The rise in adoption of consumer-based IoT devices has led to a boom in botnets, which take over these devices and use them to launch a broad spectrum of attacks. Attackers use malicious bots to orchestrate automated attacks, severely increasing the risks that e-commerce businesses and other organizations face.
In 2015, the Open Web Application Security Project (OWASP) released the first Automated Threat Handbook, which has become the de facto standard for detecting and mitigating threats from attackers using “malicious web automation” (i.e., bots). OWASP published version 1.2 in February, and bot management vendors and buyers use its terminology as a common vocabulary for the automated threats that organizations face.
The handbook lists more than 20 automated attacks. Specific e-commerce bot threats include:
- carding: making repeated payment attempts to verify that stolen payment card data is accurate
- card cracking: making repeated guesses to determine expiration dates, security codes, and other information associated with stolen payment card data
- cashing out: using stolen data to purchase items or withdraw funds
- denial of inventory: partially completing the purchasing process in order to deplete or eliminate a retailer’s stock
- scalping: buying up stock of in-demand goods to resell for profit
- skewing: taking repeated actions to artificially influence dynamic pricing models or other metrics
- sniping: bidding for auction items right before the auction ends
- token cracking: collecting, verifying and distributing codes for free and discounted goods or services
Four e-commerce bot management best practices
Build awareness of the broad spectrum of automated attacks. Attackers know that automation, combined with vast numbers of bots, significantly increases their chances of successfully attacking businesses for financial gain. Educate executive teams, web application architects, developers, and testers about the e-commerce bot threats the business is likely to encounter.
Build protections into applications during the development process. Some defenses against automated attacks can be designed in during the phases of a secure software development lifecycle. These include:
- randomizing the content and URLs of authentication form pages;
- limiting the number of authentication attempts;
- setting shopping cart time-outs;
- limiting the number of shopping cart items; and
- removing guest checkout.
Implement malicious activity detection mechanisms. These include ample monitoring for:
- abandoned shopping carts;
- data access rates;
- input validation failures;
- account lockouts;
- time between account creation and first use; and
- inventory allocation and de-allocation.
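As an added example (not from the article or from OWASP), the following Python sketch applies three of those monitors to a constructed event log: a sliding-window rate check used both for repeated payment failures (carding) and for bursts of cart allocations (denial of inventory), and a check on the time between account creation and first order. The log format, event names, actor identifiers and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample event log (not real traffic): "<ISO timestamp> <event> <actor>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 payment_failed sess-A
2024-03-01T10:00:05 payment_failed sess-A
2024-03-01T10:00:09 payment_failed sess-A
2024-03-01T10:01:00 cart_add sess-C
2024-03-01T10:01:01 cart_add sess-C
2024-03-01T10:01:02 cart_add sess-C
2024-03-01T10:02:00 account_created user-7
2024-03-01T10:02:03 order_placed user-7
2024-03-01T08:00:00 account_created user-8
2024-03-01T11:30:00 order_placed user-8
"""

def parse(log):
    rows = (line.split(" ", 2) for line in log.splitlines())
    return sorted((datetime.fromisoformat(ts), ev, actor) for ts, ev, actor in rows)

def bursts(events, event_name, window=timedelta(seconds=60), threshold=3):
    """Sliding-window rate check: actors producing >= threshold event_name events within window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ev, actor in events:
        if ev == event_name:
            q = recent[actor]
            q.append(ts)
            while ts - q[0] > window:  # evict events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(actor)
    return flagged

def fast_first_use(events, max_gap=timedelta(seconds=30)):
    """Account-abuse signal: first order placed within max_gap of account creation."""
    created, flagged = {}, set()
    for ts, ev, actor in events:
        if ev == "account_created":
            created[actor] = ts
        elif ev == "order_placed" and actor in created and ts - created.pop(actor) <= max_gap:
            flagged.add(actor)
    return flagged

def run_detections(log=SAMPLE_LOG):
    events = parse(log)
    return {"carding": bursts(events, "payment_failed"),
            "inventory_allocation": bursts(events, "cart_add"),
            "fast_first_use": fast_first_use(events)}
```

In production the thresholds and window would be tuned per site, and the actor key would typically combine session, account and client address rather than a single identifier.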
Deploy a bot management product. The above best practices are crucial, but they can take considerable time and budget to implement. Purpose-built bot management products are designed to detect and prevent automated attacks. They can differentiate between malicious bots, good bots, and human visitors, and manage or block their traffic accordingly.
Bot management product features
E-commerce bot management should be a high priority. Automated threats primarily come from malicious bots, so detecting and blocking this traffic is imperative. Bot management not only improves site performance; organizations also benefit from better bandwidth management and lower overall resource consumption.