Poq Protects Customer Mobile Apps From Credential Stuffing With DataDome
Poq is an app commerce company. Its SaaS platform enables retailers and brands to create beautiful, intuitive mobile apps that deliver joyful shopping experiences. Aggressive credential stuffing attacks exposed its customers to account takeover and fraud, threatened Poq’s reputation, and wasted a lot of time for the engineering team. By adding the DataDome solution at the platform level, Poq can now offer account takeover protection as a value-added service, and the team no longer needs to worry about bot-driven fraud.
The Problem: Aggressive Credential Stuffing Attacks
Poq offers a mobile application front end as-a-service to retailers and brands, enabling them to create a digital flagship experience for customers through mobile apps.
“We provide a customizable front end that enables retailers to provide the mobile app experiences that their customers demand, and an API layer that integrates with their e-commerce system,” explains Bala Reddy, VP of Engineering at Poq.
Early in 2020, Poq started to experience frequent credential stuffing attacks against some of its customers’ login endpoints. For a while, Bala and his team were able to mitigate these account takeover attempts with a combination of measures, such as rate limiting and custom rules in their web application firewall.
They also developed an efficient custom API signing feature: every request entering their infrastructure was signed with an obfuscated key bundled into the mobile application, which let them check that a request originated from an app they had built. Because the key ships inside the client binary, obfuscation only raises the cost of recovering it; a sufficiently determined attacker who extracts the key can sign requests exactly as the genuine app does, which is why this control can slow credential stuffing but not settle the question of origin on its own.
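To make the signing scheme and its limit concrete, here is an added example, not Poq’s or DataDome’s code: an HMAC-SHA256 request signature bound to method, path, timestamp and body hash, verified server-side with a freshness window and a constant-time compare. The header names, the 300-second replay tolerance and the sample login body are assumptions; the final case shows that a client holding the key extracted from the app binary passes every check.

```python
"""Illustrative mobile API request signing (added example, not Poq's scheme).

Assumptions: HMAC-SHA256 over method/path/timestamp/body-hash, headers named
X-Timestamp and X-Signature, and a 300-second freshness window.
"""
import hashlib
import hmac

# Constructed stand-in for the key bundled (obfuscated) in the mobile app.
APP_KEY = b"demo-app-key-not-a-real-secret"
FRESHNESS_WINDOW = 300  # seconds of clock skew / replay tolerance (assumed)


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the request's method, path, timestamp and body hash into one message."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Compute the hex HMAC-SHA256 signature the app attaches to a request."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_request(key: bytes, method: str, path: str, body: bytes, now: int) -> dict:
    """Headers a (genuine or forged) client sends alongside the body."""
    return {
        "X-Timestamp": str(now),
        "X-Signature": sign_request(key, method, path, body, now),
    }


def verify_request(key: bytes, method: str, path: str, body: bytes,
                   headers: dict, now: int) -> bool:
    """Server-side check: timestamp must be fresh and signature must match."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False  # missing or malformed timestamp
    if abs(now - ts) > FRESHNESS_WINDOW:
        return False  # stale: replayed or badly skewed request
    expected = sign_request(key, method, path, body, ts)
    # Constant-time comparison so verification does not leak the signature byte by byte.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def demo() -> dict:
    """Run the scheme against constructed requests and return each outcome."""
    now = 1_700_000_000
    path = "/api/v1/login"
    login = b'{"email":"user@example.com","password":"hunter2"}'  # constructed body
    good = client_request(APP_KEY, "POST", path, login, now)

    results = {
        "genuine": verify_request(APP_KEY, "POST", path, login, good, now),
        "tampered_body": verify_request(
            APP_KEY, "POST", path, b'{"email":"victim@example.com","password":"x"}', good, now),
        "replayed": verify_request(APP_KEY, "POST", path, login, good,
                                   now + FRESHNESS_WINDOW + 1),
        "unsigned": verify_request(APP_KEY, "POST", path, login, {}, now),
    }

    # The scheme's limit: a credential-stuffing client that has lifted the key
    # from the app binary signs exactly like the real app and is accepted.
    extracted_key = APP_KEY
    forged = client_request(extracted_key, "POST", path, login, now)
    results["forged_with_extracted_key"] = verify_request(
        APP_KEY, "POST", path, login, forged, now)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} accepted={accepted}")
```

Tampered bodies, replays and unsigned requests are rejected, but the forged request signed with the extracted key is accepted, which is the gap the rate limits and WAF rules were left to cover before a behavioural bot-detection layer was added.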
Then, a particularly motivated group of attackers started to target one of Poq’s clients in the financial sector.
“Those hackers went to extreme lengths to attempt to crack and bypass whatever defenses we put in place,” Bala recalls. “We spent weeks trying to figure out how to stop it. And this is essentially wasted time for us—we should be focusing on creating great mobile shopping experiences, not defending ourselves against attacks.”
Since Poq provides the app front end as-a-service to its customers, the very real risk of account takeover and fraud is also a question of brand reputation and customer satisfaction.
“Our customers rely on us to provide end users with the best possible app experience, and that includes security. For those customers that are exposed to credential stuffing attacks, we needed to be able to offer a top-notch security option,” says Bala.
The Solution: Optimized Protection for Mobile Applications
When Bala and his team started to search for an external bot protection solution, they knew that the technology would need to be adaptive.
“After spending so much time and energy trying to block the attacks ourselves, we had learned that these hackers don’t stop at anything,” he says. “The barrier had to be pretty high, and the solution had to be capable of learning. We had tried a lot of different measures, and had a degree of success. But then the attackers would just come back with a new strategy and an even more determined attack vector.”
The ideal solution also had to be optimized for mobile applications.
“Most bot protection solutions lean heavily toward the web; mobile isn’t much of a focus,” Bala observes. “That’s where DataDome stood out; it mines data from the mobile application and builds a profile based on that data, and the adaptive learning algorithm blocks traffic that doesn’t match that profile. It was exactly what we needed. The documentation for the mobile software development kit was also very good, which inspired confidence. And the integration on the API layer was a simple plugin we could turn on in our web application firewall. DataDome basically ticked all the boxes.”
Integrating DataDome at the platform level took the team about a week and a half. Some early hiccups were quickly resolved with expert guidance from the dedicated onboarding team.
The Results: Secure Customer Apps & Peace of Mind
Today, Poq offers bot protection as a value-added service to customers whose apps are potentially vulnerable to account takeover attempts.
“The experience has been very good, and the protection gives us peace of mind,” says Bala. “Before we implemented DataDome, we were always looking over our shoulders, checking our monitoring systems to see if our defenses were working, just being on high alert. All that is a thing of the past—the protection just works.”
Offloading bot protection to a solution built for the purpose has also enabled the Poq team to spend much less time focusing on bot attacks, and more on their core business.
“We report to our clients on a monthly basis, so we’ll look at our logs and at the DataDome reports to check if there have been attacks and verify that DataDome has blocked them, and report on those metrics. Apart from that, we don’t really spend time on bot attacks anymore,” observes Bala, who also appreciates the continued development efforts on the SDK.
“Many SDKs are not well maintained, and tend to fall behind,” he remarks. “DataDome has kept pace with the advances on the mobile platforms as well, even in terms of dependency management. For example, it was pretty much the first SDK that migrated to the iOS Swift Package Manager. So, our experience with it has been really smooth.”
Finally, he praises the availability and responsiveness of the tech support and bot SOC teams.
“Whenever we have a question or an issue, we can reach out to our primary contact and we’ll get a quick response. We’ll also be put in direct touch with the threat research team if that’s required. So, we’re very happy with the level of professional services provided.”