FindContact
The challenge:
Account takeovers
The solution:
DataDome protects websites and APIs
Goals achieved:
Automated blocking of impersonator bots
With 40 million members, BlaBlaCar is currently the largest community of carpoolers in the world. The web and mobile platform connects drivers offering seats in their cars with passengers who want to make the same journey.
But this very rich database is also a prime target for players seeking to capture the users’ personal data for criminal purposes.
After observing a number of unusual and inexplicable load spikes, the BlaBlaCar team discovered that they were due to bots which were trying to take control of user accounts on the site. They therefore began to closely observe the behavior of these bots.
Account takeover attacks, carried out by “impersonator” type bots, usually exploit login-password databases that have been stolen from other sites.
In order to try to take control of user accounts, these bots use the “brute force” technique: they access the login forms and very rapidly test all the stolen login-password combinations, which are often in the hundreds of thousands. Since many people tend to use the same login-password combination on multiple sites, the bots’ success rate can attain 8%.
But what, exactly, are they trying to achieve?
In account takeover attacks, bots have a dual objective: to collect as much personal data as possible (name, first name, postal address and mail, telephone, etc.) but also to exploit various means of payment linked to the accounts.
Carding thus consists of using stolen card numbers to make purchases via spoofed accounts. Hackers also try to retrieve coupons and credit coupons which they can use or resell.
By closely observing their behavior, BlaBlaCar discovered that certain bots had industrialized a process to modify the transfers between community members, in order to divert them for their own benefit.
Luckily, BlaBlaCar managed to foil these attacks before any harm was done to its customers. However, protection against such threats required constant monitoring and daily updates, and the BlaBlaCar team soon realized that it was more efficient to use a dedicated solution. The choice fell on DataDome.
BlaBlaCar’s revenue comes primarily from its website. The implementation and installation of the DataDome module was therefore carefully monitored, in order to ensure that it didn’t penalize site stability or the user experience.
The main concern was performance. Since DataDome is validating incoming traffic, the module positions itself, in technical terms, at a crucial point for any website. BlaBlaCar’s question was whether DataDome’s infrastructure could handle all its traffic.
The team managed the ramp-up perfectly, especially since the chosen architecture is designed in such a way that DataDome is not a Single Point of Failure. It’s fundamental for us to be absolutely certain that an eventual DataDome failure will not block traffic to our site.
Francis Nappez, cofounder and CTO of the carpooling site
Regarding latency, a key element for the user experience, “it’s extremely well managed on the DataDome side“, Francis Nappez continues. “If there’s any degradation, it is largely within acceptable margins (a few milliseconds), especially given the value we get in return from the service.”
During the implementation process, it was also necessary to ensure that no personal information related to users was sent to DataDome as part of the information exchange on incoming BlaBlaCar traffic.
Setting up DataDome is an insurance. You can live without one, but you need to know that if you do, you are putting yourself at risk.
Francis Nappez, CTO of BlaBlaCar
Since the DataDome solution was activated, BlaBlaCar’s user accounts have been protected without any need for maintenance. DataDome’s technology, which is based on a machine learning process and pools data from all the protected sites, makes it possible to detect both known bots and new behaviors. It therefore doesn’t require any daily intervention on the part of BlaBlaCar’s technical team.
For Francis Nappez, the main challenge in a secure environment is to remain alert. In this respect, the daily report sent by the DataDome service, which presents detailed data and indicators on bot traffic to BlaBlaCar, is very useful.
“To see every day the magnitude of the threat, and to verify that it is, in this way, identified and countered, is reassuring,” Francis Nappez observes.
However, BlaBlaCar continues to closely monitor the integrity of account credentials on the site, as well as the nature of bots crawling the site, thanks to the DataDome Dashboard, which provides a real-time overview of all bot traffic with detailed identification of their operators.
With DataDome, we benefit from the collective intelligence accumulated on all the sites protected by the technology, and this delivers great value in terms of guaranteed security.
Francis Nappez, CTO of BlaBlaCar
791
