Case Study

Online Learning Company Protects Against Carding and Digital Skimming


Company

This online learning company is a leading education technology innovator, creating engaging and effective learning resources to help children build a strong foundation for academic success. Its flagship product in the United States is a comprehensive curriculum for preschool through second grade, available on all major digital platforms and used by tens of millions of children.

Director of Information Security

Online Learning Company

“The business case for HUMAN made itself. I’m saving my team almost a hundred hours a month going through logs. We’re saving a ton of money from carding attacks and chargebacks. We are actually getting accurate metrics and data on things like organic traffic, which we can provide to executive teams or venture capital firms. Once people see the efficacy and value, there is no way you can live without it.”


Challenge

The COVID-19 pandemic spurred exponential growth in virtual education, raising the online learning company’s popularity—and making it a bigger target for bot attacks. The company’s security team noticed an increase in carding attacks on its websites, which led to financial losses from chargebacks and damaged consumer trust. The high volume of bot traffic also skewed the company’s web analytics and required hours of manual work to clean up.

Additionally, the online learning company relied on third-party JavaScript and open-source libraries to build its websites. The team realized that some of this JavaScript could access users’ PII as users typed it into site forms, a data privacy compliance violation. The company needed full visibility into and control over third-party script behavior to ensure compliance and prevent digital skimming attacks.



Solution

The online learning company wanted a single platform to address bot attacks and client-side threats. HUMAN Application Protection met their needs on both fronts.

Transaction Abuse Defense and Data Contamination Defense

  • Uses machine learning algorithms, behavioral analysis, and predictive methods to accurately detect and mitigate carding and other bot attacks on web and mobile apps and APIs
  • Filters out bot traffic from human traffic, so teams can use accurate data to inform their decisions
  • Improves operational efficiency, freeing security teams to work on more strategic tasks

Client-side Defense

  • Detects anomalies in the behavior of first-, third- and nth-party scripts, such as unauthorized PII access and data exfiltration events
  • Provides granular control to block specific actions a script is taking, so you can proactively mitigate potential data breaches and stop legitimate scripts from accessing sensitive data while otherwise letting them run as intended
  • Simplifies compliance with standards and regulations, including PCI DSS 4 and GDPR

Application Protection uses the same open architecture, making it easy to integrate with the company’s existing infrastructure, including AWS CloudFront. Together, the solutions provide a layered defense model that protects against a range of cyberthreats. 

Results

Application Protection has protected an average of 26.5 million page views from bots each month. The drop in malicious bot activity has saved the online learning company tens of thousands of dollars in chargebacks. Because Application Protection automatically removes bot traffic from website data, the company’s marketing team has saved almost 100 hours each month manually sorting through metrics. 

In addition, Application Protection identified 562 scripts from 28 different source domains that sent data to 74 destination domains. The solution discovered that the online learning company risked violating GDPR and CCPA because two of their legitimate third-party vendor scripts could access users’ PII. Application Protection blocked access to the sensitive fields, helping ensure compliance. 

All in all, the online learning company has gained real-time visibility into and control over its client-side supply chain attack surface and remains protected from malicious bot attacks.
