It is hard not to notice just how much bots impact our lives. While many bots play a legitimate role in an online business strategy, others can harm businesses in various ways. A lot has been written about bots, from influencing election outcomes, to cyber-attacks that brought major internet services down, to user account fraud campaigns that use credentials stolen in various data breaches. As the cohesive nature of the internet brings users and services closer, businesses are no longer confined to just desks or buildings. Organizations must use the internet as a channel to expand their digital footprint and build deeper engagement with their consumers.
One industry that has been constantly innovating in the digital space is the financial services sector. Per data from NPCI, the number of UPI transactions grew by 40.6 million in December 2017, showing the growth in the adoption of digital transactions. Be it the use of digital payments, user reward systems or bringing account sign-up services online, the leaders are clearly the ones that are enriching the online user experience with technology alongside agile operating models. A report by the Boston Consulting Group (BCG) and IAMAI found that India’s internet economy will grow to $200 billion by 2020 and will contribute 5 per cent to the gross domestic product (GDP) of the country. While the numbers are staggering, as more users and devices come online every day, security and usability are in a constant tussle to attain a balance, which poses a major challenge. Service endpoints such as user login interfaces/APIs and transactional services are being exposed to the internet, which increases the overall risk due to an ever-expanding attack surface and emerging cyber threats. One such threat vector that we at Akamai constantly observe and analyze is the threat from bots, which are becoming more sophisticated by the day. The degree of bot sophistication varies according to the financial outcome that the bot operation is hoping to achieve, which in the case of fraudulent transactions could be substantial. The ease of renting a botnet and the ready availability of attack tools are only making the situation worse.
At Akamai, we analyzed close to 600 million user login events for some of our largest customers across various industries over a 24-hour period and found that almost two-thirds of the logins were automated and illegitimate. API endpoints are targeted by malicious automated login attempts more than traditional form-based logins. Unauthorized login attempts against digital wallets are also growing at an alarming rate. The recent discovery of 1.4 billion leaked credentials on the dark web only complicates the situation, as attackers use such stolen credentials in attempts to carry out fraudulent transactions. Bot traffic is also commonly used to target API vulnerabilities for data exfiltration and authentication bypass.
However, financial services is not the only industry that faces bot-related issues. E-commerce also witnesses fraud in the form of fake bookings, price scraping, inventory grabbing and cart abandonment, amongst others. Festive season online sales are generally a very lucrative target for such bot attacks. Taking aviation as an example, airlines incur higher Global Distribution System (GDS) costs due to bots performing flight searches for various reasons. The lack of visibility into such malicious traffic is one of the key reasons businesses suffer. Many organizations don’t have the technology and solutions to analyze bot traffic, and hence it is often assumed to be non-existent or inconsequential. Bot traffic often goes undetected because operators use hundreds of different IP addresses and software that simulates a near-real user experience to bypass traditional measures such as IP and request-response analysis. Effective bot traffic handling needs a complete bot management framework that not only detects highly sophisticated bots but also gives businesses the flexibility to apply different actions to different types of bot traffic in a business context.
Not all bots can be treated in the same way. The use of advanced user behavior analysis and machine learning techniques becomes essential to provide businesses with insights into real-time bot traffic and actionable reporting. Businesses can then take the appropriate action on different types of bots, based on their business and IT impacts.
Two things clearly emerge as learnings from the last lustrum: bots are here to stay, and the human intent behind the non-human (bot) traffic is worth exploring.