Hi. Hello. So I would start with my very first thought, which is what CIAM is. For us, CIAM is mass customer identity and access management.
In our case, that's a little bit different from what you can think of as general CIAM. There are the vendor solutions, usually applied in banking or maybe in the medical area, where compliance is really important and is actually something really required by the business. In the case of other platforms, this is more about how convenient CIAM could be for the customer, how to make it as frictionless as possible.
That's why today I would try to focus as much as possible on the customer experience, to show what we actually struggle with a little bit as a consumer of the vendor solution, but also on similar aspects.
And I would try to bring as much data as possible to you. So OLX Group in general is a network of trading platforms. We are present in nine markets, and many of those markets are emerging markets. You can think about, in Europe, Poland or Ukraine, or Central Asian countries like Kazakhstan and Uzbekistan. We have more than 50 million active accounts.
So in general we have hundreds of millions of users, but we have more than 50 million active accounts. Those accounts are ready to be picked up anytime by a user using the credentials to get in. It translates into, I was checking for April, 17.7 million monthly active users, so those users that use our platforms on a daily basis, monthly basis. Just quickly, to tell you also about some of our challenges in CIAM: we have more than 10 brands.
So even if you do the simple map, it means that there are markets where we have more than one brand, and usually it translates into this: every single column here is a separate platform. So today a user has a different account in all those platforms, but actually there is only one single identity behind those. So now I would like to really quickly go through the last five years. In about five minutes, I would try to focus only on the most important moments in our journey.
So in 2019, when we were executing some of the strategic decisions in our organization, that was for example moving to the cloud, breaking the monolith into microservices. We were also thinking about, okay, what to do with identity, and on the technology radar it was the only edition when hosted identity management as a service was present.
Trial ring, lucky number seven. So let me read it quickly: you should ask yourself whether identity management should be self-hosted.
In our experience, a hosted identity-as-a-service solution is preferable, but I left some more context in here. In general, the last visible sentence says that sometimes self-hosting the solution is a realistic decision, especially for enterprises that have the operational discipline and resources to execute that. And we thought, okay, this is our case, we will still be doing it in-house. But life quickly verified those assumptions. In 2019 we experienced big waves of credential stuffing attacks, and we were aware of that.
But, you know, if you're such a company, you think, I mean, those were the times when you could think, okay, it's not our fault, it's the fault of our customers, why do they use the same password on every single website,
and such simple passwords. But actually it started affecting us, our business, not even from the reputation side but from the cost side. There were botnets with more than 1 million IP addresses used, so it was really hard to craft web application firewall rules. And what we saw is that there was 28 times bigger traffic on authentication endpoints.
Fortunately, most of that traffic was fake logins, but who knew? What was the percentage of successful logins from that? So it translated at the end to 3% additional traffic on the infrastructure, a significant additional cost that we just made to make the attackers' life easier. So we made a decision to integrate a vendor solution, and our journey started from this point. Actually we started with integrating proprietary APIs to implement some security solutions. How to measure that?
We asked our customer service team just to label the customer tickets about potential account takeovers. So when we released a compromised credential check, I mean, we were quite disappointed that there was no visible impact on this metric.
Actually, our hypothesis at that time was, yeah, okay, first we integrated in the past go project when it was a more free, more open source project, but we had already started implementing other features like adaptive MFA. So during that time we started collecting all the signals to be able to tell, okay, what's the usual context in which the user uses our website? And when there was another big wave of the attack, we just released this feature; we had expected to collect those signals a little bit longer.
But yeah, we were forced to, and actually we saw that the metric decreased, but then it got stable at some level.
So we also made a decision to start collecting front-end signals, so more like a behavioral analysis, thinking about, okay, is it a bot or is it a human? It actually helped, but just for a while; then the attackers quickly figured out which legacy systems to use, where there is a more relaxed check. And then we had to really unify it across all our portfolio.
