Case Study

SMS Toll Fraud, Reverse-Proxy Attacks, and Cybercrime-as-a-Service with Fraud Boxer’s Jordan Harris

SMS Toll Fraud, Reverse-Proxy Attacks, and Cybercrime-as-a-Service with Fraud Boxer’s Jordan Harris

Transcript:

[00:00:29.010] - Speaker 1
Welcome, everybody, to another episode of the Prod Boxer podcast here. I have Kevin Goschalk from Arkose Labs here today, and I think we're going to get a little more technical than we're normally used to. Him and I caught up when we were at the Merchant Risk Council last week. I do have some episodes still in the can that I haven't put out yet. This one's going to come out ahead of those. My voice was a little off, so now we're getting The Voice back. So I'm happy to dive right back into this, get some after MRC sessions going with what people have learned there, what people talked about. Keep this conference high going. So, Kevin, how are you doing today?

[00:01:00.850] - Speaker 2
Doing great, Jordan. Thanks so much for inviting me on. I saw you wearing the merch at MRC. I'm like, hey, we should do something. There's a whole bunch of cool stuff we could talk about.

[00:01:11.420] - Speaker 1
Yeah, and I'm excited to have you on here because normally we talk so much about just fraud prevention stuff, but you guys go a little more technical into some of the more advanced things that happen to us. Bots are a big thing that I see we talk about a lot, but a lot of the software and a lot of the people out there don't really address them, and you guys do. And I think some of the stuff that you guys are working on is actually really cool. You and I obviously caught up and talked about some of those things before, so I'm really happy to bring those to my audience for people that have more questions. They hear us talk about the bots, like I said, but they don't know what to really do. They leave those conversations and they're like, what do I do? Well, now they got somebody they can call. So, yeah, when do we meet? How do we even meet?

[00:01:51.600] - Speaker 2
So I believe we met MRC. Of course. MRC brings everyone together. Shout out to the MRC. If anyone's a merchant dealing with fraud and risk, we highly recommend you head to the MRC conferences. They're great. I believe it was 2019 in Seattle, so it was one of the regional ones that they put on. And I was giving a presentation with one of our customers, Expedia, and we thought it'd be hilarious if we brought some of the expedia gnomes to the event. And we gave out these gnomes as part of the presentation. It was with Clayton Foster. He's obviously a long term MRC. Goer as well. And I believe you're in the audience. I don't know. Do you remember that?

[00:02:34.420] - Speaker 1
I do. I remember I got a gnome. It was squishier than I expected. I have it somewhere. I've moved 15 times since 2019. But man, if we would have known what was coming at that, because that was like the fall of 2019, and we were just going about life was normal. We were going out to nice dinners. We were joking and laughing, having a good time, doing quizzes. You were doing great presentation up there. And then about three months later, the world was about to end. But, hey, we're back now. Kind of, yeah.

[00:03:04.170] - Speaker 2
You could never have predicted what we just went through and the aftershock, I guess, of how this has changed the workforce and stuff like that. I don't think anyone was predicting that, ever. That was just not in cards.

[00:03:15.540] - Speaker 1
Not at all. And I was going to the office every day. I used to ride the bus and the train here. I have a car. I just don't like traffic, and I would rather do other things while in traffic. So I actually used to ride the bus in the train in La. Anybody that's from La knows it's not a pretty situation, but now I would never even dream of going back to the office. My home office, work from home. That's my forever thing.

[00:03:39.030] - Speaker 2
You and many others.

[00:03:40.490] - Speaker 1
Yeah. I do miss people, though, sometimes, actually, I get invited to go to the office. I got invited to go this Thursday and I was, like, all about it, but then I realized I have to drive 30 minutes, so I'm going to put it off another week.

[00:03:50.400] - Speaker 2
That's a good sign of humanity, that you miss other people in general. That's a good trait to have.

[00:03:55.520] - Speaker 1
Yeah. Every once in a while, I emerge from my home cave about once a week, and then for about 1530 minutes, I experience people and then I go back. But I get to see you guys all over this lovely zoom and record everybody, so we still have that. Let's talk a little bit about you, where you came from, and then we'll talk about Arkose, and then we'll get into the meat and bones of this bad boy. So let's hear all about you.

[00:04:19.650] - Speaker 2
Yeah, I'm a computer engineer, so a little bit more technical than probably the typical folks in the kind of broad space. I'm a bit of an outlier, I would say. I studied game design and computer science in Australia, so I'm obviously slight accent, but I'm originally from Brisbane, Queensland, in Australia. And then on the back of getting a bachelor of that, I went into the health space and I spent a couple of years building technology to diagnose diabetes. Earlier, of all things. It turns out the nerves at the back of the eye are a really good view into your health. And a patient without diabetes, the nerves all converge in a world in one central place, and you can see that quite clearly with these pretty fancy cameras they have that let you look at, like, 500 times magnification. And a patient without diabetes, the nerves do not converge in a well, so it's actually a very clear you can just visually see it. Problem is, they couldn't map it, they couldn't imagery. So I wrote software and we had a pattern and stuff that let them map the cornea, the back of the eye.

[00:05:28.150] - Speaker 2
And after two years of kind of building that technique and kind of proving it out and letting them build a repeatable, there's some software that let them kind of easily extract it and tell them, yeah, one has, one doesn't. There's about an eight year clinical trial period. So I wasn't involved in that. I didn't want to stick around for eight years over and over again. But they went through that and that software is now actually being used in the UK to help diagnose diabetes. And you can actually now go to an optometrist and you can find out up to two years earlier than traditional methods like blood pricks would actually inform you. So small contribution to health, which was really awesome. Fun journey, really cool.

[00:06:05.410] - Speaker 1
So, quick question about that. Is it for type one or type two or can it do both?

[00:06:09.350] - Speaker 2
Type two.

[00:06:10.490] - Speaker 1
Okay, that's super interesting. I'm going to have to go read more about that after we're done recording here.

[00:06:15.540] - Speaker 2
This study was called the Landmark study. I believe it was longitude. I can't remember what the acronym was. It was like longitudinal assessment of neuropathic. I don't know, I don't remember. It's been a long time. It's been like twelve years. But yes, I did that. And then on the back of that, I was granted a scholarship award by a large not for profit in Australia that focuses on people with intellectual disabilities called the Endeavor Foundation. They kind of saw the work I was doing as a student and said, hey, we want to see if you can build something interesting to kind of get these people up and more active. And did that for a few months. That was so successful that the government and the university co invested half a million dollars to help me commercialize that technology. And we ended up ultimately licensing that at about two or three years in. So I built that for a couple of years. But both of those I was very focused on computer vision techniques, so understanding what a machine could recognize and interpret and then use that to kind of build a social gamification experience for the people with intellectual disability and the context of the health project, be able to map and chart these images.

[00:07:22.990] - Speaker 2
And both of those obviously led to having core domain expertise in the ultimate pioneering idea of what then became Arkose shortly thereafter.

[00:07:32.550] - Speaker 1
Wow, so you did all these this is a completely different industry that you're in reality. Wow. I had no idea that you had all that previous stuff. That's really impressive.

[00:07:47.610] - Speaker 2
It's out of luck. You don't build a solution like Arkose by being someone in the space, I would say. So we certainly came at it from a very different perspective. I co founded Arkose with one of my lecturers at the university I attended, actually. So he was the early game designer. He was a game designer lecturer. So he was doing kind of the user experience design of our product. And I just caught up with him a couple of weeks back in Brisbane. He's not actively working with Arkose right now, but he was there for many of the early years. But two of us kind of came up with this concept of, hey, let's utilize things that machines aren't good at doing and shouldn't be good at doing. There shouldn't be any commercial value in them doing it. And the objective is simply make it more expensive for adversaries to attack it than their return on investment they get back. So it's a very different approach to anyone that's ever tried to build antibot software before. And we see some people talking about it. Obviously, they've seen us talking about it for all the years, but no one builds the software that way.

[00:08:45.140] - Speaker 2
It's still fundamentally built very different. The strategy is still very different to what we see the other players do. And it's really the only long term strategy against fraudsters is if they don't make any money, they don't attack you. As I'm sure your audience would be very aware, if there's nothing of value, you're probably not being attacked.

[00:09:01.230] - Speaker 1
Yeah, I always tell people you're probably never going to solve your actual fraud problem completely, but if you can make it just annoying enough that they don't make any money, they'll just go away and attack somebody else. And that's at the end of the day for most of us. I think that's the goal. But I think you're totally right. Most of the software that people use to stop bots, the bot piece of that is more of an afterthought than it is a forethought, and I think that's where you guys changed it up a little bit. This was your plan going in, if I'm not mistaken.

[00:09:33.310] - Speaker 2
Yeah, that's right. And it's kind of a pretty big contrast. Like, if you're using a bot solution, which is just designed to stop bots, which is pretty much every other player in this space, they're pretty happy if they're stopping 90% of the attacks being thrown at you, they're like, that's great. Or 99%. They're like, amazing. Look how good a job we're doing. We're constantly every day stopping 90%. The only reason you're seeing 90% being blocked every day is because the percent that gets past them is enough to fund the attacks. Whereas within Arkose, the big difference is they stop attacking once the mitigation occurs. They actually give up, and they might try and a new attack, but they just give up and they go away. So there's a pretty big difference there in terms of what the traffic actually does. And that's something you can kind of look for in your logs and your metrics and be like, hey, we just continually get hammered by attacks no matter what we put in place, just simply because there's enough of it getting in that they're still making money.

[00:10:25.350] - Speaker 1
Yeah. I think that even you block 90%, that 10% is still usually a lot like people don't realize, like box it isn't one or two, it's thousands, millions, billions hitting you at a time. So 10% of a billion getting through is still a lot of crap getting through there today.

[00:10:42.420] - Speaker 2
Yeah. And some of the stuff we're going to talk about today will really kind of talk about like even some of it getting through is very costly. So you got to have a pretty good strategy around this stuff because yeah, you're right. It's millions. We have one customer where we prevented billions of fake accounts last year. These are just tremendous scales that they're throwing people and they're making three $0.04 each account they open. Like, it's really profitable for them, right?

[00:11:08.470] - Speaker 1
Yeah. And you guys have some pretty good marquee clients on your website. You list a few so people, if you go to Arkose, their website and actually look at that, you'll see some of them. I personally have experienced it on Blizzard before trying to get into an account that I hadn't logged into in ten years. I wanted to see if World of Warcraft was still a thing, and it kind of was. And I got in there and played around a little bit during COVID times. But I did encounter your guys'your captcha, which is just one small piece of your overall business, but it was very comforting to see a familiar name pop up on my screen.

[00:11:42.670] - Speaker 2
Blizzard is a very near and dear customer to me. So the most stressful thing I've ever done in my life, not running a company during the madness that we live in right now, was running a guild in World of Warcraft in high school. That was far more stressful than running a company.

[00:11:57.480] - Speaker 1
Were you there? Were you playing guild bank time? I remember when they added the guild bank and everybody was just assholes about it.

[00:12:06.310] - Speaker 2
That's still happening for folks that don't play video games. Guild leads have access to the entire guild bank funds, and you might have a few other people. And obviously everyone's putting their money into the bank. And the intent of having a bank is it pays for the raids that you're doing every night. It pays for potions, it pays materials to go do the raids, blah, blah, blah. But then you have some horrible people that are like, well, I'm just going to steal all the gold out of the bank and then transfer servers and rename my character and start the game with a new guild with all this gold that I can use to myself. So that problem happens in real world as well as it does in video games. But yes, there's all kinds of fun stuff that happens. Fraud, and I guess that's a form of friendly fraud, I suppose.

[00:12:51.530] - Speaker 1
Yeah, it really is. I think we're seeing some of that happen right now, and I believe we're going to talk about that in a minute. But yeah, very much like all these people pay these dues, and then the one guy gets in and he does some social engineering, and off he goes with the whole bank at the end of the day.

[00:13:07.950] - Speaker 2
Yeah, gaming has so many amazing examples of it's just an entire different economy, entirely different world. There's so many interesting things that attackers do. But yeah, I'm a huge gamer, actually. Our first customer was Electronic Arts, so we met Bing Gordon at GDC and we pitched him our product, and he said, it's a terrible pitch, but we need a solution like that. So I'll introduce you to the security team. And we're like, thanks. And yeah, we still work with Electronic Arts to this day and many other gaming merchants.

[00:13:42.870] - Speaker 1
You guys kind of have the gaming thing kind of cornered there, which is a testament because people always joke about gaming. And it's for kids. It is what it is. But no, the adults that play, and there's sophisticated things that happen in games. It's weird in games now where some of the bigger games, there's full blown economies like your character in the game, especially even in World of Warcraft, it has a job to do, an actual job in a role, and you have to do it, and you have to do it well. Otherwise you get, quote, fired from your job. But you don't just pick roles. You don't just get to click the button and pull the trigger all the time. You have to heal people or you have to tank them, which is like, pull all the bad stuff while other people attack. You have actual jobs. There's economies in these games, trading. This guy can craft this thing. This guy can mine the material. So you have to trade. And there's monetary that train it's nuts. And there's value, massive amounts of value in stealing these established characters.

[00:14:42.570] - Speaker 2
It's called real money trading is the big one. So we protect a large number of game merchants beyond Blizzard, we protect Minecraft and Grand Theft Auto and Roblox and many others. But one of the objectives is taking the virtual currency from the accounts and then reselling that. So people want to get ahead in these games. They want to buy items, weapons, gear in the game. And you need virtual gold to do that. You can either go earn it yourself or you can purchase it from third parties. So there's like entire business economies where people are making millions of dollars a year by either using bots to create accounts and then automatically play the game and earn the gold or compromise people's accounts, credential, stuffing, et cetera, to then steal their virtual gold, transfer to their other characters and then sell it. So there's like a whole fraud economy around this. I'm actually giving a talk at RSA in a couple of months about lessons from the gaming world that can be applied to the metaverse and what's coming in the metaverse. Because the metaverse at the end of day is just 3D virtual world. It's going to have all the exact same problems gaming has already.

[00:15:52.540] - Speaker 2
So it's already a well defined problem space, and it's already been solved in many ways. So it's kind of just fascinating, kind of watching that all be rehashed. But it's people that don't come from the gaming space building these metaverse companies, and they're like, wow, we didn't think of these problems. These have all been solved before.

[00:16:09.540] - Speaker 1
This is the same thing we see happen. Every new startup starts their thing, and then they don't realize that fraud is a thing or bots are a thing, and then it happens to them. I can see people with these virtual deeds that they're doing in the Metaverse, where you buy a metaverse house and you get a real house in real life with it. Those things are going to be like people are going to be taking those and stealing the houses. Thank God we got the blockchain. But I mean, at the end of.

