Case Study, Video

How Snapchat Replaced a Leading Bot Mitigation Solution to Dramatically Reduce Fake Accounts on the Web


Transcript:

[00:00:35.250] - Speaker 1
Hi, and welcome to the show. I'm your host, Richard Dufty, chief revenue and commercial officer here at Arkose Labs. I'm really excited about today's show. I've been looking forward to recording this for quite some time with a special guest. Joining me today is Nick Reaver, who is part of the team at Snap or Snapchat. Nick has helped build technology with some of the world's best known brands. You may have heard firms such as Wrigley, Mars, PwC, most recently SpaceX, and now over at Snap, Nick also advises various technology startups and sits on several advisory boards. So with that, welcome, Nick, and thanks for joining me on what I'm feeling is a very cold Southern Californian day as we lead up to the holidays here.

[00:01:23.050] - Speaker 2
Absolutely, Richard. Thanks. Such a pleasure to be here. Coming to you live from Santa Monica, 50 degrees in Santa Monica is an unseasonable number, but I'm really happy to be here with you this evening.

[00:01:35.470] - Speaker 1
Well, I would normally be in the Australian summer where that would feel maybe a little bit hot, but it's the wrong version. But that's Fahrenheit for anyone listening around the world. A little bit colder here, 1 hour further down the coast. But look, I mean, everyone's heard of all of those companies, Nick, but Snapchat, obviously. I think, as you know, I was introduced to Snapchat quite some time ago, but now, thanks to you and Snap, I'm now a proud user as well. But, man, thanks for joining me today as I kind of was prepping for this, and it reminded me of how much you've done and the journey you've been on. It's been an incredible journey. So, first of all, kudos, man, congratulations. I know for you it is a journey and it's something that you're proud of. And I was reading here on LinkedIn your public profile describing you as "fighting abuse at scale. I'm a tinkerer and builder that loves growing and leading security engineering teams for the world's most ambitious engineering organizations," and I thought that was just a phenomenal summary. I love the fighting abuse at scale, the tinkering, the builder.

[00:02:46.540] - Speaker 1
People always want to start learning and hearing a little bit more about our guests. What does that mean to you? I'm sure I would love to understand how you even got into this world of cybersecurity and engineering.

[00:03:00.090] - Speaker 2
Thank you so much, Richard, for sharing a little bit of my background. In fact, I've been in this industry for about 15 years now. I guess started at a really early age, actually. Back in high school, we used to have the Internet, and back at home, we also had the Internet. But the Internet at home was very slow. And the Internet in high school some 20 years ago, I'm aging myself, was a lot faster. But the Internet at school was filtered. We had a web proxy, and 15-year-old Nick Reeva figured out that you could change the host file on the Windows computers that we were using to bypass the proxy and get to the free Internet so Nick can use Napster and Kazaa, download music. And I did at school, because the school's Internet was 1.54 megabits per second, and at home, it was 56K. That's a lot slower.

[00:03:50.350] - Speaker 1
That's a big difference. All right.

[00:03:52.890] - Speaker 2
That's how I realized my calling. And that led me to get into security engineering at an early age. And then by about the age of 17, 18, I was working professionally in the industry at a local Catholic hospital. That was my first actual pay job. And then around 21, I moved to Chicago, started working with some of the confectionery brands that you've talked about that we've all enjoyed and bought in some products from. A little bit later, I realized I really want to be out west, where all the magic happens in the tech world. And my wife and I moved to Santa Monica about ten years ago. I had an opportunity to join SpaceX and be part of that journey. Was there when SpaceX landed the first Falcon. First stage. First stage is the lower part of the rocket that in the past, would just fall into the ocean and then to never be used again. And that $60 million just wasted. SpaceX figured out a way to land them elegantly on the water and on the land. And I was part of the security engineering team that protected that environment, the mission environment. That's something I'm incredibly proud of through having spent three years there.

[00:04:57.070] - Speaker 2
And then 2016, 2017, the little known company called Snapchat was coming on the scene, and I figured, it's time to join the Internet revolution and bring my passion and skill to a much larger user base where I could affect the security of millions of people instead of a couple dozen rockets a year. And that's really what brought me to Snap. And I've been at Snap for about five and a half years now in various engineering security roles. Most recently had opportunity to work with Richard on bringing Arkose into Snapchat. So I'd be happy to share more about some of that.

[00:05:30.170] - Speaker 1
Well, great. Now, I appreciate that background, Nick, and we'll touch on those topics and more, I know, from getting to know you, Nick. It is about the journey, and we work with a lot of different companies and prospects out there, and a lot of the time when we meet folks, it's very much trying to solve a tactical problem. But every time we met with you very early on, it was really clear that you and the team at Snap were connecting more than just a tactical problem that you were really trying to solve for the end user in mind, and a lot of the kind of competing priorities for end users and the stakeholders, including your customers as well. Can you touch on that for us?

