Airline Seat Spinning

Seat spinning is a widespread problem in the airline industry: bots traverse the flight reservation workflow up to the point of paying for the ticket, thereby holding seats on flights. Airlines typically allow a hold period of between 5 and 20 minutes for the payment step. During this period, “seat spinners” try to sell those airline tickets for a small profit. If they fail to make a profit, they let the hold period expire and the seats are returned to inventory. Because seat spinning is attempted repeatedly, the time window in which seats are available to legitimate customers shrinks significantly and, in some extreme cases, these customers find flights completely booked. Repeated seat spinning causes airlines to run half-empty flights because legitimate customers are not able to book tickets on the airline's online platform.

Airline Seat Spinning Attack

Image 2: Seat spinning is a Denial of Inventory variant.
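The hold-and-release pattern described above can be surfaced from reservation logs. The following is an added detection sketch, not code from CQ botDefense or any airline; the event fields, the client identifier, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample hold events: (hold start, client id, flight, seats, outcome).
# "expired" means the payment hold lapsed and the seats returned to inventory.
EVENTS = [
    ("2024-05-01T10:00", "c-17", "XY101", 4, "expired"),
    ("2024-05-01T10:03", "c-42", "XY101", 1, "paid"),
    ("2024-05-01T10:16", "c-17", "XY101", 4, "expired"),
    ("2024-05-01T10:31", "c-17", "XY101", 4, "expired"),
    ("2024-05-01T10:40", "c-88", "XY205", 2, "expired"),
    ("2024-05-01T10:47", "c-17", "XY101", 4, "expired"),
    ("2024-05-01T14:10", "c-88", "XY205", 2, "paid"),
]

def find_seat_spinners(events, window=timedelta(hours=1), min_expired=3):
    """Flag (client, flight) pairs with repeated unpaid holds inside one window.

    Returns {(client, flight): seats tied up by the flagged run of expired holds}.
    Thresholds are illustrative assumptions, not vendor or airline values.
    """
    recent = defaultdict(deque)   # (client, flight) -> expired holds in window
    flagged = {}
    for ts, client, flight, seats, outcome in sorted(events):
        key = (client, flight)
        when = datetime.fromisoformat(ts)
        if outcome == "paid":
            recent[key].clear()   # a completed purchase resets the run
            continue
        run = recent[key]
        run.append((when, seats))
        while when - run[0][0] > window:   # drop holds older than the window
            run.popleft()
        if len(run) >= min_expired:
            flagged[key] = sum(s for _, s in run)
    return flagged

if __name__ == "__main__":
    for (client, flight), seats in find_seat_spinners(EVENTS).items():
        print(f"{client} held {seats} seats on {flight} across unpaid holds")
```

A single abandoned checkout, such as the first hold by `c-88`, is not flagged; only a run of expired holds on the same flight with no intervening payment is.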

Preventing Denial of Inventory: Key CQ botDefense Differentiators

  • ML-based analytics engine delivers complete application visibility: CQ botDefense is based on CQAI, an ML-based analytics engine that operates out-of-band to automatically discover all your web, mobile and API-based shopping cart endpoints, building an intuitive site map that can be used for visibility and policy-based protection. Alternative solutions that use JavaScript instrumentation and mobile SDKs are prone to introducing application deployment delays through extended QA/validation processes, security gaps between mobile app variants, and user dissatisfaction with slow page load times.
  • Open, extensible platform with customizable responses including deception: Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each account login transaction. Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Alternatively, the REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
  • New apps protected automatically, security-induced delays eliminated: As different teams create and deploy new products with shopping cart access, those products are automatically discovered and protected by CQ botDefense. The result is security that is baked into the application development and deployment workflow.
  • Consistent protection for exposed APIs, web and mobile applications: CQ botDefense protects web, mobile and API-based applications with shopping cart access from automated attacks with a single, consistent security policy, resulting in an opportunity to consolidate application security functions into a single platform.
  • Deployable anywhere: A container-based software architecture allows CQ botDefense to be deployed in your data center, the cloud or as a SaaS offering, allowing you to choose the architecture that best fits your application security needs.