[00:16:29.230] - Speaker 2
The day, what can you do? So, like JPMorgan. Opened a virtual branch in Decentralland, I believe it's called. And if you can go into a virtual branch in the metaverse and open an account or log in to check your account, what if someone sets up a portal n that looks like that virtual bank and you go into there and you accidentally hand over your credentials? I don't know. There's a whole new world engineering potential, right?

[00:16:52.180] - Speaker 1
That is very fascinating. So I am going to be at RSA two up. You're the one in San Francisco, right? Because I know they do, like, some other smaller ones. The one I'll be there too. I'm doing a panel on synthetic identities. So we'll just shout out, everybody go to RSA, come watch both of our things. Alexander hall is going to be there too. So all my guests, all my normal suspect guests, we all have panels of some kind going on up there. Are you going to be in the big hall or are you going to be in the EFG?

[00:17:19.590] - Speaker 2
No, it's one of the big ones, like a 50 minutes presentation. So we're working on it's been a lot of work.

[00:17:25.230] - Speaker 1
No pressure.

[00:17:27.870] - Speaker 2
It's going to be a lot of fun. It's going to be a lot of fun. But feel free to reach out. I'm sure you'll tag my Twitter or link. I have a speaker discount code that I can give out to Friendlies. So if you ping me, we can give you kind of a discounted rate to get in full conference pass so you can kind of see my talk and you can see the rest of them as well.

[00:17:47.830] - Speaker 1
Excellent. Yeah, that is one of the price of your conferences, but it is one of the more technical and useful conferences that comes in this type of space. There's quite a few conferences now obviously with budgets and the way they are coming out of the pandemic, we've had to be pretty strategic about the ones that we go to. And I do have to try and take speaking spots as much as I can to lower the cost so I can bring my staff because I love to go to conferences. Selfishly, I will fully admit they are a ton of fun. But I do need to make sure that I'm training my staff and that they're learning too. So I have to do what I can to make sure that I can sacrifice being up in front of a couple of hundred people in order to get one of my staff in for you, spend the money.

[00:18:25.720] - Speaker 2
There such a sacrifice for you.

[00:18:27.670] - Speaker 1
I'm sure it's rough. You know me, I don't like being the center of attention ever.

[00:18:33.860] - Speaker 2
Yeah, no.

[00:18:35.730] - Speaker 1
So I think that's a good little segue. I think we're going to talk about Arkose and how they address all these things as we go through some of the trends that you're seeing and the things that you're seeing right now, which I think are going to be super interesting, going to be a lot different than the normal trends that we talk about. Check fraud and all that. This is going to be like actual hacking stuff that's happening. So I do want to get into that right now. Obviously we were just talking about some of the virtual banking and guild banking and some of the things that are happening with that. I think it would be kind of a missed opportunity if we didn't talk about what's happening right now with a particular bank that a lot of us have had workings with in the past. I spent some time in the Bay Area. A lot of the companies that I have worked with in the Bay Area have banked at this bank. I'm sure that you guys might have some dealings with them. So let's talk just briefly about Silicon Valley Bank and some of the scams and phishing things that might be happening as related to that and how it can be applied to the rest of us, if you wouldn't mind.

[00:19:36.120] - Speaker 2
Yeah, so I can first maybe key this off. So Silicon Valley Bank, we are a customer of SDB, as is any tech company, any of your tool providers, any of your vendors that are kind of high growth startups, they are all likely members of SDB. The reason for that is a concept called venture debt. So venture debt is basically an extension to a capital raise. So if I raise $40 million, they'll give me an extra 20 million that can bridge me a little bit further until I need to raise more capital. And the intent of high growth startup, historically not anymore, historically has been grow as quick as you can. Don't be profitable, just grow grow land grab that's shifted that mentality has changed over the last twelve months, where it's now a profitability mindset. So we're going to see some changes. There. Very different kind of businesses will survive a profitability world versus a high growth world. But the way the venture debt works is you must maintain a minimum amount of your dollars with SVB and you must do deposits with SBB, which is kind of a perfect storm. When SBB fails, everyone has all their money with them because that's what you had to do.

[00:20:42.190] - Speaker 2
I just wanted to provide that context because I don't know if everyone knew that. It's like, why don't you have multiple bank accounts? Well, you couldn't. You weren't allowed to. And they're the only one adventure debt because they had relationships. They're not the only one, but they're the best one because they have relationships with the VCs. They understand how high growth companies work, and therefore they can allocate risk based on that. A typical bank can't think that way. They look at your balance sheet, they look at your profits are like, yeah, now you're not profitable. We're not going to give you a loan. It's a very different kind of bank. So it's a very important part of the ecosystem, has been for 40 years. Many of the big tech companies were built on the back of SBB. So, yeah, it's incredibly sad to see kind of, I guess, what's happened. But the net net is last week they failed. They've now opened this bridge bank and they're backed by the FDIC, which came out over the weekend, which is great news because a lot of companies I knew people that had 50 plus million dollars in there that they couldn't extract, which impacts any business.

[00:21:39.380] - Speaker 2
There's no business that can weather $50 million is being taken off the balance sheet that's even big companies aren't okay with that sort of stuff. So it's been pretty material, I would say, certainly since shockwaves. Another question is what happens? Like, does SBD get acquired? Can they operate as a bridge bank? They got a new CEO. I was talking to him yesterday. He's very committed to making it work. We're not all really clear on what that means. We don't know how long it's going to live for, so it's a little bit uncertain right now. So what everyone's doing is they're changing their bank details. So instead of our customers paying into our SPB account, we're asking them to pay into a B of A or a Wellspower account, whatever account. And guess what? That's an amazing time to do some phishing attacks and social engineering attacks. Yeah.

[00:22:24.270] - Speaker 1
I mean, what better time to be like, hey, we understand you're a customer of please click here to sign up for your account. Blah, blah, blah, we're part of the government. And you look at those headers and it's not even close. People are panicked. They're trying to pay their employees. I think people don't understand. Like, a lot of payroll goes through SVB too, everything. Yeah, there's regular people. I know everybody wants to say, F, the bankers at the end of the day, that's just like the internet, rah rah RA thing. But there's regular people that had nothing to do and no say in the matter that were, at the end of the day, affected by this. I think one thing that's going to be kind of weird coming out of this is, and I think you touched on it, is like, what is the future of this debt going to look like? There's a lot of startups that everybody knows and uses every day that aren't profitable. It's going to have to be a very different scene, because, like you said for 40 years, the idea is you start up a company, you go, go, go.

[00:23:25.020] - Speaker 1
You get that growth. But in order to get that growth, you have to have user acquisition, which costs money in order to create a product that works and functions at scale. It takes money. So you need people to give you some money in order to do that. And even Amazon wasn't profitable until, what, like, 2015, and we all were using them every day at that point.

[00:23:44.840] - Speaker 2
And a lot of companies FPB is just kind of yet another thing. On top of the broader ecosystem changes, which I'm sure everyone's seen, the stock market and venture capital raising venture capital in general has gotten a lot harder. Pros and cons. I think we'll get, at the end of the day, better companies on the other side of this. There's going to be probably fewer jobs in tech because less random things will get funded, but I think it'll end up being a NetNet better thing for the ecosystem. Cybersecurity as a whole is just full of really bad vendors with really bad technology. I remember going to Black Hat six years ago, and every second Booth said the same thing, and then the following year, half of those companies no longer existed. And this actually is what ultimately led to the idea of we have a guarantee on our product. We have an antibod guarantee. If you buy Arkose, we contractually guarantee we will stop attacks. If we cannot stop attacks, you can actually break the contract. We're the only vendor that does that in our whole space.

[00:24:51.630] - Speaker 1
I like SLAs.

[00:24:52.960] - Speaker 2
And then the next thing we did was we put a warranty on top of it. So not only can you break the contract, we'll actually cover losses for you. So we have a million dollar credential stuffing warranty. And that was fueled from the simple fact that it's so hard to stand out amongst all these companies that are getting funding, that have terrible technology. And that was what was the genesis to me coming up with that idea. I'm thinking a lot of those companies won't get funding in the future, so maybe I wouldn't have needed to. In the world to come.

[00:25:22.680] - Speaker 1
Yeah. Bad time for me to start kicking around an idea that I had in my head for a while now, so maybe I'll just a good idea.

[00:25:35.050] - Speaker 2
We don't need the bad idea. Yeah.

[00:25:37.930] - Speaker 1
I'm not in it to get $100 million and run away. I'm in it to secure my generational wealth. So we'll see. We're going to start writing. So I think that's a good transition into with an opportunistic time to start sending these phishing emails and start trying to get ahead of what these other people are doing. As they move their money around, these large companies move them millions of dollars around. It's become this group of people, a large group of people, too, by the way, that their entire thing is to find a way to monetize, exploits and.

[00:26:17.130] - Speaker 2
Sell everything like that. That's right. Yeah. So as an example, we're reaching out to all of our customers and telling them, hey, don't send your money to SPB. Send your money to our new bank account. And that's exactly what a fraudster wants.

[00:26:31.330] - Speaker 1
That's a perfect sense of my bank account.

[00:26:33.410] - Speaker 2
Yeah, exactly. And we've good customers that are good at infosec reach out to us on other channels like Slack and things like, hey, does this employee work for you? They're asking us to change your bank details. That's what you should do if you're in the finance space. I don't know how many of your listeners are in the finance space, but, hey, if anyone's asking you to change bank details because of this, make sure to verify because it's a perfect time for fraud. This is absolutely happening as we speak. They jumped on this when there was the government handout. They jump on this like the day of they're incredibly impeccable on timing. So it's already happening.

[00:27:11.450] - Speaker 1
Yeah. I mean, these people, you got to remember, most of the cybercriminals, their day job is crime. So they're sitting there all day, and they got 15 TVs running with every single news thing. And the second they hear something, even rumbling, they're in there trying to figure out the underworkings of it. There is a tremendous amount, and they're sharing it, and they're selling what they're sharing, and they're selling what they learn. And I believe that you guys and I think that most people do is they call it cybercrime as a service. We all know software as a service, but there's cybercrime as a service. And I think that with you guys, you guys spend a lot of time, you have people that are actually in these channels looking at these things, and you have Bret Johnson on there, the chief criminal that former top Ten Most Wanted FBI. So you guys are aware of these things that are happening. And I think that it's super useful when you hire people that come from that world, because I have my sources that I do call every once in a while and say, what are they trying to do here?

[00:28:09.880] - Speaker 1
And then they say, well, this is what I would do, and it's been super helpful to figure that out.

[00:28:14.430] - Speaker 2
Yeah. So let me explain this a little bit more. So, cybercrime as a service, the term itself isn't new, but what I would say is new is the accessibility of it. So the accessibility has shifted quite a lot. So we historically, we protect some of the largest companies in the world. So we have a very large target on our back. That's just the nature of our job. And fantastic, that's what we do, bring it on. But the benefit of that is we always see the most modern techniques made against our customers before they make their way down to kind of the rest of the world. Right? And the trend has shifted from individuals kind of bringing together attack tools and making the attacks like the most common attack that's going to be relevant for your audience is credential stuffing, where they're using bots to test credentials, to break into your accounts and then figure out what's of value in the account. Maybe there's a credit card on record and they do return fraud or whatever it may be, but they're breaking into the accounts. And that used to be, hey, I used to need to go manually get a bunch of proxies, I need to go find the tools, open bullet I needed to go set it up, I had to go find the passwords, blah, blah, blah.

[00:29:22.630] - Speaker 2
I had to go do all that work myself. I mean, you have to kind of be somewhat technical to do that. And that information used to be a little bit hard to find, maybe on the Dark Web. And Dark Web is not that hard to access. It's Tor browser and you're in. That was maybe three or four years ago. About 18 months ago, we saw a dramatic shift from dealing with individuals attacking our customers, to dealing with organized businesses that built SaaS businesses that were designed to attack our customers. So it's completely shifted. It's pretty mind blowing. And you can now just go search on the Internet and find tools. There's a common one called Zenrose. It's a UK company that got venture funding. What prize? Surprise. That is designed to bypass antiscraping tools. And you can either pay them to do it, or they will give you tutorials on how to do it. You can go search Zenrose and you will find it. And it has copious details on how to bypass typical bot vendor software and all that kind of stuff. Or you can just pay the money and they'll do it for you.

[00:30:26.790] - Speaker 2
They can go scrape the inventory, they can go grab whatever you want them to grab. And they're a business with engineers that every day, their job is just to build ways around tools like Wax and things like that. So that's kind of one thing. The access to really sophisticated attack capability. These aren't like script kitties. These guys are really good, really good at what they do. So that's one problem. The other problem is the information has gone from being kind of buried on the dark web to being in discord channels. You can just go search like there's one called Scraping Enthusiasts where you can just go search it and you can go join their discord channel and they will tell you everything about breaking into anything you want to break into with automated tools. And it's all just publicly available. They just exist and out in the open. And it's kind of scary to think how easy and accessible the information is. There's another community where you can learn how to steal hype inventory like limited edition items, and they'll teach you how to pay taxes and they'll teach you how to do whatever you need to do to make the money look legitimate.

[00:31:41.550] - Speaker 2
It's pretty scary. This is just the cybercrime is a service concept. Whilst again, not new, just the accessibility has risen up to the forefront. And what the NetNet is is it's cheaper than ever and easier than ever to make the most sophisticated attacks that are really out there. And that's really scary because that lowers the barrier to entry for crime and it makes the effort as a defender materially harder. It's much harder to defend against these cybercrime platforms than it is to defend against individuals. It also changes the equation around how do you make it too expensive for them when they've got 1000 people funding them? So it's a really different ballgame. And this is kind of a concerning trend, I would say, going yeah, a good thing to be aware of, that it's happening because the ballgame has changed in the last twelve to 18 months.

[00:32:36.720] - Speaker 1
I was saying, like I said on a couple I think it was a couple of episodes back, that the accessibility is, I think, one of the main drivers. This was so often thought of as something that people that have computer science degrees that are sitting in their basement in Russia were doing. But now it's literally your neighbor in your suburban neighborhood that has a computer. He has a VPN, he has a Tor browser. He paid $50 to buy one of these little pieces of software that he got on Telegram or on Discord and he's out there stealing sneakers now and then he's out there then relisting and cleaning that money. It's so easy. And you never have to get up from your seat, ever.

