At the most recent Black Hat conference, an event that brings together many of the biggest players in the cybersecurity industry, PerimeterX surveyed 304 security professionals on the show floor to gauge how the industry currently perceives bots. The results offer useful insight into the future of online retail and the external threats it faces.
Understanding the Problem
It's no surprise that the vast majority of those questioned at the event understand what a bot is: a software application that runs automated tasks over the internet. Although bots often get a bad rap in the press, usually in connection with election interference, 84 percent of the security professionals questioned believe, rightly, that not all bots are bad. Many of us carry benign bots in our pockets or keep them in our kitchens: voice assistants such as Siri and Alexa are automated software applications built to make our lives easier.
However, despite the ubiquity of bots across digital platforms, there seems to be a lack of understanding of the legal implications. One common use of bots is to buy items in bulk during a flash sale, such as limited-edition sneakers or hot concert tickets. The item sells out in minutes and is then resold on third-party websites at inflated prices. While the ethics of this practice are debatable for sneaker purchases, the legal implications are very clear for concert ticket purchases.
Bots in Retail
What's notable from a retail standpoint is how security professionals perceive bot usage. Just 32 percent were aware that there are no laws limiting the use of bots to purchase goods such as sneakers; in the U.S. it is legal for a bot service to buy out the entire stock of a flash sale. Only 33 percent of respondents thought that using bots to buy concert tickets was illegal, and only 27 percent believed it was illegal to resell those tickets at a higher price. Even though the BOTS Act of 2016 was enacted to provide fairer access to online tickets, awareness of the law remains low. Under the BOTS Act, it is illegal to circumvent the security measures or access controls that event ticket sites use to enforce their posted purchasing limits, and it is illegal to knowingly resell tickets obtained in violation of the law.
Respondents' willingness to use bots for their own benefit was especially revealing: 56 percent admitted they would use bots to get a good deal during a flash sale, and 20 percent said they already had. That matters given the makeup of the sample. As attendees of Black Hat, the "most technical and relevant information security event series in the world," their answers underline how accessible bots are to anyone with the right technical skills.
The survey results outline a clear bot problem in online retail: there is no definitive regulation preventing bot abuse outside the event-ticket market, and bots remain a serious issue for most retailers. So what can be done about bad bots? Retailers must ensure that the proper security controls are in place to keep customers from being exploited by greedy third parties. The most common check is a CAPTCHA to tell bots from humans, but CAPTCHAs have become steadily easier for bots and harder for humans to solve. It is vital that sites are monitored using behavioral and machine learning techniques, both to catch increasingly sophisticated bots and to ensure fair retail practices that result in a positive customer experience.
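As an added illustration (not PerimeterX product logic and not code from the original article), the following Python script applies the kind of behavioral checks the paragraph alludes to over a constructed checkout log for a flash sale. It enforces a posted per-account purchase limit (the same sort of posted limit the BOTS Act discussion above concerns, here applied to any product) and flags clients whose request cadence is faster or more regular than a human shopper, or who reach checkout without ever viewing the product page. The log format, the account names, the paths and all thresholds are assumptions chosen for this example.

```python
"""Behavioral bot scoring over constructed flash-sale checkout logs.

Added example; not part of the original article. Log format, thresholds
and account identifiers are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<seconds since sale open> <account> <method> <path>".
# acct-17 browses like a person; acct-42 hammers checkout on a fixed timer;
# acct-99 goes straight to checkout with no product view.
SAMPLE_LOG = """\
0.000 acct-17 GET /sneaker/limited
2.310 acct-17 POST /cart/add
5.870 acct-17 POST /checkout
0.010 acct-42 POST /cart/add
0.210 acct-42 POST /checkout
0.410 acct-42 POST /cart/add
0.610 acct-42 POST /checkout
0.810 acct-42 POST /cart/add
1.010 acct-42 POST /checkout
0.020 acct-99 POST /checkout
0.030 acct-99 POST /checkout
"""

PURCHASE_LIMIT = 2            # assumed posted per-account limit for this sale
MIN_HUMAN_MEAN_GAP = 0.5      # seconds; sustained faster cadence is suspect
MAX_HUMAN_REGULARITY = 0.05   # std-dev of gaps this small looks timer-driven


def parse_log(text):
    """Group log lines by account and sort each account's events by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, account, method, path = line.split()
        events[account].append((float(ts), method, path))
    for account in events:
        events[account].sort()
    return events


def score_account(records):
    """Return the list of reasons an account looks automated (empty if none)."""
    reasons = []

    # 1. Posted purchase limit: count completed checkout attempts.
    checkouts = sum(1 for _, m, p in records if m == "POST" and p == "/checkout")
    if checkouts > PURCHASE_LIMIT:
        reasons.append(f"checkouts={checkouts} exceeds posted limit {PURCHASE_LIMIT}")

    # 2. Cadence: humans are slow and irregular; scripts are fast and even.
    gaps = [later[0] - earlier[0] for earlier, later in zip(records, records[1:])]
    if len(gaps) >= 2:
        if mean(gaps) < MIN_HUMAN_MEAN_GAP:
            reasons.append(f"mean gap {mean(gaps):.3f}s below {MIN_HUMAN_MEAN_GAP}s")
        if pstdev(gaps) < MAX_HUMAN_REGULARITY:
            reasons.append(f"gap std-dev {pstdev(gaps):.3f}s looks scripted")

    # 3. Flow: a checkout with no prior product page view skips the human path.
    viewed_product = any(m == "GET" and p.startswith("/sneaker/") for _, m, p in records)
    if checkouts and not viewed_product:
        reasons.append("checkout without product page view")

    return reasons


def flag_bots(text):
    """Map each suspicious account to its reasons; clean accounts are omitted."""
    return {
        account: reasons
        for account, recs in parse_log(text).items()
        if (reasons := score_account(recs))
    }


if __name__ == "__main__":
    for account, reasons in flag_bots(SAMPLE_LOG).items():
        print(account, "->", "; ".join(reasons))
```

The three signals are deliberately simple so the logic is visible; in production such per-account features are one input among many to a model, because bot operators rotate accounts and IP addresses and can add jitter to defeat any single fixed threshold.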
Ido Safruti is chief technology officer of PerimeterX, a company that protects the world’s largest and most reputable websites and mobile applications from malicious activities, future-proofing digital businesses from automated bot attacks and client-side stealth attacks.