So when you think about the effort needed to achieve that, it was really big, because those were independent platforms multiplied by different clients, like Android application, iOS application, web application. So we also made a decision: okay, it's time to start using more standards and start thinking about CIAM in general as a service, as a hosted service. So we did a rollout of our own hosted login page, and I believe it was a quite bold decision to have only a web-based login page, even in the native apps.
So you can see that the UX and UI are very, very similar.
Even today in the Android application there is not even this top bar of the Chrome tab; you can use Digital Asset Links.
Yeah, maybe it's more visible that this is a web login in the iOS application, but still you can leverage single sign-on between web and native. So it works for the big number of customers that we have in place.
And what I would also like to highlight here is that what we did on our own is that we delivered only this thin layer of the UI for the customer, but actually everything under the hood is leveraging the authorization server and all the solutions from the vendor. But why did we decide to build this? Actually, how long does it take to build such a layer? Just three months. How long does it take to integrate with all the clients? One and a half years.
So regarding this decision, I believe the key driver was that we still wanted to own this part of the customer journey, this part of the user experience in the customer journey. This is very related to the fact that sometimes it can be tempting to say, okay, I'm giving everything to the vendor. But actually, when you will need a feature, when you will need to solve a problem for your customer, your voice will be just one in, I don't know, a hundred customers of that vendor.
So what we are doing today, just a quick overview. We try to have an omni account, so one identity for all the platforms within one market. This is quite challenging, mainly because of first-party cookies, session synchronization between different domains and similar topics, but there are already solutions.
And we are also looking at the Privacy Sandbox progress. This is also something that we want to leverage as soon as it is available for the mass customer. So now I would like to go through our key insights and learnings: the value proposition of CIAM as a service.
So if you go to the vendor, what's the value proposition? First of all, this is more like the basic stuff: secure storage for accounts, data and credentials. So you are less at risk of a data breach; you shift that responsibility more outside of your company. Also a lot of great implementations of the standards.
Native libraries and components for the clients. You have monitoring, observability, alerting, I mean that's very important. Usually when you build something in-house, you don't have the know-how of what should be monitored. Basic security like brute force protection, things like that.
And then things like easy IdP integration, MFA, passwordless. And what I would like to highlight here is that usually the pricing is based on the monthly active users.
Yeah, that's a little bit of a simplification, but we can say it like that. So for 1000 monthly active users, you can pay one to 10 US dollars. If you are closer to 1 million monthly active users, this is closer to the $1 value. So if you do the math, this is not a big number. So usually it is very convenient to use this. But then when it comes to advanced security features, so everything you can hear about during the conference, all those solutions, this is a little bit more expensive, like 10 times more expensive.
So what I would like to also say here is that all infrastructure costs to handle this are included, but there is one learning.
Our hard learning is: except emails and SMSs. Usually SMS is involved in SMS OTP, and with SMS OTP you can think that SMSs can be 10 times more expensive using a global provider that is actually a wrapper for local providers, a wrapper for all local carriers. And because of that, I mean, yeah, it was 10 times more expensive.
So actually our first bill from the vendor was, okay, half is the CIAM cost, half is the SMS cost. So we said, oh yeah, we have to do something with this.
So then I would like to focus on the most important value we extracted from the collaboration with a vendor: preventing credential stuffing attacks. And is it worth paying this amount of money? As an example, I'm taking one of the recent attacks that we had on our platforms. Why is there a 370%? Just because we scaled it to 100% for all the attempts with valid credentials.
So there was a botnet with 65K IP addresses.
And what was interesting is that 27% of the attempts had valid credentials for the customer in our database. So every fourth request had valid credentials. So then, if you think about a classic approach, a web application firewall, just this network layer, like 99% of the attempts just passed through it.
So yeah, the successful ATO was 99%. But then if you add on top of this compromised credentials detection, we can think, okay, those guys know those credentials, our vendor knows those credentials, it should be zero here. But actually 45% of the credentials were not detected by our vendor. Why?
Yeah, usually it's a hard question; if we knew why, we would improve this or the vendor would improve this. One of our suspicions is that it was the last days of December.
