On Black Friday 2018, the busiest shopping day of the year, four U.S. congressmen proposed a bill, the Stopping Grinch Bots Act, which focused on making it illegal to use bots to shop online and outlaw reselling items purchased by bots.
The bill builds upon the Better Online Ticket Sales (BOTS) Act of 2016, which made it illegal to purchase tickets to events in mass quantities, a practice that ultimately drove up prices for other buyers. Many will remember how nearly impossible it was to get tickets to the Broadway productions of “Hamilton” and “Harry Potter” in 2016 and 2017, respectively. This isn’t a new problem, however. One of my favorite bands, the Foo Fighters, sold tickets for one of its most in-demand shows physically at the venue to keep bots from scooping them up. And while the popularity of these hit shows certainly made queues longer, much of the pain was the result of cyber attackers using bots to buy tickets quickly and then resell them elsewhere for financial gain.
The BOTS Act was a good first step toward limiting the automated bot threat, but it fell short of addressing the many ways we all purchase online. The Act applies only to ticket sales, and it proved difficult for law enforcement to prosecute offenders effectively. In the end, the BOTS Act did little to hinder cyber attackers from using malicious bots.
The Stopping Grinch Bots Act takes it another step further by broadening the scope of the activity deemed illegal as well as the goods/products/services it applies to.
But what does all this mean for retailers? And how about for consumers? And most importantly, will this work?
What's a Bot?
The latest research on bot traffic shows that e-commerce sites and retailers face a more sophisticated bot threat than any other industry. Since the dawn of online retail, hackers have capitalized on any opportunity to abuse the system. In the case of retail, hackers use automated bots to scrape up mass quantities of in-demand products, immediately reselling them at an incredible markup to turn a profit.
Consumers are spending more money year-round on limited-edition or high-demand products like the season’s hottest toys or the latest shoe release. This demand is exactly the motivation malicious attackers need to exploit retailers and consumers. And automated bots are the easiest method for attackers to get their hands on these goods. Because of their ability to rapidly repeat a specific task, bots are used to do things at a scale that humans can’t or simply don’t want to do. In fact, the latest research says bots make up more than half of all internet activity and, more specifically, bad bots make up almost 30 percent of all internet traffic.
This does pose the question: Why don’t websites just block all bots? Unfortunately, the solution isn’t quite that simple. One problem is that retailers, whose primary focus is to sell products, shouldn’t be required to add complexity that could hinder sales. And given the subtlety and nuance with which many bots now operate, a blanket attempt to block all bots could end up blocking legitimate customers instead, which is the worst-case scenario for any business. Another consideration is “if there's a will, then there’s a way.” This is the mantra of malicious hackers, who are determined to find a way around security measures that block particular traffic. For example, if an e-commerce site were to block all traffic coming from a country it didn't do business in, such as North Korea, a North Korean hacker could hop on a VPN to get around it.
Effect on Society: Retailers and Their Customers
Malicious bots have harmful effects on retailers and society as a whole. They throw off the balance of the relationship between customer and brand.
Retailers aren’t technically losing profits by unintentionally selling products to malicious bots, but they are losing consumer trust. Consumers who cannot rely on a retailer to get products at market price are more likely to turn to competitors. Reliability isn't just the order arriving on time; customers also need to trust that the product they want is available, and that they're actually able to purchase it rather than being elbowed out by a bot.
Most retailers have policies in place designed to block bots electronically and limit how many products any customer can buy, but that only does so much when malicious actors are using multiple bots.
When malicious hackers get their hands on in-demand goods, they often resell the products on e-commerce sites like Amazon.com and eBay at an incredible markup. For example, Adidas’ Yeezy sneakers are incredibly popular, and one particular style of the shoe was resold at an average price of $1,471 on eBay, a 400 percent markup. Because of the demand for a product, consumers will likely pay the markup, putting money into the pockets of cybercriminals, and likely funding more cybercriminal activity.
The key component of the Stopping Grinch Bots Act that would deter malicious actors from committing fraud in the first place is that it would make it illegal to resell all products purchased by automated bots. Think of it like copyright laws and online piracy. That could give retailers a new legal weapon against online scammers.
In the Meantime …
There's no timetable for when or even if the Stopping Grinch Bots Act will be signed into law. While we wait, there are a few things retailers should be doing to protect consumers and their products from fraud.
Nearly all online retailers today have a fraud prevention team using a range of anti-fraud solutions to combat the various persistent threats. Most of these solutions require changes to a web application, which can be complex and time-consuming to maintain. To cut down on that time expenditure, retailers should use a web application firewall (WAF) as the first line of defense to proactively keep intruders from getting through the front door.
WAF solutions can proactively detect repeated login failures from a malicious bot that's attempting to break in using stolen credentials by defining customizable security policies that correlate the following threat vectors and accurately detect account takeover attacks. Furthermore, retailers (and other organizations looking to eliminate bot traffic) can initiate a step-up authentication sequence as a configurable mitigation action when the WAF detects a suspicious device attempting to log in as follows.
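To make the detection logic described above concrete, here is an added example of the kind of correlation a WAF policy performs: it replays a sliding window of authentication events, correlates failures per source IP (many accounts tried from one device, the credential-stuffing pattern) and per account (one account hammered), and selects step-up authentication as the configurable mitigation once a threshold is crossed. This is illustrative code written for this article, not Imperva's or any vendor's product logic; the event format, the sample log lines and the threshold values are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample of login events: (timestamp in seconds, source IP, username, outcome).
# These are illustrative, not log lines from the article or from any real product.
EVENTS = [
    (0,   "203.0.113.7",  "alice", "fail"),
    (2,   "203.0.113.7",  "bob",   "fail"),
    (4,   "203.0.113.7",  "carol", "fail"),
    (6,   "203.0.113.7",  "dave",  "fail"),
    (8,   "203.0.113.7",  "erin",  "fail"),
    (10,  "203.0.113.7",  "frank", "success"),  # one hit among many tries: stuffing pattern
    (5,   "198.51.100.2", "alice", "fail"),
    (7,   "198.51.100.2", "alice", "success"),  # a person mistyping once, then succeeding
    (20,  "192.0.2.9",    "grace", "fail"),
    (21,  "192.0.2.9",    "grace", "fail"),
    (22,  "192.0.2.9",    "grace", "fail"),
    (23,  "192.0.2.9",    "grace", "fail"),
    (24,  "192.0.2.9",    "grace", "fail"),
    (400, "192.0.2.9",    "grace", "fail"),     # far outside the window: earlier failures expired
]


@dataclass(frozen=True)
class Policy:
    """Assumed, tunable thresholds for the correlation rules (not vendor defaults)."""
    window_seconds: int = 60
    max_failures_per_ip: int = 5       # combined with distinct accounts -> credential stuffing
    max_accounts_per_ip: int = 3
    max_failures_per_account: int = 4  # one account hammered -> brute force / takeover attempt


def _expire(window, cutoff):
    """Drop entries older than the sliding window so stale failures stop counting."""
    while window and window[0][0] < cutoff:
        window.popleft()


def evaluate(events, policy=Policy()):
    """Replay events in time order and return {source_ip: (action, reason)}.

    The action is recorded the first time an IP crosses a threshold; IPs that never
    cross one get ('allow', 'no_threshold_crossed'). Step-up authentication is the
    mitigation chosen here because it challenges a suspicious device without locking
    out a legitimate customer who merely mistyped a password.
    """
    events = sorted(events)
    fails_by_ip = defaultdict(deque)    # ip -> deque of (ts, username)
    fails_by_acct = defaultdict(deque)  # username -> deque of (ts, username)
    decisions = {}
    for ts, ip, user, outcome in events:
        if outcome != "fail":
            continue
        cutoff = ts - policy.window_seconds
        _expire(fails_by_ip[ip], cutoff)
        _expire(fails_by_acct[user], cutoff)
        fails_by_ip[ip].append((ts, user))
        fails_by_acct[user].append((ts, user))
        if ip in decisions:
            continue  # already mitigated; keep the first decision
        distinct_accounts = {u for _, u in fails_by_ip[ip]}
        if (len(fails_by_ip[ip]) >= policy.max_failures_per_ip
                and len(distinct_accounts) >= policy.max_accounts_per_ip):
            decisions[ip] = ("step_up_auth", "credential_stuffing")
        elif len(fails_by_acct[user]) >= policy.max_failures_per_account:
            decisions[ip] = ("step_up_auth", "account_bruteforce")
    for _, ip, _, _ in events:
        decisions.setdefault(ip, ("allow", "no_threshold_crossed"))
    return decisions


def recent_failures(events, ip, now, policy=Policy()):
    """Failures from `ip` inside the window ending at `now`, i.e. what the detector
    sees at that instant once expired entries are discarded."""
    lo = now - policy.window_seconds
    return sum(1 for ts, src, _, outcome in events
               if src == ip and outcome == "fail" and lo <= ts <= now)


if __name__ == "__main__":
    for ip, (action, reason) in evaluate(EVENTS).items():
        print(f"{ip:14} -> {action:13} ({reason})")
```

Running the block prints one decision per source IP: the host that tried five different usernames in ten seconds and the host that hit one account five times both receive the step-up challenge, while the customer who failed once and then succeeded is left alone. The sliding window matters for false positives: the failure at second 400 from the same host no longer sees its earlier attempts, so a policy that re-evaluated after the challenge would start from a clean count.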
In the end, the Stopping Grinch Bots Act would be a good first step toward protecting retailers and consumers from malicious attackers. If appropriately implemented, the law might actually deter attackers from scraping up products to turn a profit, diminishing the amount of money consumers unwillingly give to bad guys.
Yoav Cohen is senior vice president of product development at Imperva, a cybersecurity software leader providing application and data security for businesses.