Two strategies were used for bot detection: CAPTCHA challenges and honeypot traps.
CAPTCHA stands for "Completely Automated Public Turing Test to tell Computers and Humans Apart." It is a security feature designed to differentiate between human users and automated bots. CAPTCHAs are commonly used to prevent automated systems from performing actions like creating fake accounts, spamming, or scraping data from websites.
CAPTCHA systems assess bot behavior by selecting from various browser challenges based on client interactions and data. They can use Private Access Tokens (PATs), analyze session data, and run JavaScript challenges to gather additional signals. The system can adjust the difficulty of challenges based on the information collected from these interactions.
While CAPTCHA solutions provide a good first line of defence against basic botting mechanisms, more sophisticated bots have been able to bypass them, which required us to use alternative detection measures such as honeypot traps.
As part of this approach, one of the crucial missions to be completed was the “Captcha” mission. We chose to use Turnstile by Cloudflare. Cloudflare fully manages the bot detection process, leveraging its vast experience defending against bots.
a. Based on multiple machine learning models, Cloudflare works in real time to determine the type of widget to display.
b. These include non-interactive, interactive or invisible challenges that help Cloudflare identify bots based on a variety of signals.
A honeypot is a decoy trap used to detect, deflect, or analyze bot activity. As bots parse pages, follow links, and complete missions, they can be detected and analyzed using honeypots: isolated, monitored traps that mimic real environments and sit directly on the web pages that bots and users visit. Real users will not see the honeypots, but bots will detect and interact with a link or an additional button hidden in the web page, or with another honeypot trap. When bots interact with honeypots, they reveal their behaviour.
As part of this approach, we launched multiple missions that are invisible to real users on the front end, but detectable by bots that:
While these bots could complete the mission and receive points initially, their accounts were identified and eventually excluded during the rewards calculation.
The use of honeypot traps allowed us to detect bots that were trying to bypass our systems to create false validations while completing our missions. Honeypot traps are particularly effective because they do not produce false positives, since real users who interact with our platform directly will not see these traps.
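The exclusion step described above, sketched as an added example that is not the project's own code: points are credited for every completed mission, and accounts that touched a honeypot mission are dropped only when rewards are calculated. Mission names, point values, accounts and the log format are constructed assumptions.

```python
from collections import defaultdict

# Constructed mission catalogue (names and point values are assumptions).
# Honeypot missions are never rendered for real users, so, as the page
# argues, a recorded completion is treated as bot activity.
MISSIONS = {
    "follow-social":   {"points": 50, "honeypot": False},
    "captcha":         {"points": 20, "honeypot": False},
    "hp-hidden-link":  {"points": 30, "honeypot": True},
    "hp-ghost-button": {"points": 30, "honeypot": True},
}

# Constructed completion log: (account, mission_id, timestamp).
COMPLETIONS = [
    ("alice",  "follow-social",   "2024-05-01T10:00:00Z"),
    ("alice",  "captcha",         "2024-05-01T10:02:00Z"),
    ("bot-17", "follow-social",   "2024-05-01T10:00:01Z"),
    ("bot-17", "hp-hidden-link",  "2024-05-01T10:00:02Z"),
    ("bot-17", "captcha",         "2024-05-01T10:00:03Z"),
    ("carol",  "captcha",         "2024-05-01T11:15:00Z"),
    ("carol",  "captcha",         "2024-05-01T11:15:01Z"),  # duplicate submit
    ("dave",   "retired-mission", "2024-05-01T12:00:00Z"),  # unknown mission
]


def calculate_rewards(missions, completions):
    """Return (payouts, flagged).

    Points accrue for every mission, honeypots included, so a bot gets no
    signal that it was caught. Flagged accounts are dropped only at payout.
    """
    provisional = defaultdict(int)
    flagged = defaultdict(list)   # account -> [(honeypot_id, timestamp)]
    seen = set()                  # (account, mission_id) already credited
    for account, mission_id, ts in completions:
        mission = missions.get(mission_id)
        if mission is None or (account, mission_id) in seen:
            continue              # ignore unknown missions and replays
        seen.add((account, mission_id))
        provisional[account] += mission["points"]
        if mission["honeypot"]:
            flagged[account].append((mission_id, ts))
    # One honeypot hit excludes the whole account, not just that mission.
    payouts = {a: p for a, p in provisional.items() if a not in flagged}
    return payouts, dict(flagged)


if __name__ == "__main__":
    print(calculate_rewards(MISSIONS, COMPLETIONS))
```

The `flagged` mapping keeps which honeypot was hit and when, so each exclusion can be reviewed against the raw log before rewards are finalised.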