Leading Meal Kit Delivery Company Ends Account Fraud With DataDome

A leading meal kit delivery company was battling severe attacks from sophisticated fraudsters, who were using stolen credit card data to create new accounts and place fraudulent orders. Handling the incidents manually was stressful, time-consuming, and costly. After a thorough comparison of different bot protection systems, the company selected DataDome. By stopping account fraud before it happens, DataDome has dramatically reduced the company’s cost of operation and eliminated a major source of stress for the security team.

The Problem: Account Fraud Driving Up Cost of Operation

Bot-driven fraud is everywhere, as a leading meal kit delivery company learned the hard way.

“Last year, we had a series of massive account fraud cases,” says one of the company’s security engineers. “The fraudsters were using bots to sign up for our service with stolen credit card data, so we were sending a lot of boxes to places they weren’t supposed to be.”

The attacks not only generated a lot of stress and extra work for the security team; they were also very costly for the company.

“The problem wasn’t just the loss of revenue,” the security engineer explains. “During the attacks, combating the fraudulent use of our service doubled our cost of operation. It was all hands on deck, including our head of data engineering, our director of security, and our CTO, who are some very expensive people to use for incident handling.”

To a lesser extent, the company was also concerned about bots scraping their content, primarily the recipes openly available to everyone, but intended only for human users.

“We knew there was some scraping activity and it was something we had wanted to address, but we didn’t realize how big of an issue it actually was until we discovered it in the DataDome dashboard,” says the security engineer.

The Solution: Superior Web, Mobile, & API Protection

The slew of credential stuffing and account fraud attacks sparked a search for a sustainable, long-term bot protection solution. After investigating a number of options, the team’s shortlist had been drilled down to two potential solutions.

“The key point that tipped the scales in DataDome’s favor was its superior protection of the mobile and especially the API endpoints”, says the security engineer. “Our attackers appeared to try and get as much surface area as possible, so we needed to protect all our endpoints. And unlike the other contender, DataDome was able to detect malicious AJAX and XHR calls to our APIs.”

Indeed, API protection has been part of DataDome’s offering since day one. The solution handles all AJAX and XHR traffic and automatically displays a CAPTCHA if a bot is detected, requiring no intervention from the customer’s team.

“We were also able to speak to another company that had recently compared the two solutions for very similar issues and on a similar infrastructure, which comforted us in our choice,” the security engineer comments.

The Results: Drastic Cost Reductions & Peace of Mind

Today, DataDome efficiently protects all the company’s previously vulnerable endpoints against bot attacks and bot-driven fraud.

“We were able to stop the bleeding a lot faster than we would have by using just a WAF,” the security engineer confirms. “Preventing new accounts from being created for the purpose of fraud is a big win for us.”

Stopping fraud in its tracks had an instant, positive effect on the meal kit delivery company’s bottom line.

“As soon as we activated DataDome, the cost of operation went down dramatically. Having a technical solution that prevents fraud and ATO from happening means that key tech personnel no longer need to be involved,” he observes.

While ending automated account creation and fraudulent orders was the company’s primary goal, they have also derived additional benefits from DataDome’s protection.

“Content scraping turned out to be a much bigger issue than we were aware of, but that’s now taken care of as well,” the security engineer attests. “And one thing I didn’t expect when we brought the product in was that it would help avoid service downtime, which used to happen a lot. Stopping layer 7 DDoS attacks, cheaper than with a WAF, was one of the immediate wins.”

In conclusion, he celebrates a more intangible benefit: “I can sleep at night,” he smiles. “Maybe that doesn’t sound like a big deal, but as a security person, DataDome has afforded me a better work-life balance, and that’s a big deal to me.”