Thank you. My name is Ashish Jain. I'm the Chief Technology Officer at Arkose Labs. We do bot detection, account management, fraud management and account security. Prior to joining Arkose, I used to lead identity, risk and trust at eBay, and the charter of my team included global registration, authentication, account management, KYC, payment and account fraud, cancellations and disputes, and a number of other things. So that gave me a good idea of going deep into a merchant stack. And now at Arkose I get to work with a variety of enterprise customers and learn from their perspectives.
The topic I want to talk about today is the good-user and bad-user silos: how we should not be treating them in two separate mindsets, and how we should have a cohesive and collective way of addressing the registration, authentication and account onboarding journey.
This is very similar to what we were discussing in the previous session. Now, we as an industry have been talking about passwordless for a long time, and before I dig a little bit deeper into what that means and how you go about it,
I'm going to touch a little bit upon why you should be implementing passwordless in today's timeframe. If you look at the last 12 months or so, the attacks on our online systems have continued to increase at a rapid pace.
Part of this can be attributed to COVID and the pandemic: the number of users and the number of online services that are now digital continues to increase, which definitely gives a lot more incentive for fraudsters to attack. And the second thing is that the cost of compute, the sophistication and the barrier to entry for the attacks continue to change.
And hence you see a lot more fraudsters entering the space. From a stats standpoint,
just think about that for a second: on average across the industry, one in five login attempts to your site is actually an account takeover attempt. So 20% of your traffic is there with some kind of negative purpose. The second big stat that we have seen is just the increase in fake accounts. What that means is that many times websites allow you to create an account and give you some incentive.
Sometimes it is $5 off on your first purchase, 20% off if you make a transaction in the first seven days, free compute and resources for the first 30 days, and so forth.
And fraudsters are going to try to find a way to monetize it.
If it is 10% off, I'm only going to buy the first item and never come back again. Sometimes in social and gaming apps, fraudsters create fake accounts so that they can spam the other users or create fake reviews. So there are multiple ways to monetize it, and we have seen a significant increase in fake account registration. The other interesting number to note is just the malicious bot traffic that you get on your site.
And of course there is seasonality in this one: e-commerce sites around Thanksgiving and Christmas Day, or concert or gaming sites whenever they launch a new game. But there are times when this traffic on your site, which is just bot traffic not trying to do business, can be as high as 75%, and on average that number goes somewhere around 40%.
So that's the amount of traffic on your site. Even if they're not able to do damage to your site by doing account takeovers, they still end up impacting your site speed.
They still end up taking your compute resources because they are on your site. So that is the environment that we live in today, and which is why you should be spending time building the right authentication, fraud and onboarding strategy. Now, the topic I wanted to touch upon is the good-user and bad-user silos. If you think about it, the very first time a new user interacts with your site, the primary endpoints or pages they interact with are registration and login.
The bad actors, when they're trying to attack your website to get access, the very first endpoints they attack are also registration and login.
And the other one is account recovery.
Now, the metrics that you may have for your good users would be something like, for registration, the conversion rate: the number of users who show up to your registration page and the number of users who are able to complete the registration. Similarly for login, the sign-in completion rate is a very good metric that people measure; they want to see how many people are able to pass it, how many people forget their password, or if you have MFA options involved.
And your focus as a team is: what can I do to lower the friction so that I can improve the conversion rate? So of the people who show up on my registration and login, how can I convert them into a successful login attempt or a successful registration attempt?
Now, when it comes down to the bad actors, it's the same registration and login page, but your focus is very different, which is: how can I raise the defenses so that my account takeovers, my chargeback rate, or bad users trying to do cancellations and disputes,
how can I reduce that? And many times we don't realize it, because there are different teams within a company with different MBOs and different metrics, but they are very, very connected, or should be very connected, because it's the same endpoint.
And sometimes when I increase the defenses for the bad user, I may end up increasing the friction for the good user too. An example of that would be: if I mandate, for instance, MFA for my entire population, just think about a B2C website, and if I mandate it across my entire population, my account takeover ratio would definitely go down, but then my successful completion rate would also go up. And just to give you some stats, overall across the industry the password completion rate is somewhere in the range of about 85 to 95%.
So if your site offers only username and password as an authentication mechanism, if you remove the bot factors, the legitimate users who come in and are able to complete is in that range.
The moment you introduce, say, MFA across the site, that rate is going to convert today, across the industry, at around 60 to 70%.
So there's certainly a drop in the conversion rate the moment you do MFA, and I think that's the balance you have to strike based on what market you play in as a company, what the maturity of your tech stack is to be able to detect bad actors behind the scenes, and also knowing your audience, because depending on your audience, they may or may not be comfortable with different types of challenges or authentication that you have in place.
The other part to know, and I'm not going to touch on all of them, is just to cover some of the primary types of attack vectors that we see. Credential stuffing is when I have a username and password list and I simply go attack your website. I'm sure you have heard of phishing, vishing, SIM swapping and all that. What has changed?
Look, these have been there for a long time. What has changed in the last, I want to say, one to two years has been just the automation available to be able to do that.
For instance, with credential stuffing, I can write a script to try to log in if I have a combo list or a username and password list. But now there are tools available, free open-source tools, Sentry MBA or OpenBullet to name two, where you give them a list.
They have pre-configured templates, they have YouTube tutorials, they have very established Telegram user communities to help out, where you come in, you enter the URL of the site you would like to attack, give them a username and password list, and it'll do the work for you. So all of that has become more and more automated.
Similarly, on the vishing side, I'm sure you have heard of a common scam: if the fraudster already has access to your password, but the site has implemented SMS, many times what the fraudsters do is they enter the password on the website and then they call you, pretending to be from the company's support or IT, and ask you to tell them the SMS code on the phone, and then they enter it. Now this process takes five to ten minutes for a fraudster, and you get a success rate of one in ten, but now you can completely automate that process.
There's a bot which came to light called SMS Ranger about two years ago, which can automate this whole process of calling you, getting your SMS code and then entering it on the site, and they talk about a success rate of about 80-plus percent. So by automating these types of attacks, you can now have volumetric attacks or mass attacks. So instead of trying to get five to ten people in a day, you can now have thousands and millions of these attacks happening in a single day on a single website.
The other two parts, which I must say that in the last six months we are hearing a lot more about: the first one is called cybercrime as a service. So in the past you had many tools, I mentioned for instance Sentry MBA and OpenBullet, and then you still had to figure out, if you want to run that at scale, how do you go find cheaper compute resources?
How do I find proxy IP services so that I can bypass the IP checks? Now what fraudsters are doing, as they continue to evolve in their journey, is that they stitch these together and offer it to you as a service.
There is one very popular marketplace, which was recently shut down by the FBI, called Genesis Marketplace. It combines all the things, has a built-in browser and helps you attack. The new one which we have seen become very popular is called EvilProxy. You can get a subscription for about $400 per month and it essentially provides you everything in a box, where you simply tell it the website, it has templates for the major websites, and then you can just simply go try to do account takeovers.
The other topic, which I'm sure all of you have heard about in the last three months or so, is generative AI.
I'm not going to spend too much time on it in this session, but just think about it: everything that we know in terms of content-based verification has changed and is about to change. Today, I can take a three-second voice clip from you and create a voice-based authentication on your behalf. There's an example in the news about two weeks ago where somebody impersonated a daughter and called her mom saying, I'm in trouble, can you send me some money?
There are a bunch of tools now available where I can collect pictures from the internet, create an image of you and try to beat the facial authentication system. So definitely a lot more of that is what we are going to see. Phishing attempts can become more polished, because I can now write a script that people would be more susceptible to.
So definitely different types of attack patterns that I expect to emerge as we go forward. Now I'm going to talk a little bit about what passwordless methods are available and how I think about picking them.
And I know we touched upon that a little bit in the previous session too. There are definitely a lot of options, and more options continue to emerge as we speak. You should keep in mind that there are three pillars that you should think about. The first one is security. Of course you want to make sure that whatever passwordless authentication method you choose, it is giving access to your sites and resources, so security should be the number one concern. It can be even higher depending upon your company.
Sometimes we focus more on growth compared to focusing on the risk and loss metrics.
So you may play around with that a little bit, but security overall is a major pillar. As you can imagine, you need to take into account usability for the users, depending upon how your user population is, a little bit on the younger side or more on the mature side; depending upon that, you may think about the importance of usability. But a key pillar, the third key pillar you should think about, is just maintainability, especially if you're a B2C website.
Once you have rolled out a solution, it's very hard to pull back. So you should be very careful doing the initial analysis and due diligence of how you pick a solution, and maintainability, the effort to roll out a solution and, in case you have to pull it back, should also be taken into consideration. Whenever you roll out a solution, with usability, security and maintainability in your mind, you should think about the three flows, because you can end up touching all of them: onboarding,
what is the experience of a new user when they're trying to come to your site in terms of onboarding and registration with this new passwordless authentication experience; the same thing with login; and account recovery. There are a number of tools that you have access to, a number of applications that we have seen in the wild.
I'm not going to touch upon all of them; I'm sure you have seen them both as a site owner and as a user in your day-to-day usage. But just to touch upon it a little bit, each of these options has pros and cons. Email verification, for that matter, is probably the cheapest option to implement, where you enter your password but then you go back and get a link in your email, or get a code that you have to enter, so it's cheapest to implement.
But sometimes what we have seen is a correlation between the password that people end up using on your site and the one they use for their email. So from that standpoint it doesn't come across as the strongest solution. At the same time there is an impact, because the user has to do a context switch from your website to an email to get the code or the link, and generally that results in about a 15% user drop.
SMS is the most common that you find today, especially in the banking sector for authentication, either as a primary authentication or to augment the passwords. Users have definitely adopted it and accepted it, so the experience is familiar. At the same time it is a pretty expensive solution: in the US it's about a penny per SMS, in Europe it goes between three to five,
Asia is even more expensive. And then it's also susceptible to what you may have heard of called SMS toll fraud or international revenue share fraud, where the fraudsters collude with bad-guy telcos and then charge more money for the phone numbers. Push notification is another popular one, but you have to have an app on your device. WebAuthn and passkeys are definitely very popular these days; Google just announced it two weeks ago. The only thing I will add is that it's still a little bit early. The experiences across browsers, across OSes, are still being discovered.
Account recovery is not completely mature. And then the other thing that you see is that the controls that you have as a relying party are still not where you would want them to be.
Whether or not you want to allow a user to share through AirDrop or sync through iCloud, some of those controls are still being developed.
Now I want to talk about how you implement it, but I want to touch a little bit on passive authentication first, and define passive authentication as something where you don't have to have an active user interaction.
So IP, email and phone. When somebody accesses your site, you are able to see the IP, and from the IP you can decide whether it's coming from a proxy, from a botnet, from a VPN, and that should give you a signal whether this is a good or a bad actor. Same thing when a user enters their email address: you're able to see whether this email was created two days ago, what the reputation of this email is, whether there is email tumbling involved,
where sometimes, Google aliases are an example, or there is enumeration involved, which is ashish1, ashish2 and ashish3.
So you know that's a script or a bot. The same thing goes for phone: I can find out whether or not this is a VoIP number, whether this is a prepaid or a postpaid phone, whether it is a brand new phone, whether the subscriber matches the address and the name and where the phone is located. There are a bunch of signals, I call them passive signals, which you can use to do a better assessment and augment the authentication and also detect the fraud and the bad users.
And if you just continue that thought process, I can get so much device fingerprinting data, which will help me find out whether there is some randomization of the device fingerprint involved to spoof my systems. I can also figure out whether or not this is coming from the same or a different device.
So there's a bunch of things I can do from a device standpoint without having any impact on the end user. The behavioral biometrics of how you interact with my site can tell me whether you are real versus human.
It can also tell me whether or not you are the same user, because I can detect repeat behavior. When it comes down to rolling out, there is a sequence of steps that you should think about. The very first thing I would recommend would be to decouple your username and password screens into two separate screens. On the first screen you collect the identifier; on the second screen you can then figure out what's the right challenge or authentication method for you.
It'll allow you to do discovery, and then you can decide, depending upon the user and the device, what's the right authentication method.
The second thing I will strongly recommend is to implement some kind of passive authentication: IP, device fingerprinting, user behavior, email or phone address, simply because it'll help you strengthen your overall passwordless or authentication strategy without having any impact on the end user, and it'll raise your defenses against the bad user.
And then regardless of what authentication method you choose, I do not believe that even today there is one method that wins all. So you have to implement multiple of them, and then you can use the same ones for account recovery. When it comes down to rolling out, just keep in mind: give the options to your end user, have multiple options and then do a slow rollout. If you simply mandate it, it becomes a little bit tricky, because you are changing the behavior of the end users.
So you have to give them a little bit of time to be able to accept it.
If I summarize that a little bit: this is the right time to implement passwordless; definitely the number of attacks that we have seen have increased significantly. There's a bunch of options that you have at your disposal. You should do a pros and cons analysis based on your market, your audience and your site, and then I'm going to walk you through a little bit some of the flows of how you should think about it.
Some prerequisites. And I would say that even if the perfect solution for your site and your users is not available, you have to get started, because it's a long journey and we are going to continue to do it, but you will not learn and you will not improve unless you have it in production, and some of the experiments you have to do either through A/B tests or by other means. But launching and doing it now is something that you should all be aware of. I want to thank you for your time.
I think we only have 30 seconds or a minute for questions, but I appreciate you joining me today and I look forward to continuing the conversation. Thank you.
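The passive signals the talk lists (email tumbling through Gmail aliases, sequential enumeration like ashish1, ashish2, ashish3, per-IP velocity, VoIP phone numbers) and the identifier-first flow from the rollout steps (collect the identifier on the first screen, pick the challenge on the second), as an added example that is not part of the talk and not Arkose Labs code. The attempt log, the enrolment table, the score weights and the thresholds are all constructed assumptions; a real deployment would replace them with reputation feeds and calibrated values.

```python
"""Passive-signal scoring and identifier-first challenge selection.

Added example (not from the talk). The attempt log, the score weights and
the thresholds are constructed assumptions for illustration only.
"""
import re
from collections import Counter

# Constructed sample: a batch of registration/login attempts as an app log
# might record them. The first three look like a scripted enumeration
# (ashish1..3) from one IP and one device on VoIP numbers; the last two are
# the same Gmail mailbox spelled two ways (dot and +tag "tumbling").
SAMPLE_ATTEMPTS = [
    {"email": "ashish1@example.com", "ip": "203.0.113.7", "phone_type": "voip", "device_id": "dev-a"},
    {"email": "ashish2@example.com", "ip": "203.0.113.7", "phone_type": "voip", "device_id": "dev-a"},
    {"email": "ashish3@example.com", "ip": "203.0.113.7", "phone_type": "voip", "device_id": "dev-a"},
    {"email": "jane.doe@gmail.com", "ip": "198.51.100.20", "phone_type": "mobile", "device_id": "dev-b"},
    {"email": "J.a.n.e.Doe+promo@gmail.com", "ip": "198.51.100.20", "phone_type": "mobile", "device_id": "dev-b"},
]

ENUM_RE = re.compile(r"^(.*?)(\d+)$")  # local part ending in digits: name1, name2, ...


def normalize_email(addr):
    """Map alias variants to one canonical identity.

    Lower-cases the address; for Gmail, drops dots and a +tag in the local
    part (Gmail delivers j.a.n.e+x and jane to the same mailbox) and folds
    googlemail.com onto gmail.com.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def enumeration_family(email):
    """Return 'stem@domain' for local parts like ashish1/ashish2, else None."""
    local, _, domain = normalize_email(email).rpartition("@")
    m = ENUM_RE.match(local)
    return f"{m.group(1)}@{domain}" if m else None


def score_attempt(attempt, families, ip_counts, identity_counts):
    """Combine passive signals into a risk score plus the reasons that fired.

    Weights are illustrative assumptions, not calibrated values.
    """
    score, reasons = 0, []
    ident = normalize_email(attempt["email"])
    fam = enumeration_family(attempt["email"])
    if fam and families[fam] >= 3:          # ashish1, ashish2, ashish3 in one batch
        score += 40
        reasons.append("sequential-enumeration")
    if ip_counts[attempt["ip"]] >= 3:       # many attempts from one IP in the batch
        score += 30
        reasons.append("ip-velocity")
    if attempt["phone_type"] == "voip":     # VoIP numbers are cheap to mass-provision
        score += 20
        reasons.append("voip-phone")
    if identity_counts[ident] >= 2:         # one mailbox registering under alias variants
        score += 25
        reasons.append("alias-reuse")
    return score, reasons


def assess(attempts):
    """Score a batch; returns [(email, score, reasons), ...] in input order."""
    families = Counter(f for f in (enumeration_family(a["email"]) for a in attempts) if f)
    ip_counts = Counter(a["ip"] for a in attempts)
    identity_counts = Counter(normalize_email(a["email"]) for a in attempts)
    return [(a["email"], *score_attempt(a, families, ip_counts, identity_counts)) for a in attempts]


def choose_challenge(identifier, risk, enrolled, block_at=60, step_up_at=30):
    """Identifier-first login: the first screen collected only the identifier;
    this picks the second screen from the user's enrolled methods and the
    passive risk score. `enrolled` maps canonical identity -> set of method
    names (assumed names: 'passkey', 'password', 'sms')."""
    methods = enrolled.get(normalize_email(identifier), set())
    if risk >= block_at:
        return "block"
    if "passkey" in methods:                # strongest enrolled factor wins regardless of risk
        return "passkey"
    if risk >= step_up_at:                  # step up away from the reusable password
        return "otp-sms" if "sms" in methods else "otp-email"
    return "password" if "password" in methods else "otp-email"


if __name__ == "__main__":
    enrolled = {"janedoe@gmail.com": {"passkey", "password"}}   # constructed enrolment table
    for email, risk, reasons in assess(SAMPLE_ATTEMPTS):
        print(f"{email:32} risk={risk:3} {reasons} -> {choose_challenge(email, risk, enrolled)}")
```

Run as a script it prints one line per attempt: the three enumerated accounts score 90 and are blocked, while both spellings of the Gmail identity collapse to one canonical address, pick up only the alias-reuse signal, and are routed to the passkey the user already enrolled. The point the talk makes holds here: none of these signals asks the legitimate user to do anything extra, and the decoupled identifier screen is what makes per-user method discovery possible.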
Thank you very much. Thank you very much.
Yeah, maybe we could take a question if there is one. Alright, but we have to be quick.
Yeah,
Yeah. I asked the same question on the internet as well. How do you overcome the problem that platforms like Google and Apple are fighting against tracking users by device fingerprint?
Yeah, so I think that's a very interesting point. Device fingerprinting is definitely a very tricky topic, because in many cases the same tool can be used to track the users, eventually invading your privacy, and in third-party cookies and selling it to advertising companies. But the same tokens can also be used to be able to detect the good users.
There are some very great developments by the same manufacturers where there can be concrete deterministic evidence. For instance, you may have heard of the account integrity options by Google or App Attest by Apple; there is also something called Private Access Tokens, which is again an industry-wide initiative. These are not probabilistic, where you get a bunch of signals, but a deterministic token attested by the OS, and they are becoming more and more popular.
So my expectation would be that the fraud companies are able to rely on them, and then you are able to protect your privacy by not exposing all of those signals to the sites.
Yep. Thank you very much, Ashish. And thank you for your time and a great presentation. Greetings from Berlin.
Yeah,
Thank you. Appreciate it.