[00:06:17.450] - Speaker 2
Yeah, absolutely. Snap is a very empathetic and kind company. Our core company values are kind, creative, and smart. And that really extends beyond the glossy wall that those words are written on, but that actually extends into how we operate the company. We have some of the largest demographic of younger users on the public Internet right now. Snapchat reaches more than 75% of 13 to 34 year olds in over 20 countries. And we think it's our responsibility to be allies to our user base, to really protect them on the Internet and to really create a thoughtful experience where they don't feel bothered by bad actors and the threats that are present on the large Internet. And we do that by being very thoughtful and very intentional. So when we started working on the evaluation with Arkose, we took our time, actually. We had a very lengthy POV because we knew what we were looking for. We were looking to prove value in the detection of critical and high risk and also the reduction in the number of fake accounts that are created and subsequently locked. And we're actually able to achieve both of those. And we can talk a little bit more about that.

[00:07:25.950] - Speaker 2
But our company ethos is put ourselves in the shoes of the user and be focal to the user experience, our Snapchatters, as we call them internally. And I think to do that the best way, we need to be very methodical about what good looks like and knowing how to measure it from an engineering perspective. So we don't reason by whims or guts. We reason through the data. And through our POV, we're able to reason about the effectiveness of Arkose being far more effective, and hence, we move forward with the implementation.

[00:08:01.130] - Speaker 1
And even before you obviously started chatting with Arkose, what were you trying to solve for that wasn't being solved for?

[00:08:10.750] - Speaker 2
Yeah, initially, our big focus was reducing bad actor account creation on the Web. So Snapchat is an app experience primarily. However, we do have a Web portal where users can log in to download their data for GDPR, where folks unlock their accounts if they've been locked. If they're good actors. It's the same place bad actors attempt to log in to unlock their account if they're bad actors. It's also the place where a lot of our revenue happens, where our customers are logging into our Ads portal and creating Ads. And really, our whole revenue funnel runs through our Web experience. And what we noticed was we had a much more difficult time detecting and preventing the creation of bad accounts and account takeover on the Web than on the app. The app has been a hardened surface. We put a lot of effort into it. And so we thought there could be a better way. We actually evaluated building. We evaluated hCaptcha, which is an open source product, and we evaluated Arkose as a high bar engineering company. We built a lot of defenses in house. We did evaluate building a product like Arkose, but we thought the level of effort it would take and the operational burdens that it would create for our team to monitor and observe traffic and tune rules.

[00:09:28.370] - Speaker 2
And once we got to know the Arkose team, especially the security operations org, they're phenomenal. These are some of the best people that I've interacted with in my career. I've been doing this for a couple of years, so I've seen many versions of vendor relationships, particularly the security operations team at Arkose. They're most impressive to me and to our team. And that was really part of our decision making process to move forward.

[00:09:51.870] - Speaker 1
That's great, Nick. Definitely appreciate that. I think when you touched on very metric driven, are there any specific metrics you're able to talk to or at a high level in kind of before and after state?

[00:10:05.890] - Speaker 2
Yeah, during the POV, we actually designed a very interesting POV, an A/B test. Arkose Labs was able to detect more critical risk login attempts on the Web by allowing us to outright block them. That's for critical risk. For high risk, we were challenging them. That was also a very large number, very compelling metric to us. And that's what we observed just from the three and a half week evaluation.

[00:10:34.410] - Speaker 1
What does that mean for Snapchat? Critical risk stopped then previously? Sometimes I hear folks say, okay, so what?

[00:10:44.300] - Speaker 2
Yeah, that's a great question, Richard. What it means is that the worst of the worst, the bad actors that we don't want logging in were stopped. These are folks who are creating campaigns on platform, who are creating salacious content. These are organized crime units. We don't want these on platform. They're not good users. They are terms of service violators. And it is my team's goal to find and suppress them. And with Arkose, we were able to find them, which is a really compelling metric. Yeah.

[00:11:18.990] - Speaker 1
And you touched on some of the adversaries. Snap is obviously a household brand name, global in nature, whatever the latest public stats are from a user count, but definitely over 300 million users. That makes you guys a high value target. Are you able to share how Arkose Labs was able to help Snap reduce your security costs by implementing Arkose?

[00:11:43.890] - Speaker 2
Yeah, absolutely. In fact, we are afforded a lot of flexibility with how we design for our authentication funnels because we build almost everything in house. Arkose is one of the only vendors that we work with, period, in this space. And because we build a lot in house, we're able to control the cost basis for how we build. Where Arkose was able to help us is as we reduced fake account sign in and sign up, basically registration and login, we reduced the volume of SMS messages sent for account verification and also account. So if an account is created and the phone number is used and an SMS is sent, we pay for that SMS. Sometimes bad actors use premium numbers that are really expensive, dozens of cents per SMS. We have ways of stopping those, for example. But more oftentimes, bad actors are coming from countries where they have very high SMS costs. Countries like Vietnam, countries like Iran, countries like Russia as a result of sanctions and other reasons, those countries are very expensive from SMS perspective. So if we can stop the bad going into the funnel and stop them from creating accounts, we don't need to send an SMS to verify those accounts.

