Enzoic Navigation
  • Solutions
    • Enzoic for Active Directory
    • Enzoic for Active Directory Lite
    • Enzoic Account Takeover Protection
    • Enzoic Exposure Alerts
    • NIST Password Standards
    • Hospitals & Healthcare Password Policy
  • Support
  • FAQ
    • FAQ Overview
    • Active Directory FAQ
    • Account Takeover FAQ
  • Resources
    • Resource Hub
    • What Is Credential Stuffing
    • What Is Account Takeover
    • What is a Cracking Dictionary
    • Intuitive ATO Protection
    • About Strong Passwords
    • Tech Docs
      • API – Dev Doc
      • Active Directory – Tech Docs
      • Security Overview
  • Company
    • About
    • Threat Intel
    • Enzoic Blog
    • Enzoic Partners
    • In the News
    • Contact Us
    • Careers
  • Sign In
  • Free Trial
  • Solutions
    • Enzoic for Active Directory
    • Enzoic for Active Directory Lite
    • Enzoic Account Takeover Protection
    • Enzoic Exposure Alerts
    • NIST Password Standards
    • Hospitals & Healthcare Password Policy
  • Support
  • FAQ
    • FAQ Overview
    • Active Directory FAQ
    • Account Takeover FAQ
  • Resources
    • Resource Hub
    • What Is Credential Stuffing
    • What Is Account Takeover
    • What is a Cracking Dictionary
    • Intuitive ATO Protection
    • About Strong Passwords
    • Tech Docs
      • API – Dev Doc
      • Active Directory – Tech Docs
      • Security Overview
  • Company
    • About
    • Threat Intel
    • Enzoic Blog
    • Enzoic Partners
    • In the News
    • Contact Us
    • Careers
  • Sign In
  • Free Trial
bots mitigation

Understanding Bot Mitigation Limitations

Malicious bots make up nearly a quarter of all website traffic[1]. These bots are responsible for a whole host of problems, including account takeovers, spreading spam, and price and content scraping. The sheer scale of malicious bots crawling the web is equally alarming and eerie.

Detecting bots is increasingly challenging for businesses. It’s estimated that approximately 54% of bots are moderately sophisticated, around 26% are simple, and 20% are sophisticated[2]. Bot developers are adopting new technologies at a rapid rate in an attempt to circumvent bot detection. Additionally, distinguishing bots from humans is also becoming increasingly complex. With this in mind, let’s take a look at the limitations of bot mitigation and share where compromised credential screening can be highly complementary.

Bot Attacker Retooling

Most of the bot countermeasures that companies put in place can be easily worked around by determined attackers. This is one of the fundamental flaws of any rules-based approach to fraud prevention.  Bot attacks will continue to evade antibot controls, resulting in an exhausting game of whack-a-mole.

Attackers understand how to leverage and scale technology, using automation to launch endless credential stuffing campaigns. By utilizing point-and-click attack credential tools like Sentry MBA and leveraging open source operational tools like Wget, they can run scripted web login sessions. Attackers create an army of these bots, and mayhem ensues. Remember, these tried and tested strategies are lucrative for bad actors, so they will always retool.

Avoiding User Friction

All companies are in the unenviable position of balancing stringent security with compelling user experiences in the digital age. The goal should always be to diminish the risk, but not the user experience. It sounds simple enough on paper, but it’s much harder in practice. Many of the tools introduced to detect bots create hurdles for real users.

Be particularly wary of CAPTCHAs. It should come as no surprise that 2FA and CAPTCHAs dramatically increase user friction. The human failure rates for CAPTCHA range from 15%-50%. Many users will simply try another website if they fail, and you’re left with a boosted bounce rate. Not only are CAPTCHAs frustrating for users, but there’s growing evidence that they don’t work. A San Francisco based startup has claimed their algorithm can crack CAPTCHAs with 90% accuracy[3].  

Dealing with False Positives

Even bot mitigation approaches that don’t directly require user interaction can be a source of fiction.  This is common with false positives; when a real human is incorrectly marked as a bot.

For example, today attackers can cheaply and easily rotate through thousands of different IPs thanks to proxy services. They also increasingly use residential IPs, which come with an excellent reputation. As a result, bot mitigation solutions that rely heavily on IP blacklisting are no longer as effective as they were in the past. Additionally, IPs are increasingly shared, so IP filtering carries a high risk of false positives. You risk blocking legitimate users from accessing your service.

