cowinapi / developer.cowin

This group is created to facilitate technical and integration discussions related to cowin platform. API related contents can be obtained at API setu portal https://apisetu.gov.in/public/marketplace/api/cowin

Security Measures to prevent abuse #11

Closed heisenberg-hash closed 3 years ago

heisenberg-hash commented 3 years ago

Hello Team,

As you might already be aware there is a lot of abuse going on with respect to Cowin APIs and the cowin portal with widespread usage of scripts/bots with smart people acting in bad faith.

I understand there are no APIs to book a slot, but only to check for availability. But after checking availability there are scripts that are abusing info available on the UI level (web portal/app), along with automated scripts to mimic human interaction (including reading OTP messages and entering them).

I have gathered the following recommendations from friends in the security community, to fix this, which I have summarised as follows.

Of course these are not foolproof. But I am confident that there are even better experts working with your team and in the community, who can come up with much better ideas, and I hope this sparks a good discussion.

I would love to know your comments on this and if there is any way we can contact you directly.

pulse-aj commented 3 years ago

I can help get the COWIN website and APIs integrated behind Akamai's vaccine edge platform that offers the protection we need here to create a fair vaccination drive. More details about the solution here https://blogs.akamai.com/2021/02/supporting-covid-19-vaccine-rollouts-with-vaccine-edge.html . Email me at jpakhil@gmail.com in case you want me to facilitate this discussion with Akamai.

pulse-aj commented 3 years ago

The Akamai solution was built to prevent similar abuse of vaccination slot availability in the US.

avgcoderlife commented 3 years ago

Much needed. Bots are in full swing. Saw the code of a few as well; they are automating the appointment via browser automation. Let's introduce Captcha.

mukuldhariwal94 commented 3 years ago

@team

Please take this as a priority. Seeing a lot of people misuse and book slots automatically, leading to an unfair vaccine drive. Every slot is getting booked out in a few seconds.

https://twitter.com/darthdevi/status/1389581837106782219?s=21

Example thread

ofpiyush commented 3 years ago

On further thoughts, one solution for API abuse is to invert the problem.

In a resource crunched situation, automated and transparent distribution is a more fair system.

Divide active slots into 80-5-15. Use a token system for 80%. Wait for a few hours use 5% as buffer for rescheduling. Then release remaining 15-25% to the current setup.

Details

Ask people to pick centers, days of the week and favourable slots near them (max 10)

Show them approximate date based on slots that have opened up in these centers so far (optional)

Whenever the slots open, allocate on first come basis.

For transparency and preventing abuse from the platform side, make this allocation data and logic public. (Release token numbers instead of PII data)

If possible, integrate with vaccine distribution data to prevent abuse from the centers.

Let people reschedule for a few hours (up to 24) if their situation has changed. Use the 20% slots to enable this.

Benefits:

Risks:

Some people will put a token on far-away centers to get through quicker, then use reschedule to get to a closer center.
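The token scheme in the comment above, worked through as an added example (this is not code from the CoWIN project or from the commenter). Centers, slot capacities, token numbers and preference lists are all constructed here; the 80/5/15 split, the 10-preference cap, token-order allocation, the reschedule buffer and the public ledger of token numbers (no PII) follow the comment. The example also shows the risk listed above: a holder who took a far-away center can move to a nearer one as soon as that center's buffer has a seat.

```python
from dataclasses import dataclass

MAX_PREFS = 10
TOKEN_PCT = 80   # allocated by token number, first come first served
BUFFER_PCT = 5   # held back for rescheduling during the window
# the remaining 15% stays with the existing live-booking portal


@dataclass
class Request:
    token: int          # public sequence number issued at registration, not PII
    preferences: list   # (center, day, slot) keys, most preferred first


def split_capacity(capacity):
    """Split each opened slot's capacity into token / buffer / live pools (integer math)."""
    pools = {}
    for key, n in capacity.items():
        token = n * TOKEN_PCT // 100
        buffer = n * BUFFER_PCT // 100
        pools[key] = {"token": token, "buffer": buffer, "live": n - token - buffer}
    return pools


def allocate(pools, requests):
    """First-come allocation in token order against each slot's token pool.
    Returns (assignments, ledger); the ledger holds only token numbers and slot keys,
    so it can be published for transparency without exposing personal data."""
    assignments, ledger = {}, []
    for req in sorted(requests, key=lambda r: r.token):
        for key in req.preferences[:MAX_PREFS]:
            if pools.get(key, {}).get("token", 0) > 0:
                pools[key]["token"] -= 1
                assignments[req.token] = key
                ledger.append((req.token, key))
                break
    return assignments, ledger


def reschedule(pools, assignments, token, new_key):
    """Move a holder to new_key using that slot's buffer pool; the vacated seat
    goes back into the old slot's buffer so another holder can move into it."""
    old_key = assignments.get(token)
    if old_key is None or old_key == new_key:
        return False
    if pools.get(new_key, {}).get("buffer", 0) == 0:
        return False
    pools[new_key]["buffer"] -= 1
    pools[old_key]["buffer"] += 1
    assignments[token] = new_key
    return True


def release_to_live(pools):
    """After the reschedule window closes, fold unused token and buffer seats into
    the live portal pool; returns the per-slot capacity handed to the portal."""
    live = {}
    for key, p in pools.items():
        live[key] = p["token"] + p["buffer"] + p["live"]
        p["token"] = p["buffer"] = 0
        p["live"] = live[key]
    return live


def demo():
    # constructed sample: a near center with 10 doses and a far one with 20
    near, far = ("C1", "mon", "09:00"), ("C2", "mon", "09:00")
    pools = split_capacity({near: 10, far: 20})
    requests = [Request(t, [near, far]) for t in range(1, 11)]   # ten prefer near
    requests += [Request(t, [far]) for t in (11, 12)]            # two only want far
    assignments, ledger = allocate(pools, requests)
    return pools, assignments, ledger


if __name__ == "__main__":
    pools, assignments, ledger = demo()
    for token, key in ledger:
        print(token, key)
    print(release_to_live(pools))
```

With the sample numbers the near center splits 8/0/2 and the far one 16/1/3, so tokens 1 to 8 get the near center, 9 to 12 fall through to the far one, and a reschedule into the near center only succeeds once someone has left it.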

harshnisar commented 3 years ago

Just dropping by to say: let's ensure that none of the anti-cheat mechanisms to be put in place actually exclude people through inadvertent bugs, or block or increase barriers for people who weren't trying to cheat in the first place.

E.g. a normal captcha might be okay, but if we put in the image-annotation-related reCAPTCHA then it will definitely affect low-literacy users.

E.g. a lot of people in rural India will be using the same computer to get slots, as computing resources are limited. They'll use CSC computers, Gram Panchayat computers, etc. So something which blocks people based on the same IP might also be exclusionary to these people.

Edit: To clarify, APIs in themselves enable "cheats", and a good starting point is to not have them in the first place. Alerts etc. can be part of the original system too, as people are registering with their mobile numbers.
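An added example (not code from the CoWIN project or from the commenter) of the shared-computer point above: the same sliding-window limiter is run twice over a constructed request log, once keyed on the source IP and once keyed on the registered account. The IP addresses, account names and request timings are all made up; the limit of 10 availability checks per minute is an assumed value, not a documented CoWIN setting.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window_s`-second window."""

    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)   # key -> timestamps of recent allowed hits

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def evaluate(requests, key_fn, limit=10, window_s=60):
    """Replay (timestamp, ip, account) requests through a limiter keyed by key_fn.
    Returns how many requests each account had blocked."""
    limiter = SlidingWindowLimiter(limit, window_s)
    blocked = defaultdict(int)
    for ts, ip, account in requests:
        if not limiter.allow(key_fn(ip, account), ts):
            blocked[account] += 1
    return dict(blocked)


def constructed_requests():
    """Constructed log: six citizens at one CSC computer (one shared IP) each check
    availability three times in a minute; one home user runs a script that polls
    40 times in the same minute from its own IP."""
    reqs = []
    for i in range(6):
        for j in range(3):
            reqs.append((i * 5 + j, "10.0.0.7", f"citizen-{i}"))   # shared CSC IP
    for j in range(40):
        reqs.append((j, "203.0.113.9", "scripted-account"))       # documentation IP
    return sorted(reqs)


def by_ip(ip, account):
    return ip


def by_account(ip, account):
    return account   # in CoWIN terms this would be the registered mobile number


if __name__ == "__main__":
    log = constructed_requests()
    print("keyed on IP:     ", evaluate(log, by_ip))
    print("keyed on account:", evaluate(log, by_account))
```

Keyed on IP, the CSC's 18 legitimate requests exhaust the shared address's budget after the tenth hit and the last three citizens are turned away, while the scripted account loses 30 of its 40 polls either way. Keyed on the account, no citizen is blocked and the scripted account is throttled exactly as before, which is the property the comment is asking for.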

heisenberg-hash commented 3 years ago

Absolutely right @harshnisar !

The app itself, as simple as it already is, might be exclusive to the tech literate. With vaccine hesitancy already creating a barrier, complicated tech can make it worse.

I have also personally seen many turning away from the Cowin app and risking direct walk-ins or queueing up for miles from 5 am in the morning at my local UPHC.

But, with the help of people like @ofpiyush and you, I'm sure we can find better solutions to overcome this issue.

souvik234 commented 3 years ago

I feel that if Co-Win can implement an appointment availability notification system via SMS, it will take off a lot of the need for people to use APIs and third-party apps.

Because right now it is extremely random as to when slots open up. So people need to keep continuously checking the portal. If there are notifications, it makes it easier for people.

In Chennai at least, when I got notified by the API (pre-rate limit), if I was able to know when the appointment was released, I didn't need the API to book the appointment.

(Maybe off-topic) - If even this is maybe tech-discriminatory, the only real solution is to mandate vaccine centres to release appts at specific times. Because I feel that the current purely-random solution is very stressful for everyone and is actually unfair to people who don't have the time to either look at or make someone look at Co-WIN every 5 minutes.

AjinkyaJP commented 3 years ago

I recently came across computer code on the internet that creates bots to book appointments using the cowin api. The sad part is, the bots are using apis that are supposed to be protected and not available for public use without the permission of the Ministry of Health and Family Welfare, Government of India. The bots are giving unfair advantages to computer programmers over the average citizen.

I tried calling the phone numbers available on the Cowin website, but they were busy. Please take note of these activities. And please ask the govt to shut down this activity.

I'm sharing with you the link of one of such codes...

https://github.com/pallupz/covid-vaccine-booking

sudhir-trigyn commented 3 years ago

We just implemented Captcha while booking an appointment. Now that script won't work.

akhilesh-godi commented 3 years ago

@sudhir-trigyn I hope this is a stop-gap measure, it doesn't and will not stop automation. I've seen that the API sends an image and the user can be prompted for input - so this is the only part where manual intervention might be needed and the rest of the process still remains automated. It is going to take only some more time before captchas are broken using captcha solving software. Also please consider updating the API documentation to reflect this breaking change.

@ofpiyush has outlined very good ideas on developing better mechanisms to allot slots. Using allocation algorithms which are 'fair' and backed by policy should be seriously considered.