Bad actors were performing credential stuffing attacks on all possible channels: both the Canadian and US websites, mobile apps, and even OFX API endpoints. Not only were the attacks leading to account takeover fraud losses, but the sheer volume of attacks also put significant strain on the Bank’s infrastructure. The bank was experiencing rolling outages on both their Canadian and US websites, which prevented customers from accessing their accounts. These service outages were unacceptable to the Bank’s leadership, so the security team was determined to find a solution.