Interview with Shuman Ghosemajumder, CTO of Shape Security

Josiah Motley · June 20, 2019

A look into business security, data breaches, and the inspiration behind the company

In 2019, you'd be hard-pressed to find someone who hasn't had their data stolen. While most of us are aware of this, even those among us who think their data is safe have probably been affected by a breach without realizing it.

On the business end, data breaches are expensive. Not only do they damage your reputation, but they can cost a business a lot of money.

Shape Security is one company that works with businesses to help them best avoid and prevent data breaches that could happen through methods like credential stuffing.

I had the chance to talk with Shuman Ghosemajumder about Shape Security, the inspiration behind the company, and how data breaches affect businesses.

Check out the full interview below.

Care to introduce yourself and your role with Shape?

My name is Shuman Ghosemajumder and I’m the chief technology officer at Shape Security. In that capacity, I lead all product, engineering, and research for the company.

I previously worked at Google, where I led global product management for click fraud protection.

In just a few sentences, what is Shape?

Shape’s technology platform stops sophisticated fraud and cybercriminal attacks which bypass standard security controls.

Our flagship product, Shape Enterprise Defense, is the primary line of application defense for the majority of large US banks and airlines as well as leading companies in the retail, insurance, telecommunications, Internet, and other consumer industries.

In the past 12 months, we prevented over $1 billion in attempted fraud. Our business is now expanding globally and last year Deloitte named us the fastest-growing company in California by revenue. CNBC has also named us one of the top 50 most disruptive companies in the world.

What inspired the creation of the company?

Back in 2011, Shape’s founders Derek Smith, Justin Call, and Sumit Agarwal launched the company to deal with a pattern of increasingly sophisticated attack types they had observed.

Specifically, what they saw in the work they did at the Pentagon and in the defense industry was that automation was increasingly used by cybercriminals to create fraud on applications which were otherwise secure from a traditional security standpoint. Sumit coined the term “credential stuffing” at the time to describe one of the most dangerous types of automated attacks, where usernames and passwords from one data breach were being used to attempt to log in to completely unrelated websites.

That has gone on to become an industry term to describe one of the most widespread online threats in the world today.

What problems are you trying to solve?

Nearly every person in the U.S. has had their personal information stolen via a data breach.

These billions of stolen usernames, passwords, and other data allow cybercriminals to imitate real users online using sophisticated bots. Shape’s technology can detect these spoofing attempts and stop the automated fraud they would otherwise create.

This is really the beginning of the AI vs. AI arms race, where cybercriminals are incentivized to pass mass Turing tests to create fraud, and defenders utilize more sophisticated AI and ML to attempt to outpace, detect and defeat them.

Why is credential stuffing such a big problem for businesses? Why isn't it more widely discussed?

Cybercriminals harvest credentials from data breaches and test them by attempting to log in to every website and mobile app imaginable. A predictable subset of those credentials (typically 1-2% for the average credential stuffing attack) will successfully unlock accounts for the cybercriminal because most consumers reuse passwords across multiple sites.

This can translate into vast damages: for example, if a credential stuffing attack attempts to log in to one million accounts using stolen credentials, that can result in tens of thousands of accounts taken over very quickly.

The criminals then drain those accounts of value to commit all types of fraud, from unauthorized bank transfers to stealing rewards points to illicit retail purchases. In the case of stolen loyalty points or fraudulently purchased goods that cybercriminals monetize by reselling through secondary markets like eBay, regular consumers unintentionally help perpetuate this fraud when they snap up those deals that are, indeed, too good to be true.

In our Shape Security 2018 Credential Spill Report, we reported that over 2.3 billion credentials from 51 different organizations were reported compromised during the previous 12 months. In this same report, we delve into how cybercriminals stole, weaponized and resold those credentials and how they turn compromised accounts into profits. We also drill down into the costs of credential stuffing attacks on companies in various industries that attackers routinely target.

Shape has unique visibility into the credential stuffing ecosystem. We protect more than 1.6 billion online accounts from credential stuffing on behalf of our customers. We’re especially focused on helping to protect the leading companies in every consumer industry – those very same companies which are the biggest targets for credential stuffing attacks.

The reason for this is that cybercriminals want the greatest return on investment for their attacks, so they primarily use stolen credentials against the sites which have the largest number of users, to maximize the overlap between their stolen credentials and valid accounts on the targeted system which use the same passwords.

Is there an end-point to credential stuffing? Can you ever fully halt it?

Credential stuffing attacks are constantly getting more automated and more complex. This makes it easier for cybercriminals to leverage stolen credentials and attack more sites at a lower cost. The net result of this is that credential stuffing is going downmarket and becoming more common, not less common.

In addition, while consumer sites have been the primary focus for credential stuffing attacks to date, B2B sites are increasingly getting attacked also. CRM, expense management, legal, and other B2B companies which store vast quantities of other companies’ data are experiencing more attacks than ever. There were even references in the news this week about credential stuffing attacks being used against critical infrastructure like our electric utilities.

New technology and processes being added to the authentication workflow help, but in the long term this doesn’t stop credential stuffing, it only changes its nature. For example, as multi-factor authentication becomes more common, cybercriminals are developing more advanced tools to dupe users into willingly providing their second-factor authentication codes and then automating their use in credential stuffing campaigns.

All of this being said, there is light at the end of the tunnel as far as consumers are concerned. Even as credential stuffing attacks move downmarket, the majority of our most important data and assets are still stored within major service providers.

As Shape’s platform is more widely deployed, the major companies in every consumer industry around the world -- the primary service providers we all rely on -- cease to produce the required ROI for cybercriminals to continue to attack them. This results in cybercriminals moving on to sites we’re less concerned about, at least in terms of the value stored in those sites’ accounts.

In addition, Shape has a new product called Blackfish which may actually help end credential stuffing over time. Blackfish is a collective defense system against stolen credentials across our entire network.

This means that when a credential is identified as being used in a credential stuffing attack by our platform, not only can Shape protect the site being attacked, but it can invalidate the newly-identified stolen credential across our network of customers.

When this happens, neither that cybercriminal nor any cybercriminal can use those particular stolen credentials on our customers’ sites -- not even manually. The cybercriminals must go back to the drawing board in terms of trying to conduct a new data breach to obtain new stolen credentials that have not yet been discovered and invalidated. This becomes difficult and expensive to the point of becoming impractical, and as such, we hope will help end credential stuffing entirely.
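A defender-side sketch of the two steps described above (spotting the many-usernames, low-hit-rate pattern of a stuffing campaign against one site, then invalidating every credential it replayed across all protected sites, even for a manual login), added here as an illustration. It is not Shape's or Blackfish's code; the log records, thresholds and the hash-based credential fingerprint are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample login attempts: (source_ip, site, username, password, succeeded).
# One source tries many different usernames with a low hit rate (the stuffing pattern);
# the other is a single user who mistypes a password once.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "bank.example", "alice", "hunter2", False),
    ("203.0.113.7", "bank.example", "bob", "letmein", False),
    ("203.0.113.7", "bank.example", "carol", "Summer2018!", True),
    ("203.0.113.7", "bank.example", "dave", "qwerty", False),
    ("203.0.113.7", "bank.example", "erin", "password1", False),
    ("203.0.113.7", "bank.example", "frank", "dragon", False),
    ("198.51.100.9", "bank.example", "grace", "correct-horse", False),
    ("198.51.100.9", "bank.example", "grace", "correct horse", True),
]

def detect_stuffing_sources(attempts, min_users=5, max_hit_rate=0.2):
    """Flag sources that try many distinct usernames with a low success rate.
    Thresholds are assumed values for this example."""
    users, hits, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, _site, user, _pw, ok in attempts:
        users[src].add(user)
        total[src] += 1
        hits[src] += ok
    return {src for src in total
            if len(users[src]) >= min_users and hits[src] / total[src] <= max_hit_rate}

def credential_fingerprint(username, password):
    """Unsalted digest so the same stolen pair can be matched across sites.
    Simplified stand-in; a real shared blocklist would not exchange raw hashes this way."""
    return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

def build_shared_blocklist(attempts, flagged_sources):
    """Every credential replayed by a flagged source is treated as stolen,
    whether or not it unlocked an account on this site."""
    return {credential_fingerprint(u, p) for src, _s, u, p, _ok in attempts
            if src in flagged_sources}

def login_allowed(username, password, blocklist):
    """Deny a blocklisted pair on any site, even a manual login; the caller forces a reset."""
    return credential_fingerprint(username, password) not in blocklist
```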

Is Connect meant for businesses of a certain size? If so, how large or small?

Shape Connect brings the company’s industry-leading anti-bot and fraud protection technology to many more businesses, especially medium and small companies, at an affordable price.

With Shape Connect, organizations without security and IT teams can protect their online businesses against sophisticated bots, credential stuffing and other attacks that lead to fraud.

Shape Connect:

  • Can be deployed in 30 minutes or less for most web properties, and immediately protects an entire website against bot-driven, fake traffic.
  • Is completely seamless and transparent to genuine human users.
  • Features an easy-to-use admin interface that illuminates a site’s traffic and how it is being protected.
  • Can be deployed and administered without extensive security expertise.
  • Is completely cloud-based: no hardware, nothing to install, and always up to date.
  • Is priced to scale with the size of an online business.

How easy is it for a business to implement Connect onto a site?

We’ve sought to make it as simple as possible. Connect can be up and running in a few minutes by simply redirecting website traffic to a new address we provide.

Any IT administrator or website manager should find it easy to do.

Anything exciting coming to Shape in the coming months?

We definitely have some exciting public announcements coming up. Stay tuned.

In the meantime, we’re continuing to work hard at continuing to push technological boundaries to stay ahead of cybercriminals.

Would you like to add anything before closing?

At Shape, we spend a lot of time thinking about the future of technology and enterprises. There are a few clear industry trends that influence our long-term strategy:

  • Enterprises shifting toward utilizing services from third-parties instead of operating products internally.
  • The movement toward public cloud infrastructure instead of operating data centers.
  • The increasing complexity of both the attack and defense side of cybersecurity, leading to more comprehensive defense platforms that consolidate disparate functionality.

One effect of these trends is that security and content delivery point solutions that are commonplace today, such as standalone companies which sell CDNs, WAFs, and DDoS products, are increasingly getting subsumed into larger platforms, particularly the public cloud providers.

In a few years’ time, we expect that everyone will get their CDN, WAF, and DDoS protection primarily from Amazon, Google, and Microsoft, not from standalone companies.

We are developing Shape’s platform to complement this functionality. Just as developing an application in the public cloud enables you to develop, scale, and operate with far greater efficiency than was possible in the past, adding Shape to that application development stack allows you to immediately protect that application with the best security technology.

Josiah Motley

Contributor at various blogs, with a focus on tech, apps, gadgets, and gaming.
