Newegg’s Shuffle Sounds Like A Good Strategy, If Done Right

Newegg’s new Shuffle program could put electronics in the hands of more consumers, and fewer scalpers. That is, if it is done right.


If you have been living under a rock, electronic launches have been problematic since the start of the COVID-19 pandemic. This is partly because supply chain orders for chips dropped; however, orders later rebounded in the third quarter, which conflicted with pre-committed orders from the technology industry (Vakil & Linton, 2021). The issue was further exacerbated by scalpers purchasing the limited supply of electronics, driving the price up as demand further increased (Kan, 2020). Utilizing bots, scalpers were able to swarm online storefronts and resell for exorbitant amounts. Many stores have been unable to keep stock of many popular electronics as a result. However, Newegg has started something that I think may provide temporary relief until supply chains are able to meet demand.

The Shuffle

Newegg has started selling in-demand products via random shuffles, called Newegg Shuffle (Hollister, 2021). Instead of purchasing a product, you enter yourself into a drawing for an opportunity to purchase the product you want. Some people seem to be against this; however, I see this as an advantage. A raffle of limited spots to purchase a product could decrease the probability of a scalper getting a product. If a store chooses a first-come, first-served methodology, the probability of a scalper getting a product is only decreased by the probability of passing their bot detection. However, if you add a raffle on top of that, you are layering protections, which is the defense-in-depth approach (EC-Council, n.d.) typically used in cybersecurity. This also assumes Newegg has designed this system correctly.

The Problem

To answer if this has been designed correctly, we need to first answer the question of: what problem are we trying to solve? The problem is customers abusing the purchase system to obtain large amounts of electronics. You cannot stop all abuse of the purchase system and you cannot stop all scalpers. There will always be a chance they could go through the legitimate buying process; however, you can slow them down. So, we just need to solve the problem of abusing the system to purchase large amounts via an automated means.

Bots

Scalpers have been utilizing bots to purchase large amounts of electronics. These bots are applications that have been designed to make web calls to a website to mimic humans in an automated way (Cloudflare, n.d.). There are a couple ways this can be done. You can create a bot with a “head”, in which the application accesses the GUI page and can use either coordinates to click or computer vision. For example, I have written bots that used image recognition to navigate GUI applications, which allowed the bot to perform tasks even if the GUI were re-positioned or reorganized.

Another way of writing a bot is in a “headless” manner. This method interprets the HTML on a website to navigate (Smirnov, 2020). If the HTML has not changed, your application can perform the same tasks a person can. One downside is that a headless bot misses any GUI cues used to attest that you are a human. The application can also break more easily, as HTML element clicks rely on strict HTML element paths.

The last method, and one not used too often, is direct HTTP/S calls. Utilizing the developer mode in most web browsers, you can record the HTTP requests between you and the web server. Recording these calls could allow someone to replay the requests to perform the same actions over and over.

There are, of course, protections against these, such as CAPTCHA and basic bot detection methods. We do not need to dig into that.

Raffle Protections

Now that I have explained the problem and why I believe Newegg’s Shuffle does a good job of fixing the issue (although not eliminating it), let’s go over what I assume they are also doing. The raffling of spots to purchase is all for naught if they are not also adding additional layers of protection.

Verify Purchaser

One of the first things that can be done is verify the purchaser. This can be done by doing the following:
• Require a cell phone number, excluding SIP phones such as Google Voice. Verify the number with a phone call to increase the complexity of an automated application (bot). Otherwise, simply confirm by sending a picture of a code; this will also raise the bar to abuse the system.
• Require all card purchases be made with a valid debit or credit card, restricting access from prepaid cards. This may also include temporary card services like Privacy (although that would be unfortunate).
• Limit orders of in-demand products to X amount per household.

IP Protection

A common thing I hear from people is that bots can simply get a new IP address, bypassing IP restrictions and blocking. However, we have had an answer to this for years. You have run into it if you have ever tried to set up an e-mail server from your home. IP addresses have different categories, and email providers have been filtering based on this for years. If your email originates from a consumer IP address, it is probably going to be blocked.

Online retailers can block access to the purchase system from cloud datacenter and enterprise IP addresses. You do not need to block these IP addresses at the network firewall; however, it is highly unlikely a server in AWS needs to purchase a GPU. If you are trying to purchase a GPU on your work network, you could probably just do so on your phone. This will force scalpers to find other means to get around IP restrictions, making it much more difficult.
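
The layers described under Verify Purchaser and IP Protection, applied to raffle entries before the draw, as an added example (not Newegg's code and not from the original post). The entry fields, the `phone_type` lookup result, the household key, the per-household limit of 1 and the IP ranges are all assumptions constructed for illustration.

```python
import ipaddress
import secrets

# Constructed ranges (RFC 5737 documentation blocks); unlisted means consumer.
IP_CATEGORIES = {
    "datacenter": [ipaddress.ip_network("198.51.100.0/24")],
    "enterprise": [ipaddress.ip_network("203.0.113.0/25")],
}
MAX_PER_HOUSEHOLD = 1  # the post's "X amount per household"; value assumed

def ip_category(addr):
    ip = ipaddress.ip_address(addr)
    for category, nets in IP_CATEGORIES.items():
        if any(ip in net for net in nets):
            return category
    return "consumer"

def screen_entries(entries):
    """Apply each layer in turn; return (eligible ids, {rejected id: reason})."""
    eligible, rejected, households = [], {}, {}
    for e in entries:
        category = ip_category(e["ip"])
        if e["phone_type"] != "mobile" or not e["phone_verified"]:
            rejected[e["id"]] = "phone is not a verified mobile number"
        elif e["card_type"] not in ("credit", "debit"):
            rejected[e["id"]] = "prepaid or temporary card"
        elif category != "consumer":
            rejected[e["id"]] = "entered from a " + category + " network"
        elif households.get(e["household"], 0) >= MAX_PER_HOUSEHOLD:
            rejected[e["id"]] = "household limit reached"
        else:
            households[e["household"]] = households.get(e["household"], 0) + 1
            eligible.append(e["id"])
    return eligible, rejected

def draw_winners(eligible, spots):
    """Draw purchase spots uniformly from screened entries using the OS CSPRNG."""
    return secrets.SystemRandom().sample(eligible, min(spots, len(eligible)))

# Constructed sample entries, one per rejection reason plus two clean ones.
FIELDS = ("id", "phone_type", "phone_verified", "card_type", "ip", "household")
ENTRIES = [dict(zip(FIELDS, row)) for row in [
    ("a", "mobile", True, "credit", "192.0.2.10", "h1"),
    ("b", "voip", True, "credit", "192.0.2.11", "h2"),
    ("c", "mobile", True, "prepaid", "192.0.2.12", "h3"),
    ("d", "mobile", True, "debit", "198.51.100.7", "h4"),
    ("e", "mobile", True, "debit", "192.0.2.13", "h1"),
    ("f", "mobile", True, "debit", "192.0.2.14", "h5"),
]]
```

Screening happens in the entry logic rather than at the network firewall, so a rejected entry gets a recorded reason that can be reviewed later.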

Insider Abuse

Lastly, insider abuse. If insiders can abuse this system, then there is no point in playing. Insiders would just be able to inject their friends and provide a higher probability of landing on them. The only way around this is publicizing the source code, and even then, you would be trusting that the code provided is what is being run.

References

Cloudflare. (n.d.). What Is a Bot? | Bot Definition. Retrieved from Cloudflare: https://www.cloudflare.com/learning/bots/what-is-a-bot/

EC-Council. (n.d.). WHAT IS DEFENSE IN DEPTH? Retrieved from EC-Council: https://blog.eccouncil.org/what-is-defense-in-depth/

Hollister, S. (2021, February 25). A $329 Nvidia RTX 3060 was impossible to find, but you could give Newegg’s raffle a try. Retrieved from The Verge: https://www.theverge.com/2021/2/25/22301391/nvidia-rtx-3060-launch-supply-demand-newegg-shuffle

Kan, M. (2020, September 17). How a Bot Bought Dozens of RTX 3080 Units Before Consumers Could Grab Them. Retrieved from PCMag: https://www.pcmag.com/news/how-a-bot-bought-dozens-of-rtx-3080-units-before-consumers-could-grab-them

Leary, A. (2021, February 24). Biden Orders Broad Supply-Chain Review Amid Chip Shortages. Retrieved from The Wall Street Journal: https://www.wsj.com/articles/biden-to-address-chip-shortages-supply-chain-problems-with-executive-action-11614160803

Molina, B. (2021, February 25). Newegg Shuffle targets bots and scalpers buying PS5, Nvidia GeForce RTX 3060, other hot tech items. Retrieved from USA Today: https://www.usatoday.com/story/tech/2021/02/25/newegg-shuffle-bots-scalpers-nvidia-geforce-3060-ps-5-xbox/6817074002/

Smirnov, A. (2020, November 15). How to run a headless Chrome browser in Selenium WebDriver. Retrieved from IT Next: https://itnext.io/how-to-run-a-headless-chrome-browser-in-selenium-webdriver-c5521bc12bf0

Vakil, B., & Linton, T. (2021, February 26). Why We’re in the Midst of a Global Semiconductor Shortage. Retrieved from Harvard Business Review: https://hbr.org/2021/02/why-were-in-the-midst-of-a-global-semiconductor-shortage