There are significant forces at play in the world of retail, not least of which is digital transformation. As transactions are increasingly completed online from a variety of devices, users have come to expect a far different experience when engaging with retailers. This holiday season, shoppers are expected to spend $682 billion, and for the first time, they may spend more online than in brick-and-mortar stores. This demand will place an onus on retailers to maintain a rich and consistent user experience online. Downtime, waiting rooms, depleted inventory and slow response times are likely to drive users to other, more reliable domains and apps.
Unfortunately, malicious actors view the holiday shopping period as an opportunity to make money through fraud and will be hard at work. Wielding advanced scripts and compromised computers that form a botnet, they will seek out retailer sites and mobile apps to compromise gift cards, deplete inventory, scrape pricing, conduct DDoS-for-ransom attacks, exfiltrate sensitive data, and more. One particular attack, credential stuffing, will likely increase, meaning hackers will attempt to access accounts via users’ stolen credentials, counting on password reuse. Given the volume of leaked credentials in previous months, hackers will prime their tools to see what sites — and user data — may be accessible. These attacks also tend to exhaust resources and slow response times, making them a threat to revenue during a particularly busy period.
To understand what to secure, retailers must look across their entire ecosystem — the channels through which they engage with and sell to customers, such as partners, mobile applications, web applications, etc. This ecosystem also constitutes the attack surface that criminals can target to commit fraud or interfere with operations (potentially driving traffic to competitors).
Consider, for example, retailers that include price elasticity in their online sales strategy. If bots can interfere with inventory by filling up shopping carts without completing a purchase, pricing algorithms will get thrown off and the strategy will be rendered ineffective. This is fairly common in the airline industry, and can make competitive offerings more compelling in the short window of opportunity to make a sale or impression. Retailers need the visibility and control over traffic to distinguish between legitimate human users and the bots impeding their experience.
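As an added illustration of the cart-hoarding scenario above (example code, not part of the original article): a small Python replay of constructed cart events that caps how many units one session may hold per SKU and expires unconverted holds, so a bot that fills carts without buying cannot keep inventory locked. The event log, session ids, SKU and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed cart events for illustration (not from the article):
# (ISO timestamp, session id, action, sku, quantity)
EVENTS = [
    ("2017-11-24T09:00:00", "s-human-1", "add", "TV-55", 1),
    ("2017-11-24T09:00:05", "s-bot-7", "add", "TV-55", 4),
    ("2017-11-24T09:00:06", "s-bot-7", "add", "TV-55", 4),
    ("2017-11-24T09:00:07", "s-bot-7", "add", "TV-55", 4),
    ("2017-11-24T09:03:00", "s-human-1", "checkout", "TV-55", 1),
    ("2017-11-24T09:20:00", "s-human-2", "add", "TV-55", 1),
]

HOLD_TTL = timedelta(minutes=15)   # a carted unit stays reserved only this long
MAX_UNITS_PER_SESSION = 5          # per-SKU cap on what one session may hold

def replay(events, stock, hold_ttl=HOLD_TTL, cap=MAX_UNITS_PER_SESSION):
    """Replay cart events against a stock table; return (available, flagged).

    Adds above the per-session cap are refused and the session flagged;
    holds never converted to a sale expire after hold_ttl."""
    available = dict(stock)
    holds = []                    # (expires_at, session, sku, qty)
    held = defaultdict(int)       # (session, sku) -> units currently held
    flagged = set()
    for ts, sess, action, sku, qty in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        live = []
        for exp, s, k, q in holds:      # release stale holds first
            if exp <= now:
                available[k] += q
                held[(s, k)] -= q
            else:
                live.append((exp, s, k, q))
        holds = live
        if action == "add":
            if held[(sess, sku)] + qty > cap:
                flagged.add(sess)       # hoarding pattern: refuse the hold
                continue
            take = min(qty, available[sku])
            available[sku] -= take
            held[(sess, sku)] += take
            holds.append((now + hold_ttl, sess, sku, take))
        elif action == "checkout":      # hold becomes a sale; stop tracking it
            holds = [h for h in holds if (h[1], h[2]) != (sess, sku)]
            held[(sess, sku)] = 0
    return available, flagged
```

With the cap in place the bot session is flagged after its second add and the stock it did reserve is released at the 15-minute mark, before the later human shopper arrives.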
It’s no surprise that e-commerce is increasingly mobile. According to Deloitte’s 2017 holiday retail survey, “smartphone users are more inclined to use dedicated retailer apps or payment apps when making purchases.” Retailer apps create a sticky relationship with customers, since retailers can derive more useful data from them to create compelling experiences. Mobile apps are also at increasing risk of attack since they’re typically reliant on API calls, which are unauthenticated. Retailers should impress on their providers that the availability and integrity of API endpoints (from which data is served back to the mobile app) are critical to maintaining their users’ experience.
Today, the digital experience influences sales. As retailers cross the digital divide, security will be paramount to engage meaningfully with customers across different mediums. An understanding of the malicious actors targeting retail, and their tools, will enable businesses to build the proper defenses and mitigations to ensure a successful holiday shopping period. As bots become the tool of choice for criminal actors, retailers and their service providers will need sophisticated controls to fight back and stay in the game.
For more on what retailers can do to prepare themselves for the anticipated rise in cyberattacks targeting e-commerce platforms this holiday season, see our list of best practices.
Nick Deshpande is the vice president of product development at Zenedge, a cloud-based DDoS mitigation, WAF, API protection and bot management solutions provider.