[00:33:20.510] - Speaker 2
I have two perspectives on this. One is these people are incredibly entrepreneurial. When you say the word entrepreneur, I can't think of a better person describing than these criminals. And unfortunately, it kind of tarnishes the brand of entrepreneur. But they're incredibly entrepreneurial. These people work harder than the regular guy out of day job. They're in it to figure out how do I make money? They're form long hours. They're all talking to each other for one level. There's some respect for that. But the other part of it, the problem with the accessibility and ease of getting into this, I would consider kind of these bot attacks kind of a bit of a gateway drug to crime. Because once you it seems not that bad. Stealing some stuff from a store or buying stuff and then reselling it. It's like, hey, I'm using my credit card. It's okay, I'm making a huge return. But then it kind of gets darker and darker and darker and darker. Now I'm breaking into bank accounts because, hey, why not? It's not that hard. And now I'm suddenly buying drugs. And then I had a presentation once with the head of Cybercrime of the UN, and his perspective is, this stuff all ends in the same place, and it's all really bad.

[00:34:28.290] - Speaker 2
It gets really dark very quickly for people that go down this path. They start as an 18 year old doing these more simplistic attacks, and then by the time they're 25, they're in proper crime because that's the community. That's what you get stuck in, and it ends up in child trafficking and horrible shit. That's where the end game is for these people. So it's really important, not just to protect our merchants, but I think it's really important in general to help the baddies against themselves, to be honest. Like, stopping them doing this stuff is a good thing for them as much as it is a good thing for our customers.

[00:35:02.590] - Speaker 1
That's an excellent angle. Like, I've never thought about that because I've seen you get that rush from that first one, and then you want more everyone in, the more every one.

[00:35:13.270] - Speaker 2
Of us, we're helping stop that from occurring. So this is a really important mission for the entire industry. It's not just about protecting our customers. It's fundamentally it's helping shift people out of crime long term. So everyone should feel good about being involved in this space. We need more people in the security and fraud space, but it's something that we care quite a lot about.

[00:35:33.900] - Speaker 1
Arkose I think that as we talk about some of these little things that have been happening, you talk about these credential stuffings. I think we've all seen some of these attacks directly on our site, and we've thrown things at it. I think first, everybody's always their first exact step is to do some sort of block list, it seems like. And then after that, you usually hit a captcha, and then it's trying to find the balance on the captcha, like when to fire the capture you do to everybody. And a lot of sites, unfortunately, do say, yeah, everybody captcha, which pisses me off. And then I think over the last ten years, we moved more into these dynamic rules. And then I think then there was these companies that came up that tried to change the web forms, so every time you loaded the page, it was a scramble. It didn't say first, underscore, last. It was different. But those really slowed down sites, and they were really heavy. You had to have boxes. And now when we moved to cloud infrastructure, that got to be a little more difficult. But I'm sure as that moved from a physical box into software, that that's easy enough for these guys to block now too.

[00:36:35.150] - Speaker 1
So what are some of the things that you guys, if you can kind of take me some of the history of what you think some of those things are and how Arkose is doing that, if you could.

[00:36:43.790] - Speaker 2
So first and foremost, a good place to start is, how do I measure this type of attack occurring against me? There's a pretty easy way to measure Credential stuffing, which is the success rate of logins from attempt to login being successful. The way credential stuffing works is they're just testing hundreds of thousands of attempts, right? So naturally, when you're getting attacked by Credential stuffing, the success rate plummets off the cliff. Typical login success when it's healthy should be 60% or better. So 60% of attempts should successfully log in. So if you're around 60% or higher, you're good.

[00:37:20.780] - Speaker 1
There's your baseline, everybody.

[00:37:23.070] - Speaker 2
That's a really good metric to track. You should track that metric. Every company should track that metric. During a Credential stuffing attack, that success metric goes from 60% down to one to 3%. So if your success rate is in the one to 3% ratio, you're being attacked. Absolutely, you're being attacked. And that's, again, like a really good metric. Just as a baseline. Just start there. That's a good metric as a baseline. And then in terms of mitigations, there's a number of mitigations. Of course, it starts with the security team will have a WAF web application firewall, which is at the edge, and they're trying to mitigate at scale things like these in the same IP address over and over again. You can just block that at the WAF. That's an easy one. Really good. Attackers at this don't do that. They use proxies and they rotate through IP addresses. So they're only making a few requests per attempt and then they abandon. A WAF can't really help you once they start doing more sophisticated things like that. So then the next kind of layer is things like device fingerprinting. So, okay, so I've got unique IP address every time.

[00:38:27.750] - Speaker 2
I've got the same fingerprint every time. So everyone on the line probably uses fingerprint vendors and things like that. And that's another good kind of starting defense, right? But the really good adversaries randomize their device fingerprints. So then they start coming at you with unique looking fingerprints, or even worse, they pick the most common fingerprint, and then they just randomize the attributes that are expected to be random, like the language, the time zone, things like that, which are user configurable, the user configurable attributes the ones they randomize. They don't randomize the things that you shouldn't be changing. Like the user agent string, they won't randomize that typically. And they'll pick the really common one. So the most latest version of Chrome, if you block on user agent string, you will kill a lot of your good users. So that's not really a good strategy. Unfortunately, you'll be able to see that a huge spike, but you can't really use it as your signature to block on because again, everyone uses the same signature.

[00:39:26.380] - Speaker 1
There so many times I join smaller companies when I come in to do their fraud strategy. I will be talking to some of the other teams and they're like, yeah, we have a device fingerprint. Where does it come from? What is it like? Well, we use browser string. I'm like, so everybody's got the same one. Anybody using a regular out of the box apple with Chrome is just using the same string.

[00:39:47.450] - Speaker 2
Well, it's the thing like if you buy an iPhone in New York and you buy an iPhone in San Francisco and you turn them both on, they have the same fingerprint, right? That's just the reality. I mean, there's some differences times and the IP, et cetera, but the NetNet is going to have the same fingerprint. There's a whole bunch of different fields and features, but phones really, they clash a lot. There's not really a great way to do really unique fingerprinting on a phone. Like with a browser. Desktops are a little bit easier because you got different screen resolutions and stuff like that. But every iPhone has the same screen resolution, so you lose quite a fair bit when trying to fingerprint phones. So you got to be careful there. I can't rely on IP, I can't rely on fingerprint. So this is where it starts coming into kind of more difficult stuff. Like you then need to start thinking about, okay, what's the reputation of that IP address? Is it a proxy? You can't figure that out by yourself. You need a vendor. You need a vendor for that sort of stuff. Autos does provide an IP reputation component, but there's others that do it as well.

[00:40:50.530] - Speaker 2
It's a pretty typical kind of feature IP reputation. The device fingerprint is like, okay, I can't rely on the fingerprint being the signal for the attack. You need to look at different features of fingerprints, so you need to look for fake fingerprint signatures. So one of the capabilities we offer is device spoofing detection where they generate fingerprints that we've never seen before on any of our customers. So those are good things that you can take action on because the more unique something is, the more likely it's to be generated as opposed to being a real device. But again, you can't really build that in house because you don't have that network. So that's another vendor.

[00:41:27.120] - Speaker 1
Exactly what I was going to say, because again, additionally, all the companies that ever join. Everybody wants to just well, we have all the data. We know our customers. We could just do that. We could just do it ourselves. I'm like, well, that's great. And I think for us, specifically here at Iherb is a great example, is we do have an ATO tool that we built in house, but we set our baseline with that tool. So we know because our customer is slightly different because of the regions that we do business in, but our baseline is different than what our baseline would be for someone that's doing business primarily in the US. But at the end of the day, our fraud tool is not as successful without all of the data from all of the people that are in our space, around our space, adjacent to our space. And we get that by using a third party tool and purchasing that information from them and using that in our own model. We pull information back, especially from one of our other tools to say, this has been seen 15 other times today. It's buying regular stuff.

[00:42:21.070] - Speaker 1
Don't worry about it as much as we just saw this for the first time ever, and we have all of the top 500 merchants in the world. Probably fake.

[00:42:30.010] - Speaker 2
Yeah, I think that's big difference between buyers builds. You can't build certain things. And I think just the sophistication has changed to the point where I don't think people are going to be considering building unless you're I mean, like, again, we work with the kind of brands that don't buy and they they still bought from Ourco, so it's it's yeah, it's just a really hard problem to do by yourself in house. And the folks listening, likely. Yes, our day job is security. But the companies we work for, they're not security companies. Like, they're merchants. They're selling inventory. That's not the mission and motto and the lifeblood of what the business does. So it's a bit hard, obviously, like an Arkose. That's all we do. All we do is stop these baddies from doing stuff. We don't do anything else.

[00:43:11.440] - Speaker 1
Even the security people that they hire that are doing those jobs all day, they got other things they're doing. Their one job isn't stopping bots. They have other things.

[00:43:19.680] - Speaker 2
Right. And then another really healthy signal is, what are the attackers doing? So are they jumping straight to the login page? Are they jumping to other flows? You can kind of use that also as a pretty good signature, too. And then another good signature is behavioral biometrics, which sounds far more fancy than it really is. It's really looking at motion, movement. And yes, the attackers do have tools that spoof this even open bullet, the common tool. It does do spoofed mouse movements and stuff like that, but it's still yet another thing the attackers have to set up and do. The goal is you kind of want to do a bit of everything and force them to keep spending more money and time dealing with your defenses and someone else hasn't set up the right defenses or the profit return. Doesn't make a lot of sense. The good thing with these attacks is good and bad thing is they have to happen at scale. Which means if you can incrementally add cost, every attempt to point where that breaks the math equation, then you've won. And that's where, again, like you mentioned, dynamic rules come into play.

[00:44:24.930] - Speaker 2
So you use all these kind of data signals first and foremost to kind of make an assessment. You got to do like a risk reputation. It's not just on or off. That's a really bad way to do risk because you'll blow up your user experience if it's always on and you'll have no security if it's always off. So you can't be boolean. So that just doesn't work, especially in the merchant world where there's so many competitors that they can go buy from them. You don't want to have friction. It's not great. So you got to be risk graded. So the higher risk, the more friction you want to impose. So it might be something like, okay, we think you're a bot. A capture might be a good response. Problem is, a lot of these tools have good ways to bypass captures and that's a different problem. Another potential challenge is multifactor authentication. But you need your customer to opt into multifactor authentication. You can do email verification. That's a pretty good one. That doesn't require opt in because you already have email. Obviously vulnerable to things like email compromise, but it's a good one for stopping things like cred stuffing.

[00:45:20.830] - Speaker 2
Each attack technique you need to use a different defense. So it's really dependent on what the attack is doing as to what's the appropriate challenge. So you really need to figure out what's the context of the attack. Credential stuffing the goal is really to make the cost for bots too high. If it's social engineering, you really need to make things like multifactor and stuff. We're going to talk about how you get around even multifactor. They've got new techniques to do that now too. But everything is about increasing pops and effort. There's no silver bullet, but it's all about incrementally raising that effort through these different types and approaches and we basically do all of that. So we have a bit of everything. And our perspective on this is you need to do a bit of everything. You can't just be a one trick pony. If I'm a behavioral biometrics vendor and they spoof biometrics so it looks legit, well, I'm no longer useful. I can't stop the problem. So you got to obviously be focused on fundamentally, how do I make the whole problem stop? Which is why we have kind of a pretty broad spread of capabilities.

[00:46:17.810] - Speaker 1
Yeah, and I did a way back in 2019 again, I did a post for the MRC about multilayer and I compared it to a lasagna. Like you have to have multiple layers. You just have to I think one of the things that too that's super important and this is where I see a lot of veteran fraud finders get stuck too, is they get really complacent in their tool and they're like this is just it does everything I need, it's all I ever need. And they don't ever look at emerging technologies and what the trends are as much like they're aware of the trends but their tool might not address it. And they close their mind off and they're not open to experimenting with new tools. And that's something that every year for me. We're always looking and evaluating at things and we made a change to our tool last year because the tool that we had didn't have the capabilities that we needed and we have to have that open mind. I think everybody, especially in this evolving world where now they're coming at us with tools just as sophisticated like those tools that you've used for the past ten years that you think is great and no one's ever going to figure it out.

[00:47:21.260] - Speaker 1
They figured it out and they know how to get around it now. So you have to start adding these other things on top to kind of prompt your customers because you don't want to get good customers. Like I always say, we always are focusing on these bad actors. But you have a large amount of your customers are good. So you don't want to be prompting them to force them into MFA or force them into solving a captcha when you know it's the same guy that you've seen 15 times the last 15 years. He's trying to buy his monthly protein. You need to be dynamic and I think that you said it excellent when you're like the different places need different things too. You need something for the credential stuffing, something to log in, you need something for purchase, you need something for account create, you need something for email change, you need different things and you need something way out on the perimeter too before they even get to any of that.

[00:48:08.250] - Speaker 2
It can be pretty overwhelming if you're starting fresh. But it does require that and that's just the sophistication. And if you don't have it then guess what? You're the target because you're suddenly now the cheapest.

[00:48:21.290] - Speaker 1
That's what we're trying to make all our people go to is you. Now let's talk about forcing people into MFA and why that isn't. Well first of all, obviously it sucks for it to be forced into MFA for most people. Especially for the regular person. Like I MFA a lot of my things just because it's the nature of what I do for a living. But I think for my mom, she would lose her shit if she all of a sudden had to do it on her bank. And the first thing she would do is probably auto opt into the text message. And why is that not good anymore?

[00:48:51.470] - Speaker 2
Yeah. MFA by the way, is a really good thing. So I always use MFA. If you can enable MFA, do it. It's a good thing we are in the security space. We should all be good citizens of good security. So I highly recommend it. We all know the friction is important but the NetNet is the average internet goer does not want any friction and does not want to have to be opted into a security experience to buy stuff on the internet. They do not feel like they are the ones that should have to go out of their way to protect themselves. They feel like that's the merchant's job. It's up to you to protect my information. I'm not using the security features. Too bad. It's up to you to protect my stuff. Which is fine and fair I think as well. I sympathize with the customer. The goal is how do we make security as invisible as we possibly can without requiring user opt in into stuff. I think user opt in is not great as a security mechanism in general. But it is obviously good to have if you're a security miner to want to protect your stuff.

[00:49:51.790] - Speaker 2
But yes, there is no silver bullet. MFA is not a silver bullet. Adversaries have figured out numerous ways to overcome it. We can talk about a couple of those. And not only that, they've also figured out ways to monetize against you all how to make money from the MFA flow itself. And it's just again it goes back to this entrepreneurialism in fraud. They're just so creative. So there's two things I like to cover. One is a concept called international Revenue share fraud or SMS toll fraud. And then the next one I'll cover is men in the middle reverse proxy phishing where they can actually bypass MFA on a phishing site. They used to have to call you to get your Pin code but they've got new ways of getting around it now. So let's talk about the SMS first. And this can be on any flow where you trigger an SMS message. This isn't just logging in OTP. That's obviously an example. But it can be forgot password. It can be account creation. Maybe you send a text message to confirm that. That's a unique customer. Another technique to raise cost is sending text messages.

