An AI approach to bot attacks on payment systems
The massive number of fraudulent bot attacks on the payments ecosystem and financial services is compounded by the fact that many current data protection tools are not designed to detect this automated crime network.
The rise in bot attacks and defenses designed to stop them have been well documented by fraud researchers, most noting that nearly 2 billion attacks are unfolding annually and that as much as 90 percent of a retailer's web traffic can potentially be from bot activity.
Cequence aims to combat the onslaught of bots through delivery of an artificial intelligence-based protection platform. The Cequence Application Security Platform works to halt potential damage via a module that monitors the millions of bot attacks that can occur daily on one organization, providing a deep analysis of the intent of the website or mobile app visitor.
"We have built an AI powered engine that correlates a lot of different variables on this action between the bad guy on one side and the application server on the other side," said Franklyn Jones, chief marketing officer at Sunnyvale, Calif.-based Cequence.
Automated bots essentially act as a viable user seeking entry onto a web page or a mobile app or any account authorizing through a standard username and password. The prolific growth of bot attacks has come about essentially because criminals have found it an easy way to automate millions of attacks after easily obtaining stolen username and password credentials off the dark web and also purchasing the tools needed to initiate those attacks.
They generally go after "hyperconnected" targets, or those forward-looking organizations that have digital connections to buyers and suppliers, or numerous external log-in pages, or API services.
"Most of the time, it is as simple as a user going to a social media or retailer web page with stolen credentials, appearing as a legitimate user and they have access to everything," Jones said. "They have millions of these credentials and test them on other sites, because they know people use the same passwords for numerous sites."
In speaking to more than 200 highly digitized organizations about the damage malicious bots can afflict, Cequence found that app-level distributed denial of service, account takeover, fake accounts, click fraud and API abuse were top problems. Others included denial of inventory, content scraping, gift card theft, aggregator abuse and reputation abuse.
Security products to thwart bots have been on the market for some time, and network providers continue to add tools, said Paula Musich, research director of security and risk management for Enterprise Management Associates Inc. "But these have limitations that Cequence is trying to address."
Web application firewalls have to react quickly to threats, but they "don't really anticipate new types of threats that haven't been seen before, and they can't ascertain the intent of an attacker," Musich said.
Cequence's claim that its product does not require any changes to the web application code is significant, Musich added.
"It also is using artificial intelligence to look more holistically at a range of behaviors to determine whether suspicious activity is associated with an attack executed by a bot network and determine what the attacker is trying to do," she said.
Cequence is not the first company to apply AI or machine learning to detect web application-level attacks, Musich added. "But they are somewhat unique in applying bot defense plus enabling WAF mitigation."
The software operates alongside other systems and fraud prevention tools and can be deployed in the cloud, on-site or in remote offices.
"We spot the attack, tell the firewall that we have figured out the source of the attack and to just block it in the future," Jones said. "And it does."