Tap Blocks Attacks, Saves Time, & Reduces Costs With DataDome

The challenge: DDoS attacks cause slowdowns, inflate costs, & distract developers

It happened on a Sunday. At first, it was just a minor slowdown, which could have been due to the normal weekend spike of use, plus new people signing up from an ongoing ad campaign. Still, something didn’t feel quite right, and CTO Mike Anderson went to check the log files.

“They were about 100 megabytes—not yet the 1.7 gigs that we had coming,” he says. “And then, the application slowed down completely.”

The Tap app itself is designed so that no data is retained on the actual device. Everything is served on demand and encrypted in motion and at rest. While an attempt to hijack data would be fruitless, a brute force attack could hamper the platforms’ ability to service the data—thus delivering a throttled experience for its users.

“For the next two weeks, it was pretty much all hands on deck,” Mike recalls. “We were constantly monitoring the system, and we could see people looking for weaknesses and trying to find their way in. So rather than spending our time on development, we were firefighting. One of our guys wouldn’t even go to sleep. He’d spend the evening setting up alerts, and when an alert went off in the middle of the night, we’d both be on our computers watching these people attacking us. It was rough.”

The Tap development team has managed to keep their server and cloud costs relatively low for a platform of its scale. However, during that stressful month, those costs spiked. The manual monitoring also deviated a lot of resources away from actual development.

It was time to find a solution that could automate attack monitoring and mitigation for them.

The solution: An elegant tool backed by a passionate team

As Mike explains, the Tap application itself is purely a gateway into the banking and card services the company provides. Since all the heavy lifting is done server-side, the app is extremely lightweight.

The development team was therefore a bit skeptical when they were first introduced to the DataDome solution, where a client-side SDK collects device properties and behavioral data when a user interacts with the app, and challenges users whose API calls are blocked by the DataDome server-side module.

“It wasn’t really our first choice to put something inside the app,” Mike admits. “I have to say, though, that when we evaluated the SDK, we were blown away. It’s just a few kB and causes no latency issues whatsoever; you don’t even know it’s there. It’s a beautiful, elegant system.”

As a neobank (or digital-only bank), Tap relies on a broad network of partners, and its architecture is made up of dozens of APIs and SDKs. However, engaging with service providers can be a pain, because Tap is often the first company to use a given service in a built-in environment or in a particular way. It’s not rare for the team to rewrite vendors’ documentation themselves, and they find that technical support often leaves more to be desired. Not so much with DataDome.

“One of the things we loved about DataDome was that the sales rep brought in the technical team right away,” says Mike. “On our first or second call, we were not just having a technical discussion, we were already setting up the environment that we needed for our experiments. And that was our biggest selection criterion: at DataDome, we found like-minded people with impressive technical expertise, who were very available and passionate about what they do.”

The results: 100% uptime, cost control, & peace of mind

DataDome detects and blocks malicious requests before they reach Tap’s servers. The best part, for Mike and his team? Not having to think about it.

“That’s the ideal for every integration that we work with,” he says. “You don’t want latency issues, you don’t want to have to update something every five minutes, and you don’t want customers complaining about CAPTCHA requests. With DataDome, it’s honestly as if it weren’t there.”

As with all preventative measures, putting a figure on the business value is tricky. But there’s no doubt in Mike’s mind that the investment pays itself back many times over.

“Just the fact that I personally used to spend a lot of time looking at server logs, searching for patterns, and trying to figure out what was going on obviously had a cost,” he remarks. “And the time spent on this issue for the rest of the development team has also been eliminated, which is a massive cost saving.”

“A denial of service attack could cost our business hundreds of thousands of pounds’ worth of losses or damages, so it’s hard to know exactly how much DataDome are saving us—hopefully we will never have to find out!” he concludes.