Denial of Inventory
Prevent denial of inventory attacks that may lead to lost sales and customer dissatisfaction.
Denial of inventory attacks deplete goods or services stock without ever completing the purchase or committing to the transaction. A bad actor uses human or machine-based automation to load a shopping cart, placing the inventory in a holding pattern, effectively denying access by other buyers.
When orchestrated through large-scale bots, denial of inventory leads to a condition where the online merchant has ALL of their inventory in the “hold” state, effectively blocking legitimate customers from shopping for those items. Denial of inventory attacks commonly target high-value retail items (e.g., sneakers, mobile devices, airline tickets) as well as restaurant reservations, delivery time slots, and parking spots. The goal of a denial of inventory attack can vary from profit to competitive advantage to disruption, where the attack is used as a denial of service attack.
In the airline industry, seat spinning is a widespread problem where bots traverse the flight reservation workflow up to the point of paying for the ticket, thereby holding seats on flights. Airlines typically have a hold period of 5-20 minutes for the payment step. During this period, “seat spinners” try to sell those airline tickets for a small profit. If they are not successful in booking any profit, they let the hold period expire and the seats are returned to the inventory. But because of repeated seat spinning attempts, the time window in which seats are available to legitimate customers shrinks significantly and, in some extreme cases, these customers find flights completely booked. Repeated seat spinning causes airlines to run half-empty flights because legitimate customers are not able to book tickets on their online platform.
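The hold-and-expire pattern described above can be measured from cart or reservation logs. The following is an added example, not Cequence code or product logic: it assumes a simple event log of `hold` and `purchase` actions, a 10-minute hold window, and illustrative thresholds, and it flags clients that repeatedly re-hold the same items without ever converting.

```python
from collections import defaultdict

HOLD_SECONDS = 600  # assumed hold window (the page cites 5-20 minutes)

# Constructed sample events: (epoch_seconds, client_id, action, item_id)
EVENTS = [
    (0,    "c-legit",  "hold",     "seat-12A"),
    (240,  "c-legit",  "purchase", "seat-12A"),
    (10,   "c-bot",    "hold",     "seat-14C"),
    (20,   "c-bot",    "hold",     "seat-14D"),
    (615,  "c-bot",    "hold",     "seat-14C"),  # re-held right after expiry
    (625,  "c-bot",    "hold",     "seat-14D"),
    (1220, "c-bot",    "hold",     "seat-14C"),
    (100,  "c-browse", "hold",     "seat-20F"),  # one abandoned cart, not abuse
]

def summarize(events, hold_seconds=HOLD_SECONDS):
    """Per client: holds, purchases, repeat holds of one item, seconds of stock denied."""
    stats = defaultdict(lambda: {"holds": 0, "purchases": 0,
                                 "reholds": 0, "denied_seconds": 0})
    open_holds, seen = {}, set()  # (client, item) -> start time of unpaid hold
    for ts, client, action, item in sorted(events):
        s, key = stats[client], (client, item)
        if action == "hold":
            s["holds"] += 1
            if key in seen:
                s["reholds"] += 1  # same client took the same item again
            seen.add(key)
            if key in open_holds:  # earlier hold was never paid: it expired
                s["denied_seconds"] += min(ts - open_holds[key], hold_seconds)
            open_holds[key] = ts
        elif action == "purchase" and key in open_holds:
            s["purchases"] += 1
            del open_holds[key]
    # Assumption: holds still unpaid at the end of the log ran to full expiry.
    for (client, _item) in open_holds:
        stats[client]["denied_seconds"] += hold_seconds
    return dict(stats)

def flag_spinners(stats, min_holds=3, max_conversion=0.1):
    """Clients with many holds, near-zero conversion, and at least one re-hold."""
    flagged = []
    for client, s in stats.items():
        conversion = s["purchases"] / s["holds"] if s["holds"] else 1.0
        if s["holds"] >= min_holds and conversion <= max_conversion and s["reholds"]:
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_spinners(summarize(EVENTS)))
```

The `denied_seconds` figure gives a per-client estimate of how long stock was unavailable to other buyers, which is useful for ranking flagged clients before choosing a response such as rate limiting.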
Denial of inventory attacks can result in loss of revenue and competitive disruption. Act quickly to discover and stop them before they damage your business.
As soon as new APIs and web shopping cart applications are deployed, Bot Defense begins detection and analysis of traffic. This enables you to monitor your ecommerce applications and prevent denial of inventory attacks before they impact your business.
Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each API transaction request. The REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Using deception allows you to send a custom response to the attacker, effectively putting guardrails around their activities.
As different teams create and deploy new products with shopping cart access, they are automatically discovered and protected from denial of inventory attacks by Bot Defense, effectively baking security into your application deployment workflow.
Bot Defense uses a single, consistent security policy to protect your API, web and mobile shopping cart endpoints so you can unify protection and defend against denial of inventory.
A container-based software architecture allows Bot Defense to be deployed in your data center, in the cloud, or as a SaaS offering, so you can choose the architecture that best fits your needs.
Deep behavioral analysis of the user intent by CQAI means fraudulent API activity is detected more quickly and consistently than competitive offerings. More rapid discovery translates into reduced denial of inventory or seat spinning attack response time.
Customizable automation indicators and responses enable you to fine tune and maximize attack prevention policies to eliminate business disruption caused by denial of inventory.
With REST APIs and an open architecture, you can ensure information is shared between third party sites and other IT infrastructure like SIEMs and SOC systems.
Every day, Cequence Security analyzes and protects billions of application transactions for customers in the financial services, retail, and social media industries.
Browse our library of datasheets, research reports, blogs, and archived webinars to learn more about our Application Security Platform.
Start preventing fraud caused by denial of inventory attacks and other API business logic abuse now.