[00:13:03.930] - Speaker 2
And so Arkose is our mechanism to stop that during the registration process. Similarly, for sign in, we can help reduce account takeover by detecting the bad actor attempts for password stuffing, where they're basically taking lists of credentials and attempting to sign into those lists of credentials, just hoping that one of them is an actual Snapchat valid account. We can challenge them and create sufficient friction where their automation is inefficient and they don't have the sophistication to solve complex puzzles, then strictly speaking, we are in a better place and that's what Arkose has provided us.

[00:13:41.990] - Speaker 1
That's great. Obviously, especially, I think, going in the world we're living in and going to 2023 with potential downturns, and I think more than potential downturns and recessionary markets, obviously cost savings is going to be critical. So being able to combine improving the security posture for your end users and for you as an organization, removing and heavily reducing those really undesirable bad actors, as you mentioned, but at the same time, being able to show a direct cost saving for the organization, it sounds like a triple threat. Sounds like a great outcome for you guys.

[00:14:19.730] - Speaker 2
It's a trifecta of good is what I call it.

[00:14:22.800] - Speaker 1
Trifecta of good.

[00:14:24.850] - Speaker 2
It's a trifecta of good, right?

[00:14:26.870] - Speaker 1
Trifecta of good, I love that. Hey, you touched on a couple of other things that I'd like to expand upon, the other kind of experience that you had with Arkose, especially with our security operations team that are spread all around the world now.

[00:14:39.600] - Speaker 2
Let's look at Arkose. Arkose, the metadata and richness of the response is just extremely useful. We're just scratching the surface for using Arkose. We've been with Arkose for about six, seven months now. And even in this time, we've created a lot of traction and excitement around the organization about how to use those 80 fields to risk score the attempt. Whatever it is, whether it's a sign in, a sign up, a communication channel change on platform, that's unprecedented depth, things like is it a VPN node, is it a Tor, is it a residential proxy, is it a high risk IP? Does it appear to be a tampered with user agent? These are all really useful attributes that, from an engineering perspective, you can start to risk score and then do what's called challenge orchestration, where we say, okay, if these N attributes are present with these values, we can treat that transaction, that session attempt in a different way. That's unparalleled. Now, that's just the first part. The second part of this is with Arkose, we have telltales. Telltales are risk signals that the Arkose SOC and the Snap Security engineering team can co-create and co-approve to profile the traffic and know this traffic coming from Nigeria with these user agents and this behavior, this is with high confidence that traffic we can profile that traffic, create a telltale, and then create an enforcement.

[00:16:05.660] - Speaker 2
And the enforcement can be a difficult puzzle to solve, that you can solve using simple automation and you advanced computer vision. And these bad actors are not that sophisticated. They don't have computer vision ML engineers. They're taking stuff off the Internet and trying to scrape it together and glue it together using Selenium. They can't do advanced things like this. And we could iterate with the Arkose team, we can directly see we've deployed a telltale, we've applied the pressure, we can see the direct results. We're in constant contact with a person from the security operations center assigned to us. And above all, these people really care. They're really interested in our success. I feel like it's just an extension of my team. I have an operational team. We don't really have an operational team of this type, but we have an operational team with Arkose that really cares and is paying attention to our...

[00:16:57.590] - Speaker 1
You know, we call that the Arkose Managed Security Services Team, our SOC. It sounds like you didn't have that level of engagement before. Can you share a bit more specifically about maybe walk listeners through your initial experience, how you're onboarded through the POV, through to in the early days, what an average day might look like engaging with that team?

[00:17:21.730] - Speaker 2
Yeah, it's complete night and day with what we had before with... well, I'll talk about the specific experience. So we were assigned an account management team to work with us on our specific needs. We were assigned a dedicated security analyst that understood our environment. We were also assigned a solution architect that focused on security to help us with the implementation, technical details around the various teams of Snap we need to work with. And more importantly, we have access to a 24x7 security operations center run by Arkose that are constantly paying attention to our traffic. Because Arkose is a younger and nimble company, we also had a lot of flexibility with how we wanted to implement the solution. So we had certain change management approval processes that we needed to enforce as a company to make sure that the telltales and security signals are correctly calibrated. Arkose is very willing to customize the playbook. I even was afforded the opportunity to co-write the playbook that Arkose uses within the SOC that the SOC director runs for our account. I directly just wrote into it what needed to happen, the way I see it, and most of it was accepted, most of it was operationalized, which is huge.

