Why Ecommerce Companies Should Care About Bot Mitigation

Ecommerce companies are a huge target for bots for a variety of reasons and should focus a lot of attention on bot mitigation.  Bots are created by fraudsters because they are extremely easy to run and there is something of value to be gained by leveraging the bot.  There are many assets on the Internet that are valuable, but if you sell goods or services, then you’re an obvious target.  Here are the top 3 reasons why eCommerce companies should care.

1.  Data and Price Scraping

Product data and pricing are easily accessible by a bot because there is no paywall or authentication required to view it. You can go to just about any eCommerce site and look at every single product they sell and what it costs. This makes it very easy for bots to scrape and steal this information to use it against you. Some bots will scrape this information and use it to create another website.

You’re probably wondering why a hacker would do this when they can’t actually sell those products. It’s not like the hacker has access to those products, the warehouses that store them, etc. However, hackers use this data to drive traffic away from your site and to another site that they own. At least they have your shoppers’ eyeballs now.

The other common reason bots scrape this information is that those bots are being run by competitors. If your competitors can quickly gather your inventory levels and pricing, they can use this information against you. Google tends to rank items higher based on the best price available, so competitors can undercut your prices to get there. And remember, bots that scrape public content are not illegal.

2.  Skewed Analytics

Any online business relies on its analytics to make key business decisions. Ecommerce companies in particular rely heavily on this data. Bot traffic can skew these analytics in a couple of ways that hurt these companies.

Ecommerce organizations spend a ton of money on advertising. This drives traffic to their website in the hope of gaining new customers. A lot of this traffic is actually just bots. Bots click on banner ads and links that redirect to the ecomm site, which causes several issues.

First off, the ecomm brand is paying on a per click or impression basis, so if bots are clicking on these ads, it’s a waste of ad dollars.

The second big issue with having a lot of bot traffic is that it makes it very difficult to make accurate business decisions.  The marketing department may look at their traffic numbers and not have any clue that a large percentage of the traffic is non-human.  You can’t make strategic decisions based on false numbers. This could be pretty detrimental to growth over the long term.

3.  Online Fraud

There’s a variety of ways that bots are used to engage in online fraud. Here is a list of the OWASP threats specifically related to account fraud, with a description of each.

Credential Stuffing

Credential stuffing is when a bot uses known username and password combinations to gain access to a website. Most of us use the same username and password combination for many of the sites we visit on a regular basis. It would get way too difficult to remember a unique combination for each and every web service we used. This makes it easy for bots to crack your account. Fraudsters will purchase lists of username and password combinations from the black market. They will then feed those lists into an automated script and replay them against a website to gain access. One of those combinations is likely to work.

If you look at some of the big security breaches over the last few years, like Neiman Marcus and Yahoo, where millions of account credentials were stolen, the likelihood is pretty high that a Yahoo user also shops at Amazon. What are the chances that that user uses the same email and password on both sites? Probably pretty good. This is just an example, but one in which credential stuffing makes it very easy for hackers to break in.


Credential cracking is very similar to credential stuffing. Cracking involves already having either the username or the password and trying to guess the other. It’s more difficult to find a valid combination of username and password than it is to find a list of just usernames, and there are usually many more of those available. Then it’s just a matter of guessing the other half. This usually involves trying known, commonly used values rather than just blind guessing.

What happens when an account is compromised?

This may seem like an obvious answer, but it’s important to point out. A lot of eCommerce sites let you save your billing details in your account to save you time on future orders. It helps to drive conversion rates because the less time it takes a customer to shop online, the more likely they are to buy something. It can be really annoying having to fill out all of your billing and credit card information every time you shop. This in turn leaves customers extremely vulnerable if a hacker cracks into their account, because the hacker now has their credit card information and billing address. They could either use that information to purchase goods on this website and just change the shipping address, or they could take the information to use elsewhere.

The next few OWASP threats involve account fraud with credit cards specifically.

Carding

As an eCommerce site, you’re most likely handling the shopping cart and transaction process. This makes you extremely susceptible to carding. Carding involves taking existing credit card credentials and running many small transactions to test the validity of those credentials. These attacks fly under the radar because each request looks like human traffic and won’t be caught by web application firewalls or other traditional security defenses.

If the credit cards being tested don’t work, they are filtered out and placed into an invalid category. Bots then take those cards on to the next step, card cracking.

Card Cracking

Card cracking is similar to credential cracking on a user’s account; it’s just done against the credit card. The hacker will have a list of incomplete credit card data and make attempts at guessing the missing information. For example, they may know the 16-digit card number and the expiration date, but they are missing the 3-digit CVV code.

Cashing Out

If the hacker is successful in their carding and card cracking attempts, then the real damage begins.  The hacker has just landed on a gold mine and can use the valid credit cards to purchase almost anything they want.
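The credential stuffing and carding patterns described above leave a recognisable shape in server logs: one source spraying logins across many different accounts with mostly failures, or running many tiny authorizations against many different cards. The detector below is an added example, not code from the original post or any vendor; the log format, field names and thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (not from the post), one event per line:
# ts,src_ip,kind,subject,amount,result  (kind "login": subject is a username;
# kind "auth": a card authorization, subject is a tokenised card).
SAMPLE_LOG = """\
1,203.0.113.7,login,alice,0,fail
2,203.0.113.7,login,bob,0,fail
3,203.0.113.7,login,carol,0,ok
4,203.0.113.7,login,dave,0,fail
5,203.0.113.7,login,erin,0,fail
6,198.51.100.2,login,alice,0,ok
7,192.0.2.9,auth,tok_a1,1.00,declined
8,192.0.2.9,auth,tok_b2,1.00,declined
9,192.0.2.9,auth,tok_c3,1.00,approved
10,192.0.2.9,auth,tok_d4,1.00,declined
11,192.0.2.9,auth,tok_e5,1.00,declined
12,198.51.100.2,auth,tok_f6,89.99,approved
"""

FIELDS = ("ts", "ip", "kind", "subject", "amount", "result")

def parse_log(text):
    """Parse the CSV-style lines into dicts, with amount as a float."""
    rows = [dict(zip(FIELDS, ln.split(","))) for ln in text.strip().splitlines()]
    return [{**r, "amount": float(r["amount"])} for r in rows]

def group_by_ip(events, kind, max_amount=None):
    """Bucket events of one kind per source IP, optionally only small amounts."""
    per_ip = defaultdict(list)
    for e in events:
        if e["kind"] == kind and (max_amount is None or e["amount"] <= max_amount):
            per_ip[e["ip"]].append(e)
    return per_ip

def flag_credential_stuffing(events, min_attempts=5, min_users=4, max_success=0.25):
    """IPs spraying logins across many accounts with mostly failures (list replay)."""
    flagged = set()
    for ip, evs in group_by_ip(events, "login").items():
        users = {e["subject"] for e in evs}
        ok_rate = sum(e["result"] == "ok" for e in evs) / len(evs)
        if len(evs) >= min_attempts and len(users) >= min_users and ok_rate <= max_success:
            flagged.add(ip)
    return flagged

def flag_carding(events, min_attempts=5, min_cards=4, max_amount=5.0):
    """IPs running many small authorizations against many distinct cards (carding)."""
    return {ip for ip, evs in group_by_ip(events, "auth", max_amount).items()
            if len(evs) >= min_attempts
            and len({e["subject"] for e in evs}) >= min_cards}
```

In production the same counts would be kept per sliding window (and per session or device fingerprint, since attackers rotate IPs), which is exactly the per-request behaviour a signature-based WAF does not see.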

Why should eCommerce companies be concerned?

A few reasons. First of all, if user accounts are being hacked into, it will hurt your brand and image. There have been studies showing that 20% of customers won’t return if their accounts have been hijacked. Not to mention, it will most likely make the news and millions of people will find out about it.

The second reason is the financial one. When fraud occurs, it is extremely costly to an organization in a variety of ways. Chargeback fees are the big one. When a fraudulent transaction occurs, it’s entirely the merchant’s responsibility. Typically, the cardholder will file a complaint with their bank and the bank will investigate the issue. If the transaction is proven to be fraudulent, the bank will issue a refund to the cardholder. The bank will then take back the entire transaction amount from the merchant, plus a chargeback fee. These fees range from $0-$100 depending on the merchant’s bank. In these situations, merchants are at risk of not only paying the fee, but losing the products that were already shipped, the payment, the payment processing fees, the chargeback penalty, and even commissions from currency conversions. Another thing to keep in mind is that if you receive too many chargebacks, your organization could be flagged as fraudulent by the various credit card companies. This can be very damaging to your image.

The other financial impact worth noting is operational expense. When fraud occurs, various departments within your organization have to spend a lot of time reviewing this activity. They’ll spend time reviewing the transactions that took place, when they were made, what was purchased, where the purchase came from, who made it, etc. They will also have to spend time dealing with the credit card companies during the investigations.

Some final thoughts

As you can see, bots wreak serious havoc in the eCommerce industry. The bot mitigation market is growing rapidly and there are many providers out there now. Even if you haven’t had an issue specifically related to bots, it’s either because you don’t know you have one, or you’re lucky. After all, if you don’t have an advanced bot mitigation solution in place, then how do you know how much bot traffic you have? You probably just can’t detect it with the solutions you currently have in place.

The bot mitigation industry is beginning to look a lot like the DDoS mitigation industry did in its early days. Eventually, bot mitigation will be a standard part of anyone’s security stack, even if it’s just an insurance policy.
