Akamai CTO Patrick Sullivan explains how bots affect pricing and availability for various retail items. He also offers consumers advice on protecting themselves from fraud.
Dan Patterson, a Senior Producer for CBS News and CNET, interviewed Patrick Sullivan, Akamai CTO, Security Strategy, about the ways bots are used in e-commerce and retail. The following is an edited transcript of the interview.
Dan Patterson: Let's walk through a day in the life of a bot user, and let's say I want to deploy a bot against an e-commerce website to scrape the site, find better prices, and maybe arbitrage my way into some profit. Walk me through the process. What's step one? And then what is deployment?
Patrick Sullivan: If you look at the motivations there, there's a few. One would be a competitor. You can figure out with a very, very low interval what pricing that your competitor has. I think, historically, you could always walk through a competitor's physical store, but you weren't able to gather a ton of data, and the regularity was pretty low.
SEE: Point of sale security guide and checklist (TechRepublic Premium)
Now, if you operate on an e-commerce site, you have to assume that your competitors are pulling your pricing, and we've even seen them figure out your inventory levels. They'll put different numbers of items in the checkout cart and see if they can hit a delay in shipping to infer what your inventory is. That's one threat that you have to deal with.
Any retail item that is limited inventory, which is something that we see across retail--we see that with concert tickets. As a human being, if you're trying to buy one of those limited-edition items, you're at a significant disadvantage because you should assume that you're competing with an army of bots that are looking to buy those items.
Anywhere you can buy an item that's limited edition, and often the sites are offering those at a lower price than the market would command for that, for marketing purposes, for customer loyalty, if you can purchase that as a bot operator, you can go turn around and resell that on a secondary market with a significant markup. If you're trying to buy that limited edition item, you absolutely are competing with probably multiple botnet operators who are trying to game the system and purchase all of those items.
Dan Patterson: Bring me into that process. I really want some specifics on this so we can understand how bots impact the retail world. I shop, I buy things... you do, too--it's kind of shocking to me, although it shouldn't be, that some of those prices are automated and can be manipulated by bots.
Let's say I want to go to a concert this summer, or let's say I'm buying an airplane ticket, help me understand what role bots play in automating pricing or manipulating the algorithms that automate pricing.
Patrick Sullivan: One is just the availability, right? If you want to go to a concert this summer, if it's a popular concert, you'll be competing with bots to even be able to purchase that from the original vendor there. If you're unable to purchase that, the botnet operator purchases that, and they're going to resell that on a secondary market. You will pay a higher price, basically additional profit to that botnet operator to get that inventory. And that's true not just of concerts, but that's true across most anything with a limited inventory where there's a secondary market and an opportunity for markup.
I think the other place to keep in mind is if you're operating a commerce website and you sell something that is a commodity or is sold across multiple websites, you should assume that somebody is inspecting your pricing at a very, very high regularity. They're constantly monitoring your pricing and, if you drop your pricing, they may choose to drop theirs as well. It does really give, particularly a small commerce site, some things to think about, as larger sites will manipulate their pricing at a greater frequency and undercut their pricing.
The other area there is aggregators. Many of the areas, like you mentioned with travel, there are businesses that aggregate travel across multiple airlines, hotels, cruise lines, rental cars, and they populate some of their pricing data by scraping through the inventory of the airlines, the hotels, generating a tremendous burden on the hotel website themselves or the airline website as part of that exercise.
Again, many of these businesses are making inferences based on popularity of requests. If people are putting things in an inventory, maybe that leads them to believe there's more demand, and they adjust pricing based on that as well. It is something that's impacting the economics of e-commerce in that space.
Dan Patterson: And you're positive... you can't talk about sneaker bots?
Patrick Sullivan: I am.
Dan Patterson: All right. I have one last question, and that's just as a consumer, if I'm on social media and I'm concerned about political bots, or if I'm buying an airplane ticket, I'm going to a concert, and I'm concerned (I'm sure the business owners are concerned as well), but if I'm concerned that bots may have manipulated the prices, what can I do? How can I identify bot activity, and then what can I do about it?
Patrick Sullivan: I think as a consumer, the number one thing that you can do is protect yourself from the fraud element. Primary use of these bots is credential stuffing and account takeover. The classic advice is use a unique password on each site--that will really reduce your risk there.
I think beyond that, just awareness. Be aware that bots are operating. I think most of us operate with a "buyer beware" mentality. Apply some critical thinking to what you see being generated on social media. Maybe something isn't as popular as it seems on either side of the spectrum, because somebody is influencing a particular topic. Buyer beware, I think, is always good advice--I think those are the two pieces of advice I'd leave you with.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)