CASE STUDY

How a Rideshare Giant Balances SMS Toll Fraud Security with Great User Experience

Key Results

$2.5M

Annualized SMS toll fraud savings in select high-risk countries

99.5%

Of low-risk traffic passed through unchallenged, indicating minimal customer friction

94.4%

Of challenged sessions immediately gave up, indicating high detection accuracy

0

Consumer complaints

Summary

A prominent rideshare and delivery giant faced the challenge of protecting a superior customer experience on its platform while stopping bad actors from exploiting its services. It had prioritized a streamlined customer acquisition process for online sign-ups, but this inadvertently opened the doors to SMS toll fraud. Bad actors were using bots to create fake accounts at scale, causing skyrocketing SMS bills.

To combat this issue, the company partnered with Arkose Labs, which utilizes a wide array of Amazon Web Services (AWS) features, including strategic data center placements, to bolster the security of websites and applications worldwide. Through its collaboration with AWS, Arkose Labs was able to detect, isolate and eradicate these attacks, resulting in a substantial reduction in SMS toll fraud costs and an enhanced, secure experience for genuine consumers.

The Business Problem

To fortify its digital sign-up processes against fake account creation, the company adopted one-time passwords (OTPs) via SMS for verifying consumer identities during registration. But cyberattackers targeted the platform through SMS toll fraud, manipulating OTPs for financial gain. This fraudulent tactic involves bad actors obtaining phone numbers from premium-rate carriers, typically through carrier collusion or the exploitation of weak telecom security protocols. The attackers initiated SMS flows from compromised numbers, and the business was billed millions in fraudulent charges while the attackers split the illegally gained proceeds.

At the same time, the company needed to be circumspect in how it applied verification tactics to new sign-up attempts, because its customer base was extremely sensitive to online friction. It was vital that good users could make it through the registration process without being unnecessarily hindered or blocked. This meant that any challenge-response mechanism implemented needed to operate seamlessly in the background, interrupting the user journey only when accurately detecting suspicious activity and minimally disrupting genuine user interactions.

In addition, the company lacked sufficient visibility into traffic during the customer acquisition user experience and wanted to gain a deeper understanding of other potential cyberthreats, including account takeover (ATO), promotion abuse and website fare scraping.

The Arkose Labs Solution

The company sought a comprehensive solution that preserved the customer experience while significantly curtailing SMS toll fraud. It deployed Arkose Bot Manager, the patented bot detection and mitigation platform that aggregates real-time device, network and behavioral signals on customer workflows to spot hidden signs of bot and human-driven attacks, such as device and location spoofing. This solution is backed by a 24/7/365 managed SOC monitoring and threat management service.

Arkose Bot Manager, in combination with AWS WAFv2 and AWS CloudFront, significantly enhances security for customers running on AWS by leveraging advanced bot detection and mitigation from Arkose Labs alongside AWS’s native security capabilities. AWS WAFv2 provides customizable rules and managed rule groups for bot control, allowing for precise traffic filtering and real-time threat response. CloudFront’s global content delivery network and built-in DDoS protection (AWS Shield) ensure secure and efficient traffic distribution, SSL/TLS termination and edge security. This integrated solution ensures that malicious traffic is identified and blocked early, protecting web applications from bot attacks and other threats while maintaining high performance and availability.

The rideshare company focused its attention on sessions emanating from the 5 countries with the highest SMS costs. Arkose Labs took a tailored approach, working with the company to analyze and selectively choose a unique group of threat signatures as the basis for applying friction. When a suspicious session is detected, the solution presents Arkose Bot Manager challenges. These challenges pose difficulties for bots, leading attackers to either abandon their attempts or, more commonly, pivot to human fraud farms, which are effectively thwarted as well.

[Figure: Sample High-Risk Traffic]

Genuine users, however, encounter little disruption, because the Arkose Bot Manager detection models enable legitimate users to pass through unchallenged. These detection models are built on passive authentication techniques to ensure that authentic users navigate the system smoothly, experiencing little to no interference during their interactions.

[Figure: Sample Low-Risk Traffic]

Demonstrated Results

By embedding Arkose Bot Manager across every point of contact safeguarded by OTPs during account registration, the company now adeptly identifies and counteracts SMS toll fraud assaults while upholding a smooth user journey. Throughout the short integration and deployment period, the company didn’t encounter a single customer registration complaint. Additionally, it better understands good user and bot traffic profiles, with improved visibility into customer acquisition traffic data.

  • Savings of approximately US$2.5M from SMS toll fraud spend for select high-risk countries on an annualized basis
  • Seamless consumer experience
    • 99.5% of low-risk traffic passed through unchallenged
    • The 0.5% of low-risk traffic that experienced challenges solved them quickly and easily, exceeding industry completion standards
    • 0 customer service complaints received
  • Major improvements to data visibility at top of funnel, including
    • IP intelligence, device intelligence and fingerprinting
    • Real-time aggregation of IP addresses
    • Offline analysis of page load IDs
