We're Hiring!

Mobile Auction Apps: Scalping And Sniping

Shiny wooden auction gavel and block

The eBay concept first came to light as a browser based auction platform, giving sellers a chance to offer their goods to potential buyers from across the globe, before making the transition to become one of the world’s most popular mobile auction apps. Others have since emerged, with mobile auction apps giving event organisers the tools to simplify setup and management, and buyers the simplicity and speed of making bids and performing transactions with the swipe of a finger. Of course, every financial opportunity throws itself open to dishonest practices -- and mobile auction apps are no exception. Scalping and sniping are two of the major issues faced by mobile auction operators.

In this article, we’ll be looking at some of the issues involved, and some recommendations for protecting mobile auction apps from these threats.

Why Mobile Auction Apps Have Cause For Concern

Scalping is a process that uses automation to obtain goods unfairly, thereby preventing other bidders at an auction from gaining access to them. It’s a technique often employed for buying goods in bulk, or for obtaining scarce or limited-availability merchandise. Perpetrators typically employ scalping in order to buy up concert or event tickets, to resell at inflated prices.

The process routinely involves automated scripts which attack mobile auction app APIs (Application Programming Interfaces), enabling scalping bots to automatically buy and resell items at a mark-up, or to buy at volume as soon as products are released.

Sniping is a threat that can use automated scripts and bots that allow snipers to bid on items at the last possible minute, depriving other genuine bidders of the opportunity to respond in a timely enough manner to make the purchase.

Scalping and sniping practitioners may also make use of a technique known as scraping, whereby automated bots extract or “scrape” original content or real-time prices from an auction app’s database. This enables them to maintain their own running database of the latest prices and available merchandise, and also to create their own apps offering similar goods at competitive prices. Scraping at scale, perpetrators can use compromised or fake accounts, or gather data from accessible paths and parameter values from legitimate apps and APIs.

For genuine users of mobile auction apps, all of these practices can be very frustrating. They can also have a negative impact on the auction platform's market reputation, since users will quickly notice if bots and scripts are beating them to the punch.

These issues are serious, and widespread. The Open Web Application Security Project (OWASP) estimates that bot activity currently represents more than 50% of data traffic on the entire web. While some of these bots serve legitimate business applications, an increasingly sophisticated breed of bad bots are emerging, with abilities that enable them to fool traditional security solutions like WAF or CAPTCHA mechanisms.

Learning From The Scalping And Sniping Community

“Know your enemy” is one of the principal foundations of wartime strategy. And in the fight against scalping and sniping, mobile auction app owners and security professionals can gain useful insights by looking into the scalper’s and sniper’s ways of thinking, behaviour patterns, and the resources available to them.

Fortunately, these perpetrators aren’t necessarily given to hiding in the shadows. In fact, there are entire web sites and community forums dedicated to offering advice on how to subvert mobile auctions -- and providing information and tools for effective scalping and sniping.

As an example, the Auction Sniper web site dedicates itself to assisting its community members in their attempts to sabotage eBay. Some of the sniping advice offered there includes:

  • eBay will accept only the next increment over the previous bidder's maximum, so it’s safe for you [as snipers] to put in the absolute maximum you're willing to bid.
  • Don't rely on email notifications to tell you that your bid is too low. Much of the bidding happens in the last hour of an auction, where an email won't do you any good.
  • Don't Use Round Numbers. By tossing in odd dollars or cents, you can throw off the bid increment -- and you might win an item you would otherwise have lost.
  • Always check shipping and handling charges, especially on smaller and less expensive items. Sellers will often try to recover money through excessive charges.

For scalpers, the Namepros.com web site offers UK scalping practitioners opportunities for paid access to APIs.

There’s even a long standing business rationale for making these resources public. In a 2017 interview with yCombinator.com, a scalper who claims to have used bots to buy millions of tickets, (but now wants to stop them) also claims that many concert and entertainment venues actually welcome scalping, as a means of moving their tickets more quickly and efficiently: “I have never yet seen a system that cannot be beat by scalpers, including paperless ticketing, and I find that most venues and artists want to maximise profits and, more importantly, minimise risk”.

Some Recommendations For Mobile Auction App Owners

From all of these observations, it’s possible to draw up a set of best practice recommendations for mobile auction app owners and developers. These include the following:

Authenticate Your Users

An obligatory CAPTCHA test to gain access to the auction and prior to entering a bid will provide some level of protection in weeding out all but the most sophisticated bots, and help prevent sniping. This approach works best on browser based auction platforms.

In the case of mobile auction apps, there are services available to bad actors (such as 2Captcha and AntiCaptcha) that automatically or even manually solve CAPTCHA tests, so that bots can pass through. For mobile app users, these tests also introduce unwanted delay and frustration, effectively defeating the purpose of having an engaging auction app that makes speed and ease of use its selling point.

Clearly, mobile auction apps require a new approach.

Mobile app attestation (a system enabling remote apps and the auction platform to mutually authenticate each other, according to pre-defined security rules) is a powerful option -- and one that is complementary to user authentication. Mobile app attestation is all about ensuring that only legitimate apps can access the API backend, so that bots and automated scripts are blocked.

Allow Absentee Or “Autobidding” For Verified Users

Using autobidding client software, verified users can specify the maximum bid they are willing to make on an item, and their mobile app will outbid all other users until that maximum price is exceeded. This is an anti-sniping mechanism.

Set Reserve Prices For Auction Items

Setting a reserve price can force snipers to bid at or above the desired reserve price level, or even discourage them from bidding at all. The reserve price can be visible to all users, or invisible (which leaves bidders unaware if what they’re offering meets the reserve minimum). To reduce the effect of sniping, this reserve minimum should be set at a level that the seller is genuinely willing to accept as the final price.

Offer A Buy Now Option

The option to Buy Now makes it possible for any bidder to arrive at any time, and purchase an item or lot for a fixed price. To discourage sniping, this option should only be made available once an acceptable minimum bid for the item or lot has already been offered.

Allow Conditional Overtime Bidding

Extending the mobile auction if a bid is entered during its final moments will give genuine buyers a chance to outflank the snipers. Allowing the bidding to continue indefinitely until no additional bids are received for a certain amount of time will frustrate their efforts even further.

Set Mobile Auction App Policy To Prohibit Sniping And Scalping

As a legal framework, the mobile auction app’s Terms and Conditions should explicitly state that scalping and sniping are not allowed -- and that any user found engaging in these activities will face the relevant consequences.

 

 

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.