top of page
2AA Header4.png
ROLE

Lead Designer / Design Owner

DURATION

5 months (Feb 2022 - Jun 2022)

Designing the future-proof access review system to mitigate multiple attack vectors

Problem

Business admins cannot detect and reject malicious requests that are attacking the business account.

Solution

A compromise detection system to monitor, review, and reject various unauthorized requests.

Impact

Reducing revenue leakage by $300k daily, protecting $10B over the course of the year.

​How are we stopping the attacks? 

Our team launched the Second Admin Approval (2AA) initiative to combat security breaches and provide businesses with an additional layer of security to monitor user requests. The system notifies a second admin in the same business account to review user requests before they can be sent or completed, allowing the admin to detect and intercept potential breach scenarios. Below is one example of an attack and how 2AA works to stop it:

Current.png
After.png

As the design owner, I created the UX strategy and identified the design approach for 2AA intervention across multiple attack flows. I worked on clarifying the product scope, gathering compromise use cases, defining product and user requirements by working closely with cross-functional partners. My goal is to design a singular review framework to stop attack paths in multiple product flows.

How do attacks happen?

I contacted different product owners experiencing attacks to understand how compromises occur. I investigated specific user requests that are directly linked to top revenue leakages, which can be addressed by 2AA. Using visual diagrams to illustrate the existing system and its underlying problems, I identified common patterns across the product flows and uncovered additional security loopholes that were potential pathways for breaches. The visual below identifies attack entry points during credit line sharing. 

AUG 2024 Portfolio Review (2).png

After aligning with partners on the attack use cases, I pinpointed the optimal entry points for 2AA to integrate within these attack flows. The 2AA system alerts admins to review and reject potential attack requests, so identifying the right entry points can stop the attacks from happening.

AUG 2024 Portfolio Review (3).png

Working with different product owners, I gathered different attack use cases and created a flexible 2AA framework design capable of reviewing and rejecting 10 different request scenarios that could be potential attacks (7 more than initial product scope). This framework is scalable and can be reused to scrutinize more business-sensitive requests in the future. The visual below shows how the same modular design is flexible to address different attack scenarios:

10 use cases.png

Impact

Since its launch in July 2022, 2AA has significantly reduced unauthorized access and activities, defending high-revenune businesses from malicious attacks. This feature is released to 100% of target audience for the Credit Line Sharing use case. Within days of launch, 2AA has already stopped hundred-millions in leakage from unauthorized user requests, and saving 300k daily. About 95% of credit line share requests were approved on same or next day, meaning 2AA is not blocking authorized and legitimate requests. $10B+ of credit lines now go through this 2AA design over the course of the year. In the future, 2AA will be incorporated into product flows to mitigate attack scenarios and protect businesses from significant revenue loss.  

bottom of page