Backstage with Arkose Labs
Arkose Labs, a global technology leader, takes a novel approach to fraud prevention by bankrupting the business model of fraud. The company uses advanced technologies to remediate attacks in real time, posing a series of step-up challenges designed to wear down fraudsters without adding any friction to the customer experience.
Headquartered in San Francisco, with offices in Brisbane, Australia and London, UK, Arkose Labs was recognized as a 2021 Cyber Defense Magazine “Hot Company in Fraud Prevention”, and recently raised a $70 million Series C funding round led by SoftBank Vision Fund 2 with additional participation from Wells Fargo Strategic Capital and previous investors M12 and PayPal Ventures.
MPC recently sat down with Kevin Gosschalk, CEO and Founder at Arkose Labs. Following are highlights from our interview.
MPC: What inspired the idea of bankrupting fraud and how does your model work?
The idea was inspired by looking at how to effectively stop fraud long-term. For too long, businesses have been playing a cat-and-mouse game with fraudsters, constantly responding to attacks, putting new protocols in place, which fraudsters then adapt to, and so on. It’s akin to plugging holes in a dam.
Instead, we focus on taking away the ROI fraudsters make when they launch attacks. Fraudsters are like anyone else: they get up every day and do a job. If they can’t make money on it, they’ll stop doing it. To do this, businesses need to take a step back and focus on what fraudsters are after rather than simply implementing tools and technology to block them. Work backward to figure out how they get money out of your platform and how to make that more difficult. It could be by making it more costly to buy proxies by utilizing robust IP intelligence. Or device fingerprinting, forcing them to invest in more software. You can trigger additional step-up measures for suspicious traffic. It’s important to not just rely on passive signals, as fraudsters can not only get around those, but it also can lead to false positives.
MPC: How has technology changed the game in fraud prevention?
Technology has changed the game for both fraudsters and for businesses looking to stop them. Businesses have access to a great number of tools that help them detect and stop fraud, including behavioral biometrics, advanced data analytics to analyze traffic for signs of suspicious activity, and much more.
On the flip side, advancements in technology have also given fraudsters greater ability to hide their tracks and successfully pull off attacks. Proxy IPs are readily available, and enterprise plans allow fraudsters to buy hundreds of thousands for an economical price. If they need more compute power to launch massive attacks at scale, that is readily available as well. They can buy SaaS software to load combo lists and launch attacks at scale with ease. Many of these come in premium tiers that also feature customer support.
Fraudsters are continually innovating and changing their tactics, and it can be difficult for businesses to keep up without the right fraud defenses in place.
MPC: What are the key components of your technology suite and how do they complement each other?
The Arkose Labs Fraud and Abuse Prevention Platform is an advanced technology suite designed to thwart fraud without adding friction to the customer experience. Our patented technology platform uses telemetry to identify bad actors, then issues a series of adaptive step-up challenges to wear them down, effectively removing financial incentives and removing return on investment.
The platform has two components that work together to deter attackers without impacting customers: Arkose Detect, a sophisticated risk engine, and Arkose Enforce, which uses targeted step-up challenges to sap fraudsters’ efficiency and diminish their ROI. These are further informed by robust network intelligence provided by the Arkose Labs Global Network, which monitors attack patterns across the company’s clients in multiple industries worldwide.
Arkose Detect analyzes data from user sessions, behavior and their interactions with technology. It unearths behavioral patterns across devices and networks in real-time that signal suspicious or anomalous patterns. In light of fraudsters’ ability to continually change and obfuscate identifiers, Arkose Labs runs deep analysis looking for telltale signs of fraud, and then segments suspicious traffic.
This traffic is served challenges that use visual puzzles created with 3D technology and are rendered in real-time so that they are not vulnerable to being solved through automation and computer vision technology. When human click farms are detected, they are served increasingly complex challenges designed to waste their time and ultimately make them abandon the attack. No traffic is blocked, which means good user experience is not impacted and false positives are drastically reduced.
MPC: How does your unified platform continuously adapt to evolving attack patterns?
Our AI-driven decision engine uses advanced analytics to confidently root out suspicious traffic, determine the appropriate attack response, and evolve models in real-time to rapidly adapt to threats. Challenge interaction data is fed back into the decision engine as instant truth data to validate the risk classification and further train machine learning models.
This feedback loop between the custom enforcement challenge and detection engine enables the platform to continually adapt to new threats.
MPC: As you have noted, bad actors are also leveraging technology. What emerging threats are you seeing and what dangers do they pose to businesses and individuals?
When it comes to fraud, bad actors, now more than ever, are able to hide their tracks and obfuscate their identity very easily with the tools available to them. This means very little traffic falls into an outright “bad” category, but much of it falls into a “gray area” that can’t be clearly defined as good or bad. That means businesses can’t rely on traditional methods of fraud detection but must dig deeper into accurately analyzing traffic that comes to their site.
In terms of attack types, we are seeing a big rise in credential stuffing attacks. These are attacks where bots constantly try different username/password combos at scale until a match is found. Credential stuffing powers account takeover attacks, which are highly popular among fraudsters because of the many ways they can be monetized. Bad actors can drain money from compromised accounts, or use them to launder money, steal personal data or resell on the dark web.
We are also seeing a rise in microtransaction fraud. This is when attackers make small, in-app transactions – often in online gaming platforms – in order to test stolen credentials or launder money.
MPC: What advice do you have for organizations tasked with protecting critical assets and infrastructure?
Businesses must always be vigilant and evolving in their fraud prevention techniques. If nothing else, fraudsters are an innovative and persistent bunch; they do not give up quickly and will continually try new techniques and use new tools to pull off an attack. Businesses can never rest on their laurels or think they’ve got it figured out.
We also highly recommend sharing best practices and collaborating with fellow colleagues in the fraud prevention space, and events like this are a great place to do that. You can be sure fraudsters are constantly collaborating and sharing tips and tricks, and we should be as well. Being an active member of industry groups is a great way to share best practices and work together in the fight against fraud.