Hi everyone, my name is Ashish Jain. I'm the Chief Product Officer for Arkose Labs. We do bot detection and account security. Prior to joining Arkose, I used to work at eBay where I led identity, risk and trust teams. And the charter of my team included all registration, authentication, KYC, account and payment fraud, cancellation disputes and a number of things. And I've been part of this community for over 20 years and glad to be here today to share some of those learnings.
Now, the topic I wanna discuss today is that as this group and this community is working very hard to put together a great experience for the end users, there is an equally committed alternative set of identity professionals who are working equally hard to be able to beat those defenses. We got together as this community, you know, in the 2000 timeframe with Liberty Alliance, and in the last 20 years we have had some major milestone successes, including SAML, OAuth, OpenID Connect, and now with passkeys and verifiable credentials in the future.
The other side continued to work equally hard.
They started with some simple call scripts in 2000, eventually put together some phishing toolkits and then, you know, proxy services, and now have browser automation applications to be able to spoof the fingerprints. We thought that instead of offering single sign-on and multifactor authentication and provisioning adapters as independent services, why don't we stitch them together and offer that as a service?
Well, they had a very similar idea: that instead of offering the proxy services and the CAPTCHA solvers and spoofing applications as independent offerings, why don't we offer them as a service in a subscription model? And EvilProxy and Genesis Marketplace are an example of that.
Now, we got together under various consortiums and groups to exchange ideas and to build protocols together.
OpenID Foundation, FIDO Alliance, IETF are some great examples of that.
Well, they had similar ideas: that they got together into a community to share best practices and tips and tricks. And as you can see from some of those subscriber numbers, these are fairly active communities.
Now, why do we think that there is such an active community of people trying to attack the websites, and why do we think that the number of attacks continues to grow year over year? There are three primary drivers for this to happen. The first one is that the barrier to entry for a newcomer to enter the space and be able to attack is becoming lower and lower. The second point is that over the last few years, fraud has become a business. There are more sophisticated and mature tools and applications, which makes it very easy, and there's a lot of money to be had.
The third point is that the sophistication of the tools available to be able to attack is becoming higher and higher, and hence it's more competitive to be able to beat or protect against those attacks. Let's touch upon that a little bit in the next few slides. Now this is an example.
If you know what sneaker botting is, when you have a limited number of high demand shoes and you buy them and sell them into a secondary market, this is an example to get started where, you know, it's a paid service, but they claim that it is a very reliable place: 400,000 pairs of shoes have been bought using this platform, where you can essentially get into the market. If you're looking to get into phishing, as an example, this is an open source tool you can download and get running in less than 10 minutes, where you provide a URL.
And if you see all the applications on the right hand side, you pick them and the tool takes care of putting in the right style sheet and the CSS file so that it looks like a real site. Once you run your campaign and then, you know, you have a list of usernames and passwords, you can use this other open source tool to run a credential stuffing attack. You give the URL, you upload your combo list, and there are plenty of people to help out if you get stuck.
Now, once you run a credential stuffing attack, you know, some sites try to put up a CAPTCHA. Well, you don't have to worry, because there are CAPTCHA solvers available where they can find people in low wage countries. And as you can see, you can actually get as little as a dollar for a thousand CAPTCHA solves. And if you're looking for options for each of the categories I mentioned, there are a number of other applications that you can choose from.
The bottom line is that the community has put together a lot of applications, so that this is becoming a commodity for anybody to enter an attack. The second primary driver is how this is becoming a business. If you look around, you will find a number of statistics, which is 40% of the application traffic that you see is actually not legitimate traffic. One in five login attempts on your site is actually an account takeover attempt, and I know this is a US stat, that 29% of the adults have actually experienced ATO.
If I put all of that into even more numbers, phishing alone resulted in $52 billion losses within a year. E-commerce losses across the globe were over $200 billion. And bank scams, and I'll touch upon some of the specific ones in a second, resulted in $400 billion in a year. So this is how much money there is to be had if you get into that market.
There's a specific type of attack which has become very popular in the last few years that I wanna spend a few seconds on. It's called SMS toll fraud, also known as SMS pumping or International Revenue Share Fraud, where the scammers partner with the telco providers to send a large amount of SMS messages to premium rate numbers. And of course in that case they take the cut and the site owner ends up footing the bill. And if you're wondering, how come, you know, how do you and I get into some of this money?
There are now intermediaries set up where they take care of colluding with the telcos, and you can buy a great set of, you know, bulk numbers, and then you get to attack it yourself. So this is how easy it is becoming for you to be able to get into this business.
The third point I wanna talk about is just the rising complexity and the increasing sophistication of the tools available to us. Now at a very high level, there are two types of attacks. There is the volumetric attack, where the focus is on scale and conversion.
So the credential stuffing attack I mentioned earlier is an example of that. So for instance, if you get access to, let's just say, a 10 million username and password list because of a breach, you apply that across a number of sites. Even if you get a one percent conversion rate, that's a hundred thousand accounts. If you get one to $5 per account, that's enough ROI for you to essentially get your money's worth.
