
How bots impact major onsales [Webinar]


“Bots” first entered popular consciousness last year with the passing of the BOTS Act, and the proliferation of messaging bots. However, those of us in the ticketing industry have been dealing with bots for years.

Rami Essaid, CEO of Distil Networks, and Niels Sodemann, CEO of Queue-it present the evolution of good and bad bots, their impact on the ticketing ecosystem, current and pending legislation, and innovative onsale bot mitigation strategies.

Key Takeaways include:

· The impact of the BOTS Act and other legislation on your business
· How fraudsters, competitors and hackers leverage bots
· Four bad bot attack vectors every ticketing industry player must understand
· Determining the right bot mitigation strategy for premium onsales

Published in: Software

  1. ▪ Introduction ▪ Bots 101 ▪ BOTS Act and what it covers (and doesn’t cover) ▪ How bots can impact your major onsales and associated mitigation strategies ▪ StubHub case study ▪ Q&A
  2. Rami Essaid CEO & Co-founder, Distil Networks Niels Sodemann CEO & Co-founder, Queue-it Distil Networks is the only proactive and precise bot mitigation solution for web applications, mobile, and APIs. ▪ Founded in 2011 ▪ 180 employees ▪ 5 offices ▪ $65 million in funding The use of Queue-it has ensured online fairness during high-demand online events for more than 1.5 billion consumers worldwide. ▪ Founded in 2010 ▪ 63 employees ▪ 2016 TTA winner of Supplier of the Year Denmark Silicon Valley
  3. Awards and Analyst Recognition The only anti-bot solution to be included in Gartner’s Online Fraud Detection Market Guide 2-years running “Distil’s ability to analyze behavior provides the best chance of detecting and blocking bot-driven attacks.” “Clear innovation compared to similar services.” 2017 WINNER: Best Fraud Prevention Solution
  4. Bots 101
  5. Good bots ▪ Search engine crawling ▪ Power APIs ▪ Check system connectivity & status A ‘bot’ is an automated program that runs on the internet Bad bots ▪ Steal content ▪ Scan for vulnerabilities ▪ Perform fraud etc. Traffic Distribution by Type, 2016
  6. What concerns you most about the impact of bots on your organization’s website(s)? ▪ Website Security ▪ Transaction Fraud ▪ Lost Revenue to Scalpers ▪ Poor Customer Experience Survey
  7. How are you addressing your bot concerns? ▪ Addressing now ▪ Plan to address this year ▪ Plan to address next year ▪ No plans to address ▪ Don’t know Survey
  8. The BOTS Act explained
  9. ▪ Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity > 200 pers. ▪ Prohibits the sale of an event ticket obtained through such a circumvention violation if the seller participated in, had the ability to control, or should have known about it BOTS Act key prohibitions
  10. ▪ Scalping ▪ Sniping ▪ Spinning 20% of traffic bad bots OWASP Automated Threats relevant to BOTS Act
  11. Ticketing Bots Sophistication
  12. Other legislation
  13. ▪ Must Have Protections Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity > 200 pers. Who does it impact? Primary Ticketing. ▪ Federal Trade Commission Audits: Treats violations as unfair or deceptive acts under the FTC Act. The bill provides authority to the FTC and states to enforce against such violations
  14. ▪ Must Have Protections Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity > 200 pers. Who does it impact? Secondary Ticketing. ▪ FTC Audits Treats violations as unfair or deceptive acts under the FTC Act, provides authority to the FTC and states to enforce against such violations Prohibits the sale of an event ticket obtained through such a circumvention violation if the seller participated in, had the ability to control, or should have known about it
  15. Can you enforce? Who does this impact? Venues. Can you comply? Can you cooperate?
  16. If you aren’t bypassing security measures on a website in order to get tickets, you aren’t breaking the law. ▪ Doesn’t eliminate the ability to buy & resell tickets obtained legally ▪ Doesn’t address historical relationships between sellers and resellers ▪ Doesn’t make the 40% of tickets not on public sale magically reappear What the BOTS Act does not address
  17. ▪ Bots: scapegoat for a bigger problem in ticketing ▪ Humans + scripts: Cubefarm of people operating bots with industry experts managing them ▪ 7 years + $25M later, FBI cracks down in 2010 ▪ Ken Lowson now a wiseguy turned good …and then there’s Wiseguys Source: https://motherboard.vice.com/en_us/article/the-man-who-broke-ticketmaster
  18. ▪ Precise log in, processing thousands of purchases faster than any human ▪ Fooling CAPTCHA, with huge database of combinations + operating at lightning speed ▪ Securing best seats & selling them at a steep markup for resale to the public How they did it Source: U.S. Attorney Office, The Star Ledger
  19. Other ‘wiseguys’ like ShowsOnSale continue to pop up, historically hard & expensive to prosecute
  20. Why you can’t sell out in 20 minutes Ticket onsales timeline It’s not possible to sell out in less than 2x basket/cart timeout time More info: https://queue-it.com/presentation-can-you-sell-out-in-2-minutes-no-learn-why/
  21. In other words, as a venue, organization or ticketing software platform, it is still on you to defend against this fraudulent activity during your major onsales
  22. How bots abuse the logic of online ticket sales Distil Networks Queue-it Distil Networks
  23. Before onsale: Account Creation Distil Networks Queue-it Distil Networks
  24. Before onsale: Account Takeover Distil Networks Queue-it Distil Networks
  25. Account Takeover Attacks
  26. Financial fraud: Targets are accounts at financial or e-commerce services that store users’ banking details. The attackers perform unauthorized withdrawal from bank accounts or fraudulent transactions using the credit/debit cards on file. This includes virtual currency such as bitcoin, in-game currency, and rewards programs. This is all worth real money. Account Takeover Attacks: Why? Spam: Spam can appear in any service feature that accepts user-generated content, including discussion forums, direct messages, and reviews/ratings, degrading platform integrity and brand reputation. Phishing: Attackers can assume a compromised user’s identity and launch phishing attacks on others in his/her social circle to steal their credentials, personal information, or sensitive data.
  27. Account Takeover Bots Sophistication
  28. Day of onsale / During onsale Distil Networks Queue-it Distil Networks
  29. Volume Distil Networks Queue-it Distil Networks
  30. Volume ▪ To achieve this, spinner bots create many hits ▪ Queue-it can recognize this as coming from same device and will block ▪ 50% of blocking during a major onsale is due to spinner bots
  31. Speed Distil Networks Queue-it Distil Networks
  32. Speed ▪ Any speed scripted bots arriving before the event are placed in the randomized pre-event waiting room before the event launches Pre-event queue page Live event queue page
  33. During ticket purchase Distil Networks Queue-it Distil Networks
  34. Credit card fraud
  35. Multiple purchases, exceeding limits Distil Networks Queue-it Distil Networks
  36. IP Address Header & User Agent Information Cookie Browser 200+ Attributes of data Navigator, WebGL, Plugins, Audio, Video, etc. Tamper proofing layer Distil Hi-Def Fingerprint Identification Must Go Beyond the IP Address...
  37. StubHub Case Study
  38. StubHub Case Study Account Takeover and Fraud “Distil helped us greatly reduce transaction fraud and account takeovers.” Marty Boos CIO, StubHub
  39. StubHub Case Study Ticket Scraping “Competitive data mining for ticket prices and inventory information was a constant threat.” Marty Boos CIO, StubHub
  40. StubHub Case Study Skewed Conversion Tracking “The number of conversions were greatly deflated because of bad bot traffic. Now that we’re filtering bad bot traffic out, we’re able to see what the real data is and make decisions based on real visitors.” Marty Boos CIO, StubHub
  41. StubHub Case Study Conclusions In reference to the before, wait and buyer journey: “I like this multi-layered approach” George Loyer, Director Technical Operations, StubHub Distil Networks Queue-it Distil Networks
  42. Free trial Free trial www.distilnetworks.com/trial www.queue-it.com/free-trial
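
Slides 30 and 36 say that spinner bots generate many hits, that those hits can be recognised as coming from the same device, and that identification must go beyond the IP address. The following is an added example, not code from the webinar, Distil Networks or Queue-it: it counts hits per device fingerprint and per IP over one time window to show where the two disagree. The attribute names, the threshold and the sample requests are constructed assumptions.

```python
import hashlib
from collections import Counter

# Attributes hashed into the device ID (assumed names); the IP is deliberately excluded.
FINGERPRINT_KEYS = ("user_agent", "webgl", "audio", "plugins")

def device_id(req):
    """Stable ID derived from browser attributes, independent of source IP."""
    canon = "\x1f".join(f"{k}={req.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def flag_spinners(requests, max_hits):
    """Return (devices over the limit, IPs over the limit) for one time window."""
    by_device = Counter(device_id(r) for r in requests)
    by_ip = Counter(r["ip"] for r in requests)
    devices = {d for d, n in by_device.items() if n > max_hits}
    ips = {ip for ip, n in by_ip.items() if n > max_hits}
    return devices, ips

def build_sample():
    """Constructed traffic: one spinner rotating IPs, plus fans sharing a NAT IP."""
    bot = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
           "webgl": "llvmpipe", "audio": "35.7", "plugins": ""}
    # Spinner: 12 hits from one device, each from a different address.
    reqs = [dict(bot, ip=f"203.0.113.{i}") for i in range(1, 13)]
    # Six distinct fans behind one shared address, two hits each.
    for i in range(6):
        fan = {"user_agent": f"Mozilla/5.0 (fan-{i})", "webgl": f"gpu-{i}",
               "audio": f"{124 + i}.0", "plugins": "pdf", "ip": "198.51.100.7"}
        reqs += [fan, fan]
    return reqs, bot

if __name__ == "__main__":
    reqs, bot = build_sample()
    devices, ips = flag_spinners(reqs, max_hits=10)
    print("flagged devices:", devices)  # only the spinner's fingerprint
    print("flagged IPs:", ips)          # only the shared NAT address (false positive)
```

Per-IP counting misses the spinner entirely and flags the shared address instead, while per-device counting does the reverse. Browser-reported attributes can be altered by the client, which is why slide 36 lists a tamper-proofing layer alongside the fingerprint; a hash like this is one signal, not proof of identity.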
