surface for ATO and train the model against the one for retailers, you’re actually enhancing [your efforts] in a way that you can’t with a simple algorithm.”
With Shape’s Blackfish, Starbucks Can Identify Compromised Credentials
By adding Shape’s Blackfish product, Starbucks further bolstered its security posture. Through patented technology, Blackfish stores mathematical representations of known compromised credentials (not the credentials themselves) obtained from its extensive customer network. It can therefore identify compromised credentials in near real time, even before a breach has been discovered. This collective defense against fraud gives Starbucks customers proactive protection from the threat of an ATO.
“Blackfish gives us the ability to remediate customer issues before the customer experiences them,” said Hughes. “It’s a proactive approach to taking care of security and the customer.” When Starbucks becomes aware of a problem, it notifies customers and suggests an immediate password reset.
Securing Benefits Beyond Security
In addition to sustained efficacy in the real-time blocking of attacks, Hughes cited two other important Shape benefits. One was ease of deployment.
“There was zero effort required from the development teams to place the solution inline,” said Hughes, “and very little effort required from the infrastructure and data center teams. When you can go from no data transiting the devices to full block in less than two weeks, that’s a win. I have no other vendors who can get there that quickly.”
“I have no other vendors who can get there that quickly.”
A second benefit was reduced infrastructure load. “Looking holistically across retail, upwards of ninety percent of login activity is non-human bot traffic. That means you’re creating tremendous amounts of load. Blocking that means a significant ease on the infrastructure.”
Fraud Isn’t Going Away
The risk of cybercrime and internet fraud has become a fact of life for every transaction involving the internet, and there’s no end in sight. As Hughes put it, “The barrier to entry is so low, the return is so high and the risk of being caught is so low, this isn’t going away.” Starbucks is engaged in a long-term battle to block bots, ATO and credential stuffing attacks — and Shape plans to be there every step of the way.
Originally published at blog.shapesecurity.com on June 28, 2018.
