This past weekend, I needed to book my travel for an upcoming business trip. When I went to purchase my plane ticket, I found myself unable to login to my account. Instead, I encountered an ‘Access Denied’ message. I’ve traveled extensively with this airline for a while, enough to earn elite status in their rewards program, so I’ve booked enough flights to know that this message was not the norm.
I tried a few other login methods, including changing browsers and using incognito mode in Chrome, but nothing worked. Deterred, I decided to switch from booking my plane tickets to making my hotel reservations and found myself experiencing the same ‘Access Denied’ message. Having now spent a lot of time getting nowhere, I started to worry something might be amiss with my accounts or laptop. So I switched over to my tablet to try to isolate the problem. Fortunately, I was able to log in to my accounts at both the airline and hotel chain on my tablet and finish making my reservations. I was also relieved to discover my accounts with both companies had not been compromised in any way.
The next day, I again tried to log in to my airline account from my laptop… and again failed. Curious if other customers of the same airline and hotel chain were experiencing problems, I looked around online. On Twitter, I found other users complaining about similar issues.
Based on these reports, and my own odd experience, I asked our security research team if they knew of a solution to the problem. They asked if I use any ad-blocking software and, since a few decades in the security industry has made me sensitive to online privacy and security, I confirmed that I did and gave them the details.
We soon discovered the root cause of the problem. Both my airline and hotel chain use a bot detection product from one of our competitors to defend against automated account takeover attempts. Because this product collects device and user heuristics from customers by sending a piece of JavaScript to the browser making the login attempt, it looks similar to various tracking scripts used by the online advertising vendors. Consequently, a popular data feed referenced by many ad blockers recently added this bot management solution’s JavaScript to its master list and is causing issues with customers who, like me, are security conscious enough to use ad-blocking software.
Because many ad blockers are now blocking this particular JavaScript, when a customer like me submits their username and password, the request does not contain any user tracking of the information required by the bot management product when it reports back. As a result, the tool considers me to be a bot because it relies ONLY on this signal to make its block/allow decision. That’s why I got the ‘Access Denied’ message – it was from the bot management product, not from my airline or hotel’s web application.
What does this mean? Tens of thousands of security-minded users like me are now unable to log in to their accounts using a desktop browser on nearly 300 websites unless they disable their ad-blocking software. These unhappy customers have been complaining on various channels, including social media. The security vendors that use this JavaScript technique are scrambling to appease angry users, and are likely losing brand value and customers in the process.
Ironically, if my preferred airline and hotel chain had made use of Cequence Security instead of another bot management product, I would not have a story for this week’s blog post. From the beginning, we have taken a very different approach to bot detection and mitigation at large enterprises. Since Cequence Security’s solution doesn’t rely on client-side JavaScript injection, it’s much less intrusive when it comes to end user and customer experience. This innovative approach to solving the problem, which results in no friction with customers’ applications and APIs, led Gartner to recognize us as a 2018 Cool Vendor in the bot mitigation space.
Unfortunately, for both businesses and their customers, this problem is only going to get worse. In addition to ad-blocking software, several leading browser vendors have announced that they intend to start blocking third-party JavaScript in their default configurations. Fortunately, for companies seeking to future-proof their defense against bad bots, there is an alternative: Cequence Security.
