Could California Senate Bill 1001 deal a blow to bots?
California has certainly taken the lead when it comes to data privacy and internet security. There has been a lot of chatter surrounding California’s Consumer Protection Act (CCPA) and its impact on data protection, even though its implementation is still months away. Lesser known, however, is a new law that went into effect July 1. California Senate Bill 1001 makes it “unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”
“Bots continue to misrepresent public sentiments and perceptions about topics, or to mute dissenting opinions and distract from current events,” California Sen. Bob Hertzberg told The Daily Beast. He then added an important caveat: “The BOT Act does not prohibit the existence of bots, but rather simply requires them to identify themselves.”
Beyond Elections to Fraud
The security problems surrounding bots aren’t new and aren’t confined to skewing elections. We’ve seen how the Mirai botnet, spread via the internet of things (IoT), produced a massive DDoS attack that took down much of the internet in the eastern U.S. Botnets are also attacking businesses, and in this case, it is all about the money. Botnets have been responsible for fraud involving airline loyalty points and within the online gaming industry.
From a fraud landscape, one of the biggest problems involving botnets right now is account takeover, said Kevin Gosschalk, CEO of Arkose Labs. “What people are doing is taking the emails and passwords from these big data breaches, and then using bot software to test these credentials against websites to see if they can get into a user account.”
When used in social media, these bots create accounts and then automatically post content via script. This makes it look like a piece of news has been shared or retweeted tens of thousands of times, giving these messages a look of legitimacy when they are anything but.
A Bot Can Mean Many Things
There is no one-size-fits-all description or use for a bot. There are good bots, of course, but there are a lot of bots out there that create a security nightmare. According to Gosschalk, there are several signs a business should look for to see if it is being impacted by botnets. These include:
• Bids on inventory on auction sites: Using bots, fraudsters will drive up the bids on any number of items to the point where the price is out of reach for most people. Of course, the fraudsters never actually follow through with the purchase. The goal is to drive customers to auction sites owned by the fraudsters who can offer the items for a much lower bid.
• Fake ratings: Businesses today depend on their ratings on customer review sites. Unscrupulous business owners will use botnets to create hundreds of bad ratings to discredit competitors.
• Gift card fraud: Bots are used to test thousands of gift card credentials every minute, and when they finally break through, they have access to the funds on the cards and can spend the money because it can’t be traced to a specific person. And the business loses again because they are often on the hook to refund the original gift card holder.
“Unfortunately, if you are utilizing a service to host your business, there is very little you can do to protect against bots,” Gosschalk said. “It comes down to the marketplace in between to put controls in place to prevent this from happening.”
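The credential testing Gosschalk describes above (breached email/password pairs replayed against a login page) and the gift card testing in the list share one signature a defender can look for: a single source trying many distinct identifiers in a short window with a high failure rate. The following is an added example, not code from the article or from Arkose Labs; the log format, thresholds and source addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log lines: "unix_time source_ip identifier result"
SAMPLE_LOG = """\
1720000000 203.0.113.7 alice@example.com FAIL
1720000001 203.0.113.7 bob@example.com FAIL
1720000002 203.0.113.7 carol@example.com FAIL
1720000003 203.0.113.7 dave@example.com OK
1720000004 203.0.113.7 erin@example.com FAIL
1720000010 198.51.100.9 alice@example.com FAIL
1720000020 198.51.100.9 alice@example.com OK
1720000030 192.0.2.44 GC-0001 FAIL
1720000031 192.0.2.44 GC-0002 FAIL
1720000032 192.0.2.44 GC-0003 FAIL
1720000033 192.0.2.44 GC-0004 FAIL
1720000034 192.0.2.44 GC-0005 FAIL
"""

def parse_log(text):
    # -> list of (timestamp, ip, identifier, succeeded)
    events = []
    for line in text.strip().splitlines():
        ts, ip, ident, result = line.split()
        events.append((int(ts), ip, ident, result == "OK"))
    return events

def find_credential_testing(events, window=60, min_idents=5, max_success=0.5):
    # Flag a source that tries >= min_idents distinct identifiers inside
    # `window` seconds with a success rate <= max_success (thresholds are
    # illustrative). Returns {ip: (distinct_identifiers, failure_rate)}.
    by_ip = defaultdict(list)
    for ts, ip, ident, ok in events:
        by_ip[ip].append((ts, ident, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0  # sliding window over this source's attempts, in time order
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            idents = {r[1] for r in span}
            successes = sum(1 for r in span if r[2])
            if len(idents) >= min_idents and successes / len(span) <= max_success:
                flagged[ip] = (len(idents), 1 - successes / len(span))
                break
    return flagged

def flag_sample():
    return find_credential_testing(parse_log(SAMPLE_LOG))
```

A real user who mistypes once and then logs in (198.51.100.9) is not flagged, because the rule keys on distinct identifiers per source rather than on failures alone.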
Will the California Law Make a Difference?
Botnets used for nefarious purposes are on the rise because the attacker tools are inexpensive and simple to use and because bots can easily bypass typical security defenses. The trouble caused by botnets, both for businesses and in society as a whole, makes it clear why California felt the need to take action. Whether the law will make a difference is another question.
It isn’t the first law to address the problem with botnets. The Better Online Ticket Sales Act was enacted during the Obama Administration to prevent bots from snapping up tickets for popular events, preventing legitimate customers from making those purchases. It’s helped, but it hasn’t eliminated the problem.
Gosschalk thinks the California law will be difficult to enforce as well. In most cases, there is no way to trace a bot to its creator, making policing bot traffic next to impossible. His advice to businesses is to try to protect themselves from the threat of bots.
“You want to remove the incentive to create the attack,” he said. What websites need to do is implement controls that raise the cost of mounting the attacks, using mitigation techniques that make the bot operation unprofitable.
“If you can make the botnet business bankrupt, and make it so it is no longer a cost-effective business, that’s how you go about solving the problem.”