It’s not that I’m not a gamer. I enjoy board games and card games: Trivial Pursuit, Settlers of Catan, SET, Hive. I’m up to level 3056 in Two Dots. As a kid, I played Super Mario Land on my brother’s Game Boy and Sonic the Hedgehog on the family Sega Genesis. But I’ve never been one to buy up the latest gaming system. We still have an old Xbox in our basement, on which my family sometimes plays Madden 2003. When the PS5 went on sale last week, I was NOT watching the websites waiting to snag one.

My security and risk colleague and partner in crime, Jeff Pollard, desperately wanted to buy the PS5. It didn’t go well:

Jeff: The Sony PlayStation 5 launch will probably be a sore spot for lots of gamers for a long time. We are right in the middle of a pandemic, and as we write this together, sweeping restrictions are being reintroduced to try and control the spread of coronavirus. In those circumstances, the release of a new gaming console is going to see unprecedented demand.

On the first day of sale, retailers broke online dates early, which meant the console was gobbled up right away — which Sony apologized for. Since then, there was the steady slow drip of releases on launch day. To give Sony credit, it did take the step of asking retailers not to release the PS5 in stores to eliminate large gatherings — but that step also exacerbated online issues. So the launch has been one tale after another of website crashes, inventory disappearing from shopping carts, outages, charge-backs, and more. So as hundreds of thousands of gamers around the world constantly spammed F5 keys and raced through checkout processes on websites hoping to get an order confirmation … someone snagged all the PS5s, and it didn’t appear to be the customers that wanted them.

And here’s where it intersects with my research. Jeff’s attempts to secure himself a PS5 were thwarted by bots — blatantly and obviously so.

Here’s a collection of screenshots across various social media sites about bots, the PS5, and resellers:

What’s happening here?

To put it simply — inventory hoarding and flipping.

This is a classic case of bots hoarding desirable merchandise and reselling it at a profit, something I discussed recently in my blog about Black Friday sales. Bot management solutions identify and thwart both simple and sophisticated bots, addressing attacks like credential stuffing, DDoS, web scraping, and, yes, hoarding. Critically, many solutions not only block the bots but deceive, delay, and frustrate them, making the attack too costly to be worthwhile. Unfortunately, it seems like some online retailers have still not implemented bot management solutions to prevent their inventory from getting to fraudsters and resellers rather than loyal customers.

Maybe some retailers consider bot mitigation a low priority because it isn’t stopping the sale — after all, whether it’s bots or people, they get the revenue from the sale, right? Obviously, this is shortsighted — if a customer finds that they can never purchase the desirable merchandise on your site, they will look elsewhere — now and possibly in the future. As a retailer, you may be happy to have bots buy up the gaming consoles, but remember that they aren’t going to come back and buy the games, gaming accessories, and other lower-demand merchandise you sell. Block the bots to keep your human customers happy and loyal.

Jeff: From Sony’s standpoint, a bot run on the PS5 may feel like a boon … until they see the number of disappointed customers on Reddit and other sites. If the only feasible way to snag a PS5 is via StockX, eBay, Facebook Marketplace, or Craigslist, there’s a real issue for customers. In fact, users on Reddit began to create their own software and browser extensions to help combat bots. To get a sense of the problem, see NowInStock.net to see how long it’s taken for retailers to run out of PS5 inventory when it drops.

Sony Direct — an online storefront for the console hardware operated by the company — has a queue system, and it hasn’t been perfect. When bots deny eager human buyers, reputations start to sour. For Sony, its real customers are the gamers that will buy the console, accessories, use its marketplaces, and pay for online services. The real worry is that some number of potential customers will walk away — after all, Microsoft released the Xbox Series X and Series S two days later, and while shortages will exist until April, the launch seemed to be quite a bit smoother than Sony’s, even though the Microsoft launch day for the console caused some traffic spikes for ISPs.

Obviously, Sony can’t force implementation of bot management for its retail partners, but it can certainly encourage and even incentivize retailers to do so — what if a retailer that sold most of its inventory to bots didn’t receive as much inventory the next time around?

Jeff: I still want a PS5, Sandy.

If you are a retailer selling popular merchandise like the latest gaming console, it’s past time to implement bot management. If you have a bot management solution, make sure that it is tuned and ready for the next big sale. Jeff and I really don’t want to have to write this blog again when the PS6 comes out.