What is Denial of Inventory?
The OWASP Automated Threat Handbook (OAT-021) defines denial of inventory as depleting goods or services stock without ever completing the purchase or committing to the transaction.
How does it work?
A typical workflow for an online merchant selling goods and services has three steps:
1. Customer account login: optional in many cases.
2. Customer browses the merchant's catalog and adds items to a shopping cart. The merchant holds carted items out of inventory, so other customers cannot buy them. Many merchants have implemented inventory timeouts, ranging from a few minutes to a few hours, after which unpurchased cart items are returned to inventory.
3. Customer completes the purchase by paying for the goods in the cart and providing shipping information.
Denial of inventory attackers complete steps 1 and 2 but never execute step 3, the purchase. Orchestrated at scale with bots, and repeated each time a hold times out, this leaves the merchant with all of its inventory in the "hold" state, effectively blocking legitimate customers from shopping for those items.
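The hold mechanism above, simulated as an added example (not code from this page or from any merchant platform): a small inventory hold service with a 15-minute timeout, a fleet of bots that cart one unit per minute and never pay, and one legitimate customer who tries to buy one unit per minute. The class and function names, the stock count and the bot count are all assumptions made for the illustration; the weak configuration has no limit on outstanding holds, and the hardened variant caps the units any single client may hold at once.

```python
"""Simulated shopping-cart holds under a denial-of-inventory run.

Added illustration; not code from the page or from any merchant platform.
InventoryHolds, run_cart_hold_simulation and every constant below are
hypothetical names and constructed values.
"""
from collections import defaultdict

HOLD_TTL_SECONDS = 15 * 60  # constructed: a 15-minute cart hold


class InventoryHolds:
    """Tracks on-hand stock and outstanding cart holds for one item."""

    def __init__(self, stock, ttl=HOLD_TTL_SECONDS, max_holds_per_client=None):
        self.stock = stock                 # units neither held nor sold
        self.ttl = ttl
        self.max_per_client = max_holds_per_client  # None = no cap (the weak setting)
        self.holds = {}                    # hold_id -> (client_id, qty, expires_at)
        self.next_id = 0
        self.per_client = defaultdict(int) # client_id -> units currently held

    def release_expired(self, now):
        """Return units whose hold timeout has passed to stock (the merchant's timeout step)."""
        for hold_id, (client_id, qty, expires_at) in list(self.holds.items()):
            if now >= expires_at:
                del self.holds[hold_id]
                self.stock += qty
                self.per_client[client_id] -= qty

    def hold(self, client_id, qty, now):
        """Move qty units from stock into a hold; returns a hold id, or None if refused."""
        self.release_expired(now)
        if qty > self.stock:
            return None                    # sold out, or everything is already on hold
        if self.max_per_client is not None and self.per_client[client_id] + qty > self.max_per_client:
            return None                    # hardened: cap outstanding holds per client
        hold_id = self.next_id
        self.next_id += 1
        self.holds[hold_id] = (client_id, qty, now + self.ttl)
        self.stock -= qty
        self.per_client[client_id] += qty
        return hold_id

    def purchase(self, hold_id):
        """Step 3: the held units leave inventory for good."""
        client_id, qty, _ = self.holds.pop(hold_id)
        self.per_client[client_id] -= qty
        return qty


def run_cart_hold_simulation(stock=100, bots=20, minutes=60, max_holds_per_client=None):
    """Bots each cart one unit per minute and never pay; one real customer tries to
    hold and immediately buy one unit per minute.  Returns
    (units the customer managed to buy, units sitting in bot holds at the end)."""
    inv = InventoryHolds(stock, max_holds_per_client=max_holds_per_client)
    purchases = 0
    for minute in range(minutes):
        now = minute * 60
        for b in range(bots):
            inv.hold(f"bot-{b}", 1, now)   # a refused hold is simply retried next minute
        h = inv.hold("customer", 1, now)
        if h is not None:
            inv.purchase(h)                # the legitimate path: hold, then pay
            purchases += 1
    bot_units = sum(q for c, q, _ in inv.holds.values() if c.startswith("bot-"))
    return purchases, bot_units


if __name__ == "__main__":
    print("no cap:      ", run_cart_hold_simulation())
    print("cap 2/client:", run_cart_hold_simulation(max_holds_per_client=2))
```

Without a cap the bots drain the 100 units in five minutes, and because each expiring hold is re-carted the moment it is released, the customer buys only 4 units in an hour while 96 units sit in bot holds. With a cap of two units per client the same 20 bots can tie up at most 40 units and the customer buys one every minute. A per-client cap only helps against clients the merchant can tell apart, which is why the fake-account phase described later in this page matters.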
Airline seat spinning – a denial of inventory variant
Seat spinning is a widespread problem in the airline industry: bots traverse the flight reservation workflow up to the point of paying for the ticket, thereby holding seats on flights. Airlines typically hold a seat for 5 to 20 minutes pending payment. During this period "seat spinners" try to resell those seats for a small profit. If they do not find a buyer, they let the hold period expire and the seats are returned to inventory. Because the spinning is repeated continuously, the time window in which seats are available to legitimate customers shrinks significantly, and in extreme cases customers find flights completely booked. Repeated seat spinning causes airlines to fly half-empty planes because legitimate customers were unable to book tickets on the airline's own platform. Seat spinning is typically done by travel aggregators and low-cost travel sites.
Other applications that reserve time slots without payment, such as restaurant reservations, delivery time slots, parking spots and appointments, are also vulnerable to denial of inventory attacks. These attacks are even simpler to orchestrate because there is no payment step to get past and, in many cases, no login is required before making a reservation.
Is denial of inventory a multi-phased attack?
Where a customer account is required, a denial of inventory attack is preceded by account takeover (ATO) or fake account creation, both of which are themselves business logic abuse attacks. Credential stuffing, the usual route to ATO, replays stolen username and password pairs against the login form to find combinations that are valid on the target site; the resulting accounts are then sold or reused, for example for a denial of inventory attack. Fake accounts are created in bulk by bots and likewise reused. Spreading holds across many accounts also keeps each individual account below any per-account limit the merchant enforces.
Denial of inventory goals include:
- Profit: Denial of inventory and seat spinning are profit driven; with a large army of bots, even a small margin per ticket adds up to a large overall profit.
- Political: When companies or their leaders take a position on divisive political issues, they are often subjected to automated attacks as a form of retaliation from the opposing group.
- Competitive: Denial of inventory can be competitive in nature, where a rogue organization launches an attack to suppress a competitor while selling its own goods and services at a premium, especially high-demand items.
- Disruptive: Denial of inventory attacks can be used as an application-layer denial of service attack, rendering the application unusable.
What is the impact on an organization?
Denial of inventory of any type results in sales lost to a competitor and/or lower margins when the goods are resold by an aggregator. Customers lose confidence in their preferred vendor and move to another to find the goods and services they are looking for.
Organizationally, the impact is wide ranging and distracts teams from their daily roles. Public relations and marketing must respond to press and analyst queries to protect the brand image. Customer support must handle angry customers and maintain morale while still covering its normal responsibilities.
What type of applications and industries are targeted by denial of inventory attacks?
Denial of inventory targets all types of retail, including the travel sector (e.g., airlines, travel booking, hospitality).
Preventing denial of inventory with Cequence Security
The Cequence Application Security Platform prevents denial of inventory attacks using a patented machine-learning analytics engine that determines the intent of a transaction from many signals, including user behavior (e.g., speed of form fills, mouse movement and keystrokes, time of day, location). Using these data points and more, the attack can be mitigated through blocking, rate limiting, geo-fencing, or deception.
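As an added, vendor-neutral example (not Cequence's engine and not code from this page), the following shows the simplest transaction-level signal behind the intent detection described above and the multi-phase pattern described under fake account creation: a hold-to-purchase ratio computed per account, and the same ratio computed per source IP so that a farm of fresh accounts that each place only a couple of holds is still caught collectively. The log format, field names and thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Hold-to-purchase ratio detection over reservation logs.

Added illustration, independent of any vendor product; not code from the page.
The log format, field names and thresholds are assumptions, and SAMPLE_LOG is
constructed: one genuine buyer, one seat spinner, and a fake-account farm that
spreads its holds across several accounts behind a single IP.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=acct-900 ip=192.0.2.44 event=hold item=FLT100
2024-05-01T10:03:30Z client=acct-900 ip=192.0.2.44 event=purchase item=FLT100
2024-05-01T10:00:02Z client=acct-001 ip=203.0.113.10 event=hold item=FLT100
2024-05-01T10:00:03Z client=acct-001 ip=203.0.113.10 event=hold item=FLT101
2024-05-01T10:00:04Z client=acct-001 ip=203.0.113.10 event=hold item=FLT102
2024-05-01T10:00:05Z client=acct-001 ip=203.0.113.10 event=hold item=FLT103
2024-05-01T10:00:06Z client=acct-001 ip=203.0.113.10 event=hold item=FLT104
2024-05-01T10:00:07Z client=acct-001 ip=203.0.113.10 event=hold item=FLT105
2024-05-01T10:15:02Z client=acct-001 ip=203.0.113.10 event=expire item=FLT100
2024-05-01T10:15:03Z client=acct-001 ip=203.0.113.10 event=expire item=FLT101
2024-05-01T10:00:10Z client=acct-101 ip=198.51.100.7 event=hold item=FLT200
2024-05-01T10:00:11Z client=acct-101 ip=198.51.100.7 event=hold item=FLT201
2024-05-01T10:00:12Z client=acct-102 ip=198.51.100.7 event=hold item=FLT200
2024-05-01T10:00:13Z client=acct-102 ip=198.51.100.7 event=hold item=FLT201
2024-05-01T10:00:14Z client=acct-103 ip=198.51.100.7 event=hold item=FLT200
2024-05-01T10:00:15Z client=acct-103 ip=198.51.100.7 event=hold item=FLT201
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) item=(?P<item>\S+)"
)

MIN_HOLDS = 5            # assumption: fewer holds than this is ordinary browsing
MAX_CONVERSION = 0.1     # assumption: at most 1 purchase per 10 holds before we call it spinning
MIN_ACCOUNTS_PER_IP = 3  # assumption: this many accounts behind one IP looks like a farm


def parse(log_text):
    """Parse the assumed key=value format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def tally(events, key):
    """Count holds, purchases, expirations and distinct accounts per 'client' or per 'ip'."""
    stats = defaultdict(lambda: {"holds": 0, "purchases": 0, "expired": 0, "clients": set()})
    for e in events:
        s = stats[e[key]]
        s["clients"].add(e["client"])
        if e["event"] == "hold":
            s["holds"] += 1
        elif e["event"] == "purchase":
            s["purchases"] += 1
        elif e["event"] == "expire":     # a hold released by timeout rather than payment
            s["expired"] += 1
    return stats


def conversion(s):
    """Purchases per hold; an entity with no holds is treated as converting."""
    return s["purchases"] / s["holds"] if s["holds"] else 1.0


def flag_denial_of_inventory(log_text):
    """Return accounts and source IPs whose hold volume is high and conversion is near zero."""
    events = parse(log_text)
    flagged_clients = sorted(
        c for c, s in tally(events, "client").items()
        if s["holds"] >= MIN_HOLDS and conversion(s) <= MAX_CONVERSION
    )
    flagged_ips = sorted(
        ip for ip, s in tally(events, "ip").items()
        if len(s["clients"]) >= MIN_ACCOUNTS_PER_IP
        and s["holds"] >= MIN_HOLDS and conversion(s) <= MAX_CONVERSION
    )
    return {"clients": flagged_clients, "ips": flagged_ips}


if __name__ == "__main__":
    print(flag_denial_of_inventory(SAMPLE_LOG))
```

On the constructed log, acct-001 is flagged on its own (six holds, no purchase), the three farm accounts are each below the per-account threshold but their shared IP 198.51.100.7 is flagged, and the genuine buyer acct-900 is not. The flagged sets are the input to the mitigations listed above (rate limiting or blocking holds from those accounts and addresses); in production the ratio would be computed over a sliding window, and the IP grouping should be extended to other shared attributes (device fingerprint, payment instrument) since a farm can spread its accounts across many addresses.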