There’s no denying that the way people have been using the Internet and online stores has changed over the last couple of months. As consumers change their online habits, the distinction between human and bot behavior is becoming increasingly blurred, presenting cybersecurity teams with an even bigger challenge than before when it comes to differentiating humans from bots, and good bot behavior from bad.
In the past, businesses have just blocked all bot activity. That approach simply does not work today. In 2020, businesses must find a way of navigating the new bot landscape. Otherwise, at best, they risk blocking good bots and legitimate customers and, at worst, they risk bots taking over customer accounts and tarnishing their brand reputation.
The problem with bots
Why are bad bots so bad? Well, bad bots are created by bad actors to maximize personal gain from techniques such as card cracking and credential stuffing, which are used across multiple industries.
Credential stuffing involves using stolen passwords and usernames to hijack accounts—the hacker buys a list of leaked passwords and then has a bot input these passwords on other sites to try to gain access. With research revealing that more than 50% of internet users reuse the same password for multiple accounts, there’s a good chance of success.
Doing this manually won’t get results, but a bot can try thousands of credentials every minute. Hijacked accounts can then be used to commit fraud or are sold on. (Spotify and Netflix users that find random people added to their family accounts are often victims of this type of attack.)
On the other hand, you have card cracking bots which are used to create fake profiles and buy goods with stolen credit card details; the idea is to go through a list of stolen credit cards and find those that are still valid. Again, doing this manually is impossible, but bots make finding the needle in the haystack simple.
These two techniques cause two major problems for businesses. The first is reputational damage—even if a business itself was not subject to a data breach, if breached details are used on its website, consumers will hold that business accountable. Secondly, it will impact customer’s trust and loyalty. Every user affected is likely to view that business as untrustworthy, with many thinking twice about using its services again. And these negative brand perceptions can stick, causing customers to vote with their feet.
It’s about the journey
There are of course some red flags that are indicative of bot behavior, which every business must look out for. Speed is a giveaway—bots are programmed to act faster than any human possibly could. But unknown IP addresses or traffic from unexpected countries can also be characteristic of bot behavior.
However, as the landscape becomes more complex businesses need to go one step further. They must analyze what an average user journey looks like, and then consider what an unusual journey could look like.
For online retailers, a customer is likely to search for stock levels in a few different postcodes—but if a user is searching for every postcode in the UK, this could be indicative of bot behavior. It is also likely that a human would forget their username and password combination a couple of times—but not ten thousand times.
It’s clear that the “block all bots” approach doesn’t work in today’s complex environment. Rather, businesses must focus on the intent of their website traffic, through looking at user journeys. Only then will businesses truly be able to start drawing distinctions between good and bad bot behavior and human and non-human traffic.