Piñata, a New York-based startup that recently raised $13 million in Series A funding, has its sights set on making renters feel rewarded while building their credit. Launched in mid-2020, Piñata is the first and only service to report renters’ payments to major credit bureaus for free.
With the stated goal of helping renters get more out of their largest expense every month—by building their credit sufficiently to eventually be qualified for a home loan— Piñata incentivizes its one million users with an in-app currency and reward system. Renters using Piñata’s platform can earn “Piñata Cash” for making on-time rent payments. This reward cash can then be spent at over 300,000 different brands including Amazon, Starbucks, and Target.
Piñata, “the app that makes rent rewarding,” operates through its website at www.pinata.ai and mobile apps available for both iOS and Google platforms.
The Piñata engineering team became aware of multiple cyber incidents occurring on platforms similar to their own. As reported in the news, these cyberattacks were causing other company websites along with their mobile application programming interfaces (APIs) to become unresponsive due to a large amount of incoming traffic specifically tied to targeted API cyberattacks involving:
- Distributed denial-of-service (DDOS)
- Credential Stuffing
DDOS attacks are a major concern for Internet security today. They involve a malicious attempt to disrupt the normal traffic of a targeted server by overwhelming it with a flood of traffic. Similar to an unexpected traffic jam clogging up a highway, it prevents regular traffic (customers and bona fide users) from arriving at their destination (site and app slowdowns/outages).
Some of these companies were also experiencing credential stuffing, another cyber threat in which credentials obtained from a data breach on one service are used to attempt logins with another unrelated service. Many times attackers leverage user management APIs to check for the accuracy of illegally purchased credentials.
Not wishing to become the target of a similar attack, a forward-thinking executive at Piñata contacted JBS Dev. Upon learning that JBS had successfully handled similar challenges with national retailer Petco’s mobile app and platform, Piñata partnered with JBS to help solidify their own API security and to provide monitoring tools to thwart any potential API cyberattacks, especially like the ones currently being reported in the news.
Moreover, based on prior experiences with clients such as Petco, they also requested JBS to assess the health of their overall project—including site and mobile app codebases—and to provide appropriate recommendations.
How JBS Helped
After talking with Piñata, the team at JBS conducted a thorough review of Piñata’s platform and provided a tailored approach to secure it from threats and attacks by bad actors.
During discovery, JBS found that the following areas could be further bolstered to prevent a successful cyberattack from occurring:
- Through some evident loopholes, sophisticated attackers might be capable of reverse-engineering their mobile app to understand how to send direct requests to the backend systems.
- Backend systems were not protected outside of some static keys or values, making it fairly easy to create a script that could automate username and password logins.
- There was a monitoring gap at Piñata. As it stood, the engineering team would only became aware of cyberattacks upon noticing that their website and mobile app APIs were down due to a large amount of incoming traffic. There was no rate limiting and they didn’t yet have a way to know if bad actors were in the process of trying to attack the system.
- Piñata’s current cloud infrastructure relied on deployed servers which meant that in the event of an attack, their website and mobile app APIs would eventually go down because the dedicated hardware running them would almost surely get overloaded.
To address all these concerns, JBS quickly put a plan in place—with demos and deliverables—and then deployed a solution with several tools and services operating in tandem. These tools and services included setting up a PagerDuty account, a Sumo Logic account, Google reCAPTCHA, a custom login signature hash implementation, and several serverless microservices using Amazon Web Services (AWS). Each is discussed below.
The solution was deployed using a self-managed agile process. JBS curated a backlog based on Piñata’s feedback and technical discovery sessions. There were weekly standup sessions and demo calls each week to show the progress of the work.
PagerDuty for Quick Incident Response
To automate, orchestrate, and accelerate critical incident responses related to Piñata’s digital infrastructure and integrations, JBS set up an account with PagerDuty. In the event something goes wrong or there is a potential cyber threat to their APIs, this platform will be immediately triggered and send an automated email, text message, or phone call to the “on call” team member at Piñata for a quick incident response.
