In today’s blog we are going to review how Poshmark enabled API security using the Cequence Unified API Protection (UAP) solution to block automated account takeover (ATO) attacks that were overwhelming their online marketplace. Poshmark is a leading online marketplace that enables users to buy and sell new and secondhand styles for women, men, kids, homes, and more. Founded in 2011 in Redwood City, California, Poshmark has over 80 million registered users in its vibrant community across the U.S., Canada, Australia, and India. Today, there are more than 200 million available listings on its platform.
The ease, simplicity and fun of the buying and selling experience has enabled millions of people around the world to bring their closet online with just a phone. As their marketplace grew, it opened the company up to an increase in malicious activity that needed to be addressed to preserve the user experience.
Increased Account Takeover Attempts Alongside Rapid Growth
Poshmark’s security team noticed an increase in the variety of new automated account takeover (ATO) attacks that used credential stuffing to compromise the accounts of their users. They saw this increase in attacks across both their web and API applications, neither of which had any API protection to detect and block these types of automated attacks.
Traditional Methods Disrupted User Experience
To identify and block suspected automated attacks, the security team had enabled a CAPTCHA challenge that not only disrupted the user experience, but also created friction for user sign up and login.
They were looking for a security solution that could block automated fraud attacks while improving the experience for buyers and sellers. Cequence partnered up with the online retailer to help deploy Cequence Unified API Protection (UAP) solution.
The goal of the security team was to deliver with Cequence the following:
- Inline Blocking: Realtime blocking of all malicious bot traffic, ensuring that only real user traffic reaches the application with a very low false positive rate.
- Eliminate CAPTCHA: No longer rely on CAPTCHA as the primary way to identify bot activity.
- Easy and Quick Deployment: Unlike other security solutions, they wanted to avoid the software cycles required to integrate Mobile SDK and JavaScript instrumentation.
Security Transformation in a Matter of Days
After implementing the Cequence Unified API Protection, they were able to block malicious bot traffic in real-time before it reached their application. This enabled Poshmark to streamline the user experience and ensure that only legitimate users were on their platform.
Poshmark was now able to do the following:
- Inline Blocking: Real-time blocking of malicious bot traffic, ensuring that only legitimate user traffic reached their mission-critical applications.
- Fake Account Prevention: Blocked fake account creation used to conduct malicious activity across mobile and web sites.
- Stopped Downstream Impact: By blocking ATO attacks and malicious user signups, they were able to significantly reduce downstream impacts such as reliability, uptime, and fraud.
- Real Comments: Ensure that all new comments on listed items were from real users and not fake comments from automated bots.
- User Experience: An improved user experience, only delivering CAPTCHA challenges for suspicious traffic to prevent bot activity.
WHAT THEY ACHIEVED
Through Cequence, the Poshmark security team reduced cancellations of sold items that were the result of fake listings generated by malicious activity. Moreover, they were able to dramatically reduce the impact of CAPTCHA challenges by 99.3%, no longer requiring a challenge for most logins. More significantly, Poshmark was able to block over 609,000 attempted ATO attacks, saving an estimated $2,192,400 in potential account losses.
Learn more on how Cequence helped Poshmark achieve API security.
Free API Security Assessment of Your API Attack Surface
Get an Attacker’s View into Your Organization
Never miss an update!
By clicking Subscribe, I agree to the use of my personal data in accordance with Cequence Security Privacy Policy. Cequence Security will not sell, trade, lease, or rent your personal data to third parties.
