
Why Ecommerce Companies Should Care About Bot Mitigation

There is intense competition in the eCommerce space globally, and this is what makes eCommerce websites a prime target for a diverse range of automated threats. These automated web attacks are mostly launched by either competitors or bad actors to leverage competitive intelligence or steal confidential user data. Here are the top 3 reasons why eCommerce businesses need to have a bot mitigation solution in place:

1. Product Information and Price Scraping on eCommerce Websites


Product data and pricing information are easily accessible by online bots because there is no paywall or authentication required to view it. You can go to just about any eCommerce website, look at every single product they sell, and see the price points they sell at. This makes it very easy for competitors and bad actors to quickly gather your inventory levels and pricing data to stay a step ahead. Search engines will rank the website with lowered prices higher than yours.

2. Skewed Web Analytics on eCommerce Websites


Ecommerce businesses rely heavily on web analytics to make critical business decisions. Bot traffic can skew web analytics in a couple of ways that hurt eCommerce businesses.

Ecommerce organizations spend a ton of money on advertising to drive traffic and convert more visitors into customers. A lot of this traffic is just bots. Bots click on banner ads and links that redirect to the eCommerce website, which causes several issues.

First off, the eCommerce brand is paying on a per click or impression basis, so if bots are clicking on these ads, it’s a waste of marketing and advertising dollars.

The second big issue with having a lot of bot traffic is that it makes it very difficult to make accurate business decisions. Marketing teams may look at their web traffic numbers and not have any clue that a large percentage of the traffic is non-human. You can’t make strategic decisions based on inaccurate numbers.

3. OWASP Top 20 Automated Threats on Ecommerce Websites


There are a variety of ways that bots are used to engage in online fraud on eCommerce websites. There is a list of the OWASP top 20 threats specifically related to account fraud and descriptions of each. Here are a few that relate closely to the eCommerce space.

  • Credential Stuffing is when bad actors employ online bots to gain access to a website using known username and password combinations. Most of us use the same username and password combination for many of the sites we visit on a regular basis. Bad actors will purchase lists of username and password combinations from the black market. They will then spin those lists up into an automated script and run brute force attacks on a website to gain access.

  • Credential cracking is very similar to credential stuffing. Cracking involves already having either the username or password and trying to guess the other. It's more challenging to find a valid combination of username and password. It's much easier to find a list of just usernames, and there are usually many more available. Then it's just a matter of guessing the other. This usually involves trying known values rather than just blind guessing.
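The two patterns above leave different footprints in login logs: stuffing touches many accounts about once each, while cracking with a known username hammers one account. The following is an added example, not part of the original article, that labels source IPs accordingly; the event format, the thresholds and the function name `classify_login_sources` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success)
EVENTS = (
    [("203.0.113.10", f"user{i}", i == 3) for i in range(8)]      # many accounts, one try each
    + [("198.51.100.7", "alice", False) for _ in range(10)]       # one account, many guesses
    + [("192.0.2.55", "bob", False), ("192.0.2.55", "bob", True)]  # a customer's typo
)

def classify_login_sources(events, min_attempts=5, max_success_ratio=0.2, dominance=0.8):
    """Label each source IP by the login pattern it shows (thresholds are assumptions)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": defaultdict(int)})
    for ip, user, success in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["ok"] += int(success)
        stats["users"][user] += 1

    labels = {}
    for ip, stats in per_ip.items():
        attempts = stats["attempts"]
        # Low volume or mostly successful logins: treat as ordinary traffic.
        if attempts < min_attempts or stats["ok"] / attempts > max_success_ratio:
            labels[ip] = "normal"
            continue
        distinct_users = len(stats["users"])
        busiest_user = max(stats["users"].values())
        if distinct_users / attempts >= dominance:
            labels[ip] = "stuffing-like"    # breadth: a list of accounts replayed
        elif busiest_user / attempts >= dominance:
            labels[ip] = "cracking-like"    # depth: repeated guesses at one account
        else:
            labels[ip] = "suspicious"       # high failure rate, mixed pattern
    return labels

if __name__ == "__main__":
    for ip, label in classify_login_sources(EVENTS).items():
        print(ip, label)
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counts are worth keeping per account and per time window as well.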

The next few OWASP threats involve account fraud with credit cards specifically.

  • Carding involves taking existing credit card credentials and running many small transactions to test the validity of those credentials. As an eCommerce site, you’re most likely handling the shopping cart and transaction process. This makes you extremely susceptible to carding. These types of attacks fly under the radar because they look like human traffic and won’t be caught by web application firewalls or other traditional security defenses. If the credit cards being tested don’t work, they are filtered out and placed into an invalid category. They are then used by bots to engage in card cracking.

  • Card Cracking is similar to credential cracking on a user's account; it is just done against the credit card. The hacker will have a list of incomplete credit card data and make attempts at guessing the missing information. For example, they may know the 16-digit card number and the expiration date, but they are missing the 3-digit CVV code.

  • Cashing Out: If the hacker is successful in their carding and card cracking attempts, then the real damage begins. The hacker has just landed on a gold mine and can use the valid credit cards to purchase almost anything they want.

What happens when user accounts are breached?


A lot of eCommerce websites let you save your billing details in your account to save you time on future orders, and it helps to drive conversion rates. It can be annoying having to fill out all of your billing and credit card information every time you shop. This, in turn, leaves customers extremely vulnerable if a hacker cracks into their account, because the hacker now has their credit card information and billing address. The hacker could either use that information to purchase goods on this website and just change the shipping address, or steal it to use elsewhere.

Why should eCommerce worry about automated threats?


First of all, automated web traffic includes a lot of bad bots that are responsible for nefarious activities like content and price scraping, which takes customers away to your competitors' websites.

The second reason is the financial one. When fraud occurs, it is extremely costly to an organization in a variety of ways. Chargeback fees are significant. When a fraudulent transaction occurs, it's entirely the merchant's responsibility. Typically, the cardholder will file a complaint with their bank, and the bank will investigate the issue. If the transaction is proven to be fraudulent, the bank will issue a refund to the cardholder. The bank will then take back the entire transaction amount from the merchant, plus a chargeback fee. In these situations, the merchants are at risk of not only paying the fee, but losing the products that were already sold, the payment, payment processing fees, money for the chargeback penalty, and even commissions from currency conversions. Another thing to keep in mind is if you receive too many chargeback fees, your organization could be flagged as fraudulent by various credit card companies. This can be very damaging to your image as an eCommerce brand. Also, if user accounts are being hacked into, it will hurt your brand and image.

The other financial impact worth noting is operational expenses. When fraud occurs, various departments within your organization have to spend a lot of time reviewing this activity. They’ll spend time reviewing the transactions that took place, when they were made, what was purchased, where the purchase came from, who made it, etc. They will also have to spend time dealing with the credit card companies in the investigations.

Bot Mitigation Solution Is the New Standard for Ecommerce Businesses


As you can see, bots wreak serious havoc on eCommerce websites. The bot mitigation market is growing rapidly and there are many providers out there now. Even if you haven't had an issue specifically related to bots, it's either because you don't know you have, or you're lucky. After all, if you don't have an advanced bot mitigation solution in place, then how do you know how much bot traffic you have? You probably just can't detect it with the in-house bot detection techniques you have in place.