So maybe a new data set had just appeared, and usually in, you know, our countries we have a Christmas break, all the companies get the Christmas break, and actually the attackers didn't; they delivered in this situation. But then you can think about risk calculation, or in general adaptive MFA, and actually it let through 52%.
You can ask why. Actually, just because we also care about user experience. When we had a closer look, that's why I added here "all users", when we had a closer look at what was the reason, it was the users that were not quite active recently. For the returning users we try to lower the friction and we are more relaxed when it comes to checking the signals. And so one of the learnings is that if you have old users, rather delete them or require MFA always for them.
But only if you are aware of the consequence that it will probably be harder for them to return to your website. But actually the last thing I would like to mention here is that bot detection, so invisible CAPTCHA or gathering some behavioral analysis of the customer, actually resulted in, for the attacker in this particular case, a hard stop.
So they didn't invest into overcoming this. In the past we had attempts to overcome this. For example, you can use even a website like 2Captcha, where there is human labor as an API.
So yeah, in the attacks the attackers use it. So for example, if you're a bank or there is more value in the account to extract by the attacker, they can easily use it.
So I would like to spend now a little bit on the user experience, just because I believe this is key when it comes to the customer.
I mean, in general, the expectation from the user is: okay, if I have to log in, I would like just to log in. But if you detect, for example, compromised credentials, then you inform the user, you manage the OTP, setting a new password, and then you require them to log in again.
So what's in the industry? A lot of people say that passwordless will solve all of the problems, but actually we are doing some research about passwordless with our customers, and it looks like there are some topics that were mentioned here, for example the last one: we also have those B2B2C customers.
So B2B means that we as a business have business customers that use our platform to offer their services to end customers, end users.
Think about a real estate agency: they put the properties on our website to attract the end customers. So right now they share one account with one password. Okay? What will they do if they have phishing-resistant MFA? I don't know, probably they will be adding somehow all the possible device keys or something like that. So there are no widely known solutions for the user experience yet, not only for us, but also for the masses. So how does it translate to the general user experience?
So I can confirm more or less that there is a drop, maybe not as drastic as was mentioned in the previous presentations, but still, if there is a compromised credential detection, almost half of the users just give up.
So that's something that you need to consider in your product. Analysts will tell you, okay, what can we do to make it more frictionless, to increase the conversion in this funnel.
Your product manager will tell you, guys, it looks like most of them are false positives, can we remove this? And the security folks, of course they will tell you, okay, you see 40% didn't complete it, those are attackers.
But if you go to the end customer, if you talk with your end customers, you will figure out that actually no, this is not about security. They give up just because of different reasons: they didn't have access to the device they registered for MFA, the OTP code came five minutes later and it was valid for two minutes.
That was our case. So I can confirm all those situations. And the really last thing I would like to highlight here is that it's tempting, when you use a vendor solution, to do different things.
Like, we are not paying right now for the infrastructure, they are paying, so let's try to limit the TTL of your JWT. So if you have a JSON Web Token session, a decentralized session, I mean the bigger risk is the longer it is valid, but actually all your processes in the front-end applications will be impacted by this. That's why I would really like to end with this: different businesses have different needs at different development stages.
But at the end this is always about the user experience, really this is about end user experience, and this is also my ask to all the vendors that are here in the conference: that you could invest a little bit more in thinking about end user experience, just to let us offload from this user research effort, so that we'll be able to just plug in really well-proven solutions, maybe already available for the whole market.
Thank you.
Thanks very much. We are running a little bit behind time, but there is a quick question here.
What was the most effective measure against credential stuffing? What helps the most? Can this be achieved on-prem or only through a SaaS solution?
Yeah, okay. So I will tell you that having a solution built in-house, you are always a little behind, because as everyone says, this is a cat-and-mouse game.
So always you can react, and you can react quite quickly; if you see some patterns that are used by an attacker, you can easily implement that, but you will be a little bit behind. Using a vendor solution, you can leverage the experience that they gathered on others in your business.
Okay, thanks very much, Thomas Groin. Thank you.