Cequence Security

Denial of Inventory

Denial of Inventory attacks deplete goods or services stock without ever completing the purchase or committing to the transaction. A bad actor uses human or machine-based automation to load a shopping cart, placing the inventory in a holding pattern, effectively denying access by other buyers.

Denial of Inventory

Image 1: Denial of Inventory prevents others from executing a purchase

When orchestrated through large scale bots, it leads to a condition where the online merchant has ALL of their inventory in the “hold” state, effectively blocking legitimate customers from being able to shop for these inventory items. Denial of Inventory attacks commonly target high value retail items (e.g., sneakers, mobile devices, airline tickets) as well as restaurant reservations, delivery time-slots, and parking spots. The goal of a denial of inventory attack can vary from profit to competitive to disruptive where the attack is used as a denial of service attack.

Airline Seat Spinning

Airline industry seat spinning is a widespread problem where bots traverse the flight reservation workflow up to the point of paying for the ticket, thereby holding seats on flights. Airlines typically have between 5-20 minutes of hold period for the payment step. During this period “seat spinners” try to then sell those airline tickets for a small profit. If they are not successful in booking any profit, they let the hold period expire and seats are returned back to the inventory. But due to repeated attempts of seat spinning the time window in which seats are available for legitimate customers reduces significantly and, in some extreme cases, these customers find flights completely booked. Repeated seat spinning causes airlines to run half empty flights as legitimate customers are not able to book tickets on their online platform.

Airline Seat Spinning Attack

Image 2: Seat spinning is a Denial of Inventory variant.

Preventing Denial of Inventory: Key CQ botDefense Differentiators

  • ML-based analytics engine delivers complete application visibility: CQ botDefense is based on CQAI, an ML-based analytics engine that operates out-of-band to automatically discover all your web, mobile and API-based shopping cart endpoints, building an intuitive site map that can be used for visibility and policy-based protection. Alternative solutions that use JavaScript instrumentation and mobile SDK are prone to inject application deployment delays with extended QA/validation processes, security gaps between mobile app variants, and user dissatisfaction with slow page load times.
  • Open, extensible platform with customizable responses including deception: Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each account login transaction. Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Alternatively, the REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
  • New apps protected automatically, security induced delays eliminated: As different teams create and deploy new products with shopping cart access, they are automatically discovered and protected by CQ botDefense. The result is security that is baked into the application development and deployment workflow.
  • Consistent protection for exposed APIs, web and mobile applications: CQ botDefense protects web, mobile and API-based applications with shopping cart access from automated attacks with a single, consistent security policy, resulting in an opportunity to consolidate application security functions into a single platform.
  • Deployable anywhere: A container-based software architecture allows CQ botDefense to be deployed in your data center, the cloud or as a SaaS offering, allowing you to choose the architecture that best fits your application security needs.

Additional Denial of Inventory Prevention Resources

CQ botDefense SaaS Datasheet

CQ botDefense 5 Minute Demo

API Security Podcast