[00:18:34.450] - Speaker 2
This is so custom. You don't get this kind of interaction with a security vendor usually. And then on an ongoing basis, every single day, we have interactions with the team. The team is really interested in our account. There seems to be a high judgment bar that the team possesses to evaluate traffic pattern shifts. And when it's time to say, okay, Snap team, we see a traffic pattern shift here, we may want to introduce a new telltale to pressure this traffic. Our approval processes are followed, and even as an app that we bill ourselves as the fastest way to communicate. We've even worked with Arkose to substantially reduce latency, which is really important for us, and continue to reduce it and continue to interact with the...

[00:19:19.780] - Speaker 1
I mean, look, that's definitely something, you know, we pride ourselves on, is being agile and nimble, and we work really closely with several of our key customers. And Nick, thank you for investing a bunch of time in terms of giving us feedback, helping us be better. We're a very humble organization that wants to continue to work with our customers, and it's great to have folks like yourself and others on our customer advisory board to help us continue to build the product and the platform so that it's actually going to give folks like yourselves the best value in return. And that's how we moved from one single risk score to having over 80 attributes. We believe that a paradigm where a black box, it just doesn't work anymore. We want to give you the data so that even if maybe we don't stop a bad actor in a given flow, you can have that data and then be able to do something with that later on, which we think is incredibly important as well. So what's next for Snap? Obviously, bad actors are pivoting and changing every single day. It's something that we relish in the opportunity and stopping them and preventing them.

[00:20:28.960] - Speaker 1
But what about for Snap? What's next?

[00:20:31.790] - Speaker 2
Well, we've implemented Arkose on the web, and now we're evaluating, working through an A/B test for mobile. Again, the team has been exceptional to work with. When the latency question comes up, we ask ourselves, can we make the call to Arkose while the customer is going through the sign up screens, while the customer is going in, picking their username, putting in their birthday? Can we make the call in the background, evaluate it so when it comes time for the customer to put in their phone number, and if the customer is a good customer, we can allow the customer to go through. But if it's a bad intent, bad actor, we'll stop them from putting in the phone number, which would save us. We believe this is our hypothesis. We haven't fully vetted this yet, but we believe this can have a substantive SMS savings on that funnel if we can prevent the bad actor abusers from getting to the screen, where they input the phone number and just stopping them with a really difficult challenge that they can't solve or a very short session and where they just can't humanly solve it fast enough.

[00:21:33.870] - Speaker 2
That's really exciting to us. I think this is a big bet for us for this coming year. In these recessionary times, we have to really be thoughtful about cost. And it's my hypothesis that the organization can significantly reduce sign up, verification related SMS abuse by putting Arkose on that funnel for our flagship product, Snapchat, which is enjoyed by over 350,000,000 people in the world every single day.

[00:21:58.150] - Speaker 1
Yeah, look, we're very excited to do so. We love the challenge. I'll say you guys challenge us each and every single day, and we thrive in that. We appreciate it because the challenge comes with working with yourself and a team of domain experts that are really passionate about what you do and protecting the end user. But I think it's in the way that you and the team at Snap do it that make it a joy to work with. And we're fortunate to work with many great companies. But Sparky from Adobe, on one of the previous podcasts said something very similar to what you just said. It's about partnerships, and it's about having trusted partnerships that you continue to validate and push. And as you said, we're going to continue to always be striving to improve. But it's working together to do that. And I think in these difficult times, having very open and transparent partnerships are going to be the key to success between third parties.

[00:22:54.150] - Speaker 2
Absolutely. No doubt. Richard, I've worked with probably 30 vendors in the security space in my career, outspanning all aspects of security engineering as I've had a chance to work in the majority of the disciplines. I'll say, hands down, this has been the best partnership that I've been afforded the privilege of having to work with your team. And that says a lot, because it's been a lot of other ones that weren't so great.

[00:23:20.830] - Speaker 1
Well, I know on behalf of the entire team that works tirelessly around the know, Rob and all the security analysts that you referred to, everyone's very passionate about protecting Snap. I read a piece from your bio earlier I want to wrap up with this piece. It's a quote that I'm going to use. It could be a company quote, and I think this sums you up, Nick, to a T, and why it's been such a pleasure to work with you. Nick says, "I wake up in the morning and go to work to make the secure path, the fluid path for our stakeholders and customers with humility, empathy, kindness, and compassion. I focus on being a value creator versus a value extractor. A life and career well lived is one that leaves a legacy." I couldn't have put it better myself. Nick, thank you for spending the time with us. Thanks for being a great partner and best of luck with everything at Snap. Thanks for joining.

[00:24:14.440] - Speaker 2
Thank you so much, Richard. My pleasure.

Snapchat detects high-risk logins, reduces fake accounts, and drives down SMS Toll Fraud charges while maximizing its return on investment with Arkose Labs

When Snapchat was looking for a new approach to bot management and account security, it turned to Arkose Labs to help protect its more than 300 million users from bad actors. Since starting, Arkose Labs has made a major impact compared to other vendors. It has been able to detect more critical risk log-in attempts on the web by allowing Snapchat to outright block them.

