In 2020, the festive retail chaos started early – but it wasn’t the crowds of shoppers who were to blame.
With people forced to stay at home because of lockdowns, demand for technology for both work and play has reached record levels – according to a recent Gartner report, PC shipments had its biggest growth since 2010. However, several high-profile tech launches have been marred by a growing threat: bots.
From the Nvidia 3000 series GPUs to the PS5 and Apple AirPods Max, networks of malicious bots of unprecedented sophistication and scale are overrunning digital storefronts, hoovering up stock in as little as 60 seconds before genuine consumers have a chance to make their purchases. Scalpers profit from inflated prices after reselling items.
The result is that customer experience suffers and so do retailers. Consumers are left frustrated having missed out on prized items as online shelves are cleared. This bitter experience sticks in their mind – which is a problem for retail brands hoping to retain customers for the long-term.
With a bevy of highly anticipated tech products launched at CES in January – from TVs to mobile phones, CPUs and laptops – the question is: how can retailers ensure they get them into the hands of eager consumers?
Old bot, new tricks: The rise of bots during the pandemic
A botnet is an automated network of infected devices or ‘bots’ which are centrally controlled to perform actions by an attacker – in this case, they are used to work through checkout processes at a speed which a normal human would never be able to match by following automated scripts.
Using bots to scoop up desirable products is not new. In the world of high-end fashion and streetwear, sites like Foot Locker, Champs, and Supreme are regularly ‘botted’ to corner in-demand stock for resale at huge markups.
However, scalpers are expanding their operations to consumer technology products. The first warning signs emerged early in the pandemic with Nintendo’s Switch and Switch Lite consoles being bought at scale by scalpers using bots in April 2020. This then spread to other products like Nvidia’s 3000 series GPUs which launched in September and remain out of stock 4 months later.
The problem escalated further with the release of the Xbox Series X and PS5 – 2020’s most hyped tech products. Sensing an opportunity to make money, scalpers pounced. Walmart in the US blocked over 20 million attempts by bots to purchase PS5s during Black Friday within 30 minutes of it coming back in stock. In the UK, Very had to manually cancel over 1,000 pre-orders after scalpers bragged about their hauls on social media.
This level of bot activity compounded supply constraints and exceptionally high demand which resulted in stock shortages which persist today. There are also reports that consumers themselves are turning to bots to get their hands on the consoles.
A vicious circle has emerged.
Identifying friend from foe
The battle between retailers and scalpers has turned into a game of Whac-A-Mole: the former race to keep up with the latter as their techniques evolve.
Not all bots behave in the same way but given they are automated scripts, the majority share common characteristics (some of the most prolific retails bots, like Bird Bot, are also readily available) which can help establish a baseline.
Typically, bots use internet proxies to evade retailers’ bot detection and blocking tools. Bots tend not to log in, instead utilizing guest checkout. The bot also adopts the same user-agent profile – how browsers and devices identify themselves to a website so the website knows how to format the content to best fit the device – as popular browsers so it appears to the website it appears as a browser.
So what are the key differences? The bot user has most likely set the bot to run and then left it running – they are no longer interacting with your website directly. The bot will also probably not be using the regular user interface that the web browser provides. Instead, the bot will be invoking APIs directly and masking its origin using proxies.
So all that being said, what can retailers do in response?
Beating back the bots
The good news is that while bots may be fast they are also dumb – they do exactly as they are instructed and nothing else. The bad news is that technical solutions are effective but only temporarily: long-term, retailers will have to pay persistent attention to scalpers’ tactics as they enact countermeasures.
Because bots hide their origin, you cannot simply block a particular internet address. However, there are many third-party security services that monitor the internet for bot activity and collate lists of IP addresses from where such bots are known to originate, which can be referenced before a session is issued.
Another approach to combating bots is based on the idea of digital identity – stored information which organisations use to differentiate one user from another and tailor their services to them accordingly. Having a robust digital identity framework in place will have many benefits for retailers – from enhancing security posture to streamlining customer experience.
But in the case of retail bots, it allows retailers to bake in additional contextual information and assurance. For example, it can help adjust user journeys by turning off measures as appropriate around peak shopping seasons or product launches. It also facilitates A/B testing of measures on small subsets of test customers to gauge the commercial impact.
Digital identity also enables retailers to identify whether traffic is likely to be originating from a bot through the use of gateways. A gateway examines internet traffic trying to access your website and decides whether or not to let it through.
Its decision is based on whether the traffic has been issued a token, commonly referred to as a session. Gateways examine sessions and either allow or deny traffic to your site based on the determination of session validity.
Once you have the gateway in place, you need to ensure that your website is only issuing sessions to real customers and not bot-generated traffic. When the journey is complete, a session is issued if a retailer’s digital identity system deems it to be legitimate.
Other preventative measures include limiting purchases to one per customer, implementing an online queue-based system and manual processing of orders once they are submitted (to weed out suspiciously high numbers of orders with overlapping details).
Another industry practice is to implement reCAPTCHA – the ‘I am not a robot’ / image challenge-response during checkout. Bots struggle to complete these. However, they can be frustrating for consumers so they should be only deployed where there is a high likelihood of bot activity and not as a blanket policy.
Other more effective solutions are in the works as well. Artificial intelligence (AI) has opened up new approaches to determining if you’re dealing with a real human or a bot.
In future, AI and behavioural biometrics – using unique contextual and environmental clues such as a user’s gait or how they are holding a device – will be able to stymie reverse engineering efforts from scalpers because a bot is physically incapable of replicating these clues.
The bot security arms race has begun
The bot security arms race is well and truly underway – bots aren’t going away anytime soon. For retailers and consumers alike, they represent a lose-lose situation.
Digital identity can help retailers deploy smart, future-proofed approaches that mitigate a majority of the problems they can cause, helping them build user journeys and processes that quickly identify real users and channel them to websites while simultaneously blocking bots, when combined with other measures.
Barring a change in the law (another instance of innovation outpacing regulation), retailers are being left to fend for themselves. They need to be as nimble as the scalpers and stay ahead of them to ensure real customers are having a safe and positive retail experience.
After all, once this passes consumers will remember those retailers who prioritised this and, more importantly, those who didn’t – and vote with their wallets accordingly.
By Nick Caley, Vice President of UK and Ireland, ForgeRock