JBS also worked with Piñata to establish a simple on-call rotation with their IT team to facilitate this process.
Sumo Logic for Critical Monitoring
JBS also established a Sumo Logic account to make Piñata’s digital experiences—website and mobile app—even more reliable and secure. Sumo Logic enables organizations, like Piñata, to create log queries, application dashboards, and automated alerts based on log information and metrics. JBS set up monitoring for all login attempts, suspicious activity, and failure alerts.
All of these alerts fed directly into PagerDuty. Login failure rate detection was also defined via Sumo Logic queries based on application logs. They leveraged a custom webhook to remotely activate Google reCAPTCHA in the event of a high volume of failed login attempts.
Google reCAPTCHA for Detecting Suspicious Logins
Google reCAPTCHA allows hosts, such as Piñata, to distinguish between human and automated access to websites or mobile apps. JBS worked with Piñata’s mobile application team to integrate this service to further secure login requests without any code deployments.
Once activated, a standard Google reCAPTCHA would test logins via Piñata’s mobile app. The backend would then verify with Google to ensure that the login reCAPTCHA was successful, indicating that a real human being—as opposed to a bot controlled by a malicious actor—was legitimately trying to gain access to the Piñata app.
Signature Hashing to Bolster Security
Signature hashing, a cryptographic process for authenticating a user login, was implemented by JBS to further bolster security for Piñata’s mobile app. Specifically, once a user has given information as part of a login request, a client-side hash must be replicated by the backend system. In the event that the client-side hash and the backend hash do not match, the login attempt to the mobile app is denied.
With client-side code obfuscation settings in place, a signature hash is difficult for bad actors to reverse engineer from a client application, making it more difficult to execute successful cyberattacks such as DDOS and credential stuffing.
AWS Serverless Architecture Using Lambda and WAF
JBS converted Piñata’s dedicated server instance architecture in Amazon Web Services (AWS) to a Lambda function-based architecture. Lambda allows applications to run code without provisioning or managing infrastructure. It automatically responds to code execution requests at any scale—whether it be a dozen events per day or hundreds of thousands of requests per second.
By leveraging AWS Lambda, Piñata’s ability to scale while under significant load increased dramatically. They no longer had to manage servers for handling real-time traffic or worry about slowdowns or outages due to large volumes or spikes in incoming traffic.
Additionally, JBS set up AWS Web Application Firewall (WAF) to protect against common web exploits and bots—including DDOS attacks and credential stuffing—that can affect availability, compromise security, or consume excessive resources. This service would allow Piñata to more easily monitor, block, or rate-limit common and pervasive bots. It also improves web traffic visibility by providing granular control over how metrics are emitted.
JBS established the initial firewall rules that included blocking international traffic. The team also worked with Piñata to design future solution possibilities using even better WAF managed rules including rate-based rules.
Once everything was put into place, Piñata had a sophisticated alerting mechanism to make them aware, in real-time, of any potential cyber threats to their platform. JBS handed-off PagerDuty, Sumo Logic, and Google reCAPTCHA tooling configuration access along with full knowledge transfer of working sessions and documentation to ensure that Piñata’s team was trained properly.
With the suite of tools deployed by JBS, the in-house team at Piñata now had readily available insights into their users and incoming traffic along with what they were doing at any given time. In this way, any potential attack attempts would be appropriately detected and triaged in a proactive—rather than reactive—manner.
Not only was their architecture more future-proofed against login attacks, but it was also secured against other traffic surges. This would thwart slowdowns and outages that might have impacted their APIs and platform. The new tools, including the serverless architecture provided by AWS, also provided Piñata with a better starting point for more business-oriented metrics, dashboards, and data visualizations. Overall, Piñata’s website and mobile app security were improved making it much more difficult for attackers to disrupt their applications and business operations.