Robotic, autonomous computer programs (a.k.a bots) are an inevitable feature of the internet as we know it today. They can be a helpful way of accomplishing tasks on the front or back end of the internet, like chatbots that help direct users on a webpage, or crawler bots that index webpages to make them available on your search engine. There are, however, many bad bots out there that will try to steal information, spread spam and misinformation, carry out prohibited tasks, and other malevolent activities.
Not only do these bad bots affect individual users, but they can have a negative impact on businesses through loss of revenue or a tarnished reputation. According to a report by Imperva, bad bot traffic accounts for at least a quarter of all internet traffic. One of the most significant threats that bad bots pose is account takeover, where a bot will try to impersonate a valid user with stolen or bogus credentials. According to the same report, 34% of all login attempts are malicious bots. This means that if your business has any type of login page, whether it be a social media service, online retailer, financial portal, etc., it is vulnerable to account takeover or impersonation.
To take a deeper dive into this issue, let’s take a look at two sample scenarios and their solutions.
Limited release and high-demand drops
Let’s say that you are an event ticket retailer releasing tickets to a popular music artist’s concert. In order to allow as many people as possible to get tickets, there is a limit of 4 tickets per purchase/person, and tickets will be held for only 5 minutes during each transaction. Bots will create hundreds of fake accounts with bogus emails from proxy IP servers and be able to secure the majority of released tickets in seconds before real human users are able to purchase tickets.
For example, according to a report by the New York Attorney General, a single bot bought 1,012 tickets to a U2 show in 2014. The bots then relist the tickets at an increased price, sometimes exceeding the original price by hundreds or thousands of dollars depending on how popular the artist is. According to the same report, one bot broker listed tickets for a One Direction concert with a face value of $101 for up to a $7,244 markup. This type of scenario would cause nothing short of an uproar with fans, the artists and a tarnished reputation as a trustworthy ticket retailer.
There are a couple of strategies that one could use in combating this issue:
- In order to create and use the bogus accounts, many bots will create fake/temporary emails hosted on proxy IP servers to simulate a large number of customers in different locations. By implementing DOTS Email Validation and IP Validation, you can flag transactions that come from known fake email servers and proxy IP servers for further review before allowing the transaction to complete.
- In order to make this process even stronger, you can use Lead Validation to combine the power of Email Validation, IP Validation, Address Validation, and Name Validation to ensure that transactions are genuine. Address Validation will ensure that the address provided is valid and deliverable, and flag suspicious activities common to bots such as using a PO box for the shipping address. IP Validation can verify that the IP connection is coming from the location expected from the address. Email and Name Validation will make sure that the email and name provided are not bogus, and also check to make sure the name matches the email.
If any of these checks provide a mismatch or a potentially malicious flag, you can require the user to complete some sort of authentication measure; like a CAPTCHA, or input a special code sent to their phone.
Social media spam accounts
If you are a social media user, you have inevitably stumbled across an account that seems to be a bot. They could be in the responses of a popular post spreading fishy information, or maybe they sent you a message about some “great” offer to make money, but first, you have to send them money. These are just a few examples, but they are illustrative of the malicious and predatory nature of these accounts pretending to be real people. If you are a proprietor of a social media site, these types of accounts can clog up your system, skew statistics, and damage your reputation as a credible site.
Let’s take a look at how you can use data validation to deter these bot accounts:
- Lead Validation with Email/Phone/Name data points at account creation can seriously hinder the ability to create a bot account. If there are flags that indicate a mismatch of data, such as an email or a phone number that does not match the input name, you could require the user to perform a dual authentication as suggested above.
- To add to the strength of the (1), by implementing IP Validation at account creation, you can monitor where accounts are being created from and flag malicious IPs, proxy IPs, and IPs from countries known for malicious online activity. You can also compare it with the other data points from email, phone, and name in order to see if the IP is coming from the same location that the phone number is registered to, for example.
Fight bots with data validation
Service Objects has a large collection of data validation tools to help you detect fraudulent behavior before it has a chance to affect your business. We offer bundled services that can cross-test and validate your client data, and we can work with you to create a custom test type for our Lead Validation service so that the flags and results that come back make sense for your business. Curious to know more about how we can help protect your business? Reach out to our data validation, anti-fraud experts!