[00:51:00.290] - Speaker 2
What fraudsters have figured out is they can use premium numbers where they collude with telcos and they get millions of numbers where when you call that number or when you text that number they make money. Kind of like the idol.

[00:51:19.770] - Speaker 1
Is this like the old like the 900 number things is when absolutely same concept.

[00:51:25.710] - Speaker 2
So you dial them and then you get charged for it. Typically used for game shows like I'm going to vote for this person, it's my favorite. And they make. Money because you just paid them a dollar for that text message. The difference here is OTP cost or phone. SMS cost differs by country. So in the US. It's quite cheap, like a fraction of a penny. So this fraud doesn't happen in the US. Because they don't make enough money per SMS message. But in the UK, it's a few cents. In Indonesia, it's about thirty cents to send a text message to someone.

[00:51:56.170] - Speaker 1
In Indonesia, $0.30.

[00:51:57.690] - Speaker 2
Yeah. Vietnam is about $0.15. So if you're enrolling a phone number from Indonesia, it's going to cost you thirty cents. The fraudster will keep three to. What they do is they use a bot to automate your SMS text flow. And either, every time you create an account with them, you're sending a text message. They use a bot to mass create accounts and then they make $0.03 every time they create an account, which means it's costing you $0.30.

[00:52:22.820] - Speaker 1
That's a lot of as the merchant. Yeah, as the merchant.

[00:52:25.890] - Speaker 2
Really expensive. And then same goes for login, where they can basically change the phone number that you're sending the OTP to and continually trigger, oh, I forgot my password, I forgot my password, I forgot my password. And we work with merchants where they're losing hundreds of thousands a week to this type of abuse. And these are big merchants that you're all familiar with, that huge losses. We have some customers where it's millions a month and it happens overnight. It's not something where it's like the bill goes incrementally up. It's just like once the attackers figure out you've got a vulnerability here, they completely hammer you.

[00:53:04.750] - Speaker 1
Hammer it, yeah.

[00:53:07.450] - Speaker 2
And again, you can identify this one pretty easily. So what you want to look for is, and this is the weird thing, most fraud teams don't look at the SMS bill. That's like the finance team's job. But now it's a fraud team problem. So I think we're going to start seeing more fraud teams getting looped into, hey, we're seeing fraud on our SMS bill. What the hell is that? But the countries you want to look for are primarily in Europe. I can mention a couple of them. Basically, if your baseline bill changes dramatically, but your user registration or your good traffic isn't changing in these countries, you know you've got a problem. So a couple of the big ones are, and they're all countries you're not typically probably selling to. So, like, I mentioned Philippines, Vietnam, Malaysia, Indonesia, sri Lanka, Bangladesh, Russia, nigeria. We can actually put the list maybe as part of Kenya and even the UK. Because again, in the UK, it costs several cents to send a text message. The problem with that is you can't really block these. Maybe some merchants are okay blocking some of these regions, but you're not going to block the UK.

[00:54:21.370] - Speaker 2
You still going to want people. Maybe Jordan will block the UK, but probably not. So again, you need to go back to what are the techniques to stop adversaries using automation on top of the MFA? So it's not just you can't just use MFA to stop cred stuffing because you're going to get hammered with this fraud instead. So you need to still use antibot techniques in front of your MFA now to stop this type of fraud from happening. It doesn't end.

[00:54:51.230] - Speaker 1
For two years, I've been up on all those stages, just ranting like a crazy person about you're losing more money on abuse attacks than you ever are on fraud. Like, you worry about your two basis points on your fraud losses. Meanwhile, someone's ripping you for $30 million on SMS fraud for us. People try and create fake accounts and they hit us with bots on upvoting reviews. We got privy to that, but even that, nobody's immune to these things. We were aware it was happening, but we needed to throw technology at it. And that takes a little while to throw the technology at it.

[00:55:25.400] - Speaker 2
Yeah, they do require technology solutions. And again, it's hard to keep this stuff in house. You can, you can play whacka mole if you've got the resource. You're going to need quite a lot of people. You're going to need engineers, which are really hard to get. As we all know, engineering resources are probably the hardest to get because they're all being used to grow the business. Right? Not protect the business. That's just the reality.

[00:55:44.180] - Speaker 1
Yeah, the growth. Like what they have when they put up their little project sheets. The ones that have the biggest dollars attached to it are the ones that go first. And I'm sorry, what's something that's worth $15? Even if it's a $5 million problem, the $15 million profit, one's going to go first. But at the end of the day, I feel like so much the knee jerk response to these things is like, just turn it off. Just stop it. That's always the first thing when it could be something that's useful or something that's liked when you really need to just solve the problem instead of just breaking it to make it go away. Does that make sense?

[00:56:17.350] - Speaker 2
Yes. You can't really turn off MFA so easily. That's a tricky one. You'll have problems if you do that. So, yeah, they're definitely all about boxing in. Again, it's good job security. We're not going anywhere. Security teams are pretty important. Security and fraud is a critical component. Well, justifies the cost of those orgs. So that's toll fraud. And then the last one I wanted to talk about is this new technique called actually, Microsoft released a blog yesterday. They call it adversary in the middle. We've been calling it man in the middle. Reverse proxy. I guess they came up with a new term because why not? So either it's adversary in the middle or man in the middle. But it's a new type of reverse proxy technique. So basically what the fraudster does is they set up a phishing site that looks like your site. They send out a bunch of emails claiming to be you. Your customers click the links, they go to the fake site and they input their username and password because unfortunately, that's what happens. This particular technique is focused on accounts that are protected by multifactor. So typically with multifactor, if you have username password, that's not enough to get into the account.

[00:57:22.580] - Speaker 2
So that's good. That's why we use multifactor. This new technique, when they put in the username and password, what it does is in real time, it sends those credentials to you as the merchant's real authentication server, right? So they've sent up the real username password to your real server from their fake site. And that makes your real server say, okay, you've got the correct username and password, now give me the multifactor. So I'll trigger OTP back to the user's real phone. So now your customer who's at the phishing site just got a text message from you or an OTP pin or a push notification or whatever, asking you to confirm that this is you, and type in this code to verify that you're trying to log in. And what the phishing site does is it updates the UI to say, now please input your authentication code, and then you type in your authentication code into the phishing site. And then it sends that again to your real merchant back end authentication server, which says, yes, you've given me the real authentication code. Here's the login cookie. Go about your business. And then the attacker just stores the login cookie.

[00:58:26.380] - Speaker 2
And now they can access your account anytime they want. They've got a validated cookie.

[00:58:30.300] - Speaker 1
That'd work even for Google Authenticator too, wouldn't it?

[00:58:32.690] - Speaker 2
It works for everything. Yeah, it's super scary. And there's tools that you can get the SAS cybercrime as a service tools. There's one called Evil Proxy, which will perfectly clone your website, perfectly clone the Google authentication flow, perfectly clone the Facebook flow. It looks like it's the legit thing, but it also works for push notifications. It works for, as you say, the OTP from a Google auth. It works for SMS, it works for everything. So this is the new phishing technique which can be infinitely scaled. There is no human involvement for the fraudster. It's just I'm setting up a website and I'm mass collecting login cookies. All these accounts are protected by multifactor and I'm still getting in them. Some companies we work with will require multifactor, not just on login, but also on changing account details or something like a high value item or whatever it may be, like a fintech might do on a transfer. You need to also do a multi factor. So what the phishing site does, it's pretty funny actually, is obviously when you give them the MFA, you've given the correct one and they've logged in as you, but they'll say, oh wait, we're having some Internet difficulties.

[00:59:43.310] - Speaker 2
Just wait a moment. And they'll do like a spinning wheel and then they'll say, oh we're sending you a new pin. Type that one in. When in reality what they've done is they've gone to the high value thing that triggers the second OTP. And now that's getting sent to the real customer and then they're putting it in again.

[00:59:56.590] - Speaker 1
And you could disable or you could change the device that the MFA is on by doing that, couldn't you?

[01:00:03.220] - Speaker 2
You can do everything. It's very creative. So this is where you need to do things. And you might think, well I can have a continuous authentication. Well the IP address that logged in is the IP address that's being used because they're proxying everything. So this is where things start getting quite complicated. So this is where you need to work with your authentication provider because it's really hard to protect against these kind of attacks. Again, you're basically saying hey, it's on the customer to figure it out. That's not quite true. There is technology that can solve this. There are a number of techniques. We're launching a product around this phishing technique. We actually have about six or seven customers using it today. Some really big merchants that are using our technology to stop this. But it's a really sophisticated and we've only seen it at the high end of town. But this is coming for the masses soon. Everyone should be very mindful that if you've got MFA, that's great as a great baseline. But that ain't enough anymore. You need to start thinking about how do I now protect my MFA itself? Like MFA is just not the silver bullet.

[01:01:06.280] - Speaker 1
That's crazy what it was. I'm starting to sweat over here right now. I'm not going to lie. I got MFA on a lot of things. And my Google authenticator, I got a scroll on these days.

[01:01:18.390] - Speaker 2
This is just the arms race, right? As we build technology to combat them, they build technology to combat those tools and it will continue forever. This is not stopping. Which is why again you need to focus on as long as they're not making you're winning long term, but just using tech to stop a single kind of point of failure. You need to have a bigger strategy, a more broader strategy than that. But yeah, these are the joys of what we get to kind of figure out. This is the puzzles of being in the security space, which again is a bit different to fraud.

[01:01:48.090] - Speaker 1
It is.

[01:01:48.870] - Speaker 2
Stopping the money movement is the ultimate goal of a product like Ircoast. But we don't do that. We sit top a funnel and we try and make it as expensive as possible. And if we can't stop them at login, we give all of our data to the merchant so they have a chance to stop them before they commit the fraud. But yeah, it's a team effort and it's hard. It's grueling work. There's a lot to do.

[01:02:09.390] - Speaker 1
It's weird because like you said, it's different than fraud. But at the same time, the solutions, they're not similar technologies, but they're similar approaches where you have to have different things at different touch points on the site. That's just how it is, and it's going to go. And I'm sorry, folks, for my fraud listeners at that number. Listen, we've been talking about how you interface with your security team. It's time to get cozy. It's time to maybe even sit in the same room and really start talking about it.

[01:02:38.530] - Speaker 2
Yeah, we find most don't, so most fraud teams don't really talk that closely. And it's a true shame because the security folks have top of funnel data, really good data upstream, and they typically don't really share it with each other. You can fine tune the security systems because you say, hey, these are the ones that got in. Could you like, next time try and find things similar for doing it again? So that's great. And then the reverse is true. Any data they had, make sure that's passed down to your payment tool or whatever you're using. So in there you can write rules based on that kind of data as well. So it's a really important partnership between security maybe identity as a team in there as well. And then the fraud team, all three of those super important pillars to protecting a company.

[01:03:22.320] - Speaker 1
I think for so many years, the fraud team has just been like, security team light. And then you have the real technical folks that come in. But at Iherb here, we've been really good since I started. I say all the time, every other Thursday, I meet with that team, but we have a channel on our Gchat that we are constantly sharing. Here's some IPS, here's some accounts both ways. They say, hey, we just got 10,000 hits on the logs from this. Can you guys see anything? And then we go take a look. And the same thing is like, we just saw these 15 accounts that eight people called customer service, and they reached out to us. Can you take a look and see if there's something going on? It's a constant back and forth all day, every day. And I think the dialogue, like the communication that you need to have in your company. You're not sitting on fraud island anymore, folks. You're a larger player in your organization, so it's time to act like it.

[01:04:14.450] - Speaker 2
Yeah. And all these things, again, we don't want to sound too overwhelming. Like, this is sadly kind of the state of things, so this is all coming. But it's good to be aware of it and it's good to start thinking about what do we do about it. Either we strategize internally, build things internally, we find partners that can help us keep abreast and keep ahead of things. Obviously, at Arkose, this is what we do every day. This is just what we do. This is what we live this is what we live for. And we love it. It's kind of weird because people hate getting attacked, but we're like, bring it on. We love it.

[01:04:44.890] - Speaker 1
Every time we're attacked, bring on the challenge.

[01:04:47.090] - Speaker 2
What are they doing? We reverse engineer attacks. Every day as we speak, we're being attacked on some customer. I can see in slack, people are talking about new techniques, and it's just a life. And that's, again, you talk about fighting fraud, like this is the end game, is stop them from making money. So it all ends there, whether we stop it with bots or whatever, but end of the day is that stop them from making money.

[01:05:12.130] - Speaker 1
Well, thank you very much for coming on, everybody. I encourage you, I'm going to put all the Arkose information in the description, like I always do and in the post that I put up about this. But I encourage you, really, maybe if anything has sparked any interest, if it's happening, maybe talk to your security team about some of the things that we talked about here today. And I really encourage you guys to reach out and see a demo of the Arkose tool. It's really cool. I really think that just spending the time and looking at it and sharing it with your security teams, it might prompt some sort of something in your mind and you might discover something. So I really encourage it. Kevin, please send me all the information who you want me to have them all call.

[01:05:55.330] - Speaker 2
We're more than happy. Again, I appreciate the opportunity to come on and talk about this stuff. We love it. It scares people sometimes when we share what's coming. But again, it's important to be aware of what's coming down the line so you can figure out how to best prepare for it.

[01:06:10.520] - Speaker 1
Yeah, you need to be aware so you can spot it and you know what to do and you know who to call. So, again, thank you for lending me your time. I know you're a busy man. You got a company to run over here, and you got all these attacks that you're finding. But thank you for coming on here. I really appreciate it. Yeah. Any final thoughts?

[01:06:26.160] - Speaker 2
No, I think that's it. And again, just remember how important what we're doing is in this space. It's not just the day job of stopping fraud. It's ultimately changing people's lives. It may not sound like that, you may not pause to think, but it has a very positive impact on the world if we can divert people away from doing crime. So I think that's always worth keeping in the back of your mind as you work in this space.

[01:06:48.690] - Speaker 1
I love that. I love that. Well, I will be seeing you next month at RSA, so we'll have to get a drink.

[01:06:55.610] - Speaker 2
Sounds like a plan.