Watch this video case study to learn the details behind Snapchat's approach to stopping bad actors' fake account creation on the web and reducing SMS-related abuse for fake account verification.

How Snapchat Replaced a Leading Bot Mitigation Solution to Dramatically Reduce Fake Accounts on the Web

Transcript:

[00:00:35.250] - Speaker 1
Hi, and welcome to the show. I'm your host, Richard Dufty, chief revenue and commercial officer here at Arkose Labs. I'm really excited about today's show. I've been looking forward to recording this for quite some time with a special guest. Joining me today is Nick Reaver, who is part of the team at Snap or Snapchat. Nick has helped build technology with some of the world's best known brands. You may have heard firms such as Wrigley, Mars, PwC, most recently SpaceX, and now over at Snap, Nick also advises various technology startups and sits on several advisory boards. So with that, welcome, Nick, and thanks for joining me on what I'm feeling is a very cold Southern Californian day as we lead up to the holidays here.

[00:01:23.050] - Speaker 2
Absolutely. Richard. Thanks. Such a pleasure to be here. Coming to you live from Santa Monica, 50 degrees in Santa Monica is an unseasonable numbers, but I'm really happy to be here with you this evening.

[00:01:35.470] - Speaker 1
Well, I would normally be in the Australian summer where that would feel maybe a little bit hot, but it's the wrong version. But that's fahrenheit for anyone listening around the world. A little bit colder here, 1 hour further down the coast. But look, I mean, everyone's heard of all of those companies, Nick, but Snapchat, obviously. I think, as you know, I was introduced to Snapchat quite some time ago, but now, thanks to you and Snap, I'm now a proud user as well. But, man, thanks for joining me today as I kind of was prepping for this, and it reminded me of how much you've done and the journey you've been on. It's been an incredible journey. So, first of all, kudos, man, congratulations. I know for you it is a journey and it's something that you're proud of. And I was reading here on LinkedIn your public profile describing you as fighting abuse at scale. I'm a tinkerer and builder that loves growing and leading security engineering teams for the world's most ambitious engineering organizations, and I thought that was just a phenomenal summary. I love the fighting abuse at scale, the tinkering, the builder.

[00:02:46.540] - Speaker 1
People always want to start learning and hearing a little bit more about our guests. What does that mean to you? I'm sure I would love to understand how you even got into this world of cybersecurity and engineering.

[00:03:00.090] - Speaker 2
Thank you so much, Richard, for sharing a little bit of my background. In fact, I've been in this industry for about 15 years now. I guess started at a really early age, actually. Back in high school, we used to have the Internet, and back at home, we also had the Internet. But the Internet at home was very slow. And the Internet in high school some 20 years ago I'm aging myself was a lot faster. But the Internet school was filtered. We had a web proxy, and 15 year old Nick Reeva figured out that you could change the host file on the windows computers that we were using to bypass the proxy and get to the free Internet so Nick can use Napster and Kazado, download music. And I did at school, because the school's Internet was 1.54 megabits per second, and at home, it was 56K. That's a lot slower.

[00:03:50.350] - Speaker 1
That's a big difference. All right.

[00:03:52.890] - Speaker 2
That's how I realized my calling. And that led me to get into security engineering at an early age. And then by about the age of 1718, I was working professionally in the industry at a local Catholic hospital. That was my first actual pay job. And then around 21, I moved to Chicago, started working with some of the confectionery brands that you've talked about that we've all enjoyed and bought in some products from. A little bit later, I realized I really want to be out west, where all the magic happens in the tech world. And my wife and I moved to Santa Monica about ten years ago. I had an opportunity to join SpaceX and be part of that journey. Was there when SpaceX landed the first Falcon. First stage. First stage is the lower part of the rocket that in the past, would just fall into the ocean and then to never be used again. And that $60 million just wasted. SpaceX figured out a way to land them elegantly on the water and on the land. And I was part of the security engineering team that protected that environment, the mission environment. That's something I'm incredibly proud of through having spent three years there.

[00:04:57.070] - Speaker 2
And then 2016, 2017, the little known company called Snapchat was coming on the scene, and I figured, it's time to join the Internet revolution and bring my passion and skill to a much larger user base where I could affect the security of millions of people instead of a couple dozen rockets a year. And that's really what brought me to Snap. And I've been at Snap for about five and a half years now in various engineering security roles. Most recently had opportunity to work with Richard on bringing Arkoses into Snapchat. So I'd be happy to share more about some of that.

[00:05:30.170] - Speaker 1
Well, great. Now, I appreciate that background, Nick, and we'll touch on those topics and more, I know, from getting to know you, Nick. It is about the journey, and we work with a lot of different companies and prospects out there, and a lot of the time when we meet folks, it's very much trying to solve a tactical problem. But every time we met with you very early on, it was really clear that you and the team at Snap were connecting more than just a tactical problem that you were really trying to solve for the end user in mind, and a lot of the kind of competing priorities for end users and the stakeholders, including your customers as well. Can you touch on that for us?

