Retail


from 2,000 in June to 11,0000 in mid-November right before the winter holidays. The problem is this can make it much harder to detect which are the real buyers and which are bots. Firewalls and volumetric anomaly detectors look for automated threats by analysing entropy, which is the unpredictability and variance of human behaviour, but they are unable to do so when traffic surges in this manner. So, what can tech retailers do to detect and stop attackers from compromising their APIs?


Points in the process

There are in fact multiple points in the purchasing journey at which a retailer can detect and kill an automated attack. From when the product(s) are placed in the shopping cart, to when the order is placed, to the order confirmation, each step is an opportunity to verify the authenticity of the purchaser and investigate or block the purchase using bot detection and API protection integrated with the backend ecommerce systems.

When they first enter the site, bot-driven attacks rotate through different IP addresses using bulletproof proxies, i.e. legitimate residential proxies that have been harvested and sold on the black market. This is effectively the reconnaissance stage, in which the attacker repeatedly tries different doors to gain entry. Consequently, many bots go unnoticed at this stage because the retailer can’t identify the suspect IP address quickly enough to prevent the next stage of the attack.

What the retailer does not want to do is introduce more friction into the buying process, which can quickly deter customers. One tactic some are resorting to is user registration, whereby the customer is either encouraged or forced to create an account. However, this is not an effective defence mechanism because bots can farm email addresses to create accounts. Or they may create accounts through keyboard smashing, which involves fake email addresses being created from a random selection of characters, although monitoring registrations can quickly uncover these.

If a bot has managed to evade detection thus far, the product will be added to the online shopping cart. At this point, the retailer again has the opportunity to lock the account, effectively buying time to check the legitimacy of the purchase. However, this is likely to frustrate genuine customers, so it makes more sense to ask the user to reauthenticate using two-factor authentication via the supplied email address. If no authentication is completed, the cart can be deleted, and it is also possible to prevent the bot from adding the same item to a new cart.

If things have proceeded smoothly up to this point and the bot still remains undetected, the order will be placed and an order confirmation will be issued. But even at this late stage, there is still the opportunity to block the bot. Interrogating the purchase orders using bot-defence machine learning to look for anomalies can enable fake orders to be identified, triggering the system to issue an ‘order cannot be processed’ email.


www.pcr-online.biz


Gift card fraud

This ecommerce killchain can be applied to multiple scenarios, helping to prevent fraud. In the case of one major retailer, a gift card fraud scheme was stopped using bot detection. The first indicator of compromise was the abnormally high volume of traffic, which it turned out was coming from multiple global locations despite the retailer operating in just one geographic location. Interestingly, when the requests from the bulletproof proxy were blocked, the bot quickly reconfigured itself to submit requests from only local proxies in a bid to maintain the assault.

Additional missing traffic elements further confirmed that these were not normal gift card transactions. There was no ‘referrer’, the requests came from very old user agents (browsers) and the traffic was “bursty”, meaning that the threat actor was creating a list of gift cards and then checking them all in a short amount of time. However, by using bot detection it was possible to block these attempts even when the malicious actor repeatedly retooled, thwarting an attack that would have cost hundreds of thousands.
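As an added illustration (not code from the article or from the retailer’s own system), the script below scores a constructed sample of gift card balance-check requests against the indicators named in this case: missing referrer, very old user agents, traffic from outside the retailer’s single geography, and bursty checking from one client. The same per-client interrogation is what the order-confirmation step under ‘Points in the process’ relies on, so one block serves both passages. The home-country list, browser-version cut-off, burst window, burst count and two-indicator hold policy are assumed thresholds, and every log line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): timestamp | client IP | geo country | user agent | referrer ("-" = none)
SAMPLE_LOG = """\
2023-11-14T10:00:00|203.0.113.5|GB|Mozilla/5.0 (Windows NT 10.0) Chrome/118.0|https://shop.example/gift-cards
2023-11-14T10:00:01|198.51.100.7|BR|Mozilla/5.0 (Windows NT 6.1) Chrome/49.0|-
2023-11-14T10:00:02|198.51.100.7|BR|Mozilla/5.0 (Windows NT 6.1) Chrome/49.0|-
2023-11-14T10:00:03|198.51.100.7|BR|Mozilla/5.0 (Windows NT 6.1) Chrome/49.0|-
2023-11-14T10:00:04|198.51.100.7|BR|Mozilla/5.0 (Windows NT 6.1) Chrome/49.0|-
2023-11-14T10:15:00|192.0.2.9|GB|Mozilla/5.0 (Macintosh) Firefox/60.0|-
"""

HOME_COUNTRIES = {"GB"}  # assumed: the retailer trades in a single geography
MIN_BROWSER_MAJOR = 100  # assumed cut-off below which a browser counts as "very old"
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 4          # assumed: this many checks inside the window is "bursty"


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ip, country, ua, ref = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "country": country, "ua": ua, "ref": ref})
    return rows


def ua_is_old(ua):
    # no recognisable browser token, or a major version below the cut-off
    m = re.search(r"(?:Chrome|Firefox)/(\d+)", ua)
    return m is None or int(m.group(1)) < MIN_BROWSER_MAJOR


def is_bursty(timestamps):
    ts = sorted(timestamps)
    # sliding window: any BURST_COUNT consecutive requests whose span fits in BURST_WINDOW
    return any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW
               for i in range(len(ts) - BURST_COUNT + 1))


def score_clients(rows):
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    checks = {  # each indicator is one of the "missing traffic elements" from the case
        "no_referrer": lambda reqs: any(r["ref"] == "-" for r in reqs),
        "old_user_agent": lambda reqs: any(ua_is_old(r["ua"]) for r in reqs),
        "foreign_origin": lambda reqs: any(r["country"] not in HOME_COUNTRIES for r in reqs),
        "bursty": lambda reqs: is_bursty([r["ts"] for r in reqs]),
    }
    return {ip: {name for name, hit in checks.items() if hit(reqs)} for ip, reqs in by_ip.items()}


def hold_for_review(verdict, min_flags=2):
    # assumed policy: two or more independent indicators before a client is held, so one stale browser alone is not blocked
    return {ip for ip, flags in verdict.items() if len(flags) >= min_flags}
```

A single indicator such as an old browser is not enough on its own; the hold policy needs at least two to converge on one client, which is what separates the bursty foreign proxy from a genuine customer on an outdated machine.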


Counting the costs

Gift card fraud such as this doesn’t just result in a financial loss. High-volume attacks make websites and mobile apps unresponsive, resulting in user frustration and costing the business customers. Attacks can also monopolise resources, due to the inordinate amount of time spent investigating individual accounts, issuing account resets or deleting recommendations during fake-account or ATO (account takeover) attacks, all of which consumes time that the fraud team could spend elsewhere. Plus, these attacks can hamper data analysis, misleading sales decisions, skewing revenue projections and damaging vendor relationships.

Taking down these automated bot-driven attacks is therefore imperative, and the ecommerce killchain shows how this can be done, provided the retailer is able to monitor traffic effectively. As ‘The Digital Crunch Time: 2022 State of APIs and Applications’ report by Google states, “securing APIs requires visibility across all application interactions and observing, analysing, and taking action at every level”, so behaviour-based monitoring is key. It calls for “full lifecycle management” of APIs and says that “a gateway alone is insufficient for scaled API programs”. It is this unified API protection, which seeks to ensure APIs are securely developed, tracked using a runtime inventory, and protected by using threat detection and proactive defence, that retailers must now look to.

Monitoring of API behaviour using machine learning can uncover malicious traffic, triggering real-time alerts to the security team about potential threats as well as immediate, automated remedial action. But it is also important to note that what we are looking at here is API protection together with bot detection/mitigation. Until recently the two have been treated as separate problems, when in actual fact they are two sides of the same coin for retailers and must be tackled together. Effectively, the retailer has to be one step ahead of the attacker and do reconnaissance themselves every day in order to thwart these attacks.


November/December 2023 | 35