Kevin Gosschalk, Founder and CEO of Arkose Labs, joins Jordan Harris for a timely discussion on the current and evolving challenges in the cybersecurity space, including:

  • Phishing scams in light of Silicon Valley Bank 
  • The rise of Cybercrime-as-a-Service (CaaS) and how it lowers the barrier to entry for attackers
  • The growing problem posed by International Revenue Share Fraud (IRSF)
  • How Man-in-the-Middle (MITM) Reverse Proxy attacks enable threat actors to bypass multi-factor authentication without social engineering 
  • Strategies to detect and mitigate these threats
SMS Toll Fraud, Reverse-Proxy Attacks, and Cybercrime-as-a-Service with Fraud Boxer’s Jordan Harris

Transcript:

[00:00:29.010] - Speaker 1
Welcome, everybody, to another episode of the Prod Boxer podcast here. I have Kevin Goschalk from Arkose Labs here today, and I think we're going to get a little more technical than we're normally used to. Him and I caught up when we were at the Merchant Risk Council last week. I do have some episodes still in the can that I haven't put out yet. This one's going to come out ahead of those. My voice was a little off, so now we're getting The Voice back. So I'm happy to dive right back into this, get some after MRC sessions going with what people have learned there, what people talked about. Keep this conference high going. So, Kevin, how are you doing today?

[00:01:00.850] - Speaker 2
Doing great, Jordan. Thanks so much for inviting me on. I saw you wearing the merch at MRC. I'm like, hey, we should do something. There's a whole bunch of cool stuff we could talk about.

[00:01:11.420] - Speaker 1
Yeah, and I'm excited to have you on here because normally we talk so much about just fraud prevention stuff, but you guys go a little more technical into some of the more advanced things that happen to us. Bots are a big thing that I see we talk about a lot, but a lot of the software and a lot of the people out there don't really address them, and you guys do. And I think some of the stuff that you guys are working on is actually really cool. You and I obviously caught up and talked about some of those things before, so I'm really happy to bring those to my audience for people that have more questions. They hear us talk about the bots, like I said, but they don't know what to really do. They leave those conversations and they're like, what do I do? Well, now they got somebody they can call. So, yeah, when do we meet? How do we even meet?

[00:01:51.600] - Speaker 2
So I believe we met MRC. Of course. MRC brings everyone together. Shout out to the MRC. If anyone's a merchant dealing with fraud and risk, we highly recommend you head to the MRC conferences. They're great. I believe it was 2019 in Seattle, so it was one of the regional ones that they put on. And I was giving a presentation with one of our customers, Expedia, and we thought it'd be hilarious if we brought some of the expedia gnomes to the event. And we gave out these gnomes as part of the presentation. It was with Clayton Foster. He's obviously a long term MRC. Goer as well. And I believe you're in the audience. I don't know. Do you remember that?

[00:02:34.420] - Speaker 1
I do. I remember I got a gnome. It was squishier than I expected. I have it somewhere. I've moved 15 times since 2019. But man, if we would have known what was coming at that, because that was like the fall of 2019, and we were just going about life was normal. We were going out to nice dinners. We were joking and laughing, having a good time, doing quizzes. You were doing great presentation up there. And then about three months later, the world was about to end. But, hey, we're back now. Kind of, yeah.

[00:03:04.170] - Speaker 2
You could never have predicted what we just went through and the aftershock, I guess, of how this has changed the workforce and stuff like that. I don't think anyone was predicting that, ever. That was just not in cards.

[00:03:15.540] - Speaker 1
Not at all. And I was going to the office every day. I used to ride the bus and the train here. I have a car. I just don't like traffic, and I would rather do other things while in traffic. So I actually used to ride the bus in the train in La. Anybody that's from La knows it's not a pretty situation, but now I would never even dream of going back to the office. My home office, work from home. That's my forever thing.

[00:03:39.030] - Speaker 2
You and many others.

[00:03:40.490] - Speaker 1
Yeah. I do miss people, though, sometimes, actually, I get invited to go to the office. I got invited to go this Thursday and I was, like, all about it, but then I realized I have to drive 30 minutes, so I'm going to put it off another week.

[00:03:50.400] - Speaker 2
That's a good sign of humanity, that you miss other people in general. That's a good trait to have.

[00:03:55.520] - Speaker 1
Yeah. Every once in a while, I emerge from my home cave about once a week, and then for about 1530 minutes, I experience people and then I go back. But I get to see you guys all over this lovely zoom and record everybody, so we still have that. Let's talk a little bit about you, where you came from, and then we'll talk about Arkose, and then we'll get into the meat and bones of this bad boy. So let's hear all about you.

[00:04:19.650] - Speaker 2
Yeah, I'm a computer engineer, so a little bit more technical than probably the typical folks in the kind of broad space. I'm a bit of an outlier, I would say. I studied game design and computer science in Australia, so I'm obviously slight accent, but I'm originally from Brisbane, Queensland, in Australia. And then on the back of getting a bachelor of that, I went into the health space and I spent a couple of years building technology to diagnose diabetes. Earlier, of all things. It turns out the nerves at the back of the eye are a really good view into your health. And a patient without diabetes, the nerves all converge in a world in one central place, and you can see that quite clearly with these pretty fancy cameras they have that let you look at, like, 500 times magnification. And a patient without diabetes, the nerves do not converge in a well, so it's actually a very clear you can just visually see it. Problem is, they couldn't map it, they couldn't imagery. So I wrote software and we had a pattern and stuff that let them map the cornea, the back of the eye.

[00:05:28.150] - Speaker 2
And after two years of kind of building that technique and kind of proving it out and letting them build a repeatable, there's some software that let them kind of easily extract it and tell them, yeah, one has, one doesn't. There's about an eight year clinical trial period. So I wasn't involved in that. I didn't want to stick around for eight years over and over again. But they went through that and that software is now actually being used in the UK to help diagnose diabetes. And you can actually now go to an optometrist and you can find out up to two years earlier than traditional methods like blood pricks would actually inform you. So small contribution to health, which was really awesome. Fun journey, really cool.

[00:06:05.410] - Speaker 1
So, quick question about that. Is it for type one or type two or can it do both?

[00:06:09.350] - Speaker 2
Type two.

[00:06:10.490] - Speaker 1
Okay, that's super interesting. I'm going to have to go read more about that after we're done recording here.

[00:06:15.540] - Speaker 2
This study was called the Landmark study. I believe it was longitude. I can't remember what the acronym was. It was like longitudinal assessment of neuropathic. I don't know, I don't remember. It's been a long time. It's been like twelve years. But yes, I did that. And then on the back of that, I was granted a scholarship award by a large not for profit in Australia that focuses on people with intellectual disabilities called the Endeavor Foundation. They kind of saw the work I was doing as a student and said, hey, we want to see if you can build something interesting to kind of get these people up and more active. And did that for a few months. That was so successful that the government and the university co invested half a million dollars to help me commercialize that technology. And we ended up ultimately licensing that at about two or three years in. So I built that for a couple of years. But both of those I was very focused on computer vision techniques, so understanding what a machine could recognize and interpret and then use that to kind of build a social gamification experience for the people with intellectual disability and the context of the health project, be able to map and chart these images.

[00:07:22.990] - Speaker 2
And both of those obviously led to having core domain expertise in the ultimate pioneering idea of what then became Arkose shortly thereafter.

[00:07:32.550] - Speaker 1
Wow, so you did all these this is a completely different industry that you're in reality. Wow. I had no idea that you had all that previous stuff. That's really impressive.

[00:07:47.610] - Speaker 2
It's out of luck. You don't build a solution like Arkose by being someone in the space, I would say. So we certainly came at it from a very different perspective. I co founded Arkose with one of my lecturers at the university I attended, actually. So he was the early game designer. He was a game designer lecturer. So he was doing kind of the user experience design of our product. And I just caught up with him a couple of weeks back in Brisbane. He's not actively working with Arkose right now, but he was there for many of the early years. But two of us kind of came up with this concept of, hey, let's utilize things that machines aren't good at doing and shouldn't be good at doing. There shouldn't be any commercial value in them doing it. And the objective is simply make it more expensive for adversaries to attack it than their return on investment they get back. So it's a very different approach to anyone that's ever tried to build antibot software before. And we see some people talking about it. Obviously, they've seen us talking about it for all the years, but no one builds the software that way.

[00:08:45.140] - Speaker 2
It's still fundamentally built very different. The strategy is still very different to what we see the other players do. And it's really the only long term strategy against fraudsters is if they don't make any money, they don't attack you. As I'm sure your audience would be very aware, if there's nothing of value, you're probably not being attacked.

[00:09:01.230] - Speaker 1
Yeah, I always tell people you're probably never going to solve your actual fraud problem completely, but if you can make it just annoying enough that they don't make any money, they'll just go away and attack somebody else. And that's at the end of the day for most of us. I think that's the goal. But I think you're totally right. Most of the software that people use to stop bots, the bot piece of that is more of an afterthought than it is a forethought, and I think that's where you guys changed it up a little bit. This was your plan going in, if I'm not mistaken.

[00:09:33.310] - Speaker 2
Yeah, that's right. And it's kind of a pretty big contrast. Like, if you're using a bot solution, which is just designed to stop bots, which is pretty much every other player in this space, they're pretty happy if they're stopping 90% of the attacks being thrown at you, they're like, that's great. Or 99%. They're like, amazing. Look how good a job we're doing. We're constantly every day stopping 90%. The only reason you're seeing 90% being blocked every day is because the percent that gets past them is enough to fund the attacks. Whereas within Arkose, the big difference is they stop attacking once the mitigation occurs. They actually give up, and they might try and a new attack, but they just give up and they go away. So there's a pretty big difference there in terms of what the traffic actually does. And that's something you can kind of look for in your logs and your metrics and be like, hey, we just continually get hammered by attacks no matter what we put in place, just simply because there's enough of it getting in that they're still making money.

[00:10:25.350] - Speaker 1
Yeah. I think that even you block 90%, that 10% is still usually a lot like people don't realize, like box it isn't one or two, it's thousands, millions, billions hitting you at a time. So 10% of a billion getting through is still a lot of crap getting through there today.

[00:10:42.420] - Speaker 2
Yeah. And some of the stuff we're going to talk about today will really kind of talk about like even some of it getting through is very costly. So you got to have a pretty good strategy around this stuff because yeah, you're right. It's millions. We have one customer where we prevented billions of fake accounts last year. These are just tremendous scales that they're throwing people and they're making three $0.04 each account they open. Like, it's really profitable for them, right?

[00:11:08.470] - Speaker 1
Yeah. And you guys have some pretty good marquee clients on your website. You list a few so people, if you go to Arkose, their website and actually look at that, you'll see some of them. I personally have experienced it on Blizzard before trying to get into an account that I hadn't logged into in ten years. I wanted to see if World of Warcraft was still a thing, and it kind of was. And I got in there and played around a little bit during COVID times. But I did encounter your guys'your captcha, which is just one small piece of your overall business, but it was very comforting to see a familiar name pop up on my screen.

[00:11:42.670] - Speaker 2
Blizzard is a very near and dear customer to me. So the most stressful thing I've ever done in my life, not running a company during the madness that we live in right now, was running a guild in World of Warcraft in high school. That was far more stressful than running a company.

[00:11:57.480] - Speaker 1
Were you there? Were you playing guild bank time? I remember when they added the guild bank and everybody was just assholes about it.

[00:12:06.310] - Speaker 2
That's still happening for folks that don't play video games. Guild leads have access to the entire guild bank funds, and you might have a few other people. And obviously everyone's putting their money into the bank. And the intent of having a bank is it pays for the raids that you're doing every night. It pays for potions, it pays materials to go do the raids, blah, blah, blah. But then you have some horrible people that are like, well, I'm just going to steal all the gold out of the bank and then transfer servers and rename my character and start the game with a new guild with all this gold that I can use to myself. So that problem happens in real world as well as it does in video games. But yes, there's all kinds of fun stuff that happens. Fraud, and I guess that's a form of friendly fraud, I suppose.

[00:12:51.530] - Speaker 1
Yeah, it really is. I think we're seeing some of that happen right now, and I believe we're going to talk about that in a minute. But yeah, very much like all these people pay these dues, and then the one guy gets in and he does some social engineering, and off he goes with the whole bank at the end of the day.

[00:13:07.950] - Speaker 2
Yeah, gaming has so many amazing examples of it's just an entire different economy, entirely different world. There's so many interesting things that attackers do. But yeah, I'm a huge gamer, actually. Our first customer was Electronic Arts, so we met Bing Gordon at GDC and we pitched him our product, and he said, it's a terrible pitch, but we need a solution like that. So I'll introduce you to the security team. And we're like, thanks. And yeah, we still work with Electronic Arts to this day and many other gaming merchants.

[00:13:42.870] - Speaker 1
You guys kind of have the gaming thing kind of cornered there, which is a testament because people always joke about gaming. And it's for kids. It is what it is. But no, the adults that play, and there's sophisticated things that happen in games. It's weird in games now where some of the bigger games, there's full blown economies like your character in the game, especially even in World of Warcraft, it has a job to do, an actual job in a role, and you have to do it, and you have to do it well. Otherwise you get, quote, fired from your job. But you don't just pick roles. You don't just get to click the button and pull the trigger all the time. You have to heal people or you have to tank them, which is like, pull all the bad stuff while other people attack. You have actual jobs. There's economies in these games, trading. This guy can craft this thing. This guy can mine the material. So you have to trade. And there's monetary that train it's nuts. And there's value, massive amounts of value in stealing these established characters.

[00:14:42.570] - Speaker 2
It's called real money trading is the big one. So we protect a large number of game merchants beyond Blizzard, we protect Minecraft and Grand Theft Auto and Roblox and many others. But one of the objectives is taking the virtual currency from the accounts and then reselling that. So people want to get ahead in these games. They want to buy items, weapons, gear in the game. And you need virtual gold to do that. You can either go earn it yourself or you can purchase it from third parties. So there's like entire business economies where people are making millions of dollars a year by either using bots to create accounts and then automatically play the game and earn the gold or compromise people's accounts, credential, stuffing, et cetera, to then steal their virtual gold, transfer to their other characters and then sell it. So there's like a whole fraud economy around this. I'm actually giving a talk at RSA in a couple of months about lessons from the gaming world that can be applied to the metaverse and what's coming in the metaverse. Because the metaverse at the end of day is just 3D virtual world. It's going to have all the exact same problems gaming has already.

[00:15:52.540] - Speaker 2
So it's already a well defined problem space, and it's already been solved in many ways. So it's kind of just fascinating, kind of watching that all be rehashed. But it's people that don't come from the gaming space building these metaverse companies, and they're like, wow, we didn't think of these problems. These have all been solved before.

[00:16:09.540] - Speaker 1
This is the same thing we see happen. Every new startup starts their thing, and then they don't realize that fraud is a thing or bots are a thing, and then it happens to them. I can see people with these virtual deeds that they're doing in the Metaverse, where you buy a metaverse house and you get a real house in real life with it. Those things are going to be like people are going to be taking those and stealing the houses. Thank God we got the blockchain. But I mean, at the end of.

