InfoSec Insider

Sneakers, Gaming, Nvidia Cards: Retailers Can Stop Shopping Bots

Jason Kent, hacker in residence at Cequence Security, says most retailers are applying 1970s solutions to the modern (and out-of-control) shopping-bot problem, and offers alternative ideas.

In the 1970s the United States went through an oil embargo that sharply limited how much gasoline drivers could buy. “No Gas Today” signs were everywhere. Rationing was imposed by allowing car owners to buy gas only on days that matched whether the last digit of their license plate was odd or even. The rule simply produced a wave of stolen license plates, so that owners could buy gas on any day. The game was afoot, and the scarcity was overcome by what drives much of human behavior: the urge to get ahead of others.

Today, waiting in line for desirable things, usually electronics or footwear now, has simply been replaced with waiting online to purchase those items. We are rarely forced to show up in person to acquire the most sought-after commodities. That does not stop the get-ahead behavior from rearing its ugly head, however, whenever a new item drives up demand.

As scarcity and demand increase, gaining the online advantage through automation has taken hold: shopping bots invade online retailers to purchase desirable items, then resell them on the secondary market. Recently the latest high-demand sneaker drop, the PS5, Nvidia GPU cards and the Xbox all saw listings on resale sites before the actual drops happened, at prices well above MSRP.

The bot writers readied their tools, and the “cooks” (the resellers who run the bots) formulated their plans for how they were going to buy the items to fill the orders they had already taken. The bots started firing fast, overwhelming regular humans and making it nearly impossible to compete. Try as they might, the mom or dad trying to buy their child a special Christmas gift was often met with failure.

This activity repeats over and over, and frankly, as a human up against bots, I for one am sick of it. As bots become more commonplace, human buyers are venting their dissatisfaction on retailers through social media and taking their business elsewhere. But what happens when bots take over every retailer and there is nowhere else to turn?

Fighting the Online Shopper-Bot Army with Friction

Retailers are applying the same 1970s approach to the online shopping experience as a means of combating bots. Some are moving high-demand sales back to an in-store purchase model, where staff can make sure each person carries only one of the desired items to the register. This means you drive to the store and wait in the cold or heat for your chance to buy the next cool item. While this level of friction may defeat an automated bot, it does nothing to stop a reseller from hiring individuals to stand in line as their “shoppers.”

A second response is the virtual waiting room, where users wait two, three or four hours online (like waiting in line in the ’70s to buy gas) just to be given the opportunity to make a purchase, with no guarantee of one. This was the Best Buy experience for the last PS5 drop: essentially a virtual line, but without the real-life benefit of seeing the hundreds or thousands of people ahead of you.

But of course the bots have a response to every obstacle put in their way. Whether the waiting room admits shoppers on a first-come, first-served basis, at random or by some other rule, the bots win either way: speed beats a human to the front of a first-come queue, and scale (thousands of automated sessions entered into the same draw) swamps a random one. The real, manual human is still relegated to the back of the line, losing out on the chance to make a purchase.

Other ways retailers apply friction are to let all purchases go through, then manually review them and cancel those deemed fraudulent, or, as a variant, to run raffle-based checkouts in which only selected purchases are allowed to complete.

The beauty of online retail is the many ways we humans can reach the items for sale: the website, mobile applications, syndication or other partnerships that may use an API for the transaction. Bots, however, skip the ancillary steps humans go through and point their automation at the path of least resistance, typically the API behind the mobile app or partner integration. In doing so they never execute the browser-side “telemetry” (the JavaScript-collected device and behavior signals) that most bot defenses depend on to recognize them, so a defense bolted onto the web storefront never sees the traffic that matters.

Add legitimate users stuck in a waiting room to inventory being bought by bots anyway, and the friction from retailers’ attempts to defeat automation only adds insult to the injury of the “out-of-stock” notice that the vast majority of shoppers will see. Worse, it does not solve the problem: the bots still scored all the goods.

Modernizing Anti-Bot Solutions

The right solution is an approach that lets legitimate users buy available inventory and keeps the bots tied up trying to solve a (purposely) unsolvable captcha, or rat-holes them in page after page of useless links to click. The goal is to apply friction selectively: real humans get the goods (or the gasoline!), while bots are relegated to the endless waiting room.

This approach requires some understanding of the application flow, analysis of “good” traffic, and mathematical models that identify automation precisely enough to present it with no workaround. The cost of a false positive is a real customer stuck in the same dead end, so the decision threshold has to be tuned on known-good traffic, and weaker signals should fall back to a challenge a human can still pass rather than straight to the tarpit. Making the bots wait in line seems like the most powerful message that can be sent, not to mention that it feels amazing to watch them struggle to retool and figure out what they are up against.
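To make the two preceding points concrete, here is an added example (not code from the article, its author or Cequence Security) that implements both ideas in Python: it checks whether a checkout session ever passed through the browser telemetry path that an API-only bot skips, and it scores the session’s request timing against a baseline of known-good traffic. Sessions that trip both signals are routed to bot friction; a session that trips only the telemetry check gets a solvable challenge, because a human whose privacy blocker stopped the beacon would otherwise land in the tarpit. The log lines, the paths (/telemetry, /api/cart, /api/checkout) and the baseline numbers are all constructed for illustration.

```python
"""Bot friction, not user friction: route each checkout session to serve,
challenge or tarpit using two signals from the article.

Constructed example: the log lines, the hypothetical paths (/telemetry,
/api/cart, /api/checkout) and the baseline numbers are made up for
illustration; this is not Cequence Security's product or a real log format.
"""
import statistics
from dataclasses import dataclass, field

# Constructed access log: "<epoch seconds> <session id> <method> <path>".
# /product/<sku> is the HTML page, /telemetry is the beacon a real browser's
# JavaScript posts, /api/* is the JSON API that apps, partners and bots call.
RAW_LOG = """\
1000.0 s-human GET /product/ps5
1004.2 s-human POST /telemetry
1031.0 s-human POST /api/cart
1075.5 s-human POST /api/checkout
1000.0 s-api-bot POST /api/cart
1000.2 s-api-bot POST /api/checkout
1000.4 s-api-bot POST /api/cart
1000.6 s-api-bot POST /api/checkout
1000.0 s-fast-bot GET /product/ps5
1000.3 s-fast-bot POST /api/cart
1000.5 s-fast-bot POST /api/checkout
1000.0 s-blocker GET /product/ps5
1028.0 s-blocker POST /api/cart
1066.0 s-blocker POST /api/checkout
"""

# Median seconds between requests in known-good human sessions: the "analysis
# of good traffic" the article calls for, as a constructed baseline.
GOOD_MEDIAN_GAPS = [18.0, 25.0, 31.0, 22.0, 40.0, 27.0, 19.0, 35.0]
Z_THRESHOLD = 2.0  # std devs faster than human before we call it automation


@dataclass
class Session:
    sid: str
    times: list = field(default_factory=list)
    paths: list = field(default_factory=list)

    def saw_telemetry(self):
        return "/telemetry" in self.paths

    def hit_checkout(self):
        return "/api/checkout" in self.paths

    def median_gap(self):
        """Median seconds between consecutive requests; None if only one request."""
        if len(self.times) < 2:
            return None
        ts = sorted(self.times)
        return statistics.median(b - a for a, b in zip(ts, ts[1:]))


def parse_log(raw):
    """Group log lines by session id."""
    sessions = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, sid, _method, path = line.split()
        session = sessions.setdefault(sid, Session(sid))
        session.times.append(float(ts))
        session.paths.append(path)
    return sessions


def timing_zscore(median_gap, baseline=GOOD_MEDIAN_GAPS):
    """Standard deviations from the human baseline; negative means faster than humans."""
    return (median_gap - statistics.mean(baseline)) / statistics.stdev(baseline)


def signals(session):
    """Automation signals found for one session."""
    found = []
    if session.hit_checkout() and not session.saw_telemetry():
        # Reached checkout without the browser beacon: direct API use, or just a
        # privacy blocker on a real browser, so on its own this is a weak signal.
        found.append("skipped_telemetry")
    gap = session.median_gap()
    if gap is not None and timing_zscore(gap) < -Z_THRESHOLD:
        found.append("inhuman_timing")
    return found


def verdict(session):
    """Two signals earn bot friction (unsolvable captcha, endless waiting room);
    one signal gets a challenge a human can still pass; none is served normally."""
    found = signals(session)
    if len(found) >= 2:
        return "tarpit"
    if found:
        return "challenge"
    return "serve"


def triage(raw=RAW_LOG):
    """Verdict for every session in a log."""
    return {sid: verdict(s) for sid, s in parse_log(raw).items()}


if __name__ == "__main__":
    for sid, decision in triage().items():
        print(f"{sid:<11} {decision}")
```

Run as a script, it labels the two bot sessions “tarpit”, the ordinary shopper “serve”, and the shopper whose blocker suppressed the beacon “challenge”. The design choice worth copying is the last one: a single signal never sends anyone to the dead end, which is what keeps bot friction from turning back into user friction.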

Creating bot friction: now that is a concept I can get behind! Let’s get our retailers to let users make a purchase and keep the bots running in circles, accomplishing nothing.

Jason Kent is Hacker in Residence at Cequence Security.

Discussion

  • Jonny bot on

    No offense, but... how? Retailers, as you point out, have tried a wide array of methods already. What does an unsolvable captcha look like that humans can still solve? What does any method look like that stops automation yet the average customer can understand? This article equates to “we can end gun violence by stopping gun violence.” OK, true, care to expand?
  • T. on

    Retailers have the ability to stop the bots. As long as they’re making their money, they don’t care who it’s from. There are many methods to ensure a human is buying the product and not a bot. Roadblocks such as captchas, email and physical address filtering, and other measures may not stop selfish line-cutting jackasses, but they will impede the low-effort ones enough to actually allow regular Joes who refuse to stoop to those pathetic methods a glimmer of hope of actually acquiring an upgrade.
  • Jason on

    Sending the attacker an unsolvable captcha increases their cost and wastes their time. Utilizing math models, we can compute how far outside the norm a transaction is and determine if it is a human or a bot. We don’t want to create user friction, we want to create bot friction, and in a growing number of cases we do.
  • JottoJotto on

    Well, a good example is what LinusTechTips has done for their verified gamer drops of GPUs. The first one had a series of obscure video game questions that you had to answer in order to purchase the GPU. I didn’t think this was the best example, as there were many questions I didn’t know the answer to. For the second release, they made a mini in-browser game that you had to win in order to purchase. It was a simple platforming game. Now, botters would eventually be able to crack the second one if it were used repeatedly, but if a company REALLY wanted to stop botters, making silly little short games each release wouldn’t be that hard. The question is, would a retailer really consider the effort worth it?
