This artical was originally published on another siteReading Time: 4 minutes
Jason Kent, hacker in residence at Cequence Security, says most retailers are applying 1970s solutions to the modern (and out-of-control) shopping-bot problem, and offers alternative ideas.
In the 1970s the United States encountered an “oil embargo” that dramatically curtailed people from being able to purchase gasoline for their vehicles. “No Gas Today” signs were everywhere. Gas rationing was imposed by only allowing car owners to buy gas based on whether the final numbers on their license plate was odd or even. This regulation simply resulted in many stolen license plates to allow car owners to buy gas on any day. The game was afoot, and the scarcity was overcome by what drives most human behavior: The drive to getting ahead of others.
Today, waiting in lines for desirable things — usually now electronics or footwear — has has simply been replaced with waiting online to purchase those items. We are rarely forced to even be in-person to acquire the most sought-after commodities. However, that doesn’t prevent that “get-ahead” behavior from rearing its ugly head when a new item is driving up demand.
As scarcity and demand increase, gaining the online advantage through automation has taken hold as shopping bots invade online retailers to purchase desirable items, then resell them on the secondary market. Recently, the latest high-demand sneaker drop, PS5, Nvidia GPU cards and Xbox all saw listings on resale sites before the actual drops happened, with prices well above their MSRPs.
The bot writers readied their tools, and the “cooks” formulated their plans for how they were going to buy the items to fill the orders they already had. The bots started firing quickly, overwhelming regular humans and making it nearly impossible to compete. Try as they might, the mom or dad trying to buy their child a special Christmas gift was often met with failure.
This activity is repeated over and over and frankly, and I don’t know about you, but as a human up against bots, I for one am sick of it. As bots become more commonplace, human buyers are unleashing their dissatisfaction on the retailers through social media and taking their business elsewhere — but what happens when bots take over and there is nowhere else to turn?
Fighting the Online Shopper-Bot Army with Friction
Retailers are applying the same 1970s technology to the online shopping experience as a means of combating bots. Some are moving high-demand sales back to an in-store purchase model where they can make sure each person is carrying only one of the desired items to the register. This means you drive to the store and wait in the cold/heat for your chance to buy the next cool item. While this level of friction may defeat an automated bot, it does not preclude hiring individuals to be your “shopper.”
A second response to combat bots is having a virtual waiting room where users wait for two, three or four hours online (like waiting in line in the 70s to buy gas), just to be given the opportunity to make a purchase. No guarantees. This was the Best Buy experience for the last PS5 drop, essentially creating virtual lines – but without the real-life benefit of being able to see the hundreds or thousands of people in line in front of you.
But, of course, the bots have a response to every problem that keeps them from success. Whether the waiting room is based on first-come/first-served basis, or it’s random or otherwise, the speed and scale of automated bots means that the (manual) real human will still be relegated to the back of the line, losing out on an attempt to make a purchase.
Added ways in which retailers are applying friction to defeat bots is to allow all purchases to go through, then manually validating them, canceling those deemed fraudulent. A variant to this approach is to apply raffle-based check-outs to allow select purchases to go through.
The beauty of online retail is the many ways in which we humans can access the items for purchase – the website, mobile applications, syndication or other partnerships that may use an API for the transaction. The bots however bypass the ancillary steps humans go through, applying their automation to the path of least resistance, skipping the “telemetry” that most bot defense mechanisms use to stop them. Combined with the legitimate users waiting in a waiting room and the inventory being purchased by the bots anyway, the user friction resulting from retailers’ attempts to defeat automated bots only adds insult to the injury of the “out-of-stock” notice that the vast majority of shoppers will see, and to make matters worse, it doesn’t solve the problem that bots scored all the goods.
Modernizing Anti-Bot Solutions
The right solution might be an approach that allows legitimate users to purchase available inventory and keeps the bots tied up trying to solve a (purposely) unsolvable captcha or perhaps rat-hole them with page after page of useless links to click. The goal is to apply enough friction that the real humans get the goods (or the gasoline!), while bots are relegated to the endless waiting room.
This approach requires some understanding of the application flow, analysis of “good” traffic, and the use of mathematical models to precisely identify automation and present it with no work around. Making the bots wait in line seems like the most powerful message that can be sent, not to mention, it feels amazing when they struggle to retool and figure out what they are up against.
Creating bot friction, now that is a concept I can get behind! Let’s get our retailers to enable users to make a purchase and keep the bots running in circles, accomplishing nothing.
Jason Kent is Hacker in Residence at Cequence Security.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.