[00:06:17.450] - Speaker 2
Yeah, absolutely. Snap is a very empathetic and kind company. Our core company values are kind, creative, and smart. And that really extends beyond the glossy wall that those words are written on, but that actually extends into how we operate the company. We have some of the largest demographic of younger users on the public Internet right now. Snapchat reaches more than 75% of 13 to 34 year olds in over 20 countries. And we think it's our responsibility to be allies to our user base, to really protect them on Internet and to really create a thoughtful experience where they don't feel bothered by bad actors and the threats that are present on the large Internet. And we do that by being very thoughtful and very intentional. So when we started working on the evaluation with Arkoses, we took our time, actually. We had a very lengthy POV because we knew what we were looking for. We were looking to prove value in the detection of critical and high risk and also the reduction in the number of fake accounts that are created and subsequently locked. And we're actually able to achieve both of those. And we can talk a little bit more about that.

[00:07:25.950] - Speaker 2
But our company ethos is put ourselves in the shoes of the user and be focal to the user experience, our Snapchatters, as we call them internally. And I think to do that the best way, we need to be very methodical about what good looks like and knowing how to measure it from an engineering perspective. So we don't reason by whims or guts. We reason through the data. And through our POV, we're able to reason about the effectiveness of Arkose being far more effective, and hence, we move forward with the implementation.

[00:08:01.130] - Speaker 1
And even before you obviously started chatting with Arkose, what were you trying to solve for that wasn't being solved for?

[00:08:10.750] - Speaker 2
Yeah, initially, our big focus was reducing bad actor account creation on the Web. So Snapchat is an app experience primarily. However, we do have a Web portal where users can log in to download their data for GDPR, where folks unlock their accounts if they've been locked, if they're good actors. It's the same place bad actors attempt to log in to unlock their account if they're bad actors. It's also the place where a lot of our revenue happens, where our customers are logging into our Ads portal and creating Ads. And really, our whole revenue funnel runs through our Web experience. And what we noticed was we had a much more difficult time detecting and preventing the creation of bad accounts and account takeover on the Web than on the app. The app has been a hardened surface. We put a lot of effort into it. And so we thought there could be a better way. We actually evaluated building. We evaluated hCaptcha, which is an open source product, and we evaluated Arkose. As a high bar engineering company, we built a lot of defenses in house. We did evaluate building a product like Arkose, but we thought the level of effort it would take and the operational burdens that it would create for our team to monitor and observe traffic and tune rules.

[00:09:28.370] - Speaker 2
And once we got to know the Arkose team, especially the security operations org, they're phenomenal. These are some of the best people that I've interacted with in my career. I've been doing this for a couple of years, so I've seen many versions of vendor relationships, particularly the security operations team at Arkose. They're most impressive to me and to our team. And that was really part of our decision making process to move forward.

[00:09:51.870] - Speaker 1
That's great, Nick. Definitely appreciate that. I think when you touched on very metric driven, are there any specific metrics you're able to talk to or at a high level in kind of before and after state?

[00:10:05.890] - Speaker 2
Yeah, during the POV, we actually designed a very interesting POV, an A/B test. Arkose Labs was able to detect more critical risk login attempts on the Web by allowing us to outright block them. That's for critical risk. For high risk, we were challenging them. That was also a very large number, very compelling metric to us. And that's what we observed just from the three and a half week evaluation.

[00:10:34.410] - Speaker 1
What does that mean for Snapchat? Critical risk stopped then previously? Sometimes I hear folks say, okay, so what?

[00:10:44.300] - Speaker 2
Yeah, that's a great question, Richard. What it means is that the worst of the worst, the bad actors that we don't want logging in were stopped. These are folks who are creating campaigns on platform, who are creating salacious content. These are organized crime units. We don't want these on platform. They're not good users. They are terms of service violators. And it is my team's goal to find and suppress them. And with Arkose, we were able to find them, which is a really compelling metric. Yeah.

[00:11:18.990] - Speaker 1
And you touched on some of the adversaries. Snap is obviously a household brand name, global in nature, whatever the latest public stats are from a user count, but definitely over 300 million users. That makes you guys a high value target. Are you able to share how Arkose Labs was able to help Snap reduce your security costs by implementing Arkose?

[00:11:43.890] - Speaker 2
Yeah, absolutely. In fact, we are afforded a lot of flexibility with how we design for our authentication funnels because we build almost everything in house. Arkose is one of the only vendors that we work with, period, in this space. And because we build a lot in house, we're able to control the cost basis for how we build. Where Arkose was able to help us is as we reduced fake account sign in and sign up, basically registration and login, we reduced the volume of SMS messages sent for account verification and also account. So if an account is created and the phone number is used and an SMS is sent, we pay for that SMS. Sometimes bad actors use premium numbers that are really expensive, dozens of cents per SMS. We have ways of stopping those, for example. But more oftentimes, bad actors are coming from countries where they have very high SMS costs. Countries like Vietnam, countries like Iran, countries like Russia as a result of sanctions and other reasons, those countries are very expensive from SMS perspective. So if we can stop the bad going into the funnel and stop them from creating accounts, we don't need to send an SMS to verify those accounts.

