WaPo article about the Grinch bots
Posted by
decline (aka Decline)
Dec 16 '20, 08:02
|
This Christmas, it’s boy vs. bot.
Thirteen-year-old John Coleman has tried everything to buy a Sony PlayStation 5. Coleman, from Bowie, Md., spent his summer cleaning and mowing lawns to save up the $500 the game console is supposed to cost. He stayed up until 5 a.m. when Target’s first units went on sale, and camped in front of a Maryland GameStop on Black Friday. A month
after the PS5’s debut, he checks inventory alerts every day after virtual school but still doesn’t have the console.
Ted Brack, 47, chases down new PlayStations in front of two computer monitors in Las Vegas — with very different results.
Brack has bought eight of the consoles so far from online retailers including Walmart, selling them for as much as $1,160 on eBay. His secret weapon: bots, or software that helps him know when products are in stock and can hammer retailers with orders faster than any regular customer could hope to on their own.
The technology has earned a bah-humbug nickname: Grinch bots.
Computer programs that automate online tasks, called bots, have aligned with the coronavirus pandemic and low inventories of hot products to create a perfect storm of holiday disappointment — or opportunity, depending on your perspective. On Black Friday, when it launched a deal on the console, Walmart.com says it blocked more than 20
million bot attempts in the sale’s first 30 minutes. Target says it’s constantly tracking and blocking bots, focusing on high-demand products such as the PS5. One British retailer called Very said it canceled at least 1,000 game console
orders after it realized they were placed by bots.
Using shopping bots to buy these products is perfectly legal in the United States, despite flustering retailers and stoking annoyance for customers like Coleman. Some bot operators are modern scalpers, in it to make money by forcing Santa to pay market prices. Others are computer-savvy shoppers now turning to bots out of desperation to fill their own gift lists.
Shopping bots aren’t new, but their use is growing fast. Deployed by people who buy and resell tickets, high-end sneakers and designer fashion, they’re now expanding into other categories where demand outstrips supply — including grocery delivery slots at the height of the pandemic. Imperva, a cybersecurity firm, says that among its
clients, “bad bots” accounted for 24.1 percent of all traffic in 2019 — up from 20.4 percent in 2018. (“Good bots” are ones like Google’s search engine scouts )
“It’s a full-on arms race that keeps escalating,” says Thomas Platt, the head of e-commerce at bot-protection firm Netacea.
Bots are only one part of the PS5 crunch — there have even been daring heists. But stopping the use of bots is easier said than done in an Internet economy that connects so many different interests: companies that want to make highly sought-after products and early adopters who will do anything to get them. Retailers primarily invested in turning inventory and online resale marketplaces hoping for a cut. And then there are small-business people like Brack, the Vegas reseller, and the people (often teenagers) who make the bots he uses.
“I can see why somebody would get upset about it. But any time that there’s demand for something, you’re always going to find somebody in between a purchaser and seller,” says Brack, who says he’ll make about $30,000 this year from his side hustle.
“I understand it’s a way to earn a lot of money quickly,” says Coleman, the 13-year-old. But “think about the little kids who’ve been waiting for it; it will be their first console.”
The PS5 battles of 2020 show it isn’t exactly clear who, even, is responsible.
A game of cat and mouse
Brack was up all night before he purchased his first four PS5s on Nov. 12. He knew he had to have his arsenal ready at exactly 9 a.m. Pacific time, when Walmart had announced its first bunch would go on sale.That was probably Walmart’s first mistake in an ongoing game of cat and mouse with bot operators: letting them know exactly when to strike.
Brack got his start three years ago buying and reselling limited-edition sneakers, and has since been perfecting the art of the “cop,” or successful purchase. His tools that morning included a bot he bought for $250. He ran it on a virtual server in Virginia, which offered a faster connection than he could muster from his laptop at home.
Inside the bot — a desktop application that looks a lot like professional workplace software, but with gamer-friendly dark colors — he pasted a link to the product he wanted to buy and entered his credit card. But “copping” hot products isn’t as simple as just switching on an app. Retailers have a number of defenses in place that bot users need to work around. Brack operates proxies to obscure his IP address, and even created slightly tweaked versions of his shipping address, to avoid having multiple orders look suspicious.
Retailers claim they are onto these tricks. “Bot scripts are constantly evolving and being re-written, so we’ve built, deployed and are continuously updating our own bot detection tools allowing us to successfully block the vast majority of bots we see,” Jerry Geisler, Walmart’s chief information security officer, said in a statement.
A gift they'll enjoy all year long. Give one year for $29. See gift subscriptions
He also said most of its demand for the consoles is from real people and that the company audits and cancels orders purchased by bots, though he didn’t say how many Walmart had canceled. “The vast majority of our next-gen consoles have been purchased by legitimate customers,” Geisler said.
Walmart didn’t stop Brack. When sales began at 9 a.m., his bot went to work. By 9:01, two icons turned from red to green inside the app — and Brack had two PS5s ordered. That afternoon, Walmart did a second stock release, and he bought two more. The retailer says its bot detection and prevention tools get more effective with each release. Imperva, which works with retailers but doesn’t disclose its clients, says its software puts up obstacles to bots, such as checking for 200 attributes of the browser to see if it’s a real device. “That way if they trip over one obstacle, then you put something like a captcha in the way to detect them,” said Edward Roberts, an application security strategist.
Captchas, short for “Completely Automated Public Turing test to tell Computers and Humans Apart,” are the quizzes that are supposed to detect bots. But Brack’s tool kit has ways around those, too, including a subscription service that farms out Captchas to humans who fill them out in real time.
Complicating the fight further, some bots just provide information such as when something is in stock — which can be even more useful for resellers than a purchasing bot.