Attackers that Bypass Detection

Despite your best efforts, some advanced attackers will manage to bypass detection and become a false negative. In bot mitigation, there is always a combination of false positives and false negatives. The balancing act is inherently challenging; if you tighten too much, you risk false positives. But if you loosen too much, you get false negatives that compromise the effectiveness of your strategy. Often, you won’t become aware of this until you see the harm in action (ATOs or fraud).

There’s no perfect strategy for eliminating bypasses because attackers will always find a way. For example, if you block users based on geographic origin, you’re unlikely to stop bots. If anything, you’ve caused a minor inconvenience and potentially locked out a legitimate person. Attackers use bots from all over the world, so they’ll just pick a different location. Most credential stuffing tools also have extensive configuration options that allow attackers to use lists of proxies.

Handling Manual Fraud

If persistent attackers hit a roadblock with automation, they might change tack and hire a manual fraud team to do the work instead. This team of bad actors will input credentials by hand using real browsers, thereby bypassing bot detection (because they’re not bots!).

How to use Compromised Credential Screening to Boost Your Resilience to Bot Attacks

Compromised credential screening is highly complementary to bot detection solutions. While bot detection helps protect you against bad login traffic before username and password authentication, credential screening can save you after authentication but beforeaccess is allowed.

Compromised credential screening allows companies to identify credentials that have been compromised in a 3rd party data breach, turning attacker’s tools into an effective ATO defensive measure.

Unlike bot detection, compromised credential screening adds zero friction when credentials haven’t been compromised.  Security measures only need to be considered when credentials are known to be unsafe.  Credential screening is also not a rules-based approach. This means there’s no retooling that hackers can use.  The approach is simple; it takes away the hacker’s ability to use stolen keys.

Conclusion

There are inherent limitations to bot detection, and it can only protect you so far. You’ll inevitably have to deal with attacker retooling, balancing security and friction, false positives and negatives, and manual fraud. And even when you have a robust bot detection solution in place, bad actors will still find a way to bypass it. This is why we recommend a two-pronged approach with both bot detection and compromised credential screening to ensure you have comprehensive protection. Use bot detection to keep the bulk of nefarious web activity away and use compromised credential screening as your last line of defense. 

[1]https://www.infosecurity-magazine.com/news/imperva-bad-bot-report-2020/

[2]https://www.infosecurity-magazine.com/news/imperva-bad-bot-report-2020/

[3]https://mybroadband.co.za/news/internet/90435-captcha-cracked-by-artificial-intelligence.html

bot mitigationcredential screening

Search

Browse blog categories

  • Account Takeover (22)
  • Active Directory (33)
  • all posts (113)
  • Continuous Password Protection (20)
  • COVID-19 (7)
  • Cracking Dictionaries (5)
  • Credential Screening (17)
  • Cybersecurity (46)
  • Data Breaches (18)
  • EdTech (2)
  • Enzoic News (11)
  • Financial Services Cybersecurity (2)
  • Healthcare Cybersecurity (9)
  • Law Firm Cybersecurity (2)
  • NIST 800-63 (20)
  • Password Security (10)
  • Password Tips (40)
  • Regulation and Compliance (8)

Stay up to date

Research, news, and more right to your inbox

More

  • Learning about strong, but unsafe passwords
  • What is a credential stuffing attack?
  • What is account takeover (ATO) fraud?
  • Eliminating password reuse to prevent ATO fraud
  • Developer Documentation (APIs)

Recent blog posts

  • Retail Me This
  • What Does It Take to Be Secure with Multi-Factor Authentication?
  • What’s Missing from New FINRA Guidance
  • Passwords Security: Past, Present, and Future
  • [ Free Trial ]
  • Contact Us
  • 1-720-773-4515

Enzoic ©2020 | Privacy Policy | Acceptable Use

Enzoic’s password auditor provides a great baseline for assessing password vulnerability. Get next level of compromised credentials protection and try the full Enzoic for Active Directory at no cost.

Cookies

This website uses cookies to improve your experience. Continue to use the site as normal if you agree to the use of cookies. To find out more about our use of cookies or to opt-out, please see our Privacy Policy.

More Information
This site is for EDUCATIONAL PURPOSES ONLY.
Your password will be sent securely to the Enzoic servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.
What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater. Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.

More…
  • Visit our FAQ to learn more
  • Contact us for press or sales inquiries
  • Add a free password strength meter to your website