[00:13:03.930] - Speaker 2
And so Arkose is our mechanism to stop that during the registration process. Similarly, for sign in, we can help reduce account takeover by detecting the bad actor attempts for password stuffing, where they're basically taking lists of credentials and attempting to sign into those lists of credentials, just hoping that one of them is an actual Snapchat valid account. We can challenge them and create sufficient friction where their automation is inefficient and they don't have the sophistication to solve complex puzzles, then strictly speaking, we are in a better place and that's what Arkose has provided us.

[00:13:41.990] - Speaker 1
That's great. Obviously, especially, I think, going in the world we're living in and going to 2023 with potential downturns, and I think more than potential downturns and recessionary markets, obviously cost savings is going to be critical. So being able to combine improving the security posture for your end users and for you as an organization, removing and heavily reducing those really undesirable bad actors, as you mentioned, but at the same time, being able to show a direct cost saving for the organization, it sounds like a triple threat. Sounds like a great outcome for you guys.

[00:14:19.730] - Speaker 2
It's a trifecta of good is what I call it.

[00:14:22.800] - Speaker 1
Trifecta of good.

[00:14:24.850] - Speaker 2
It's a trifecta of good, right?

[00:14:26.870] - Speaker 1
Trifecta of good, I love that. Hey, you touched on a couple of other things that I'd like to expand upon, the other kind of experience that you had with Arkose, especially with our security operations team that are spread all around the world now.

[00:14:39.600] - Speaker 2
Let's look at Arkose. Arkose, the metadata and richness of the response is just extremely useful. We're just scratching the surface for using Arkose. We've been with Arkose for about six, seven months now. And even in this time, we've created a lot of traction and excitement around the organization about how to use those 80 fields to risk score the attempt. Whatever it is, whether it's a sign in, a sign up, a communication channel change on platform, that's unprecedented depth, things like is it a VPN node, is it a Tor, is it a residential proxy, is it a high risk IP? Does it appear to be a tampered with user agent? These are all really useful attributes that, from an engineering perspective, you can start to risk score and then do what's called challenge orchestration, where we say, okay, if these N attributes are present with these values, we can treat that transaction, that session attempt in a different way. That's unparalleled. Now, that's just the first part. The second part of this is with Arkose, we have telltales. Telltales are risk signals that the Arkose SOC and the Snap Security engineering team can co-create and co-approve to profile the traffic and know this traffic coming from Nigeria with these user agents and this behavior, this is with high confidence that traffic we can profile that traffic, create a telltale, and then create an enforcement.

[00:16:05.660] - Speaker 2
And the enforcement can be a difficult puzzle to solve, that you can solve using simple automation and you advanced computer vision. And these bad actors are not that sophisticated. They don't have computer vision ML engineers. They're taking stuff off the Internet and trying to scrape it together and glue it together using Selenium. They can't do advanced things like this. And we could iterate with the Arkose team, we can directly see we've deployed a telltale, we've applied the pressure, we can see the direct results. We're in constant contact with a person from the security operations center assigned to us. And above all, these people really care. They're really interested in our success. I feel like it's just an extension of my team. I have an operational team. We don't really have an operational team of this type, but we have an operational team with Arkose that really cares and is paying attention to our

[00:16:57.590] - Speaker 1
You know, we call that the Arkose Managed Security Services Team, our SOC. It sounds like you didn't have that level of engagement before. Can you share a bit more specifically about maybe walk listeners through your initial experience, how you're onboarded through the POV, through to in the early days, what an average day might look like engaging with that team?

[00:17:21.730] - Speaker 2
Yeah, it's complete night and day with what we had before with well, I'll talk about the specific experience. So we were assigned an account management team to work with us on our specific needs. We were assigned a dedicated security analyst that understood our environment. We were also assigned a solution architect that focused on security to help us with the implementation, technical details around the various teams of Snap we need to work with. And more importantly, we have access to a 24x7 security operations center run by Arkose that are constantly paying attention to our traffic. Because Arkose is a younger and nimble company, we also had a lot of flexibility with how we wanted to implement the solution. So we had certain change management approval processes that we needed to enforce as a company to make sure that the telltales and security signals are correctly calibrated. Arkose is very willing to customize the playbook. I even was afforded the opportunity to co-write the playbook that Arkose uses within the SOC that the SOC director runs for our account. I directly just wrote into it what needed to happen, the way I see it, and most of it was accepted, most of it was operationalized, which is huge.

