Kevin Gosschalk, Founder/CEO of Arkose Labs is an industry expert on the evolving fraud and cybercrime landscape.
Bots have come a long way in recent years. They are able to accurately mimic human behavior, solve many puzzles designed to stop them and perform a wide range of tasks. The level of sophistication in automation is, quite frankly, stunning. While this may seem interesting from a high-level viewpoint, why should businesses care about this development?
Well, the answer to that is because these intelligent bots power many of the fraud attacks that target digital businesses and their customers. These are increasing not only in volume, but also in sophistication. Bots have become more nuanced and advanced by the day, able to bypass the legacy solutions and defenses that businesses have in place.
And these sophisticated bots are easy to obtain and deploy for even the novice attacker. Using tactics such as IP and fingerprint spoofing and headless browsers, today’s advanced bots rely on complex signatures to look like a legitimate user and sneak past traditional bot defenses.
Unfortunately, many bot defense solutions that businesses currently have in place have not kept up with the pace of innovation in automation. That means many are vulnerable to these advanced attacks.
The Importance Of Detecting Advanced Bot Attacks
This is a problem because such attacks can be devastating for businesses. They affect areas such as revenue generation, customer acquisition and retention, brand reputation and compliance.
Arkose Labs conducted a poll of 100 IT executives and found that there are many negative consequences to failing to deter these attacks. Damage to brand reputation, operational costs and loss of new customers were the top three business impacts cited by respondents as a result of bot attacks.
Half of the executives we polled also said bot attacks severely disrupt the user experience. Despite these negative consequences, many businesses still struggle to detect advanced bots.
Why Are Advanced Bots So Hard To Detect?
Part of the reason sophisticated bot attacks can be hard to stop is due to the complexity inherent in intelligent bots. Internal fraud and security teams need to meticulously analyze signals and traffic patterns to suss out bots from real human users. In fact, according to an Arkose Labs analysis, modern intelligent bots have three times as many signatures that fraud and security teams have to analyze than previous “dumb” bots, making accurate risk detection that much more difficult.
Often, it can take days or even weeks after the fact to detect an attack. It’s increasingly difficult for businesses to detect these attacks in real time: nearly three-quarters of respondents in our survey said that detecting bot attacks in real time was either extremely or somewhat difficult.
Bots, as noted above, can be made to appear as if they are humans when interacting with a website or login form. Reactive fraud solutions that rely only on known patterns and historical data are fairly ineffective, because fraudsters use AI to evade detection and present signals meant to deceive most bot detection systems. It’s no surprise then that more than half of the IT executives we polled reported that it was difficult to tell bots apart from human users.
In the old days, it was fairly easy to tell a bot from a human, based on factors such as IP address and device information. Now, attackers use IP obfuscating, headless browsers and keystroke and mouse movement tactics to make bots appear as human.
AI-powered bots are often “taught” in areas such as natural language understanding and computer vision technology, meaning they are smarter and harder to detect than ever before. They understand and can mimic human interaction with a website with a stunning degree of accuracy.
How To Stop Advanced Bots
Despite the advancement in automation, there are still ways businesses can ensure they are protected against sophisticated attacks. For one, they should focus on signals bad actors inherently won’t typically fake, due to the costs associated with it. For example, they can utilize advanced IP intelligence to identify proxies and employ a graduated approach to then taking action on these requests, like a more modern CAPTCHA technology that uses real-time 3D models over static photos.
Businesses should also use advanced machine learning and artificial intelligence in their detection engine to determine real humans from bots posing as them. This technology can be used to detect traffic pattern anomalies that may indicate a volumetric attack. Various AI models that leverage many different data points can help parse and analyze the traffic from different viewpoints and help detect attacks.
Robust analysis of user behavior using both behavioral biometrics and behavioral analysis is also effective. Behavioral biometrics examine the manner a user interacts with a device, while behavioral analysis gives context to the actions that they take. Using these tactics can help differentiate man from machine.
While the automated tools attackers have at their disposal are increasingly sophisticated, with the proper defenses in place, businesses can ensure they and their customers are safe from even the most advanced bot attacks.