Brack’s next four PS5 wins came thanks to a $500-a-month service from a company called Fulcrum that gives him instant updates on what’s in stock and hidden on parts of retailer sites visible only to search engines and bots. That’s how he caught a PS5 restock on Amazon just last week, completing the actual purchase without the aid of a bot.
Only so much to go around
Even if bots account for only a fraction of PS5 sales, as Walmart claims, there is clearly a massive amount of genuine demand outstripping the number of new game consoles available. If there were more units on real and virtual shelves, bot operators wouldn’t be able to make so much reselling them. New consoles come out once every six to seven years, which already creates more anticipation than more frequently updated devices. But that was only one of the issues for this year’s big releases. The pandemic and limits on social activities have pushed people around the world toward gaming in droves. The pandemic has also disrupted supply chains, according to Lewis Ward, research director of gaming at market research firm IDC, who says “there’s only so much hardware to go around.”
PlayStation maker Sony didn’t respond to requests for comment. There’s probably another reason for the shortage that isn’t related to the pandemic: The companies don’t want to sell too many units right away.
IDC’s Ward estimates Sony will ship nearly 5 million PS5s this quarter, and Microsoft will move about 3.8 million Xbox Series Xs, another hot item for bot-buying. (Microsoft declined to comment.) The companies are probably making very little profit on each console at the moment, if at all, due to the high cost of their high-end hardware
components. But the game systems will get cheaper to make in the coming years as the cost of parts falls, making consoles sold in the future more profitable for the companies, says Ward.
A gift they'll enjoy all year long. Give one year for $29. See gift subscriptions
“They are losing money on these bundles. They have incentive not to run up to a giant number,” says Ward, who points out that consoles can have a 12-year life span. “They’ll make more money on them over time.” Online marketplaces, one of the Internet’s original and most profitable businesses, also make it very easy and convenient for bot operators to sell their goods at a significant markup. Craigslist and Facebook Marketplace have
minimal moderation and make it simple to find nearby buyers willing to pay in cash in a parking lot.
Brack sold all of his PS5s on eBay. “I don’t think they mind, to be honest,” he said.
He’s right. The platform has extensive rules and protections to try to prevent people from selling fake products, but no rules against reselling bot-purchased merchandise for twice its retail price. “The reselling of real consoles is allowed and is not considered fraudulent if they are listed correctly,” said eBay spokeswoman Ashley Settle.
Gaming the system
Brack says bot operators are less like the Grinch and more like people with a side hustle. While Brack has a regular job as a Web developer, about half of his income comes from bot-related enterprises, including a website he runs called CopSupply that helps people comparison shop for bots. He also runs a Discord chat room called CopWorks Cook Group for resellers, in which they pay $30 per month to get intel on new products and
other tips. Those community services have given him a bird’s-eye view on the bot economy, in which he calls himself a mediocre player. Over the last year, it has easily doubled. “Everybody moved inside because of the pandemic,” he says. “I thought
that a recession would hit and people would be less inclined to buy products. But that’s just not the case. This is the perfect way to have a side hustle.”
Security companies also say there’s evidence groups that look more like traditional hacking outfits are joining the economy. Netacea says just one small but well-organized resale bot group in Europe made a profit of over $1 million in the first two weeks from the PS5. Seeing bot groups that well-funded “is a big change,” said Platt, Netacea’s head of ecommerce. “We are not used to people investing a million dollars to buy up stock.”
Security firms say retailers and product makers need to change the bot market economics by using more of their software. “They need to make the attacks more expensive for the bot operator. Right now, it’s too cheap and the rewards are too high,” says Imperva’s Roberts.
The United States is considering legislation based on the 2016 BOTS Act, which made it illegal to use the software to scalp tickets. Rep. Paul Tonko (D-N.Y.) sponsored that legislation, and in 2018 proposed the Stopping Grinch Bots Act, which would empower the Federal Trade Commission to sue people who use bots to circumvent anti-bot protections
from all kinds of retailers. He plans to introduce the bill again in 2021. “Why should families have to pay a higher price because someone has manipulated the market?” Tonko said in an interview. “There’s an unfairness there that seems to have grown — and its impact in the current pandemic atmosphere and the economic downturn is all the more painful.”
Walmart’s Geisler said in a blog post Tuesday that the company was asking lawmakers to take action against bots and A gift they'll enjoy all year long. Give one year for $29. See gift subscriptions hoped other retailers would join it. Still to be worked out, however, are the details around which exact behavior would be illegal, how to go after
international bot operators and what responsibility retailers would have to report bot behavior to the FTC — or even to stop using bots themselves to check prices on competitors.
In the hunt for PS5s, plenty of regular buyers reported having adopted some of the techniques from bot profiteers to stand a chance of beating them — and the thousands of other human shoppers — to checkout. They follow tip accounts such as @Wario64, which tweets out rumors about what times stores will make stock available, and they set up alerts with the help of inventory bots. Many create accounts with each retailer ahead of time, to avoid wasting time entering a credit card number and shipping address. They join Discord channels such as ScalperRevenge (with over 3,000 members) to swap tips and watch YouTube how-to videos with advice on buying.
Coleman, the teenager in Maryland, has tried much of it, including inventory alerts and having his parents set up accounts on sites such as Target, GameStop, Best Buy and Walmart. He has managed to get a PS5 in his shopping cart, but it disappears by the time he hits checkout — a common complaint among shoppers across sites. After The Washington Post asked Brack for comment on Coleman, the teenager hunting for the PS5, Brack said he
wanted to send him one of the consoles he had obtained with his bot. “It’s just something I happen to love doing,” Brack said. “It’s not about just the money.”
|
Responses:
|
Replies are disabled on threads older than 7 days.
|
|