[00:18:34.450] - Speaker 2
This is so custom. You don't get this kind of interaction with a security vendor usually. And then on an ongoing basis, every single day, we have interactions with the team. The team is really interested in our account. There seems to be a high judgment bar that the team possesses to evaluate traffic pattern shifts. And when it's time to say, okay, Snap team, we see a traffic pattern shift here, we may want to introduce a new telltale to pressure this traffic. Our approval processes are followed, and even as an app that we bill ourselves as the fastest way to communicate. We've even worked with Arkose to substantially reduce latency, which is really important for us, and continue to reduce it and continue to interact with the mean look.

[00:19:19.780] - Speaker 1
That's definitely something know we pride ourselves on, is being agile and nimble, and we work really closely with several of our key customers. And Nick, thank you for investing a bunch of time in terms of giving us feedback, helping us be better. We're a very humble organization that wants to continue to work with our customers, and it's great to have folks like yourself and others on our customer advisory board to help us continue to build the product and the platform so that it's actually going to give folks like yourselves the best value in return. And that's how we moved from one single risk score to having over 80 attributes. We believe that a paradigm where a black box, it just doesn't work anymore. We want to give you the data so that even if maybe we don't stop a bad actor in a given flow, you can have that data and then be able to do something with that later on, which we think is incredibly important as well. So what's next for Snap? Obviously, bad actors are pivoting and changing every single day. It's something that we relish in the opportunity and stopping them and preventing them.

[00:20:28.960] - Speaker 1
But what about for Snap? What's next?

[00:20:31.790] - Speaker 2
Well, we've implemented Arkose on the web, and now we're evaluating, working through an A/B test for mobile. Again, the team has been exceptional to work with. When the latency question comes up, we ask ourselves, can we make the call to Arkose while the customer is going through the sign up screens, while the customer is going in, picking their username, putting in their birthday? Can we make the call in the background, evaluate it so when it comes time for the customer to put in their phone number, and if the customer is a good customer, we can allow the customer to go through. But if it's a bad intent, bad actor, we'll stop them from putting in the phone number, which would save us. We believe this is our hypothesis. We haven't fully vetted this yet, but we believe this can have a substantive SMS savings on that funnel if we can prevent the bad actor abusers from getting to the screen, where they input the phone number and just stopping them with a really difficult challenge that they can't solve or a very short session and where they just can't humanly solve it fast enough.

[00:21:33.870] - Speaker 2
That's really exciting to us. I think this is a big bet for us for this coming year. In these recessionary times, we have to really be thoughtful about cost. And it's my hypothesis that the organization can significantly reduce sign up, verification related SMS abuse by putting Arkose on that funnel for our flagship product, Snapchat, which is enjoyed by over 350,000,000 people in the world every single day.

[00:21:58.150] - Speaker 1
Yeah, look, we're very excited to do so. We love the challenge. I'll say you guys challenge us each and every single day, and we thrive in that. We appreciate it because the challenge comes with working with yourself and a team of domain experts that are really passionate about what you do and protecting the end user. But I think it's in the way that you and the team at Snap do it that make it a joy to work with. And we're fortunate to work with many great companies. But Sparky from Adobe, on one of the previous podcasts said something very similar to what you just said. It's about partnerships, and it's about having trusted partnerships that you continue to validate and push. And as you said, we're going to continue to always be striving to improve. But it's working together to do that. And I think in these difficult times, having very open and transparent partnerships are going to be the key to success between third parties.

[00:22:54.150] - Speaker 2
Absolutely. No doubt. Richard, I've worked with probably 30 vendors in the security space in my career, outspanning all aspects of security engineering as I've had a chance to work in the majority of the disciplines. I'll say, hands down, this has been the best partnership that I've been afforded the privilege of having to work with your team. And that says a lot, because it's been a lot of other ones that weren't so great.

[00:23:20.830] - Speaker 1
Well, I know on behalf of the entire team that works tirelessly around the know, Rob and all the security analysts that you referred to, everyone's very passionate about protecting Snap. I read a piece from your bio earlier. I want to wrap up with this piece. It's a quote that I'm going to use. It could be a company quote, and I think this sums you up, Nick, to a T, and why it's been such a pleasure to work with you. Nick says, "I wake up in the morning and go to work to make the secure path the fluid path for our stakeholders and customers with humility, empathy, kindness, and compassion. I focus on being a value creator versus a value extractor. A life and career well lived is one that leaves a legacy." I couldn't have put it better myself. Nick, thank you for spending the time with us. Thanks for being a great partner and best of luck with everything at Snap. Thanks for joining.

[00:24:14.440] - Speaker 2
Thank you so much, Richard. My pleasure.

“We think it’s our responsibility to be allies to our user base to protect them on the internet and to create a thoughtful experience where they don’t feel bothered by bad actors.”

Nick Reva

Engineering Manager, Security Engineering
Snapchat