Can’t Snag a Hot Holiday Toy? A Grinch Bot Probably Got There First

In the animated Disney Pixair film “Toy Story 2,” the unscrupulous owner of Al’s Toy Barn steals Woody from a yard sale in order to cash in big by selling the entire Woody’s Roundup gang to a Japanese museum.

Al is an analog ancestor of so-called Grinch bots snapping up hot toys in bulk upon release or when they’re discounted, then reselling them at inflated prices on the secondary market.

Cybersecurity firm Radware told NBC News that as much as 97% of traffic to ecommerce login pages in the week ending Cyber Monday came from bots. Other, more established bad bots steal payment and credit card information.

Grinch bots can fill out online forms and move through ecommerce sites faster than consumers, and quickly purchase limited-supply items, Ron Winward, a spokesman for Radware, told NBC.

“People are really competing with automated infrastructure and bots to get hot holiday items,” Winward said. Radware said Grinch bots can even mimic an actual consumers’ online activity and deploy sophisticated measures to avoid detection, including logging into their accounts.

Third Times the Charm in Congress?

The Grinch-like threat to steal Christmas has members of Congress attempting to fight back with the “Stopping Grinch Bots Act,” introduced in the Senate on Nov. 29.

“The modern-day Grinch snatches toys from behind a computer screen,” U.S. Sen. Richard Blumenthal (D-CT) said in a tweet posted in conjunction with the legislation. “As families prepare for the holidays, Cyber Grinch bots are buying the hottest toys & reselling them at outrageous prices. My bill would protect kids, parents & small businesses from these holiday hijackers.”

Blumenthal’s bill is modeled on the Better Online Ticket Sales Act (BOTS Act) of 2016, which cracked down on bots buying up tickets to concerts, theater performances, sporting events and the like. It “prohibits the circumvention of a security measure, access control system, or other technological control measure used online by a ticket issuer … (and) prohibits selling … an event ticket obtained through such a circumvention violation if the seller participated in, had the ability to control, or should have known about the violation.”

There’s just one problem. Blumenthal first proposed legislation to crack down on holiday shopping bots in December 2017, in conjunction with Senators Chuck Schumer (D-NY), and Tom Udall (D-NM), and U.S. Rep. Paul Tonko (D-NY). They rolled it out again as The Stopping Grinch Bots Act of 2018, according to a release on Udall’s website.

Back in 2017, Fingerlings and Barbie Hello Dreamhouse were the holiday toys no one could get because Grinch bots had snapped them up. In 2017 and 2018, if your children loved the latest Harry Potter fan gear, including LEGOs, you may have been out of luck.

Grinch Bots Affect Brands, Consumers

“Bots harm regular online shoppers by jacking up the prices,” says security evangelist Deepak Patel of cyber security firm PerimeterX. “They also hurt the brands who dislike seeing their offerings go for such high prices on secondary markets and who want to ensure fairness and a good online experience for their customers.”

Patel has an idea why the federal legislation has come up three years running without being adopted. “Anything that promotes commerce will be allowed,” he says, likening the business model of those deploying Grinch bots to underlying principle of arbitrage, i.e. buy low, sell high.

Patel points to a key difference between concert tickets and items like toys and sneakers. Tickets, he says, are easier to protect from bots with regulatory action because they have short expiration dates.

“Toys, shoes and luxury items a little tougher to regulate,” Patel says, explaining that the secondary collectible market is a consumer goods tradition. As an example, he cited the Nike Air Mag sneakers Michael J. Fox wore in “Back to the Future.” They’re easy to find online – at prices that can exceed $30,000. One of the actor’s actual movie sneakers sold on eBay for more than $92,000.

Overall, the sneaker resale market is a multi-billion-dollar business, Patel said.

“Toys are exactly the same way because it creates nostalgia,” he said of the secondary market. “I don’t see it going away.”

Several factors go into that equation, as Patel explains it:

  • Amazon has made everything a commodity. Luxury brands must have limited productions, flash sales and other promotions to distinguish the brand.
  • The secondary market for collectible items has been around a long time and is deeply established.
  • At this point, the practice is so mainstream that some resale companies are even thinking about IPOs.

Surprisingly, Patel doesn’t see Grinch bots as an entirely malicious presence, saying the situation is complicated for retailers. They don’t want a splashy rollout or flash sale of a supposedly in-demand product to fall flat, for example, or if a product sells well initially but then lags, they don’t want excess inventory.

“Bots do help them make it look like some items are in high demand,” Patel says. The answer, he said, isn’t federal regulation but mitigation technology that can proactively monitor and block sophisticated bots, and manage their access and impact in real time.

“Businesses have to take it into account and use it for advantage rather than looking at (Grinch bots) as a risk,” Patel said.