Shape’s VP of Intelligence Center to Speak at Retail Cyber Intelligence Summit

Shape’s Vice President of Intelligence Center, Dan Woods, will present at the upcoming Retail Cyber Intelligence Summit on September 24-25, 2019, at the Four Seasons Hotel in Denver, Colorado.

2018 saw a significant increase in user credential spills from retailers. And as the retail industry continues to increase its digitization, it creates more incentives for attackers, as well as increases retailers’ potential attack surfaces. In fact, more than 50 percent of all e-commerce fraud losses were from cyber-attacks such as ATO, gift card cracking, and scalping. In addition, up to 99% of traffic on retail and e-commerce login forms was due to account takeover attempts! 

Dan’s session, titled “The Anatomy of Web and Mobile Application’s Costliest Attacks,” will discuss actual attacks launched against retail and hospitality organizations and explain attackers’ motivations and monetization schemes. Dan will also share the latest threat intelligence on effective attack tools and techniques that cybercriminals are using to circumvent traditional countermeasures with devastating effectiveness. 

“We’re looking forward to continuing our partnership with Shape Security and are pleased to have them as a presenting sponsor at our upcoming Retail Cyber Intelligence Summit in Denver,” said Suzie Squier, president of RH-ISAC.

The Retail Cyber Intelligence Summit is tailored for strategic leaders and cybersecurity practitioners from both physical and online retailers, gaming properties, grocers, hotels, restaurants, consumer product manufacturers and cybersecurity industry partners. The full conference agenda and information on how to register is available here.

The War No One is Talking About

There is a war brewing in cyberspace. The general public is blissfully unaware, and very likely will remain so. The media, when it talks about cybersecurity, tends to focus on the breach of the week, even though there cannot possibly be any lessons left to learn in that parade of spectacle and shame.

The war we speak of is against malicious automation (bots), and it’s being fought largely outside the gaze of journalism. On one side are the organizations putting their stores, intellectual property, processes, and businesses online in their journey toward digital transformation: the “good guys.” On the other side are malicious actors armed with nearly undetectable automation, intent on theft, political influence, fake news, and fake transactions: the “bad guys.”

Asymmetric Conflict

The comedy of this “automation war” is how lopsided it is, technologically. The bad guys have accumulated an impressive arsenal of tools from Sentry MBA, PhantomJS, and simple proxies, to browser extensions (Antidetect), human click farms, behavior collection farms, global proxy networks and, finally, to headless chrome steered with a real orchestration framework like Puppeteer.

Meanwhile, the good guys have only ancient traps like a CAPTCHA or a web application firewall (WAF), both of which are trivially easy for bad guys to bypass. Organizations aren’t thrilled about annoying their customers with friction (like making them click on blurry pictures of buses for 20 minutes) and endlessly rewriting WAF rules when attackers retool every week. It’s an unfair fight, and who has time for that, honestly.

The Silent War of Automation

The primary tactic of an automation attacker is to imitate a legitimate transaction. It doesn’t matter if the transaction has a very low probability of gain for the attackers, because they can multiply their gains by scaling the transactions into the millions at nearly no cost. Because they are blending in so perfectly, many victim organizations have no idea that it’s happening until they see an effect like fully booked inventory, credit card chargebacks, or a competitor who seems to know the price of every single munition with all possible discounts.

The media won’t write a story about how a competitor reverse-engineered an insurer’s policy premiums through the creation of a million slightly different fake profiles, or how an actor deluged a work-for-hire site with a million fake low-wage contractor profiles that represented their tiny firm in the Philippines, because it’s too complicated and there’s no one to shame. There’s no spectacle there.

So, the silent war goes on, with the bad guys getting better and better at imitation, and organizations in nearly every vertical experiencing bizarre side effects (“All our free passport interview slots have been booked and are being sold!”).

What Won’t Save The Day

Everyone’s been hoping that the silver bullet for the good guys was going to be AI. Surely the incredible volume of modern transactions can be used to train machine learning engines to differentiate real traffic from fake, right? The answer is no, it can’t. At best, today’s ML engines can spot not individual anomalies but patterns of suspicious activity. 

When a campaign is identified as being underway, human operators must step in and determine the intent of the campaign, because understanding is crucial in determining next steps. The mitigation can’t just be simple blocking, because that’s a signal which helps the attacker retool. 

Sometimes, the info-war tactics of misinformation and redirection are the solution for the day. Or evidence collection. You need tacticians. You need real people using automation to fight real people using automation.

CyberHub Summit

The war in cyberspace will be a main topic of discussion next week in Atlanta at the CyberHub Summit. Classy people there will be talking about meta issues like defending the region’s online financial services and de-risking the supply chain. A few of us from Shape Security will be there, and over some pints of the venue’s product, we can show you how we’re fighting the war against malicious automation.

If you can’t make it to the CyberHub Summit, please don’t hesitate to contact us at any of the channels listed under our logo, but otherwise we hope to see you in Atlanta next week!

Better Together: Partnering with Okta

Every day, nearly 10 million valid credentials fall into the hands of criminals, fueling massive amounts of fraud. Shape’s new partnership with Okta aims to eliminate this fraud by providing Okta customers an invisible layer of defense against bots, credential stuffing attacks, and account takeover attempts. By implementing both solutions, businesses can have the very best in both identity and security to protect their workforces and consumers.

Businesses trust Okta for identity services across both single sign-on (SSO) and customer identity and access management (CIAM) portals. Shape’s partnership with Okta enhances security in both cases:

For Okta’s enterprise SSO customers, adding Shape provides a powerful, invisible layer of defense. Large credential breaches often include valid employee credentials. With Okta and Shape installed together, criminals will be further prevented from performing credential stuffing attacks using those stolen usernames and passwords.

For Okta’s CIAM customers, deploying Shape increases security without adding friction to the user experience. Shape enables businesses to eliminate CAPTCHAs and other consumer-unfriendly security measures on login pages while also preventing fraudulent account registrations.

The Okta and Shape partnership extends across all major touch points: web, mobile, and APIs. To learn more about using Shape to enhance your Okta SSO and customer portals, contact Shape or your Okta representative.

#1 Fastest Growing Company in Silicon Valley | Deloitte’s Technology Fast 500

FastestGrowing_Linkedin.jpgToday Shape was recognized as the fastest-growing company in Silicon Valley and the third-fastest growing company in the U.S. by Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America.  Rankings are based on a company’s revenue growth from 2014 to 2017.

“We’re laser-focused on protecting our customers and we have an incredible team,” said Shape’s CEO, Derek Smith, who credits the 23,576 percent revenue growth to the company’s unceasing dedication to customer success. Smith continued, “This is why we are able to grow incredibly quickly while maintaining a 99 percent customer retention rate.”

00000IMG_00000_BURST20181114193632655_COVER  Derek Smith, Shape CEO, accepting the award on November 14, 2018.

“Congratulations to Shape and the other Deloitte 2018 Technology Fast 500 winners on this impressive achievement,” said Sandra Shirai, vice chairman, Deloitte LLP, and U.S. technology, media and telecommunications leader. “These companies are innovators who have converted their disruptive ideas into products, services and experiences that can captivate new customers and drive remarkable growth.”  

This is the latest honor for Shape, which has also been recognized by Fortune Magazine as one of the Top 100 companies in artificial intelligence, ranked by CNBC as one of the Top 50 most disruptive companies in the world, and named by Business Insider as one of the “25 Enterprise Startups to Bet Your Career On.”