How to Hijack Bots, Not Your Customers


We’ve all been there – we’re on our favorite website trying to buy the latest gadget, book concert tickets or claim an advertised reward. We may be in a hurry, we may be thrilled to nab the item we’re looking for, and we fill in our information and click to complete the transaction. Just as we think we’re almost there… the process stops, because we are first asked to identify red lights or pedestrian crossings.

Why does this happen? The site presented a challenge to make us prove that we are a person and not a robot.

Malicious bot operators target websites and their users with large-scale automated business logic attacks such as account takeover, inventory hoarding, and card fraud; businesses want to hold bots back so their customers can do business and have a better (and safer) experience. As customers, we share retailers’ frustrations with bots. When we miss out on the last flagship because the bots got there first, we are disappointed, even angry. But challenges also annoy us – Forrester research has shown that some consumers will abandon transactions when faced with Captchas and challenges.

So what should an online retailer do?

Bot management solutions today offer a wide range of options for bot responses, including visual and invisible challenges. Most consumers have encountered Google’s reCAPTCHA at some point, but visual challenges also include solving puzzles, holding down buttons, or drawing frames around objects. Invisible challenges bypass the human consumer and either analyze the request in depth or present the client with puzzles such as cryptographic challenges. The bot response and challenge options available to you depend on your bot management solution. Additionally, the quality of bot detection and response rules will determine how often your end users (i.e. holiday customers) will even see challenges.

While conventional wisdom holds that low-friction challenges are best, the reality is a bit more nuanced:

  • Captchas are not the only reason for abandoned transactions. Yes, consumers will abandon transactions when faced with high-friction challenges, but there’s more to the story. Abandonment rates vary by generation, with millennials most likely to abandon transactions and baby boomers least likely (although this group also shops the least online). Moreover, consumers are also likely to abandon a transaction if the site is slow or unresponsive – so make sure invisible detection or challenge techniques don’t present themselves to your consumers as a slow site.
  • Some consumers feel safer with a visual indicator. One of the most surprising findings from our research is that some end users feel more secure when they see a Captcha or other visual challenge. In fact, just over half of adults online feel safer when they see a challenge – about the same as those who said they felt frustrated. It might not seem intuitive, but remember that the challenges will block bots that attempt account takeover, card fraud, and web reconnaissance – all attacks that could lead to loss of customer data. Additionally, seeing a challenge can give users the impression that the company takes security seriously in other areas as well. We found that younger generations – Gen Z and Millennials – are particularly likely to feel safer. If your site caters to a customer base that tends to feel safer with a visual challenge—or if your own customer research shows that is the case—consider trying a low-friction challenge that does not frustrate users but provides this protective signal.

Bot management solutions offer a range of challenges with varying levels of friction and visibility. Some tools allow customers to test challenges or responses with a segment of the user population. Consider this type of A/B testing to find the best response approach for your customer base to minimize customer frustration, reduce transaction abandonment, and increase customers’ sense of security.

This post was written by Senior Analyst Sandy Carielli and it originally appeared here.