[00:16:29.230] - Speaker 2
The day, what can you do? So, like JPMorgan. Opened a virtual branch in Decentralland, I believe it's called. And if you can go into a virtual branch in the metaverse and open an account or log in to check your account, what if someone sets up a portal n that looks like that virtual bank and you go into there and you accidentally hand over your credentials? I don't know. There's a whole new world engineering potential, right?

[00:16:52.180] - Speaker 1
That is very fascinating. So I am going to be at RSA two up. You're the one in San Francisco, right? Because I know they do, like, some other smaller ones. The one I'll be there too. I'm doing a panel on synthetic identities. So we'll just shout out, everybody go to RSA, come watch both of our things. Alexander hall is going to be there too. So all my guests, all my normal suspect guests, we all have panels of some kind going on up there. Are you going to be in the big hall or are you going to be in the EFG?

[00:17:19.590] - Speaker 2
No, it's one of the big ones, like a 50 minutes presentation. So we're working on it's been a lot of work.

[00:17:25.230] - Speaker 1
No pressure.

[00:17:27.870] - Speaker 2
It's going to be a lot of fun. It's going to be a lot of fun. But feel free to reach out. I'm sure you'll tag my Twitter or link. I have a speaker discount code that I can give out to Friendlies. So if you ping me, we can give you kind of a discounted rate to get in full conference pass so you can kind of see my talk and you can see the rest of them as well.

[00:17:47.830] - Speaker 1
Excellent. Yeah, that is one of the price of your conferences, but it is one of the more technical and useful conferences that comes in this type of space. There's quite a few conferences now obviously with budgets and the way they are coming out of the pandemic, we've had to be pretty strategic about the ones that we go to. And I do have to try and take speaking spots as much as I can to lower the cost so I can bring my staff because I love to go to conferences. Selfishly, I will fully admit they are a ton of fun. But I do need to make sure that I'm training my staff and that they're learning too. So I have to do what I can to make sure that I can sacrifice being up in front of a couple of hundred people in order to get one of my staff in for you, spend the money.

[00:18:25.720] - Speaker 2
There such a sacrifice for you.

[00:18:27.670] - Speaker 1
I'm sure it's rough. You know me, I don't like being the center of attention ever.

[00:18:33.860] - Speaker 2
Yeah, no.

[00:18:35.730] - Speaker 1
So I think that's a good little segue. I think we're going to talk about Arkose and how they address all these things as we go through some of the trends that you're seeing and the things that you're seeing right now, which I think are going to be super interesting, going to be a lot different than the normal trends that we talk about. Check fraud and all that. This is going to be like actual hacking stuff that's happening. So I do want to get into that right now. Obviously we were just talking about some of the virtual banking and guild banking and some of the things that are happening with that. I think it would be kind of a missed opportunity if we didn't talk about what's happening right now with a particular bank that a lot of us have had workings with in the past. I spent some time in the Bay Area. A lot of the companies that I have worked with in the Bay Area have banked at this bank. I'm sure that you guys might have some dealings with them. So let's talk just briefly about Silicon Valley Bank and some of the scams and phishing things that might be happening as related to that and how it can be applied to the rest of us, if you wouldn't mind.

[00:19:36.120] - Speaker 2
Yeah, so I can first maybe key this off. So Silicon Valley Bank, we are a customer of SDB, as is any tech company, any of your tool providers, any of your vendors that are kind of high growth startups, they are all likely members of SDB. The reason for that is a concept called venture debt. So venture debt is basically an extension to a capital raise. So if I raise $40 million, they'll give me an extra 20 million that can bridge me a little bit further until I need to raise more capital. And the intent of high growth startup, historically not anymore, historically has been grow as quick as you can. Don't be profitable, just grow grow land grab that's shifted that mentality has changed over the last twelve months, where it's now a profitability mindset. So we're going to see some changes. There. Very different kind of businesses will survive a profitability world versus a high growth world. But the way the venture debt works is you must maintain a minimum amount of your dollars with SVB and you must do deposits with SBB, which is kind of a perfect storm. When SBB fails, everyone has all their money with them because that's what you had to do.

[00:20:42.190] - Speaker 2
I just wanted to provide that context because I don't know if everyone knew that. It's like, why don't you have multiple bank accounts? Well, you couldn't. You weren't allowed to. And they're the only one adventure debt because they had relationships. They're not the only one, but they're the best one because they have relationships with the VCs. They understand how high growth companies work, and therefore they can allocate risk based on that. A typical bank can't think that way. They look at your balance sheet, they look at your profits are like, yeah, now you're not profitable. We're not going to give you a loan. It's a very different kind of bank. So it's a very important part of the ecosystem, has been for 40 years. Many of the big tech companies were built on the back of SBB. So, yeah, it's incredibly sad to see kind of, I guess, what's happened. But the net net is last week they failed. They've now opened this bridge bank and they're backed by the FDIC, which came out over the weekend, which is great news because a lot of companies I knew people that had 50 plus million dollars in there that they couldn't extract, which impacts any business.

[00:21:39.380] - Speaker 2
There's no business that can weather $50 million is being taken off the balance sheet that's even big companies aren't okay with that sort of stuff. So it's been pretty material, I would say, certainly since shockwaves. Another question is what happens? Like, does SBD get acquired? Can they operate as a bridge bank? They got a new CEO. I was talking to him yesterday. He's very committed to making it work. We're not all really clear on what that means. We don't know how long it's going to live for, so it's a little bit uncertain right now. So what everyone's doing is they're changing their bank details. So instead of our customers paying into our SPB account, we're asking them to pay into a B of A or a Wellspower account, whatever account. And guess what? That's an amazing time to do some phishing attacks and social engineering attacks. Yeah.

[00:22:24.270] - Speaker 1
I mean, what better time to be like, hey, we understand you're a customer of please click here to sign up for your account. Blah, blah, blah, we're part of the government. And you look at those headers and it's not even close. People are panicked. They're trying to pay their employees. I think people don't understand. Like, a lot of payroll goes through SVB too, everything. Yeah, there's regular people. I know everybody wants to say, F, the bankers at the end of the day, that's just like the internet, rah rah RA thing. But there's regular people that had nothing to do and no say in the matter that were, at the end of the day, affected by this. I think one thing that's going to be kind of weird coming out of this is, and I think you touched on it, is like, what is the future of this debt going to look like? There's a lot of startups that everybody knows and uses every day that aren't profitable. It's going to have to be a very different scene, because, like you said for 40 years, the idea is you start up a company, you go, go, go.

[00:23:25.020] - Speaker 1
You get that growth. But in order to get that growth, you have to have user acquisition, which costs money in order to create a product that works and functions at scale. It takes money. So you need people to give you some money in order to do that. And even Amazon wasn't profitable until, what, like, 2015, and we all were using them every day at that point.

[00:23:44.840] - Speaker 2
And a lot of companies FPB is just kind of yet another thing. On top of the broader ecosystem changes, which I'm sure everyone's seen, the stock market and venture capital raising venture capital in general has gotten a lot harder. Pros and cons. I think we'll get, at the end of the day, better companies on the other side of this. There's going to be probably fewer jobs in tech because less random things will get funded, but I think it'll end up being a NetNet better thing for the ecosystem. Cybersecurity as a whole is just full of really bad vendors with really bad technology. I remember going to Black Hat six years ago, and every second Booth said the same thing, and then the following year, half of those companies no longer existed. And this actually is what ultimately led to the idea of we have a guarantee on our product. We have an antibod guarantee. If you buy Arkose, we contractually guarantee we will stop attacks. If we cannot stop attacks, you can actually break the contract. We're the only vendor that does that in our whole space.

[00:24:51.630] - Speaker 1
I like SLAs.

[00:24:52.960] - Speaker 2
And then the next thing we did was we put a warranty on top of it. So not only can you break the contract, we'll actually cover losses for you. So we have a million dollar credential stuffing warranty. And that was fueled from the simple fact that it's so hard to stand out amongst all these companies that are getting funding, that have terrible technology. And that was what was the genesis to me coming up with that idea. I'm thinking a lot of those companies won't get funding in the future, so maybe I wouldn't have needed to. In the world to come.

[00:25:22.680] - Speaker 1
Yeah. Bad time for me to start kicking around an idea that I had in my head for a while now, so maybe I'll just a good idea.

[00:25:35.050] - Speaker 2
We don't need the bad idea. Yeah.

[00:25:37.930] - Speaker 1
I'm not in it to get $100 million and run away. I'm in it to secure my generational wealth. So we'll see. We're going to start writing. So I think that's a good transition into with an opportunistic time to start sending these phishing emails and start trying to get ahead of what these other people are doing. As they move their money around, these large companies move them millions of dollars around. It's become this group of people, a large group of people, too, by the way, that their entire thing is to find a way to monetize, exploits and.

[00:26:17.130] - Speaker 2
Sell everything like that. That's right. Yeah. So as an example, we're reaching out to all of our customers and telling them, hey, don't send your money to SPB. Send your money to our new bank account. And that's exactly what a fraudster wants.

[00:26:31.330] - Speaker 1
That's a perfect sense of my bank account.

[00:26:33.410] - Speaker 2
Yeah, exactly. And we've good customers that are good at infosec reach out to us on other channels like Slack and things like, hey, does this employee work for you? They're asking us to change your bank details. That's what you should do if you're in the finance space. I don't know how many of your listeners are in the finance space, but, hey, if anyone's asking you to change bank details because of this, make sure to verify because it's a perfect time for fraud. This is absolutely happening as we speak. They jumped on this when there was the government handout. They jump on this like the day of they're incredibly impeccable on timing. So it's already happening.

[00:27:11.450] - Speaker 1
Yeah. I mean, these people, you got to remember, most of the cybercriminals, their day job is crime. So they're sitting there all day, and they got 15 TVs running with every single news thing. And the second they hear something, even rumbling, they're in there trying to figure out the underworkings of it. There is a tremendous amount, and they're sharing it, and they're selling what they're sharing, and they're selling what they learn. And I believe that you guys and I think that most people do is they call it cybercrime as a service. We all know software as a service, but there's cybercrime as a service. And I think that with you guys, you guys spend a lot of time, you have people that are actually in these channels looking at these things, and you have Bret Johnson on there, the chief criminal that former top Ten Most Wanted FBI. So you guys are aware of these things that are happening. And I think that it's super useful when you hire people that come from that world, because I have my sources that I do call every once in a while and say, what are they trying to do here?

[00:28:09.880] - Speaker 1
And then they say, well, this is what I would do, and it's been super helpful to figure that out.

[00:28:14.430] - Speaker 2
Yeah. So let me explain this a little bit more. So, cybercrime as a service, the term itself isn't new, but what I would say is new is the accessibility of it. So the accessibility has shifted quite a lot. So we historically, we protect some of the largest companies in the world. So we have a very large target on our back. That's just the nature of our job. And fantastic, that's what we do, bring it on. But the benefit of that is we always see the most modern techniques made against our customers before they make their way down to kind of the rest of the world. Right? And the trend has shifted from individuals kind of bringing together attack tools and making the attacks like the most common attack that's going to be relevant for your audience is credential stuffing, where they're using bots to test credentials, to break into your accounts and then figure out what's of value in the account. Maybe there's a credit card on record and they do return fraud or whatever it may be, but they're breaking into the accounts. And that used to be, hey, I used to need to go manually get a bunch of proxies, I need to go find the tools, open bullet I needed to go set it up, I had to go find the passwords, blah, blah, blah.

[00:29:22.630] - Speaker 2
I had to go do all that work myself. I mean, you have to kind of be somewhat technical to do that. And that information used to be a little bit hard to find, maybe on the Dark Web. And Dark Web is not that hard to access. It's Tor browser and you're in. That was maybe three or four years ago. About 18 months ago, we saw a dramatic shift from dealing with individuals attacking our customers, to dealing with organized businesses that built SaaS businesses that were designed to attack our customers. So it's completely shifted. It's pretty mind blowing. And you can now just go search on the Internet and find tools. There's a common one called Zenrose. It's a UK company that got venture funding. What prize? Surprise. That is designed to bypass antiscraping tools. And you can either pay them to do it, or they will give you tutorials on how to do it. You can go search Zenrose and you will find it. And it has copious details on how to bypass typical bot vendor software and all that kind of stuff. Or you can just pay the money and they'll do it for you.

[00:30:26.790] - Speaker 2
They can go scrape the inventory, they can go grab whatever you want them to grab. And they're a business with engineers that every day, their job is just to build ways around tools like Wax and things like that. So that's kind of one thing. The access to really sophisticated attack capability. These aren't like script kitties. These guys are really good, really good at what they do. So that's one problem. The other problem is the information has gone from being kind of buried on the dark web to being in discord channels. You can just go search like there's one called Scraping Enthusiasts where you can just go search it and you can go join their discord channel and they will tell you everything about breaking into anything you want to break into with automated tools. And it's all just publicly available. They just exist and out in the open. And it's kind of scary to think how easy and accessible the information is. There's another community where you can learn how to steal hype inventory like limited edition items, and they'll teach you how to pay taxes and they'll teach you how to do whatever you need to do to make the money look legitimate.

[00:31:41.550] - Speaker 2
It's pretty scary. This is just the cybercrime is a service concept. Whilst again, not new, just the accessibility has risen up to the forefront. And what the NetNet is is it's cheaper than ever and easier than ever to make the most sophisticated attacks that are really out there. And that's really scary because that lowers the barrier to entry for crime and it makes the effort as a defender materially harder. It's much harder to defend against these cybercrime platforms than it is to defend against individuals. It also changes the equation around how do you make it too expensive for them when they've got 1000 people funding them? So it's a really different ballgame. And this is kind of a concerning trend, I would say, going yeah, a good thing to be aware of, that it's happening because the ballgame has changed in the last twelve to 18 months.

[00:32:36.720] - Speaker 1
I was saying, like I said on a couple I think it was a couple of episodes back, that the accessibility is, I think, one of the main drivers. This was so often thought of as something that people that have computer science degrees that are sitting in their basement in Russia were doing. But now it's literally your neighbor in your suburban neighborhood that has a computer. He has a VPN, he has a Tor browser. He paid $50 to buy one of these little pieces of software that he got on Telegram or on Discord and he's out there stealing sneakers now and then he's out there then relisting and cleaning that money. It's so easy. And you never have to get up from your seat, ever.

