Monday, January 17, 2022

Privacy vs Security: Is Your Bot Mitigation Solution Effective Given Web Privacy Trends?

Bad bots disguise themselves as humans to bypass detection

Bot mitigation providers place significant emphasis on stopping bots with the highest possible accuracy. After all, it only takes a handful of bad bots to wreak havoc on an online business. One challenge of stopping bad bots is keeping false positives (where a human is incorrectly classified as a bot) to a minimum.

The more aggressively rules are tuned within a bot mitigation solution, the more prone the solution becomes to false positives, because it must decide whether to grant requests that carry an uncertain risk score. As a result, genuine users are inadvertently blocked from websites and/or served a CAPTCHA to verify that they are indeed human. This inevitably creates a poor user experience and reduces online conversions.

Much of the ongoing innovation in modern bot mitigation solutions has been a response to the increasing sophistication of adversaries. The fact that bad bots increasingly look and act like humans in an effort to evade detection makes it harder to rely on rules, behaviors, and risk scores to make decisions while still eliminating false positives.

Humans are now disguising themselves for privacy

A more recent trend is increasing false positives, and without proper innovation it renders legacy rule- and risk-score-dependent bot mitigation solutions inadequate. This is the result of accelerating trends in humans taking action toward greater privacy on the Internet. Ironically, the move toward greater privacy on the web can actually compromise security, making it even more difficult to differentiate between humans and bots.

To understand why, it’s important to know how most bot detection techniques work. They rely heavily on device fingerprinting to analyze device characteristics and behavior. Device fingerprinting is performed client-side and collects information such as IP address, user agent headers, advanced device attributes (such as hardware imperfections), and cookie identifiers. Over the years, information gathered from device fingerprints has become a key input for the analytics engines used to determine whether a request comes from a bot or a human.

The device fingerprint is, in principle, treated like a real fingerprint: it is meant to identify every user uniquely. Fingerprinting technology has evolved toward this goal (so-called high-definition device fingerprinting) by collecting an ever-increasing abundance of client-side information. But what happens when the device fingerprint is no longer a reliable unique identifier, or, worse, ends up looking like one presented by bad bots?

The fading device fingerprint

Previously, we have described how bot operators evade device fingerprint based detection. They harvest digital fingerprints and use them in conjunction with anti-detect browsers to trick the system into thinking the request is legitimate. It’s one of the early drivers that led Kasada, years ago, to move away from device fingerprinting toward a more effective means of distinguishing between humans and bots.

In addition, there are several recent trends regarding web privacy that are making the “evidence” obtained through device fingerprinting methods even more questionable.

Trend #1 – Residential Proxy Network Use

Certainly, residential proxy networks are used by bot operators to hide their fraudulent activity behind seemingly innocuous IP addresses. But there is also a growing tendency for legitimate users to move beyond traditional data-center proxies and hide behind such residential proxy networks. Residential proxy networks such as Bright Data have become increasingly cheap, and in some cases free; they provide an endless combination of IP addresses and user agents to hide your activity.

While some of these users hide behind residential proxies for questionable reasons, such as circumventing access restrictions on content (for example, geographic restrictions), many people actually use them to ensure their privacy online and protect their personal data from being stolen. The fingerprinting technology used to trace those behind proxy networks has become ineffective in light of modern residential proxy networks that hide your identity.

Conclusion: You can’t rely on IP addresses and user agents to differentiate between humans and bad bots because they look the same when hidden behind a residential proxy.

Trend #2 – Private Mode and Privacy Browser Adoption

The recent surge in availability and adoption of private mode and new privacy browsers has made it difficult to rely on device fingerprinting.

Private browsing modes, such as Chrome Incognito Mode and Edge InPrivate Browsing, reduce the amount of information stored about you. These modes take moderate measures to protect your privacy. For example, when you use private browsing, your browser no longer stores your browsing history, accepted cookies, completed forms, and so on after your session ends. It is estimated that over 46% of Americans have used the private browsing mode in the browser of their choice.

Moreover, privacy browsers such as Brave, Tor, Yandex, Opera and a hardened Firefox take privacy on the web to the next level. They add additional layers of privacy such as blocking or randomizing device fingerprinting, providing tracking protection (in conjunction with privacy search engines like DuckDuckGo to avoid tracking of your search history), and removing cookies to make ad trackers ineffective.

These privacy browsers command about 10% of the total market share today, and they are growing in popularity. That is enough market share to present major challenges for anti-bot solutions relying on device fingerprinting.

Conclusion: You cannot rely on advanced device identifiers or first-party cookies due to the increasing percentage of users taking advantage of private mode and privacy browsers.

Trend #3 – Elimination of Third-Party Cookie Tracking

There will always be a large percentage of internet users who don’t use private mode or a privacy browser; Google and Microsoft still have a very high market share. But even for these users, device fingerprinting will become very difficult. One example is the widely publicized effort by Google to eliminate third-party cookie tracking, and while the deadline was recently delayed to 2023, it will inevitably make it harder to identify suspicious behavior.

Third-party cookies collected during the device fingerprinting process are often used as an indicator of bot-powered automation. For example, if a particular session with an identified set of third-party cookies has made 100 login attempts, this is an indicator that you might want to force it to re-verify and establish a new session.

Conclusion: You will soon no longer be able to use third-party cookie identifiers within browsers to help identify bot-powered automation.
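The login-attempt heuristic described above, as an added example that is not code from the original post. It counts POST /login attempts per session identifier over constructed log lines and flags sessions that reach the threshold; the log format and the `sid` cookie name are assumptions, and `sid=-` marks a request that carried no cookie at all, which is exactly the case a privacy browser produces.

```javascript
// Added example, not code from the original post. Log format and the "sid"
// cookie name are constructed for this example.
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) sid=(\S+) status=(\d+)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], method: m[2], path: m[3], sid: m[4], status: Number(m[5]) };
}

// Count login attempts per session cookie. Requests without a cookie ("sid=-")
// cannot be attributed to any session, so they are only tallied as unattributed.
function countLoginAttempts(lines) {
  const counts = new Map();
  let unattributed = 0;
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.path !== '/login') continue;
    if (e.sid === '-') { unattributed++; continue; }
    counts.set(e.sid, (counts.get(e.sid) || 0) + 1);
  }
  return { counts, unattributed };
}

// Sessions that reached the threshold and should be forced to re-verify.
function sessionsToReverify(lines, threshold = 100) {
  const { counts } = countLoginAttempts(lines);
  return [...counts].filter(([, n]) => n >= threshold).map(([sid]) => sid);
}

// Constructed sample log: one session hammering the login form, one normal
// user, and a cookie-less client whose attempts cannot be tied to a session.
function buildSampleLog() {
  const lines = [];
  for (let i = 0; i < 100; i++) {
    lines.push(`2022-01-17T10:00:${String(i % 60).padStart(2, '0')}Z POST /login sid=s-bot status=401`);
  }
  lines.push('2022-01-17T10:05:00Z GET /login sid=s-user status=200');
  lines.push('2022-01-17T10:05:03Z POST /login sid=s-user status=302');
  for (let i = 0; i < 100; i++) {
    lines.push('2022-01-17T10:06:00Z POST /login sid=- status=401');
  }
  return lines;
}
const SAMPLE_LOG = buildSampleLog();
```

Once the cookie disappears, the 100 unattributed attempts are invisible to this heuristic even though they are just as abusive as the flagged session.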

Moving beyond device fingerprinting

Realizing the growing limitations of obtaining accurate device fingerprints from both humans and bots, Kasada moved away from device fingerprinting years ago. The team pioneered a new method that doesn’t require looking for a unique identifier that can be linked to a human, but instead looks for tell-tale, undeniable evidence of automation that appears whenever a bot interacts with websites, mobile apps, and APIs.

We call this our client interrogation process. Attributes are invisibly collected from clients and examined for indicators of automation, including the use of headless browsers and automation frameworks such as Puppeteer and Playwright. So instead of asking whether the request can be uniquely identified as human, Kasada asks whether the request comes from a legitimate browser rendering itself.

With this approach there is no need to collect a device fingerprint, and no ambiguity from rules and risk scores when deciding between bot and human. Decisions are made on the first request, before it ever reaches your infrastructure, including for new bots never seen before, and without requiring a CAPTCHA for verification.
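To make the "legitimate browser rendering itself" idea concrete, here is an added example that is not Kasada's code: a simplified client-side check that looks for well-known automation signals in the browser environment rather than building a unique fingerprint. The `env` objects are constructed stand-ins for the `window` a page script would see; in a real page you would pass `window` itself.

```javascript
// Added example (not Kasada's code): inspect the environment for automation
// indicators instead of assembling a device fingerprint.
function automationIndicators(env) {
  const nav = env.navigator || {};
  const ua = String(nav.userAgent || '');
  const found = [];

  // WebDriver-controlled browsers expose navigator.webdriver === true
  // (required by the W3C WebDriver specification).
  if (nav.webdriver === true) found.push('navigator.webdriver');

  // Headless Chrome announces itself in the user agent unless the UA is overridden.
  if (/HeadlessChrome/.test(ua)) found.push('headless-ua');

  // Consistency check: a Chrome-family user agent should come with window.chrome.
  if (/Chrome\//.test(ua) && typeof env.chrome !== 'object') found.push('missing-window.chrome');

  // Real browsers report at least one preferred language.
  if (!Array.isArray(nav.languages) || nav.languages.length === 0) found.push('empty-languages');

  // A headless session frequently renders into a zero-sized or missing screen.
  const scr = env.screen || {};
  if (!(scr.width > 0 && scr.height > 0)) found.push('no-screen');

  return found;
}

// Decision: a single hard indicator is enough to treat the request as automated.
function isAutomated(env) {
  return automationIndicators(env).length > 0;
}

// Constructed sample environments (user agent strings are illustrative).
const HEADLESS_ENV = {
  navigator: {
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/97.0.4692.71 Safari/537.36',
    webdriver: true,
    languages: [],
  },
  screen: { width: 0, height: 0 },
};
const NORMAL_ENV = {
  navigator: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
    webdriver: false,
    languages: ['en-US', 'en'],
  },
  chrome: {},
  screen: { width: 1920, height: 1080 },
};
```

Stealth plugins for Puppeteer and Playwright spoof several of these signals, which is why a production check collects many more attributes and looks for inconsistencies between them rather than trusting any one value.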

If you’re already using a bot mitigation solution, ask your provider about its reliance on outdated device fingerprinting methods and what measures are being taken to address the inevitable increase in false positives and undetected bots that results from the movement toward a more private web.

Want to see Kasada in action? Request a demo and observe the industry’s most accurate bot detection and lowest false positive rate. You can also run an immediate test to see whether your website can detect modern bots, including those taking advantage of the open source Puppeteer Stealth and Playwright automation frameworks.

*** This is a Security Bloggers Network syndicated blog from Kasada written by Neil Cohen. Read the original post here:
