The war on ticket-scalping bots just got a powerful new ally: a security outfit backed by military intelligence dedicated to staying months ahead of hackers by studying the minute differences between human operators and programs.
Meet PerimeterX, the San Mateo, California-based company taking on hackers not just to help frustrated concert-goers, but people looking to buy limited-edition sneakers, protect bank accounts and keep sensitive personal information out of the hands of international crime syndicates.
Sounds like something out of a spy movie, right? It kind of is.
PerimeterX’s programs and techniques “can identify a non-human visitor, helping us with a wide variety of bot attacks,” says Omri Iluz, the company’s CEO and co-founder. “We provide a real-time answer to the critical question: Is the user behind a web request a human being or not? It’s a question that’s been getting harder to answer because hackers are getting better as they try to mimic human behavior even more.”
It’s all in the subtle differences in how a human interacts with a website compared with a bot. Humans using laptops need to move a mouse around on a page in order to process a transaction; on mobile devices, they must zoom the image in and out. Bots don’t need to do any of that, instead running operations much, much faster and without having to interact with the page by moving a cursor, Iluz says.
Tracking these infinitesimal differences (including knowing that a smartphone will never stay perfectly flat at a 90-degree angle without picking up the vibrations of a passing car, or reading how a laptop battery not connected to an AC charger drains) is the foundation of what PerimeterX does to help its clients recognize and take action against illegal users or those looking to circumvent the law.
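As an added illustration (not PerimeterX's code, and not from the article), the sketch below scores a session on three of the signals described above: time to submit, pointer movement on desktop, and orientation-sensor jitter on mobile. The session fields, thresholds and sample sessions are constructed assumptions.

```javascript
// Added illustration only: field names and thresholds are assumptions,
// not PerimeterX's detection logic.
const THRESHOLDS = {
  minSubmitDelayMs: 1500, // load -> submit faster than this is suspicious
  minPointerMoves: 5,     // desktop: pointer samples expected before submit
  minTiltStdDevDeg: 0.01, // mobile: real sensors always show some jitter
};

function stdDev(values) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance =
    values.reduce((a, v) => a + (v - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance);
}

// session: { device, loadedAt, submittedAt, pointerMoves: [{x, y, t}],
//            tiltDeg: [front-to-back tilt samples in degrees] }
function scoreSession(session) {
  const signals = [];
  if (session.submittedAt - session.loadedAt < THRESHOLDS.minSubmitDelayMs) {
    signals.push('submit-too-fast');
  }
  if (session.device === 'desktop') {
    const moves = session.pointerMoves || [];
    if (moves.length < THRESHOLDS.minPointerMoves) {
      signals.push('no-pointer-movement');
    }
  } else if (session.device === 'mobile') {
    const tilt = session.tiltDeg || [];
    // Too few samples is "unknown", not evidence: browsers may withhold
    // sensor data until the user grants permission.
    if (tilt.length >= 10 && stdDev(tilt) < THRESHOLDS.minTiltStdDevDeg) {
      signals.push('orientation-perfectly-still');
    }
  }
  const verdict = signals.length >= 2 ? 'likely-bot'
    : signals.length === 1 ? 'review' : 'likely-human';
  return { verdict, signals };
}

// Constructed sample sessions (not captured traffic).
const human = { device: 'desktop', loadedAt: 0, submittedAt: 9200,
  pointerMoves: Array.from({ length: 40 },
    (_, i) => ({ x: 10 + i * 3, y: 200 + (i % 7), t: i * 120 })) };
const script = { device: 'desktop', loadedAt: 0, submittedAt: 180, pointerMoves: [] };
const emulator = { device: 'mobile', loadedAt: 0, submittedAt: 400,
  tiltDeg: new Array(50).fill(90) };
const phone = { device: 'mobile', loadedAt: 0, submittedAt: 7000,
  tiltDeg: Array.from({ length: 50 }, (_, i) => 41 + 0.3 * Math.sin(i)) };
```

A single signal only sends the session to review, since a fast human or a user who navigates by keyboard would otherwise be misclassified.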
But Iluz says his company isn’t trying to put up roadblocks, like captcha text, to slow the bots down.
“It’s not how you defeat the bots, it’s how do you defeat the people running the bots,” he says. “In my opinion, it’s looking at them as businesses. These are people trying to make money. They’re not doing it as a hobby, they want to buy the tickets and go and resell them on StubHub or eBay for five times what they’re worth.”
Looking at the people behind the bots as businesses transforms the conversation to one of creative, almost capitalistic, competition. Scalpers want the best return on investment for the goods they purchase and invest in the infrastructure that allows them to do this in the most cost-effective way. When sites install anti-bot programming and security measures, scalpers have to spend “a lot of time, money and effort on bypassing or fighting us on getting the tickets,” Iluz says. “Let’s hurt them on the other side of the business, when they sell. Let’s make sure people can sue them, that they can actually get a criminal record for doing this. If we’re making it harder to buy tickets and we’re making it riskier and more expensive to sell a ticket, we’re basically taking out the whole motivation for them to run the business.”
As to the state-level legislation introduced to make the use of bots a crime punishable by incarceration, he says that’s another piece of the puzzle that can be strengthened by the use of programs like PerimeterX. But many of the people or groups behind the bots are based in different countries, making prosecution nearly impossible.
When the entire ecosystem is modified, through legislation, increased costs and anti-bot digital defenses, it eliminates the incentive. Right now, scalping tickets, scooping up rare sneakers, thieving identities and stealing passwords are safer and easier than selling drugs on the street. Companies like Iluz’s are working to change that.
Protection like this doesn’t come cheap—clients are currently paying PerimeterX monthly fees starting at $2,000 for its services—but “that’s a relatively small number based on their total infrastructure spend and what it costs them to deliver a website,” says Mike Sawyer, the company’s vice president of marketing. “It’s not a big expense for them, it’s a matter of getting it done” and protecting their overall business, to say nothing of fees and potential legal actions from customers and clients whose identities are compromised.
The program is as simple to learn and integrate as Google Analytics, Iluz says. “As far as accuracy, it’s highly accurate. It’s always a cat and mouse game, there’s no silver bullet. The hackers are going to get smart and they’re going to go after new technology, and we’re going to improve our technology. We have a great team of researchers, most of them ex-military intelligence who have been doing this their entire careers. We’re well ahead of the curve here.”
But won’t the hackers and bots see these countermeasures and take evasive action?
“They try,” Iluz admits. “We see that all the time. But we have the advantage here because we see the changes before them. We have people who live inside (a dark room)…they know what’s coming up next. We take tactics from military intelligence, we try to learn as much as we can about what’s coming in the next few months. We’re already learning the bots in the lab that will hit the ticket sites in the next six months.”