[00:33:20.510] - Speaker 2
I have two perspectives on this. One is these people are incredibly entrepreneurial. When you say the word entrepreneur, I can't think of a better person describing than these criminals. And unfortunately, it kind of tarnishes the brand of entrepreneur. But they're incredibly entrepreneurial. These people work harder than the regular guy out of day job. They're in it to figure out how do I make money? They're form long hours. They're all talking to each other for one level. There's some respect for that. But the other part of it, the problem with the accessibility and ease of getting into this, I would consider kind of these bot attacks kind of a bit of a gateway drug to crime. Because once you it seems not that bad. Stealing some stuff from a store or buying stuff and then reselling it. It's like, hey, I'm using my credit card. It's okay, I'm making a huge return. But then it kind of gets darker and darker and darker and darker. Now I'm breaking into bank accounts because, hey, why not? It's not that hard. And now I'm suddenly buying drugs. And then I had a presentation once with the head of Cybercrime of the UN, and his perspective is, this stuff all ends in the same place, and it's all really bad.

[00:34:28.290] - Speaker 2
It gets really dark very quickly for people that go down this path. They start as an 18 year old doing these more simplistic attacks, and then by the time they're 25, they're in proper crime because that's the community. That's what you get stuck in, and it ends up in child trafficking and horrible shit. That's where the end game is for these people. So it's really important, not just to protect our merchants, but I think it's really important in general to help the baddies against themselves, to be honest. Like, stopping them doing this stuff is a good thing for them as much as it is a good thing for our customers.

[00:35:02.590] - Speaker 1
That's an excellent angle. Like, I've never thought about that because I've seen you get that rush from that first one, and then you want more everyone in, the more every one.

[00:35:13.270] - Speaker 2
Of us, we're helping stop that from occurring. So this is a really important mission for the entire industry. It's not just about protecting our customers. It's fundamentally it's helping shift people out of crime long term. So everyone should feel good about being involved in this space. We need more people in the security and fraud space, but it's something that we care quite a lot about.

[00:35:33.900] - Speaker 1
Arkose I think that as we talk about some of these little things that have been happening, you talk about these credential stuffings. I think we've all seen some of these attacks directly on our site, and we've thrown things at it. I think first, everybody's always their first exact step is to do some sort of block list, it seems like. And then after that, you usually hit a captcha, and then it's trying to find the balance on the captcha, like when to fire the capture you do to everybody. And a lot of sites, unfortunately, do say, yeah, everybody captcha, which pisses me off. And then I think over the last ten years, we moved more into these dynamic rules. And then I think then there was these companies that came up that tried to change the web forms, so every time you loaded the page, it was a scramble. It didn't say first, underscore, last. It was different. But those really slowed down sites, and they were really heavy. You had to have boxes. And now when we moved to cloud infrastructure, that got to be a little more difficult. But I'm sure as that moved from a physical box into software, that that's easy enough for these guys to block now too.

[00:36:35.150] - Speaker 1
So what are some of the things that you guys, if you can kind of take me some of the history of what you think some of those things are and how Arkose is doing that, if you could.

[00:36:43.790] - Speaker 2
So first and foremost, a good place to start is, how do I measure this type of attack occurring against me? There's a pretty easy way to measure Credential stuffing, which is the success rate of logins from attempt to login being successful. The way credential stuffing works is they're just testing hundreds of thousands of attempts, right? So naturally, when you're getting attacked by Credential stuffing, the success rate plummets off the cliff. Typical login success when it's healthy should be 60% or better. So 60% of attempts should successfully log in. So if you're around 60% or higher, you're good.

[00:37:20.780] - Speaker 1
There's your baseline, everybody.

[00:37:23.070] - Speaker 2
That's a really good metric to track. You should track that metric. Every company should track that metric. During a Credential stuffing attack, that success metric goes from 60% down to one to 3%. So if your success rate is in the one to 3% ratio, you're being attacked. Absolutely, you're being attacked. And that's, again, like a really good metric. Just as a baseline. Just start there. That's a good metric as a baseline. And then in terms of mitigations, there's a number of mitigations. Of course, it starts with the security team will have a WAF web application firewall, which is at the edge, and they're trying to mitigate at scale things like these in the same IP address over and over again. You can just block that at the WAF. That's an easy one. Really good. Attackers at this don't do that. They use proxies and they rotate through IP addresses. So they're only making a few requests per attempt and then they abandon. A WAF can't really help you once they start doing more sophisticated things like that. So then the next kind of layer is things like device fingerprinting. So, okay, so I've got unique IP address every time.

[00:38:27.750] - Speaker 2
I've got the same fingerprint every time. So everyone on the line probably uses fingerprint vendors and things like that. And that's another good kind of starting defense, right? But the really good adversaries randomize their device fingerprints. So then they start coming at you with unique looking fingerprints, or even worse, they pick the most common fingerprint, and then they just randomize the attributes that are expected to be random, like the language, the time zone, things like that, which are user configurable, the user configurable attributes the ones they randomize. They don't randomize the things that you shouldn't be changing. Like the user agent string, they won't randomize that typically. And they'll pick the really common one. So the most latest version of Chrome, if you block on user agent string, you will kill a lot of your good users. So that's not really a good strategy. Unfortunately, you'll be able to see that a huge spike, but you can't really use it as your signature to block on because again, everyone uses the same signature.

[00:39:26.380] - Speaker 1
There so many times I join smaller companies when I come in to do their fraud strategy. I will be talking to some of the other teams and they're like, yeah, we have a device fingerprint. Where does it come from? What is it like? Well, we use browser string. I'm like, so everybody's got the same one. Anybody using a regular out of the box apple with Chrome is just using the same string.

[00:39:47.450] - Speaker 2
Well, it's the thing like if you buy an iPhone in New York and you buy an iPhone in San Francisco and you turn them both on, they have the same fingerprint, right? That's just the reality. I mean, there's some differences times and the IP, et cetera, but the NetNet is going to have the same fingerprint. There's a whole bunch of different fields and features, but phones really, they clash a lot. There's not really a great way to do really unique fingerprinting on a phone. Like with a browser. Desktops are a little bit easier because you got different screen resolutions and stuff like that. But every iPhone has the same screen resolution, so you lose quite a fair bit when trying to fingerprint phones. So you got to be careful there. I can't rely on IP, I can't rely on fingerprint. So this is where it starts coming into kind of more difficult stuff. Like you then need to start thinking about, okay, what's the reputation of that IP address? Is it a proxy? You can't figure that out by yourself. You need a vendor. You need a vendor for that sort of stuff. Autos does provide an IP reputation component, but there's others that do it as well.

[00:40:50.530] - Speaker 2
It's a pretty typical kind of feature IP reputation. The device fingerprint is like, okay, I can't rely on the fingerprint being the signal for the attack. You need to look at different features of fingerprints, so you need to look for fake fingerprint signatures. So one of the capabilities we offer is device spoofing detection where they generate fingerprints that we've never seen before on any of our customers. So those are good things that you can take action on because the more unique something is, the more likely it's to be generated as opposed to being a real device. But again, you can't really build that in house because you don't have that network. So that's another vendor.

[00:41:27.120] - Speaker 1
Exactly what I was going to say, because again, additionally, all the companies that ever join. Everybody wants to just well, we have all the data. We know our customers. We could just do that. We could just do it ourselves. I'm like, well, that's great. And I think for us, specifically here at Iherb is a great example, is we do have an ATO tool that we built in house, but we set our baseline with that tool. So we know because our customer is slightly different because of the regions that we do business in, but our baseline is different than what our baseline would be for someone that's doing business primarily in the US. But at the end of the day, our fraud tool is not as successful without all of the data from all of the people that are in our space, around our space, adjacent to our space. And we get that by using a third party tool and purchasing that information from them and using that in our own model. We pull information back, especially from one of our other tools to say, this has been seen 15 other times today. It's buying regular stuff.

[00:42:21.070] - Speaker 1
Don't worry about it as much as we just saw this for the first time ever, and we have all of the top 500 merchants in the world. Probably fake.

[00:42:30.010] - Speaker 2
Yeah, I think that's big difference between buyers builds. You can't build certain things. And I think just the sophistication has changed to the point where I don't think people are going to be considering building unless you're I mean, like, again, we work with the kind of brands that don't buy and they they still bought from Ourco, so it's it's yeah, it's just a really hard problem to do by yourself in house. And the folks listening, likely. Yes, our day job is security. But the companies we work for, they're not security companies. Like, they're merchants. They're selling inventory. That's not the mission and motto and the lifeblood of what the business does. So it's a bit hard, obviously, like an Arkose. That's all we do. All we do is stop these baddies from doing stuff. We don't do anything else.

[00:43:11.440] - Speaker 1
Even the security people that they hire that are doing those jobs all day, they got other things they're doing. Their one job isn't stopping bots. They have other things.

[00:43:19.680] - Speaker 2
Right. And then another really healthy signal is, what are the attackers doing? So are they jumping straight to the login page? Are they jumping to other flows? You can kind of use that also as a pretty good signature, too. And then another good signature is behavioral biometrics, which sounds far more fancy than it really is. It's really looking at motion, movement. And yes, the attackers do have tools that spoof this even open bullet, the common tool. It does do spoofed mouse movements and stuff like that, but it's still yet another thing the attackers have to set up and do. The goal is you kind of want to do a bit of everything and force them to keep spending more money and time dealing with your defenses and someone else hasn't set up the right defenses or the profit return. Doesn't make a lot of sense. The good thing with these attacks is good and bad thing is they have to happen at scale. Which means if you can incrementally add cost, every attempt to point where that breaks the math equation, then you've won. And that's where, again, like you mentioned, dynamic rules come into play.

[00:44:24.930] - Speaker 2
So you use all these kind of data signals first and foremost to kind of make an assessment. You got to do like a risk reputation. It's not just on or off. That's a really bad way to do risk because you'll blow up your user experience if it's always on and you'll have no security if it's always off. So you can't be boolean. So that just doesn't work, especially in the merchant world where there's so many competitors that they can go buy from them. You don't want to have friction. It's not great. So you got to be risk graded. So the higher risk, the more friction you want to impose. So it might be something like, okay, we think you're a bot. A capture might be a good response. Problem is, a lot of these tools have good ways to bypass captures and that's a different problem. Another potential challenge is multifactor authentication. But you need your customer to opt into multifactor authentication. You can do email verification. That's a pretty good one. That doesn't require opt in because you already have email. Obviously vulnerable to things like email compromise, but it's a good one for stopping things like cred stuffing.

[00:45:20.830] - Speaker 2
Each attack technique you need to use a different defense. So it's really dependent on what the attack is doing as to what's the appropriate challenge. So you really need to figure out what's the context of the attack. Credential stuffing the goal is really to make the cost for bots too high. If it's social engineering, you really need to make things like multifactor and stuff. We're going to talk about how you get around even multifactor. They've got new techniques to do that now too. But everything is about increasing pops and effort. There's no silver bullet, but it's all about incrementally raising that effort through these different types and approaches and we basically do all of that. So we have a bit of everything. And our perspective on this is you need to do a bit of everything. You can't just be a one trick pony. If I'm a behavioral biometrics vendor and they spoof biometrics so it looks legit, well, I'm no longer useful. I can't stop the problem. So you got to obviously be focused on fundamentally, how do I make the whole problem stop? Which is why we have kind of a pretty broad spread of capabilities.

[00:46:17.810] - Speaker 1
Yeah, and I did a way back in 2019 again, I did a post for the MRC about multilayer and I compared it to a lasagna. Like you have to have multiple layers. You just have to I think one of the things that too that's super important and this is where I see a lot of veteran fraud finders get stuck too, is they get really complacent in their tool and they're like this is just it does everything I need, it's all I ever need. And they don't ever look at emerging technologies and what the trends are as much like they're aware of the trends but their tool might not address it. And they close their mind off and they're not open to experimenting with new tools. And that's something that every year for me. We're always looking and evaluating at things and we made a change to our tool last year because the tool that we had didn't have the capabilities that we needed and we have to have that open mind. I think everybody, especially in this evolving world where now they're coming at us with tools just as sophisticated like those tools that you've used for the past ten years that you think is great and no one's ever going to figure it out.

[00:47:21.260] - Speaker 1
They figured it out and they know how to get around it now. So you have to start adding these other things on top to kind of prompt your customers because you don't want to get good customers. Like I always say, we always are focusing on these bad actors. But you have a large amount of your customers are good. So you don't want to be prompting them to force them into MFA or force them into solving a captcha when you know it's the same guy that you've seen 15 times the last 15 years. He's trying to buy his monthly protein. You need to be dynamic and I think that you said it excellent when you're like the different places need different things too. You need something for the credential stuffing, something to log in, you need something for purchase, you need something for account create, you need something for email change, you need different things and you need something way out on the perimeter too before they even get to any of that.

[00:48:08.250] - Speaker 2
It can be pretty overwhelming if you're starting fresh. But it does require that and that's just the sophistication. And if you don't have it then guess what? You're the target because you're suddenly now the cheapest.

[00:48:21.290] - Speaker 1
That's what we're trying to make all our people go to is you. Now let's talk about forcing people into MFA and why that isn't. Well first of all, obviously it sucks for it to be forced into MFA for most people. Especially for the regular person. Like I MFA a lot of my things just because it's the nature of what I do for a living. But I think for my mom, she would lose her shit if she all of a sudden had to do it on her bank. And the first thing she would do is probably auto opt into the text message. And why is that not good anymore?

[00:48:51.470] - Speaker 2
Yeah. MFA by the way, is a really good thing. So I always use MFA. If you can enable MFA, do it. It's a good thing we are in the security space. We should all be good citizens of good security. So I highly recommend it. We all know the friction is important but the NetNet is the average internet goer does not want any friction and does not want to have to be opted into a security experience to buy stuff on the internet. They do not feel like they are the ones that should have to go out of their way to protect themselves. They feel like that's the merchant's job. It's up to you to protect my information. I'm not using the security features. Too bad. It's up to you to protect my stuff. Which is fine and fair I think as well. I sympathize with the customer. The goal is how do we make security as invisible as we possibly can without requiring user opt in into stuff. I think user opt in is not great as a security mechanism in general. But it is obviously good to have if you're a security miner to want to protect your stuff.

[00:49:51.790] - Speaker 2
But yes, there is no silver bullet. MFA is not a silver bullet. Adversaries have figured out numerous ways to overcome it. We can talk about a couple of those. And not only that, they've also figured out ways to monetize against you all how to make money from the MFA flow itself. And it's just again it goes back to this entrepreneurialism in fraud. They're just so creative. So there's two things I like to cover. One is a concept called international Revenue share fraud or SMS toll fraud. And then the next one I'll cover is men in the middle reverse proxy phishing where they can actually bypass MFA on a phishing site. They used to have to call you to get your Pin code but they've got new ways of getting around it now. So let's talk about the SMS first. And this can be on any flow where you trigger an SMS message. This isn't just logging in OTP. That's obviously an example. But it can be forgot password. It can be account creation. Maybe you send a text message to confirm that. That's a unique customer. Another technique to raise cost is sending text messages.

