Exclusive Q&A with Kevin Gosschalk, CEO of Arkose Labs

Arkose Labs has carved a niche for itself in the online fraud-fighting front by launching something that nobody has done before: by offering financial guarantee against credential stuffing attacks for the users of its security system.

Kevin Gosschalk, CEO of Arkose Labs, talks here about this confident initiative. He says this move stems from his belief that “security vendors should stand behind their products and services in a real, tangible way.”

He also offers his insights about the impact of credential stuffing in general and specifically in gambling and gaming industry.

Read on for his forthright and succinct views on fighting online frauds and a host of related topics.

Q. Let’s start with a quick introduction of yourself. Could you tell us about your education, career and interests?

A. I am a native of Brisbane, Australia — born and raised –and graduated from the Queensland University of Technology (QUT) with a degree in Interactive Entertainment. Prior to founding Arkose Labs, I worked in biomedical research where I used machine vision technology for the early detection of diabetes. I later developed technology that assisted adults with intellectual differences in social settings. I believe my unique background brings a bit of a unique mindset to fighting fraud.

Q. How do you look back to the days of founding Arkose Labs? What was the vision when founding Arkose Labs?

A. The original vision was an ambitious one, but one I believe we can achieve: to make the internet safe for all good users. Online fraud is the biggest issue facing businesses and consumers today. I didn’t have a background in the fraud industry prior to starting Arkose Labs, but experienced these issues as a user of the internet. We want to be aggressive in fighting fraud and eliminate it rather than mitigate it. In the 5 years since the company started, we have made great strides in achieving our goal. We grew from a two-person startup in Brisbane to a company that now employs hundreds with offices in multiple continents. We also just closed our biggest quarter ever. The company has been on a great growth trajectory.

Q. Do you think credential stuffing is going to become one of the biggest financial threats for online businesses? Do share the reasons if you think so?

A. We believe it already is one of the biggest threats to online businesses today. This is because they are simple attacks to carry out, but the potential financial motivation is very high. There is an organised, underground cybercrime ecosystem that provides cheap and easy access to freshly stolen data and the latest automated tools, allowing fraudsters to attack enterprises at scale.

The low barrier to entry means that only a small percentage of these attempts have to be successful to turn a profit. Once they have compromised an account, attackers have many different ways to monetize it. They can steal money directly from the account, resell accounts or personal information, use the account to launder money, and much more.

Q. Are gambling and gaming industry particularly vulnerable to credential stuffing? Our readers would be eager to hear your insights into this.

A. Yes, the gambling and online gaming industry is a high target for credential stuffing attacks. One reason for this is that they are usually linked with a bank account or payment mechanism, so fraudsters look to compromise these accounts to gain access to that information. A compromised account can also be used to launder stolen money. Unlike bank accounts, these accounts are generally less protected; users may not have two-factor authentication enabled as they would on a financial account, for example. Online gambling is becoming more popular by the day, which means there is an ever-increasing amount of accounts for fraudsters to target.

Q. Arkose Labs is the first and perhaps the only company that offers a financial guarantee against credential stuffing attacks? Could you tell us the thought process behind such an unprecedented offer?

A. We believe security vendors should stand behind their products and services in a real, tangible way. Companies count on us to protect their most valuable data and keep their platforms safe from account compromises. We launched this warranty to show we are a true partner with our clients and we are putting our money where our mouth is. We feel offering such a warranty gives clients peace of mind that 24/7, we are there to help them defend against evolving attacks. This warranty provides commercial assurance that Arkose Labs will deliver the most robust protection against credential stuffing attacks available on the market today. It includes up to $1 million recoverable for covered losses and a 48-hour remediation SLA (service level guarantee). We do this in a user-centric way, without impacting good consumers’ experience.

Q. From the outside, the credential stuffing guarantee appears an incredibly brave move. How confident are you in your technology and processes?

A. We are incredibly confident. We would not have launched this warranty if we did not believe we could back what we say. We have years of experience protecting some of the largest, global enterprises from credential stuffing attacks.

Q. Have the credential stuffing attacks intensified on your systems after the warranty? How was the response from the hackers and ransomware attackers towards the announcement?

A. We have not seen any noticeable increase in attack intensity due to the warranty announcement. There is always a constant stream of attacks that we protect clients from. We do see a seasonality increase in attack intensity during Q4 and we anticipate heightened attacks during the holiday season.

Q. What are the systems and technologies Arkose Labs has developed to prevent the credential stuffing attacks? Could you talk about the journey through the technology development?

A. The Arkose Labs platform performs sophisticated real-time analysis of traffic to look for even the most subtle indicators of fraud. However, this is done without collecting large sets of personal information, as they can cause a privacy and compliance headache. Instead, the platform focuses on behavior, device, and network characteristics and how they are connected

Arkose Labs classifies and segments traffic based on the risk profile. Triaging traffic, based on whether it is likely to be legitimate, a bot, or human fraudster, provides actionable intelligence that can inform the system of any secondary screening required.

So the platform combines risk assessments with challenges, by leveraging a continuous feedback loop to improve fraud detection rates, while decreasing challenge rates for good users. Embedded machine learning will provide advanced anomaly detection and evolving protection, taking the burden away from in-house teams.

Q. Let’s shift the focus to the effect of the pandemic, lockdown and work-from-home on ransomware and credential stuffing attacks? What were the trends of online frauds during the Covid-19 days?

A. Not surprisingly, online fraud spiked during the height of the pandemic and related lockdowns.  Since so many more people were online, to buy everything from toilet paper to cars and everything in between, there were many more targets for fraudsters to take advantage of. Furthermore, with massively increased traffic levels, it was easier for fraudsters to “blend in” with food traffic. Even as we are slowly moving past the pandemic, consumer digital habits acquired during the time have become permanent, and as such we are seeing permanently higher levels of digital traffic as well as fraud attacks targeting digital accounts.

Q. Arkose Labs has been growing tremendously and winning laurels along the way. What are the developments and expansions in the pipeline for the near future for Arkose Labs?

A. At Arkose Labs we are always innovating. We take feedback from our clients and use that to continually improve the product. We plan to continue to grow our team, expand into new geographies, and innovate to defend against the latest evolving fraud trends.

Q. Finally, what are your advises and suggestions to businesses, especially those in the gaming and gambling sector, on how to tackle online frauds and threats like credential stuffing?

A. The key is to really understand how fraudsters attack you and how they make money. You almost have to think like a fraudster.  The way a fraudster will attack a gambling platform, and how they monetize such attacks, will differ from attacks against an online banking service, social media site, or streaming service. Work backward to figure out how they get money out of your platform and how to make that more difficult. It could be by making it more costly to buy proxies by utilizing robust IP intelligence. Or device fingerprint forcing them to invest in more software. You can trigger additional step-up measures for suspicious traffic. It’s important to not just rely on passive signals, as fraudsters can not only get around those, but it also can lead to false positives.

By making the ratio unbalanced on how much time and money fraudsters have to spend on attacks versus what they get out of them, ultimately they will move on and do something else. That’s the most effective way to stop fraud.