Butchering ‘Bad’ Bots

This article was published in the August 2016 issue of STORES Magazine.

The customer service technology tool has a darker side

Rami Essaid hasn’t seen the wildly successful Broadway hit “Hamilton.” But he credits the play and its activist creator, Lin-Manuel Miranda, with helping make retailers and consumers more broadly aware of the nasty things “bad” bots can do.

It wasn’t long after Miranda wrote an impassioned, anti-bot op-ed in The New York Times that the city of New York took action to criminalize companies that use illegal automated software known as “bots” to surreptitiously snap up the best seats at major events within moments of them going on sale. By the time real fans attempt to purchase tickets, the bots have gobbled them all up.

But Essaid, co-founder and CEO of Distil Networks, doesn’t believe that legislation will solve the problem. Rather, he says, technology needs to be developed and used to identify and stop the “bad” bots. Bots are notorious for stealing everything from the stored value of gift cards to customer credit card information located in retailer accounts. And they’re getting much more sophisticated.

STORES recently spoke with Essaid about retailers, consumers and bots, and the actions they can take.

Bots sound like something out of Star Wars. What is a bot, anyway?

A bot is a computer program that’s made to automate a human task on the Internet. It’s made to take what a human would do and turn it into an automatic action that something can execute over and over and over again. But remember, there is always a puppeteer behind it.

A puppeteer? You mean like the guy behind the curtain in “The Wizard of Oz”?

Bots can be good, benign or bad. A good user would be Google, which is using bots to score and index. A benign user might be a hedge fund, which uses bots to project sales numbers by examining inventory on a site. But the really bad bots are being used to defraud — to hijack customer accounts. They are looking for vulnerabilities in the site.

Who are these nasty puppeteers?

It used to be an individual hacker who wanted to make a buck. More and more we’re seeing criminal enterprises. It’s a much bigger effort now because more money is at stake. So there’s a shift toward organized crime.

What’s the low-hanging fruit?

Any retailer with stored value — such as gift cards — sitting in their accounts. That basically means most major retailers … . The bad guys are basically trying to get into the accounts and clear them out. They can buy stuff or sell stuff on the black market.

Where do bots hide?

Most of the really sophisticated bots are embedded in the computers of the end users. They are hiding out on the computers of legitimate consumers — operating quietly in the background.

Could bots take over the retail world?

The number of bots is actually decreasing, but they’re getting much more sophisticated. Five years ago, bots were mostly being used for generic things — throwing stuff up against the wall and seeing what stuck. Now they can log into accounts and mimic human movements on a website. Two years ago, about 40 percent of bots were sophisticated, but today it’s about 80 percent.

How can retailers protect themselves?

You have to have a plan in place to detect these bots and figure out what’s going on. First, you have to talk to your IT team about where you’re most vulnerable. Next, you need to prioritize. If you find bots are hitting you in customer checkout, it needs to be high priority. If bots are just checking your inventory, that’s lower priority.

How do you actually find the “bad” bots?

There is no silver bullet to catching bad bots. You must have sophisticated blocking mechanisms or sophisticated ways to look at web traffic for the most malicious bots. You need a purpose-built system to identify the difference between a bot and a real person.

We look at dozens and dozens of behavioral characteristics. Did it click on the keyboard? Did it start at the log-in page or the home page? What country is it from? What time of day did it make the purchase? At the end of the day, the bad guys are going to do something that looks off.

“Right around Black Friday and Cyber Monday, there is a huge spike in bot activity.”

Rami Essaid
Distil Networks

What can retailers expect from “bad” bots during Holiday 2016?

Right around Black Friday and Cyber Monday, there is a huge spike in bot activity. They explode around the holidays, so it’s important to get ahead of these now. The Online Trust Alliance found that most retailers aren’t ready.

How sophisticated is the technology?

We’ve seen bots that can move the mouse on the screen and click things around on a website. They are running a full-blown browser and can do anything that you can do on your computer. It’s gotten much easier to create a sophisticated bot.

What do “benign” bots really want from retailers?

Data. Data. Data. They want to eat up information. Think about the wealth of information that every retailer has on its website. They want to gather this information and use it to advance themselves.

It can be a hedge fund or a competing retailer looking for an edge. Hedge fund bots are constantly looking at what retailers are doing, how much inventory they have moved or how much they have sold. They try to “secret shop” and learn all about you.

Say they go to your website and put in a ZIP code and place an order for 10 staplers in the shopping cart. They’re just trying to find out how many staplers you have in inventory. They can check across all of your stores and find out how many staplers you have for sale in minutes. That’s a gray area. It’s murky.

What do consumers need to know about bad bots?

You need to be aware that bots are out there. When you make transactions online, you need to be able to trust that the retailer is actually protecting your personal information. You need to think about what information you put out there. If a bot finds your mother’s maiden name and your birth date on a retailer’s site, that may be all it needs to reset your Internal Revenue Service password.

Right now, bots account for just 5 to 8 percent of mobile traffic. Mobile bots will triple or quadruple and at least catch up with desktops.

Rami Essaid
Distil Networks

What’s the next big target of bad bots?

The world of mobile. Desktop computers are already infiltrated but mobile is the next frontier. It will eventually match where we are now on the web. Right now, bots account for just 5 to 8 percent of mobile traffic. Mobile bots will triple or quadruple and at least catch up with desktops.

What’s a responsible retailer to do?

The big takeaway for retailers is to think about how much money you have attributed to security of your online store. Why would you spend more on security guards for physical loss prevention without putting at least that same amount of security online to thwart the “bad” bots?