
Spec reduced account takeovers by over 99% for Indiegogo

Spec helped Indiegogo improve customer trust and reduce chargebacks by lowering the incidence of account takeovers

  • 90% reduction in attack pressure
  • 75% reduction in fraud chargebacks
  • +9.8% increase in good orders

Solution: Customer Journey Security, Account Protection

Situation

 

The popular crowdfunding platform company needed to reduce the incidence of account takeovers (ATOs) that resulted from credential stuffing attacks and prevent losses from fraud-related chargebacks.

Solution

 

Indiegogo deployed Spec’s customer journey security platform, gained end-to-end journey visibility, and identified the root cause of fraudulent chargebacks: persistent credential stuffing that resulted in account takeovers. Attackers are now funneled into a poisoned honeypot, which prevents them from transacting and from gaining intelligence about Indiegogo’s security and fraud defenses.

Results

 
  • -90% attack pressure: Reduced attack pressure by 90 percent over 6 months
  • +9.8% good orders: Increased good orders by over 9 percent
  • Chargebacks from 20% → 5%: Chargebacks due to fraud fell from 20 to 5 percent
  • Credential stuffing to < 1%: Reduced credential stuffing attacks to less than 1 percent of site logins
  • Engineers = 0: Tested and deployed new fraud solutions without engineering resources
  • Protected 100K customers: Protected 100K compromised customer accounts

Indiegogo launches the tech that gets people talking

Founded in 2008, U.S.-based Indiegogo is one of the first-ever crowdfunding platforms. Thanks to a thriving community of more than 9 million backers across 235 countries and territories, Indiegogo has to date delivered more than 800,000 innovative ideas to market. Monthly, the Indiegogo website sees more than 10 million visitors and launches about 19,000 new campaigns. 

With Indiegogo, anyone can become an entrepreneur or an investor. This means it’s critical to the brand reputation that investors trust the authenticity of each campaign, and that entrepreneurs know they’re sending products to the people who backed their vision, not fraudsters. Moreover, the Indiegogo team takes seriously their responsibility to protect the customer journey from attackers at all points and to keep all customer data secure. 

A directive to reduce chargebacks: Get to the root cause

The Indiegogo team loves to see a traffic spike on the platform—that is, if it’s the result of a newly-launched crowdfunding campaign. But like many popular websites, the platform is periodically the target of account takeover attacks due to credential stuffing. 

“Bot attacks are common on many websites,” said Senior Director of Engineering Adi Raghuwanshi. Some attacks were heavy and obvious, he said, and some went under the radar, only to be detected later when the customer complaints came rolling in.

Another frustrating problem facing the business was a high volume of fraud-related credit card chargebacks. Each fraudulent transaction costs Indiegogo the amount of the refund plus a card issuer service fee of $15. And these costs were adding up. 

The five-person customer operations team, led by Payments Manager Justin Orme, was in a draining, reactive cycle of retroactive investigations and customer outreach.

To start combating the problem, Orme’s team invested in a risk check product offered by another vendor. At the time of checkout, when the user is submitting their pledge, the vendor returns a transaction “confidence score.” If the score is within a certain range, the team manually reviews the charge and determines, based on available information, the likelihood of fraud. 

“The chargebacks would start flowing in,” Orme said. “It was like, where are these coming from and why? It definitely wasn't the way to live or the way to operate.” 

One problem: These checks happen at the very end of the customer journey. If a fraudulent transaction is the result of an ATO, the compromised account may already have an updated, sham email address and the rightful card holder won’t be able to deny the charge. There is no other customer journey contextual data to alert the reviewer. 

The team hypothesized that if they could stop fraudsters earlier and work toward a vision of protecting the customer journey from end-to-end, they could sharply reduce the volume of chargebacks—and the drain on resources and revenue.

Attackers will often use subtle tactics that can evade both a fraud tool and human review.

“Even when we create block lists for known adversaries, they can be circumvented,” Justin Orme said. “We see patterns of shipping, addresses, the text strings and names associated with specific devices. But if they can change a zero to the letter O, for example, the human eye won’t notice. And the order goes through and the charge is later disputed.”

Solution: Full customer journey visibility on a no-code platform

Working together, Orme and Raghuwanshi set out to evaluate new fraud vendors, seeking better point solutions that could give them broader fraud protection along the customer journey. In this quest, they learned about orchestration platforms which offer expanded visibility, better contextual data to inform risk decisions, and finely-tuned control over how a platform team responds to fraud and attackers. 

“We knew we needed more checks, but how would we onboard these vendors without tying up significant internal resources?” Orme said. “In the past when we’ve needed a solution, even if we got a yes, the next question was always, ‘what is that going to do to the roadmap?’” 

The Indiegogo team chose Spec over other vendors, in part because of the completeness of product vision and Spec’s team of fraud experts who understood the type of data, insights and actions that would reduce ATOs and fraud losses. “Having a platform that's specialized for our business needs and a team that understands how to connect the different products into our platform—that was super critical,” Orme said. “And then also just being cutting edge and new. Indiegogo is bringing new ideas to the market, and so having that be at a backbone of what Spec is doing, that was also a plus.”

For Raghuwanshi, a primary factor in choosing Spec was the ease with which Indiegogo could trial and pressure test different fraud point solutions without taking resources away from the engineering team. “Spec came out to be the most advanced in terms of the no-code approach to integrations,” he said.

Results: Critical insights that reduced ATOs and chargebacks

The benefits Indiegogo saw after deploying Spec were immediate. As soon as the platform started analyzing Indiegogo’s site traffic, Spec identified automated credential stuffing behavior. Spec blocked attacks based on their signature, with little effort from the Indiegogo team.

Within a few months of using Spec, Indiegogo’s credential stuffing attacks were dramatically reduced. “Now, of the overall website logins, they’re at about 1%,” Raghuwanshi said. 

He attributes this steep drop, in part, to the fact that with Spec, attackers can’t easily reverse engineer the platform’s protections, so they stay away. If Spec identifies, via known signatures, an attacker who gains access to the platform, the attacker is sent through an augmented path to a poisoned honeypot. The attacker then sees fake UI responses, such as a thank-you page that tricks them into thinking they’ve completed a process, which prevents them from capturing feedback on the platform’s risk thresholds.

Fighting adversaries means adapting to new tactics. Raghuwanshi says adapting to evolving threats is easier now with Spec, which they can use to adjust responses. 

Chargebacks due to fraud are also way down, said Orme, from at times 20% of the total mix of chargebacks to consistently around 5%. 
