The Proof-of-Work challenge: Your secret weapon to block bad bots
For high-value sales and registrations, bad actors create advanced bots that take several spots in the waiting room, making it harder for genuine visitors to get through. Queue-it’s Abuse and Bot Protection now includes a Proof-of-Work challenge that blocks sophisticated bots by significantly increasing the “cost of business” for bad actors.
When your visitors see individualized wait information, like how many people are ahead of them in line, it makes the wait fair and transparent. When bots take up queue numbers, it undermines this fairness and transparency.
Using lightweight, scripted programs, it is relatively easy and cost efficient for bad actors to create simple bots or scripts that can obtain multiple spots in the waiting room. These bots or scripts give the bad actors an advantage over genuine visitors in completing transactions on your website.
To give a sense of scale, consider the following statistics from Imperva’s 2020 Bad Bot Report: bad bots made up 45.7% of website traffic in education; 37.5% in government; 25.8% in ticketing; and 18.6% in ecommerce.
A CAPTCHA challenge has been the traditional solution to keep bad bots out of websites. But the tool has its drawbacks. It can frustrate genuine visitors and be ineffective in blocking bots. There are services that offer to solve CAPTCHAs with real users through APIs. And more sophisticated bots use machine learning to beat CATPCHA. Computer scientists have created machine learning algorithms to beat Google’s image recognition CAPTCHA 92.4% of the time. Similar algorithms have reached a 100% success rate on the text-based CAPTCHA tests.
In many cases it is valuable to get through a waiting room quickly, in numbers, to buy a front row ticket, get a limited-edition sneaker, or complete a government registration. So, for bad actors, the cost of mass-solving CATPCHAs to get multiple spots in line is low in the grand scheme of things.
A key part of the solution to this problem is to increase the cost of making bots that can gain access to the waiting room. Bots that just run a few HTTP requests are simple and cheap to make. But forcing bots to complete performance-intensive tasks—tasks that a real visitor’s browser could complete easily—significantly increases the costs to the bot makers and bad actors.
To block sophisticated bots from obtaining multiple queue positions, Queue-it has introduced the option to use a Proof-of-Work challenge. Well established in blockchain technology, Proof of Work requires a service requester (in this case your visitor’s browser) to solve a mathematical puzzle using computing power. Bots cannot use any scripting language to solve this puzzle and enter the waiting room. They need to run a programming language that can solve that puzzle.
Queue-it’s Proof-of-Work challenge uses computing processing power as the cost driver. The more queue positions that bad actors seek to obtain, the more CPU is drained and the more costly their project becomes.
At the same time, the Proof-of-Work challenge will be barely if at all noticeable to real visitors. Their browsers can easily solve the puzzle to grant them a spot in line.
We’ve had the feature in beta testing with some customers since the fall of 2019, and the results are promising. For one major concert onsale in October 2019, about 11% of visitors failed the Proof-of-Work challenge, meaning these were bots that had even made it through existing bot mitigation solutions. In another example, Proof-of-Work blocked 39% of users in a January 2020 airline ticket sale.
You can find the Proof-of-Work feature under the “Bots and Abuse” tab on event settings in the GO Queue-it Platform. If you cannot locate the tab, please contact your Queue-it support representative at firstname.lastname@example.org.
The Proof-of-Work feature is part of Queue-it’s Abuse and Bot Protection package.
Queue-it’s new Proof-of-Work challenge gives you another tool to keep bad bots out of your waiting room and website. Proof-of-Work is invisible to visitors, but hard on bots.
When tickets or products with high resale potential go on sale, bad actors are likely to use advanced bots to take spots from real visitors. Compared to CAPTCHA, the Proof-of-Work challenge is less intrusive on the user experience and has the potential to block more bad bots.
The Bots and Abuse package contains several features that you can use to mitigate the bots and abuse you experience. For more information on how you can tailor your bot and abuse protection to your needs, contact your Queue-it support representative at email@example.com.