How to Approach Bot Mitigation
As bots grow increasingly sophisticated and difficult to detect, bot mitigation grows more complicated.
According to a recent study, 38% of all web traffic isn’t generated by human beings at all. Instead, it is attributed to ‘bots’ – small, automated scripts that hit a website to retrieve data or perform an action. In practice, bots are classified as ‘good’ or ‘bad’. Good bots include legitimate scripts, such as those search engines like Google use to help match customer queries with relevant results.
Bad bots, on the other hand, are used by malicious actors to scrape data from legitimate websites and use that data to perpetrate schemes for fraud or theft. As of 2019, bad bot activity accounted for 20.4% of all web traffic – outpacing good bots by a significant amount.
Initially, bots were easily differentiated from human users, as they were limited in scope and could perform only the most basic functions. However, bots have grown more sophisticated, and are now almost impossible to detect using legacy, static fraud prevention systems.
Related reading: Browser Languages: Detecting the Native Fraud Tongue.
How are Bots Used for Fraud?
- Credential Stuffing / Cracking
- Price Scraping
- Content Scraping
- Account Creation
- Credit Card Fraud
- DDoS Attacks
- Gift Card Balance Cracking
- Denial of Inventory
Approaches to Bot Mitigation
Difficult as it is becoming, bot mitigation is also important: businesses can be damaged by the fraud, theft, and exposure of sensitive information that bots enable.
There are three basic approaches to bot mitigation: static, challenge, and behavioral.
a) Static Approach
Static bot mitigation relies on creating and enforcing static sets of rules. This may include blacklisting suspect IP addresses, blocking traffic that does not comply with set parameters such as requests per session, or blocking traffic from outdated browsers.
Static rules are easily implemented and useful in blocking simple and some moderately sophisticated bots. However, they can result in false positives, inadvertently blocking authentic customers who accidentally violate static rulesets. This can damage customer relationships and block sales, eroding revenues.
b) Challenge Approach
Incorporating a tool like CAPTCHA can help to mitigate bad bots, as it ostensibly requires human judgment and interaction that less-sophisticated bots cannot replicate. However, recent research has shown that sophisticated bots can circumvent CAPTCHA – in fact, a researcher reported at Black Hat Asia 2016 that their script was 98% successful in CAPTCHA tests.
c) Behavioral Approach
The behavioral approach is the most effective bot mitigation strategy against all bad bots, from simple to sophisticated. With it, a company establishes a baseline of normal behavior and flags deviations from that baseline as potential bots; in addition, it can compare behavioral signatures against known bot activity. Including biometric data and analytics can be extraordinarily effective in bot mitigation, as even sophisticated bots find it difficult to replicate human biometric activity.
Related reading: How to Identify Five Account Takeover Scenarios
3 Tactics to Fight Bad Bots:
1. Understand Existing Vulnerabilities
Take stock of current infrastructure, and assess points where applications, systems and networks may be vulnerable to bot attacks. Check for exposed APIs or mobile apps, and ensure that your antivirus and other applications are all up to date.
2. Detect Bots
Implement basic bot detection: flag and monitor suspicious behaviors, such as spikes in traffic and failed login / card validation attempts.
3. Mitigate Bots
Decide on the best approach for your organization to take in fraud mitigation: static, challenge, behavioral – or some combination of the three. Once you have an approach, you can implement the policies, procedures, and rules to reinforce the bot mitigation strategy, and look for tools that will support the strategy as well.
Bots are a threat to all businesses with an online presence – across a variety of industries, large and small. Whether it’s perpetrating theft, fraud, or data breaches, it is important to protect your company from bad bots using a comprehensive bot mitigation strategy.
A behavioral approach – ideally, one that incorporates biometric data into bot mitigation – is the best way to stop both simple and sophisticated bot activity, and prevent negative outcomes such as theft and Account Takeover Fraud. Precognitive’s multi-layered approach combines device intelligence with biometric and behavioral analytics, to help detect even the most advanced bots from harming your organization.
Connect with Precognitive and learn more about how our multi-factor bot mitigation and fraud prevention tools can benefit your business, decreasing fraud levels and improving revenues.