Leading Fintech Company Combats Credential Stuffing & Gains Productivity With DataDome
A leading online loan lender was the target of frequent credential stuffing attacks, which distracted its DevOps and Engineering teams from more strategic projects. Today, DataDome’s AI-based bot detection engine, backed by an expert SOC and threat research team, detects and stops credential stuffing attacks before they happen. The company benefits from advanced protection against account takeover, and the teams have gained back their time and productivity.
The challenge: Manual bot mitigation distracting teams from core tasks
According to the company’s CTO, “Credential stuffing is a perpetual challenge on any website with a login area. If someone says it’s not happening to them, they either don’t want to admit it, or they’re simply not aware!”
The company’s engineering team would typically discover such attacks via their logs. They would look at the requests they were getting, discover spikes in failed login attempts, and then try to mitigate the attacks by adding custom rules to their load balancer.
The attacks weren’t constant, but when they did happen, the manual process of tackling them required significant time and effort from both the DevOps and engineering teams. Severe attacks could take three or four people off track for hours, even days. Analyzing logs, implementing new monitoring methods, adding and testing more custom rules in the load balancer, dealing with any fallout—it was all time away from building new software.
Finding a more efficient way to tackle the issue had been on the company’s security roadmap for a while, but it was one of many items that needed to be prioritized (most readers can probably relate). Then, hackers hit once again with an even larger attack than usual.
“At that point we just said ‘Stop, we have to fix this issue’,” the CTO recalls. “As soon as we had mitigated the ongoing attack, we needed to stop other work, get our options on the table, and prioritize an implementation.”
The solution: Artificial intelligence and human expertise
Approaching the task with a certain sense of urgency—they did not want to go through the same thing one more time—the team did a very quick evaluation of available solutions. While they needed a certain flexibility in how to mitigate attacks, they also wanted a solution that didn’t require a lot of maintenance effort from people within the organization.
“We also wanted to work with someone who had been around for a while and had proven results, so that we could trust the solution from the start,” explains the VP of engineering. “The last criterion was ease of integration with our server infrastructure. Even if a tool or a solution had a lot of bells and whistles, if there would be a long road to realizing that potential, that knocked it lower in our evaluation.”
The team shortlisted three different options, with a fourth contender in the wings, and tested them in parallel in a staging environment. So what were the deciding factors?
“The ability to leverage DataDome’s artificial intelligence sealed the deal for us,” says the CTO. “It was also extremely appealing to partner with a team that was flexible during the evaluation period. We could go to DataDome and say ‘hey, we’re having this issue, here’s how we’re approaching it, what are others in the same situation doing?’, and we could harness that shared intelligence.”
“Support was definitely a main driver,” confirms the VP of engineering. “If we had a problem, within a few hours, we’d get help on how to solve it in the best way. We could email someone, and they’d get back to us and we could have a conversation fairly rapidly. With most of the solutions we evaluated, we either had to figure it out ourselves, or there was a lengthy wait for a response back.”
Finally, the team appreciated the ability to run a free trial of the actual implementation.
“It’s very helpful to be looking at real traffic, even if you can’t apply the rules,” says the CTO. “Trials are sometimes a bit theoretical, but with DataDome, we could see the true potential of the product in a low-risk situation and evaluate what it would actually do in a production environment.”
The results: Stronger data security, more time to build fintech products
Once the contract was signed, the DataDome solution was up and running in about a day. “A lot of vendors promise that,” laughs the CTO, “but it’s very rare that we can actually make it happen.”
Since that first quick setup, the company has transitioned to a more thorough integration that not only analyzes request headers but also leverages DataDome’s JavaScript tag to optimize the accuracy of the detection.
“We’ve reached a level of trust where we can have confidence that bot-driven credential stuffing attacks are being addressed,” the CTO observes. “That doesn’t mean bad actors won’t try other ways to get into our systems, but DataDome has taken off one layer of stress. It has relieved some of that pressure from our DevOps team, so that other projects get through our system faster. It has definitely improved our productivity.”

DataDome automatically blocks credential stuffing attacks. No intervention from the DevOps or engineering team is required.
“There’s a lot of trust now between us and DataDome,” agrees the VP of engineering. “We’re spending a lot less time monitoring our assets for credential stuffing. The AI has been very gratifying for us: it adapts and detects problems without us having to manage it ourselves.”
“DataDome wasn’t the cheapest solution we evaluated, but it replaces labor we would otherwise have spent mitigating attacks,” the CTO concludes. “As a small team that’s always short on people, not being beholden to one person being an expert on HAProxy rules that they’ve scripted is also a big relief for us organizationally.”