Let’s talk about bots. And be a little provocative. A review of bot solutions (see previous blog) reveals a common assumption that I think is misleading: Namely that separating good from bad bots and blocking the bad ones is complicated and requires elaborate solutions using machine learning, AI and whatnot. This common understanding is wrong. If your organization is using mobile apps you can easily and effectively block ANY unwanted automated traffic which is not coming from a legitimate and unmodified app and do this consistently and without generating false positives. Intrigued? Then read on.
Given the increasing prevalence of bot attacks, advanced bot and online fraud protection have become strategic focuses for many cybersecurity leaders. This includes preventing scraping, account takeovers, payment fraud, and other automated attacks.
In philosophy, Occam's razor (also spelled Ockham's razor or Ocham's razor; Latin: novacula Occami) is the problem-solving principle that recommends searching for explanations constructed with the smallest possible set of elements. It’s time we applied this principle to bot detection and mitigation!
Rather than overcomplicating the threat assessment process with unnecessary information or assumptions of adversarial actions, we can use Occam’s razor to help set boundaries.
If we look at the commonly available Bot solutions, the recurring theme is complexity.
One example from one bot vendors documentation describes some steps to recognize fraudulent credit card activity by monitoring a series of “signals”: uncovering volumes of small orders, orders with high shipping costs, using IP address geolocation, inspecting data input speed, and inspecting card details such as the verification value (CVV) - the list goes on. The same document then says that trying to monitor and make sense of all this information manually would be very time-consuming, and of course the logic then leads to the need for investing at scale in AI and machine learning algorithms.
Once you start down this path, things get even more complicated. Bots are constantly evolving. Sophisticated bot operators use advanced techniques to evade detection. These include cycling through random IPs, using anonymous proxies, changing identities, mimicking human behavior, and defeating CAPTCHA challenges. This constant evolution makes it challenging to maintain effective bot protection and the AI systems must constantly be tuned and updated to be effective.
Another AI based bot vendor says that you must constantly evaluate how changing up machine learning thresholds and device-based rate limits will affect your traffic and tune it for individual pages and resources.
What this means is that vendors invest in large teams to keep their algorithms up to date and create more sophisticated tools for customers to use to gain visibility to what is going on.
Customers have to put large trained teams in place to constantly tune the bot solution.
Here are a few more issues to consider.
We mentioned this already, but solution complexity always directly leads to integration and deployment challenges as well as operational issues.
G2 reviews indicate that customers complain that sophisticated Bot solutions require significant code integration and engineering support to be operational. They also state that for effective operation, an enterprise will need to have a 24/7 SOC staffed by bot experts who have a deep and detailed knowledge of the specific attack surfaces in the enterprise. In addition there need to be solid processes in place to pass logs of traffic to the vendor when detection rules are not shared by the vendor.
The risk of false security positives interfering with genuine users is a constant threat since specific patterns, like high bounce rates and low conversion rates, can hint at bot presence, but distinguishing these from legitimate traffic is difficult. Most bot vendors emphasize that tuning thresholds is a constant and essential administration task to keep false positives from interfering with customer experience.
Another downside of complexity is performance. Other G2 reviews mention that long connection times and latency issues can be an issue with sophisticated bot solutions. This will prove a major issue if it introduces delays for genuine customers.
By their very nature, AI based bot solutions need access to a realm of personal information and the more the better to fuel their algorithms. This could include credit card information, addresses, location information. Bot management solutions managing and using this type of data opens another attack surface for the enterprise.
So we have a collective rush to complexity in the bot management business and this is a problem for everyone. What if there was a better way?
According to the Imperva 2024 Bad Bot Report mobile originated bot attacks make up more than 50% of bot traffic and this is growing.
The good news is that for mobile we can apply the principle of Occam’s razor and eliminate all of the complexity we have discussed and deploy an approach which is highly effective at stopping any bot traffic with a highly deterministic positive security model.
Instead of examining the behavior of a device and user, and trying to infer whether it is a bot, Approov uses a positive authentication model. Our custom SDK integrates seamlessly with the genuine app, allowing it to present an authorized app identity to the server. Real customers can then confidently be given full access to the backend server assets while suspicious activity can be blocked or rate limited.
No false positives to manage, easy to deploy, no complex operations and no personally identifiable information is ever needed.
Our technology incorporates sophisticated anti-tamper mechanisms and helps secure mobile APIs against the new bot threats developing in the mobile app channel.
Approov effectively mitigates risks like scraping, DDoS, and credential stuffing.
If you have APIs that are exclusively used by your mobile apps then this is all you need to keep automated traffic from abusing your APIs.
If you want to quickly eliminate all mobile bot traffic from accessing your APIs, you should talk to Approov: we are the experts on simple and effective bot management. If you have APIs which are shared between mobile and browser-based apps we can work with you to manage both. If you already have a bot management solution in place we can seamlessly integrate with that to eliminate your mobile bot issue once and for all.
Contact us to set up a call to discuss your specific requirements.
- VP Marketing, Approov
George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions in Imperva, Citrix, Juniper Networks and HP.
