Bot mitigation is one of those technologies that typically falls under the security heading of CDNs that offer it as a feature of a larger suite of services. It hovers around the edges of the application security space, but is it its own thing? Or is it just another sub-segment of application security? In some sense, it doesn’t matter – what matters is helping customers solve real problems, and there are a lot of real problems in today’s market. I heard about a couple of interesting stories recently that illustrate that point. Coming off of NAB, it feels odd to be talking about non-media companies, but at the same time, they’re still brands that we all likely see or interact with on a daily basis, and there are clear parallels that can be drawn in any business.
The first story is about one of the larger financial services institutions in the U.S. You’d recognize their name if you heard it. Attackers were using bots to automate the process of validating stolen user account credentials. Many people use the same usernames and passwords on multiple sites. So, if there was a data breach at a popular retailer, you could take any leaked credentials, load them onto a botnet, test them against the login page of a bank to see which ones worked, and then log in to transfer money or take out loans. This was leading to over 8,000 account takeovers per month for this company – and over $3 million per month in fraud-related losses.
What was also staggering is the amount of tech that these large financials have pointed at this problem: two-factor authentication, fraud prevention, identity management, and no shortage of homegrown tools. I’m sure these were all making a dent, but when they put a single bot mitigation solution in place, they saw account takeovers drop to 1-3 a month and fraud-related losses drop below $50k per month. That’s a great reminder that it’s not just about getting more technology, but getting the right technology for the problem.
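As an added defender-side illustration (not part of the original post, and not Akamai’s product), the replay pattern in the story above is visible in plain login logs: a source that tries many different accounts once each and mostly fails looks nothing like a person retrying their own password. The log format, IP addresses, usernames and thresholds below are assumptions constructed for this example.

```python
from collections import defaultdict
# Constructed sample auth log (not real data): "timestamp source_ip username outcome".
# 203.0.113.10 replays a leaked list (six accounts, one try each, one hit);
# 198.51.100.7 is a real user mistyping her own password twice.
SAMPLE_LOG = """\
2019-04-15T10:00:01Z 203.0.113.10 alice FAIL
2019-04-15T10:00:01Z 203.0.113.10 bob FAIL
2019-04-15T10:00:02Z 203.0.113.10 carol OK
2019-04-15T10:00:02Z 203.0.113.10 dave FAIL
2019-04-15T10:00:03Z 203.0.113.10 erin FAIL
2019-04-15T10:00:03Z 203.0.113.10 frank FAIL
2019-04-15T10:00:05Z 198.51.100.7 alice FAIL
2019-04-15T10:00:09Z 198.51.100.7 alice FAIL
2019-04-15T10:00:12Z 198.51.100.7 alice OK
"""


def parse_log(text):
    """Parse 'ts ip user outcome' lines into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, ip, user, outcome = parts
        events.append((ts, ip, user, outcome == "OK"))
    return events


def score_sources(events, min_attempts=5, min_fail_ratio=0.6, min_spread=0.8):
    """Flag source IPs that look like a replayed credential list: many attempts, nearly
    every one against a different account, mostly failing (a human retries ONE account)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["fails"] += 0 if ok else 1
        if ok:
            s["hits"].add(user)  # accounts the source actually got into
    flagged = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            continue
        fail_ratio = s["fails"] / s["attempts"]
        spread = len(s["users"]) / s["attempts"]  # distinct accounts per attempt
        if fail_ratio >= min_fail_ratio and spread >= min_spread:
            flagged[ip] = {"attempts": s["attempts"], "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

Spread across hundreds of thousands of IPs at one attempt each, as in the retail story, this per-source view sees nothing, and the detector has to look at the whole population of failures instead.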
There’s a popular online retailer that sells very high-demand goods; think about the bot problem with event tickets, only now with retail. Essentially, grey marketeers use bots to lock up the entire inventory the second it’s made available, so that they can resell it on the grey market for profit. Over a 9-day period with multiple sales, this company saw over 500 million login and add-to-cart requests from bots, from over 1.8 million unique IP addresses in over 200 countries. This period also included a single sale event that saw almost 700,000 bot requests per minute. It’s no mystery why it’s so hard to buy these things as a regular person. Akamai (the bot mitigation vendor) said it was the largest transactional bot attack they’ve ever seen.
What’s interesting about this story – beyond the size of the attack – was why this was a problem. Surely grey marketeers purchasing goods still means the company made their money, right? For some retailers, the goal isn’t only to generate revenue, but also to keep grey marketeers from diluting the brand by taking users away from the retailer’s own store experience, to avoid genuine goods being commingled with counterfeits, and to control pricing. Put another way, for high-demand retailers brand marketing is critical. These businesses invest in marketing to create a halo around the brand, and to reach rabid fans and online influencers who can carry the brand further downstream. Needless to say, getting scooped by bots doesn’t lead to happy fans or positive movement in brand perception.
Why is this relevant? Your company might not be a large financial services company or an online retailer doing hype sales. But if you generalize the problem, many media and broadcast customers see large numbers of bots doing similar things with their websites. Some OTT providers tell me bots routinely hit their systems trying login credentials, with criminals selling the logins that work. A quick scan of some of the message boards where stolen data is sold shows you can buy Netflix, Hulu, Spotify and other OTT logins in bulk. Bots are a problem for all segments of the online world, including the media, publishing and broadcast industries, and companies have to ask themselves: what impact are bots having on their business, and what is that costing content owners? I’ve not seen a report that answers these questions, but if you know of one, please feel free to leave a link to it in the comments section.