Fighting against online fraud and abuse – Interview with Kevin Gosschalk, Arkose Labs

During MRC Vegas, The Paypers met Kevin Gosschalk, CEO and Founder, Arkose Labs, and discovered some incredibly interesting work done by this company in the sector of online fraud and abuse prevention. Arkose Labs are helping companies across industries such as online marketplaces, airlines, online gaming, travel, online gambling, and more to stop abuse before it occurs.

Hi Kevin, could you please tell us more about Arkose Labs: what are your main products and what sort of fraud do you deal with?

Arkose Labs is an authentication system with two key components: Telemetry and Enforcement. Telemetry refers to our decision platform that recognises the context, behaviour, and past reputation of a request using machine learning, while Enforcement refers to our proprietary challenge–response mechanism that classifies the authenticity of unrecognised requests, and provides real-time feedback to Telemetry.

The Arkose Labs system truly is an extension of an enterprise’s security and fraud team that does not require reverse proxies, daily rule setting, or third-party infrastructure. It operates with a single-minded focus to intercept inauthentic requests BEFORE they can commit fraud and scale. This unparalleled advantage is applicable to companies in almost every vertical – and we’ve already prevented more than USD 100 mln worth of fraud for enterprises like Roblox, Kik, Singapore Airlines, and Electronic Arts.

During your stage presentation, you mentioned that your company develops solutions that increase the cost of the criminal attacks. How exactly do you do that?

Great question – Arkose Labs’ Telemetry invisibly recognises the context, behaviour, and past reputation of a request to classify it as Authentic or Inauthentic. Requests that cannot be recognised are punctuated by our proprietary Enforcement to classify their authenticity with evidenced certainty. Authentic requests are passed to the enterprise, while Inauthentic requests are intercepted by an intermediate attack surface. Validating unrecognised requests in this way strengthens Telemetry decisioning in real-time, and incrementally minimises the number of false positives.

Enforcement is a challenge–response mechanism that protects the enterprise from attack, fraud, and abuse. When unrecognised requests are punctuated, Enforcement substitutes the enterprise attack surface with one that we control. Authentic requests are passed to the enterprise, while Inauthentic requests are remediated with dynamic defences that generate continuous losses. By controlling the attack surface, Enforcement can reactively adapt to neutralise attackers and their ability to retool.

Attackers automate other challenge–response mechanisms by exploiting image processing tools established by commercial applications, such as image classification and optical character recognition. These tools have a distinct vested interest in being able to perform the same computer vision tasks needed by attackers to make Inauthentic requests at scale. Presenting a task that commercial computer vision can already perform irreversibly fixes the cost per action of abuse below attackers’ return on investment.

Attackers rely on low operational costs afforded to them by professional image processing tools. These tools inadvertently provide a computer vision capability to correctly categorise third-party visual data, which other challenge–response mechanisms interpret as valid responses. In contrast, responses to Enforcement are generated from proprietary visual data that has no residual benefit to computer vision for training machine learning models. These secure responses divide decision points into compartmentalised functions that augment in real-time to prevent attackers from anticipating how Enforcement will behave. By removing the prospect of accurately classifying future responses, Enforcement prevents automation at-scale and greatly increases the operational costs incurred by attackers.

Lastly, it’s important to note that when requests cannot be recognised by Telemetry, they are challenged with Enforcement – and NEVER blocked. Secondary screening ensures that unrecognised requests of human-origin are always afforded the right to prove their authenticity. I’m also delighted to confirm that Enforcement has been statistically proven to achieve the same throughput as using no defence.

How do attackers’ toolkits look like? What are they doing and how do they bypass typical defences?

The most common and powerful approach used by attackers are Single Request Attacks, which refer to a family of protocols that synthetically manipulate each request they make for the explicit purpose of avoiding detection at scale. The true nature of these requests can only be determined when their source is independently challenged, and not controlled by attackers.

Attackers use Single Request Attacks to masquerade as legitimate sources by obfuscating IP addresses, consuming dynamic fingerprints, using headless browsers, and executing JavaScript as expected. Arkose Labs stop Single Request Attacks by reactively — and proactively — intercepting requests to prove their authenticity with Enforcement.

Now, Single Requests Attacks cannot be detected by artificial intelligence or stopped with bot mitigation because they blur inauthentic requests indiscernibly with authentic requests. Arkose Labs is the only system that intercepts Single Request Attacks with an intermediate attack surface that is not within the control of attackers. These attack protocols are operationalised with automation tools and/or digital sweatshops, and decisioning that relies only on observable tell-tales will undoubtedly misclassify humans too.

Congratulations for winning the MRC Technology Award 2019 of the Start-Up Category! What are the main elements that make Arkose Labs stand out from other fraud prevention services?

What makes Arkose Labs so unique compared to other fraud prevention services is that it is the only system in the sector using gamification concepts and technologies to both combat fraud and provide a great user experience. Our Enforcement challenge-response mechanisms are developed in a way where end users are not impacted and attackers have great difficulty in attacking, which means companies are not losing users as a result due to the care and attention of the Arkose Labs user experience.

While the Enforcement Arkose Labs presents is unique, it’s the Telemetry and machine learning side of the system users don’t see that separates us from the rest. Telemetry is our decision platform that recognises the context, behaviour and past reputation of a request, which is critical in protecting against Single Request Attacks that cannot be stopped by artificial intelligence and bot mitigation.

By combining the two components, Arkose Labs can decide not only when to present a challenge-response mechanism but also what challenge to present based on the type of attack. The combination of these components prevents different attacks without impacting user throughput, and is what makes our technology so effective and unlike anything else the industry has seen.

What projects and plans do you have in pipeline for 2019?

As a company, we’re very focused on what we’re building, the problems we’re solving and how we can stay ahead of what attackers are doing. Arkose Labs is continuously looking at how to break the economics of a cyber-attack at scale and how to sustainably solve this problem for the years to come.

Specifically, we’re particularly interested in what artificial intelligence tools that can be used against us so that when we present a challenge-response mechanism to prevent Inauthentic traffic, we need to also assure that machines are not becoming better at solving our Enforcement. Arkose Labs has always designed its mechanisms against the grain of commercial research you see today so that we are unlike anything else.

We’re always attending prominent industry events to network and educate others on how attackers are becoming more sophisticated in their attacks, as well as to get a sense of what’s to come in the industry as we continue to stay one step ahead. We’ll also be revealing to the public a few partnership, customer, and employee announcements as we continue to grow our footprint in the fraud prevention sector and we’re excited to share more info when the time comes.

About Kevin Gosschalk

Kevin Gosschalk is the CEO and Founder of Arkose Labs, where he leads a team focused on telling computers and humans apart on the Internet. Before Arkose Labs, Kevin developed gaming hardware for the intellectually disabled at the Endeavour Foundation and built a unique device incorporating Microsoft’s Kinect Camera technology.