×

How bots hijack holiday shopping

Your children are begging Santa for a hard-to-get Droid, drone, Minion, or Meccanoid this season and you aim to please. But your cyber shopping spree is likely to leave you empty handed and headed to the mall in frustration. Even though more and more people do their holiday shopping online, the hot toys seem to be harder and harder to get. Why, after only two weeks on the market, is it so easy to find the Galaxy Gear VR on eBay when it's sold out on Amazon and BestBuy.com? What's going on?

It's called scalping. And it's not just for tickets any more. Cyber Grinches scalp Santa with an automated arsenal of software programs that snap up new toy releases faster than any parent's frantic fingers can click "buy." Once they have the goods, it's a simple matter of auctioning them off for an easy profit. Bots beat humans because they can work far faster than a typist on a keyboard. They are remarkably difficult to detect and even more difficult to stop.

Robot with shopping cart
Kirillm | Getty Images

Adidas, with its line of perennially popular shoes, has dealt with the scourge for years. Software developers target new sneaker releases with a wide array of "shoe bots" designed specifically to beat humans to the punch. With names like "Cart Bot" and "Yeezy Boost Bot," these software packages promise certain success to users who want to score limited-release shoes for themselves or for profit. Last February, Adidas threw its virtual hands up and concluded that the bots had become too much. They released a reservation app called "Confirmed" to attempt to control the sneaker madness — with limited success.

And Adidas is not alone. Every retailer with a hot product is a target for cyber scalpers because automated bots work – humans just can't compete. These bots place orders the moment that new products first appear online, and they make it easy to manage multiple accounts so scalpers can sidestep quantity limits. Secondary markets like eBay help the scalpers cash out. It all adds up to a system that feels rigged if you're the poor parent looking to provide a little magic under the tree.

Bots are notoriously difficult to stop. Unlike other cyber attacks, which penetrate sites through known weaknesses, bots can succeed against well protected and designed sites. The most common bot defense asks the site visitor to complete a test before proceeding to the protected content. If you've ever squinted at wavy letters and tried to decode the hidden phrase, or stared at a set of images to figure out which ones have a common object, you've taken a CAPTCHA test. (CAPTCHA, by the way, stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" – you're welcome). Another common anti-bot defense blocks visitors who are on blacklists of known bots.

Both approaches have weaknesses. Bots have gotten better and better at solving CAPTCHA tests – so the tests have gotten harder. The problem is, harder CAPTCHAs are harder for humans too; visitors often simply leave the retailer's site in frustration. To make matters worse, some scalping software vendors enlist "human farms" of workers who decode CAPTCHAs for a few pennies per test. As a defense against bots, CAPTCHA has met its match.

Blacklisting, another common defense that tries to keep track of bad computers, is also easily defeated. The technique only works if the scalper consistently uses the same computer. That can inconvenience casual scalpers, but more determined professionals can easily launch attacks from botnets that make the attack appear to come from hundreds or thousands of different computers, making it impossible to prevent an attack using blacklisting.


So how can we help Santa put a lump of coal in the bad guy's stockings? Security researchers are designing new ways to stop bots by embedding unseen traps (called "countermeasures") in critical site pages. These hardened pages resist automation and prevent bot-delivered attacks. Major airlines, banks, insurance companies, and even some larger retailers have already adopted some of these more sophisticated and effective anti-bot measures.

Bots will still wreak their usual havoc this holiday season, but if retailers can reliably answer one deceptively simple question — are you human, or are you a bot? — next year's holiday season could be a bit more merry. That's going to be a big relief for Santa — as well as the hundreds of millions of users affected by automated attacks on sites across the Internet.


Commentary by Sumit Agarwal, co-founder of online-security firm Shape Security. Agarwal, the former head of Google mobile-product management and a 14-year Air Force Reserve network warfare officer at the Department of Defense, works with enterprises across the world to improve network performance and customer experience by eliminating unwanted automated website traffic. Follow him @SumitAgarwalUSA.