Fighting Frictionless Fraud

Just about every breathless venture capital pitch for an online business includes the phrase, “It’s frictionless!” or some variant thereof. With self-service account creation and automated customer service, the old constraints of the brick and mortar world melt away. Without friction, there are no impediments to explosive growth. Sounds good, and it’s true, except for one big unintended consequence: frictionless commerce is an invitation to frictionless fraud.

Fraudsters and abusers, apparently taking their cue from Blade Runner’s Tyrell Corporation, whose motto was “More human than human,” mimic human users at scale. With headless browsers running JavaScript to impersonate actual human beings, they face little friction in their ability to conduct vast ripoffs. The “hockey stick” growth charts that are boasted about in Silicon Valley equate to hockey stick growth in thievery in less savory places.

According to Kevin Gosschalk, CEO of Arkose Labs, common large-scale fraud activities include things like account takeovers, spam, fake users, denial of inventory (like with games), auction house abuse, ticket scalping and fake ratings. With ticket scalping, for example, fraudsters use bots to buy tickets ahead of actual people who want to attend an event.


The difficulty comes from innovative attackers designing increasingly sophisticated ways to get around standard anti-fraud controls. “Most online businesses have basic defenses to detect and block bots,” Gosschalk explained. “The problem is that these defenses cannot keep up with advances in fraud technology. In a single request attack, the attacker can create literally millions of automated ‘users’ who look remarkably human to the site.”

A single request attack usually involves creating a fake user who appears to connect to the target from a random IP address and from a device that looks as if it belongs to a real person. With these techniques, the attackers can bypass bot mitigation services. “The bot mitigation service is looking for multiple logins from the same IP address. That’s no longer an effective way to protect your business.”
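To illustrate why a per-IP velocity rule misses this kind of attack while session telemetry does not, here is an added example that is not Arkose Labs’ code. The record fields, thresholds and sample attempts are all constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample signup telemetry (not real traffic): one record per attempt.
# fp = device fingerprint, fill_ms = time from form load to submit.
SIGNUPS = [
    {"ip": "198.51.100.7",  "fp": "dev-a1", "fill_ms": 8400,  "mouse_events": 37},
    {"ip": "203.0.113.21",  "fp": "dev-b2", "fill_ms": 12100, "mouse_events": 52},
    # Distributed single-request pattern: one attempt per IP, but the same
    # device fingerprint every time and machine-speed form completion.
    {"ip": "203.0.113.55",  "fp": "dev-x9", "fill_ms": 210, "mouse_events": 0},
    {"ip": "198.51.100.88", "fp": "dev-x9", "fill_ms": 190, "mouse_events": 0},
    {"ip": "192.0.2.14",    "fp": "dev-x9", "fill_ms": 230, "mouse_events": 0},
    {"ip": "192.0.2.200",   "fp": "dev-x9", "fill_ms": 205, "mouse_events": 0},
]

IP_THRESHOLD = 3          # assumed per-IP velocity rule of a basic bot filter
MIN_HUMAN_FILL_MS = 1500  # assumption: humans rarely submit a signup form faster
FP_THRESHOLD = 3          # assumption: one fingerprint seen from this many IPs is odd

def ips_over_threshold(records, threshold=IP_THRESHOLD):
    """Basic control: flag IPs with repeated attempts.
    Returns [] for the sample, because no IP appears more than once."""
    counts = Counter(r["ip"] for r in records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def challenge_candidates(records, min_fill_ms=MIN_HUMAN_FILL_MS,
                         fp_threshold=FP_THRESHOLD):
    """Telemetry-based control: decide per attempt whether to route it to a
    challenge-response step. Returns {ip: [reasons]} for flagged attempts."""
    ips_by_fp = defaultdict(set)
    for r in records:
        ips_by_fp[r["fp"]].add(r["ip"])
    flagged = {}
    for r in records:
        reasons = []
        if r["fill_ms"] < min_fill_ms:
            reasons.append("fill_too_fast")
        if r["mouse_events"] == 0:
            reasons.append("no_pointer_telemetry")
        if len(ips_by_fp[r["fp"]]) >= fp_threshold:
            reasons.append("fingerprint_across_ips")
        if reasons:
            flagged[r["ip"]] = reasons
    return flagged

if __name__ == "__main__":
    print("per-IP rule flags:", ips_over_threshold(SIGNUPS))
    print("telemetry rule flags:", challenge_candidates(SIGNUPS))
```

The IP rule returns nothing because each attempt arrives from a fresh address, whereas the telemetry rule sends the four scripted attempts to a challenge and leaves the two human-looking ones alone.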

The Arkose approach is to make it sufficiently expensive for the fraudster to succeed with single request attacks that he or she will conclude that it’s not worth it. To do that, the Arkose solution looks at traffic behavior, device characteristics and telemetry. When the nature of the activity is suspicious or unrecognizable, Arkose Labs’ proprietary challenge-response mechanism, Enforcement, is inserted to classify the authenticity of the activity with evidenced certainty.

They also have a 3D Enforcement challenge that presents users with a question to confirm authenticity. For example, users will be asked to use arrows to correctly orient an image. To a human it is an easy task. A machine, at least today, will have a hard time completing this challenge. The result is frictionless commerce that injects a bit of friction into the fraud process.

Photo Credit: DPP Business and Tax Flickr via Compfight cc