As we strive to create safe online spaces for users, the battle against bots has become a barrage of strategies. Visual challenges (CAPTCHAs), rate limiting, AI detection, and behavior-based solutions each claim to have the upper hand when it comes to beating bots.

Calling all of this into question, a devastating academic paper recently went viral on X (formerly known as Twitter), showing just how quickly and accurately bots can now solve different types of CAPTCHAs. Are any of these solutions effective at all?

A well-known bot-stopping enthusiast himself, Elon Musk chimed in on the thread with a bold claim – the “only” method that works to beat this threat at scale is a user-pays subscription model. His comments come hot off the back of recent reports indicating that X (FKA Twitter) has been losing $60M a year from SMS pumping attacks… Insane!

Elon Musk Tweets about CAPTCHAs and subscription models

This definitely sounds like a silver bullet to the problem… but is Musk right? Is making users subscribe for services/content the “only” way to stop bots?

User Subscription-based Bot Detection

Employing user subscriptions as a way of fortifying your application against the endless assault of bots hinges on one idea. By making attackers pay for each unique account, you significantly increase the cost to attack.

The rationale is simple – if bots can’t be stopped, they can at least be slowed down by making them pay a hefty fee for every breached fortress. This fee also helps the defender foot the bill for bot-driven expenses like SMS verification and infrastructure surges.

The Assumptions

Like any theory, this one rests on a bed of assumptions that deserves our scrutiny. It supposes that:

  1. The only problem worth tackling is bots orchestrating mass-scale actions by impersonating logged-in, subscribed users
  2. Bad actors aren’t willing to shell out the funds needed to pay for subscriptions 
  3. Obtaining access to subscribed accounts without coughing up the cash is an unlikely scenario

But are these assumptions true all the time? And what if they aren’t?

The Theory Unravels

The subscription-based defense strategy quickly unravels when faced with defending applications where these assumptions aren’t true.

This means login, registration, password reset requests, page views, checkouts, etc. are all beyond the scope of protection – each of these actions is inherently performed by users who haven’t logged in yet (and therefore aren’t subscribed). Account takeover, credential stuffing, web scraping, SMS pumping, toll fraud, carding attacks, and more cannot be stopped by a subscription model. These attacks, driven by bots, can cause massive damage – directly through large bills or indirectly by hurting your brand image.

And let’s not forget the actions that can be carried out by logged-in users still lingering in the free tier. Taking X as an example, free-tier users can still post, re-post, like, and view tweets. That means a malicious actor could have a single subscribed user and amplify their message with thousands of free, automated accounts serving as their foot soldiers.

Underground marketplaces for X currently offer services that boost likes, followers, and views – as depicted below. Adversaries are also selling “aged” accounts, which help to reduce suspicion that automation/bots are at play. In the past 90 days, Kasada has identified over 21,000 X accounts sold for as little as 65 cents an account, with more than 73,000 accounts still on the market today. These accounts include free accounts, premium accounts (blue check), and developer accounts.


State actors and well-funded individuals with enough motivation are more than happy to pay for more than a single account. They could easily afford the cost of paid accounts, automating each one to achieve their goals – whether profit-driven or otherwise.

Hurting Your Business

Beyond these weak points, the user subscription model fails to protect against some of the most devastating attacks that can still be crafted by a mere handful of influential, subscribed accounts. The collateral damage is no less noteworthy.

And while subscriptions are adept at targeting specific bot threats, they also inadvertently cut down the number of legitimate users. Not everyone wants to pay and not everyone can afford to (hence the free tier). The result? A decline in your user base, perhaps even alienating loyal users who feel the cost simply isn’t worth it.

The Bot Management Saga Continues

So, where does this leave us? Is the subscription-based approach a failed idea?

While there is some valid reasoning behind this approach, it’s not the winning solution Musk makes it out to be. It certainly has its merits, effectively beating bots in some specific use cases. But as an overarching, foolproof, drawback-free solution, it falls short – it’s more appropriate for revenue generation than as a complete defense strategy.

The bot landscape is as diverse as it is dynamic. It’s a place where the unexpected thrives and where cunning outwits rigidity. As you march forth in your battle against bots, remember that the war isn’t confined to a single front. It’s a multi-dimensional chess game, requiring a cohesive mix of strategies and countermeasures to be effective.

So, while you could embrace subscriptions as part of your bot management toolkit – remember, a song is only as good as its parts. Though it’s true that past bot defenses are failing, the modern ones have raised the bar. It’s now possible to curtail the problem against a wide range of use cases, without hurting your user experience or relying on outdated defenses like visible CAPTCHAs. To truly win the war, you need a solution that can beat the bots on every battlefield.