[00:51:00.290] - Speaker 2
What fraudsters have figured out is they can use premium numbers where they collude with telcos and they get millions of numbers where when you call that number or when you text that number they make money. Kind of like the idol.

[00:51:19.770] - Speaker 1
Is this like the old like the 900 number things is when absolutely same concept.

[00:51:25.710] - Speaker 2
So you dial them and then you get charged for it. Typically used for game shows like I'm going to vote for this person, it's my favorite. And they make. Money because you just paid them a dollar for that text message. The difference here is OTP cost or phone. SMS cost differs by country. So in the US. It's quite cheap, like a fraction of a penny. So this fraud doesn't happen in the US. Because they don't make enough money per SMS message. But in the UK, it's a few cents. In Indonesia, it's about thirty cents to send a text message to someone.

[00:51:56.170] - Speaker 1
In Indonesia, $0.30.

[00:51:57.690] - Speaker 2
Yeah. Vietnam is about $0.15. So if you're enrolling a phone number from Indonesia, it's going to cost you thirty cents. The fraudster will keep three to. What they do is they use a bot to automate your SMS text flow. And either, every time you create an account with them, you're sending a text message. They use a bot to mass create accounts and then they make $0.03 every time they create an account, which means it's costing you $0.30.

[00:52:22.820] - Speaker 1
That's a lot of as the merchant. Yeah, as the merchant.

[00:52:25.890] - Speaker 2
Really expensive. And then same goes for login, where they can basically change the phone number that you're sending the OTP to and continually trigger, oh, I forgot my password, I forgot my password, I forgot my password. And we work with merchants where they're losing hundreds of thousands a week to this type of abuse. And these are big merchants that you're all familiar with, that huge losses. We have some customers where it's millions a month and it happens overnight. It's not something where it's like the bill goes incrementally up. It's just like once the attackers figure out you've got a vulnerability here, they completely hammer you.

[00:53:04.750] - Speaker 1
Hammer it, yeah.

[00:53:07.450] - Speaker 2
And again, you can identify this one pretty easily. So what you want to look for is, and this is the weird thing, most fraud teams don't look at the SMS bill. That's like the finance team's job. But now it's a fraud team problem. So I think we're going to start seeing more fraud teams getting looped into, hey, we're seeing fraud on our SMS bill. What the hell is that? But the countries you want to look for are primarily in Europe. I can mention a couple of them. Basically, if your baseline bill changes dramatically, but your user registration or your good traffic isn't changing in these countries, you know you've got a problem. So a couple of the big ones are, and they're all countries you're not typically probably selling to. So, like, I mentioned Philippines, Vietnam, Malaysia, Indonesia, sri Lanka, Bangladesh, Russia, nigeria. We can actually put the list maybe as part of Kenya and even the UK. Because again, in the UK, it costs several cents to send a text message. The problem with that is you can't really block these. Maybe some merchants are okay blocking some of these regions, but you're not going to block the UK.

[00:54:21.370] - Speaker 2
You still going to want people. Maybe Jordan will block the UK, but probably not. So again, you need to go back to what are the techniques to stop adversaries using automation on top of the MFA? So it's not just you can't just use MFA to stop cred stuffing because you're going to get hammered with this fraud instead. So you need to still use antibot techniques in front of your MFA now to stop this type of fraud from happening. It doesn't end.

[00:54:51.230] - Speaker 1
For two years, I've been up on all those stages, just ranting like a crazy person about you're losing more money on abuse attacks than you ever are on fraud. Like, you worry about your two basis points on your fraud losses. Meanwhile, someone's ripping you for $30 million on SMS fraud for us. People try and create fake accounts and they hit us with bots on upvoting reviews. We got privy to that, but even that, nobody's immune to these things. We were aware it was happening, but we needed to throw technology at it. And that takes a little while to throw the technology at it.

[00:55:25.400] - Speaker 2
Yeah, they do require technology solutions. And again, it's hard to keep this stuff in house. You can, you can play whacka mole if you've got the resource. You're going to need quite a lot of people. You're going to need engineers, which are really hard to get. As we all know, engineering resources are probably the hardest to get because they're all being used to grow the business. Right? Not protect the business. That's just the reality.

[00:55:44.180] - Speaker 1
Yeah, the growth. Like what they have when they put up their little project sheets. The ones that have the biggest dollars attached to it are the ones that go first. And I'm sorry, what's something that's worth $15? Even if it's a $5 million problem, the $15 million profit, one's going to go first. But at the end of the day, I feel like so much the knee jerk response to these things is like, just turn it off. Just stop it. That's always the first thing when it could be something that's useful or something that's liked when you really need to just solve the problem instead of just breaking it to make it go away. Does that make sense?

[00:56:17.350] - Speaker 2
Yes. You can't really turn off MFA so easily. That's a tricky one. You'll have problems if you do that. So, yeah, they're definitely all about boxing in. Again, it's good job security. We're not going anywhere. Security teams are pretty important. Security and fraud is a critical component. Well, justifies the cost of those orgs. So that's toll fraud. And then the last one I wanted to talk about is this new technique called actually, Microsoft released a blog yesterday. They call it adversary in the middle. We've been calling it man in the middle. Reverse proxy. I guess they came up with a new term because why not? So either it's adversary in the middle or man in the middle. But it's a new type of reverse proxy technique. So basically what the fraudster does is they set up a phishing site that looks like your site. They send out a bunch of emails claiming to be you. Your customers click the links, they go to the fake site and they input their username and password because unfortunately, that's what happens. This particular technique is focused on accounts that are protected by multifactor. So typically with multifactor, if you have username password, that's not enough to get into the account.

[00:57:22.580] - Speaker 2
So that's good. That's why we use multifactor. This new technique, when they put in the username and password, what it does is in real time, it sends those credentials to you as the merchant's real authentication server, right? So they've sent up the real username password to your real server from their fake site. And that makes your real server say, okay, you've got the correct username and password, now give me the multifactor. So I'll trigger OTP back to the user's real phone. So now your customer who's at the phishing site just got a text message from you or an OTP pin or a push notification or whatever, asking you to confirm that this is you, and type in this code to verify that you're trying to log in. And what the phishing site does is it updates the UI to say, now please input your authentication code, and then you type in your authentication code into the phishing site. And then it sends that again to your real merchant back end authentication server, which says, yes, you've given me the real authentication code. Here's the login cookie. Go about your business. And then the attacker just stores the login cookie.

[00:58:26.380] - Speaker 2
And now they can access your account anytime they want. They've got a validated cookie.

[00:58:30.300] - Speaker 1
That'd work even for Google Authenticator too, wouldn't it?

[00:58:32.690] - Speaker 2
It works for everything. Yeah, it's super scary. And there's tools that you can get the SAS cybercrime as a service tools. There's one called Evil Proxy, which will perfectly clone your website, perfectly clone the Google authentication flow, perfectly clone the Facebook flow. It looks like it's the legit thing, but it also works for push notifications. It works for, as you say, the OTP from a Google auth. It works for SMS, it works for everything. So this is the new phishing technique which can be infinitely scaled. There is no human involvement for the fraudster. It's just I'm setting up a website and I'm mass collecting login cookies. All these accounts are protected by multifactor and I'm still getting in them. Some companies we work with will require multifactor, not just on login, but also on changing account details or something like a high value item or whatever it may be, like a fintech might do on a transfer. You need to also do a multi factor. So what the phishing site does, it's pretty funny actually, is obviously when you give them the MFA, you've given the correct one and they've logged in as you, but they'll say, oh wait, we're having some Internet difficulties.

[00:59:43.310] - Speaker 2
Just wait a moment. And they'll do like a spinning wheel and then they'll say, oh we're sending you a new pin. Type that one in. When in reality what they've done is they've gone to the high value thing that triggers the second OTP. And now that's getting sent to the real customer and then they're putting it in again.

[00:59:56.590] - Speaker 1
And you could disable or you could change the device that the MFA is on by doing that, couldn't you?

[01:00:03.220] - Speaker 2
You can do everything. It's very creative. So this is where you need to do things. And you might think, well I can have a continuous authentication. Well the IP address that logged in is the IP address that's being used because they're proxying everything. So this is where things start getting quite complicated. So this is where you need to work with your authentication provider because it's really hard to protect against these kind of attacks. Again, you're basically saying hey, it's on the customer to figure it out. That's not quite true. There is technology that can solve this. There are a number of techniques. We're launching a product around this phishing technique. We actually have about six or seven customers using it today. Some really big merchants that are using our technology to stop this. But it's a really sophisticated and we've only seen it at the high end of town. But this is coming for the masses soon. Everyone should be very mindful that if you've got MFA, that's great as a great baseline. But that ain't enough anymore. You need to start thinking about how do I now protect my MFA itself? Like MFA is just not the silver bullet.

[01:01:06.280] - Speaker 1
That's crazy what it was. I'm starting to sweat over here right now. I'm not going to lie. I got MFA on a lot of things. And my Google authenticator, I got a scroll on these days.

[01:01:18.390] - Speaker 2
This is just the arms race, right? As we build technology to combat them, they build technology to combat those tools and it will continue forever. This is not stopping. Which is why again you need to focus on as long as they're not making you're winning long term, but just using tech to stop a single kind of point of failure. You need to have a bigger strategy, a more broader strategy than that. But yeah, these are the joys of what we get to kind of figure out. This is the puzzles of being in the security space, which again is a bit different to fraud.

[01:01:48.090] - Speaker 1
It is.

[01:01:48.870] - Speaker 2
Stopping the money movement is the ultimate goal of a product like Ircoast. But we don't do that. We sit top a funnel and we try and make it as expensive as possible. And if we can't stop them at login, we give all of our data to the merchant so they have a chance to stop them before they commit the fraud. But yeah, it's a team effort and it's hard. It's grueling work. There's a lot to do.

[01:02:09.390] - Speaker 1
It's weird because like you said, it's different than fraud. But at the same time, the solutions, they're not similar technologies, but they're similar approaches where you have to have different things at different touch points on the site. That's just how it is, and it's going to go. And I'm sorry, folks, for my fraud listeners at that number. Listen, we've been talking about how you interface with your security team. It's time to get cozy. It's time to maybe even sit in the same room and really start talking about it.

[01:02:38.530] - Speaker 2
Yeah, we find most don't, so most fraud teams don't really talk that closely. And it's a true shame because the security folks have top of funnel data, really good data upstream, and they typically don't really share it with each other. You can fine tune the security systems because you say, hey, these are the ones that got in. Could you like, next time try and find things similar for doing it again? So that's great. And then the reverse is true. Any data they had, make sure that's passed down to your payment tool or whatever you're using. So in there you can write rules based on that kind of data as well. So it's a really important partnership between security maybe identity as a team in there as well. And then the fraud team, all three of those super important pillars to protecting a company.

[01:03:22.320] - Speaker 1
I think for so many years, the fraud team has just been like, security team light. And then you have the real technical folks that come in. But at Iherb here, we've been really good since I started. I say all the time, every other Thursday, I meet with that team, but we have a channel on our Gchat that we are constantly sharing. Here's some IPS, here's some accounts both ways. They say, hey, we just got 10,000 hits on the logs from this. Can you guys see anything? And then we go take a look. And the same thing is like, we just saw these 15 accounts that eight people called customer service, and they reached out to us. Can you take a look and see if there's something going on? It's a constant back and forth all day, every day. And I think the dialogue, like the communication that you need to have in your company. You're not sitting on fraud island anymore, folks. You're a larger player in your organization, so it's time to act like it.

[01:04:14.450] - Speaker 2
Yeah. And all these things, again, we don't want to sound too overwhelming. Like, this is sadly kind of the state of things, so this is all coming. But it's good to be aware of it and it's good to start thinking about what do we do about it. Either we strategize internally, build things internally, we find partners that can help us keep abreast and keep ahead of things. Obviously, at Arkose, this is what we do every day. This is just what we do. This is what we live this is what we live for. And we love it. It's kind of weird because people hate getting attacked, but we're like, bring it on. We love it.

[01:04:44.890] - Speaker 1
Every time we're attacked, bring on the challenge.

[01:04:47.090] - Speaker 2
What are they doing? We reverse engineer attacks. Every day as we speak, we're being attacked on some customer. I can see in slack, people are talking about new techniques, and it's just a life. And that's, again, you talk about fighting fraud, like this is the end game, is stop them from making money. So it all ends there, whether we stop it with bots or whatever, but end of the day is that stop them from making money.

[01:05:12.130] - Speaker 1
Well, thank you very much for coming on, everybody. I encourage you, I'm going to put all the Arkose information in the description, like I always do and in the post that I put up about this. But I encourage you, really, maybe if anything has sparked any interest, if it's happening, maybe talk to your security team about some of the things that we talked about here today. And I really encourage you guys to reach out and see a demo of the Arkose tool. It's really cool. I really think that just spending the time and looking at it and sharing it with your security teams, it might prompt some sort of something in your mind and you might discover something. So I really encourage it. Kevin, please send me all the information who you want me to have them all call.

[01:05:55.330] - Speaker 2
We're more than happy. Again, I appreciate the opportunity to come on and talk about this stuff. We love it. It scares people sometimes when we share what's coming. But again, it's important to be aware of what's coming down the line so you can figure out how to best prepare for it.

[01:06:10.520] - Speaker 1
Yeah, you need to be aware so you can spot it and you know what to do and you know who to call. So, again, thank you for lending me your time. I know you're a busy man. You got a company to run over here, and you got all these attacks that you're finding. But thank you for coming on here. I really appreciate it. Yeah. Any final thoughts?

[01:06:26.160] - Speaker 2
No, I think that's it. And again, just remember how important what we're doing is in this space. It's not just the day job of stopping fraud. It's ultimately changing people's lives. It may not sound like that, you may not pause to think, but it has a very positive impact on the world if we can divert people away from doing crime. So I think that's always worth keeping in the back of your mind as you work in this space.

[01:06:48.690] - Speaker 1
I love that. I love that. Well, I will be seeing you next month at RSA, so we'll have to get a drink.

[01:06:55.610] - Speaker 2
Sounds like a plan.

Recommended Resources

SMS Toll Fraud (IRSF) ROI Calculator

Calculator

Understanding the Latest Cybercrime Threats: A Conversation with Fraud Boxer and Arkose Labs

Phishing

Trusted by Global Brands

With 20% of customers being Fortune 500 companies, Arkose Labs protects the world’s leading enterprises in major industries such as financial services, e-commerce, travel, technology, and telecommunications.