By Anastasia Ustinova – October 14, 2019
When Chipotle customers across the country complained this month about fraudulent charges to their accounts, the fast-food chain blamed the hottest cybersecurity trend for the incident. Criminals tested usernames and passwords stolen from other websites to try to access Chipotle’s app accounts, a company spokesperson said, referring to the practice known as credential stuffing. Barely a blip in the industry a decade ago, the so-called “credential stuffing” has become the number one cybersecurity threat worldwide, with bot traffic accounting for 90% of all login attempts on retail websites.
It has also brought bread-and-butter business to cybersecurity startup Shape Security, which first spotlighted the criminal practice eight years ago. Shape has built a machine-learning engine that helps distinguish humans from bots online. The engine is constantly learning, processing over a billion transactions daily from some of the world’s largest organizations, including over 50% of online banking in the U.S.
Last month, the Santa Clara-based startup joined the “unicorn club,” raising $51 million at a reported valuation of $1 billion. The latest round led by the British technology investment firm C5 Capital brought its total to $183 million.
With online attacks becoming more sophisticated by the day, AI and machine learning are changing every aspect of cybersecurity, from improving the ability to anticipate and respond to breaches to user behavior analysis and fraud and malware detection. The cybersecurity market is projected to exceed a whopping $124 billion this year and investors are piling in. The VC funding of cybersecurity companies hit a record $6.4 billion last year, up from $4.7 billion in 2017, according to Pitchbook.
Founded in 2011, Shape spent the first two years in stealth mode, polishing its technology and educating companies about credential stuffing, the term coined by Shape’s co-founder Sumit Agarwal during his stint as the deputy assistant secretary of defense at the Pentagon.
“It went from no one knowing what it was and us having to educate everyone that we spoke to about it to now being the primary issue that companies are trying to deal with,” said Shuman Ghosemajumder, the chief technology officer at Shape. “I think that that’s one of the reasons why we’ve been as successful as we have.”
Humans vs Bots
Shape Security estimates that nearly every person in the U.S. has had their login information stolen via a security breach. Cyber criminals then use that data to imitate real users online, training sophisticated bots to access millions of sites and mobile apps. While only a small percentage of those attacks are successful, because consumers recycle passwords across multiple sites, hackers gain traction by scaling their attacks. The criminals then drain those accounts of money, credit card numbers and email addresses, resulting in business losses of over $5 billion annually in North America alone. Using multiple machine learning systems, Shape looks at everything from account activity to user’s location, network and device to determine if the login request came from the real human or from a bot, and blocks up to two billion unwanted attacks daily. Yet, artificial intelligence alone is not a silver bullet. While AI helps determine the patterns of suspicious activity, human operators play a crucial role when it comes to understanding the intent of the attack and taking steps to stop it. “The mitigation can’t just be simple blocking, because that’s a signal which helps the attacker retool,” the company says on its blog. “You need real people using automation to fight real people using automation.” Last year, Shape was recognized as the fastest-growing company in Silicon Valley and the third fastest growing in the U.S. After its latest funding, the startup is planning to expand to Europe and Asia and is also considering an initial public offering in the next couple of years. “Investors and the market at large are in love with their story because their product actually does what it says it does,” says Alissa Knight, senior cybersecurity analyst at Aite Group, who estimates that technology like Shape can help recover as much as 60% of a company’s traffic lost to bots. “Once customers see the technology and it’s ROI, the sale is a no brainer. It sells itself.”