The second type of attack, which is the low and slow social engineering attack, takes a lot more effort, but at the same time the reward is much higher because it's very targeted.
To give you some kind of ideas and examples of the volumetric attacks in the last few years, this is an example with DraftKings, which is a betting site, and an 18-year-old from Madison, Wisconsin in the US.
You know, he got access to a username and password list. He ran an attack, hacked into 60,000 accounts, resulting in half a million dollars in his bank account. And when he was caught, his statement was, "this is so easy and fraud is fun," and it just tells you kind of the barrier to entry point. The second example I'm gonna talk about is PayPal, and they shared that in their earnings report, which is they had to shut down 4.5 million accounts because they were fake accounts. So PayPal ran a campaign that if you sign up for an account, we'll give you $10.
That campaign was a bigger hit with fraudsters than it was with the legitimate users.
So PayPal not only had to shut down the campaign, they of course lost their money, but they also had to go and kill those accounts. The third example I'm sure you would've heard of is the Taylor Swift concert where they had issues with the tickets. Now in their defense, they only opened the ticket sale for verified fans, but prior to the day of opening, they had 3.5 million pre-registered users who went through the email verification process. All of them, or a large number of them, were bots.
And the next day when the sale opened, 14 million hits in the first five minutes, the site eventually crashed, and the next day you could buy those tickets for up to $20,000.
Let me touch upon some of the social engineering attacks that we have seen. This is a very common one that you may have heard of. It's called the grandparent scam. In this case, you get a call from your grandson or daughter saying, I'm in trouble. I was driving a car, I hit a woman, she was pregnant, they're taking me to jail. Please don't tell dad because he's gonna be mad. Can you pay some money?
And they take enough effort to be able to mimic the voice. They know your family member's name. This resulted in $3.2 billion losses in the last year. The second common one is called the romance scam, and a specific version is called pig butchering.
It starts with a text message or a WhatsApp message. The person on the other side gets to know you a little bit better, builds some trust, asks you to invest in a crypto fund. Initially you make some money, then you invest some more, and then eventually the person and the fund both disappear and you're out of pocket. That resulted in $1.2 billion losses last year. The third common one that you may have heard of is called the business email scam.
The most common form is when you receive an email from your boss or a coworker asking for a gift card; in other scenarios they ask you to transfer money. And this is a common example which was heard at Toyota. The person got an email, transferred money to a supplier, and eventually found out that the supplier was fake and the email was also a scam.
It was too late by the time they found out. This again was a 3.2 $0.9 billion loss in 2023. These numbers are already huge, right? And now enter AI.
What AI does now is it allows you to have the volume and the scale of the volumetric attacks and the sophistication of the social engineering attacks in a single motion, so that you can automate some of those things. An example of that, for instance, would be that I talked about romance scams, but now you have chat bots. So instead of you trying to figure out how do I integrate, how do I spend time with the other person, you can automate the whole process, and to make it even more believable, now you have these AI generated personas so that you can build even more trust.
The other one which came up is a site called OnlyFake, where for $15 you can get a synthetic identity. And now if you use that and you try to apply for a credit card, even if you get a starter credit card with a thousand dollar limit or a $500 limit and you only get a 10% conversion rate, that is still 10x returns on your investment.
The third one, which became very popular, is where a person joined a Zoom call with other coworkers and the CFO asked to transfer $25 million, only to find out that everybody on this call was a deepfake.
If it is harder to suspect an email that you get from your coworker, imagine joining a Zoom call only to find out that everybody on this call is fake and you have just been scammed. Now, where do we go from here? There are three primary endpoints that you should think about when you build your site, which are registration, login, and account recovery. These are the primary points where your end user will first interact with your site. These are also the three endpoints where the fraudsters will attack the most. These are very highly interconnected endpoints and they should be treated as such.
Many times we see that, you know, you build a login, you ask them for MFA, but the account recovery process is still through an email reset.
So keep that in mind as you build an overall solution. In order to have a comprehensive account security system, you're gonna need to take into account these three major pillars: authentication, ID verification, and fraud detection. On the authentication side, there are multiple strong auth options available today.
SMS, push notification, passkeys. Having rolled out many of these solutions in the past, I can tell you there is not really a silver bullet. There are always pros and cons that you have to take into account between security, usability and cost effectiveness. But at the same time, there are plenty of options available today. ID verification depends so much on the company profile; it helps you with compliance, helps you with fraud and helps you with personalization. You start with simple email and phone verification, name and address matching, proofing and all that.
This is one area where I feel like, as you walk around this conference, there's a lot of innovation and work being done.
So I fully expect 12 months from now this to be a very different scene. The third one is fraud detection. There are a lot of passive signals that you can collect, you know, IP reputation, behavioral biometrics, device fingerprinting, phone and email reputation. All of those signals help you provide a second layer of defense, which can keep running in the background without impacting your end user experience.
And it is important that you take all three into consideration when you build an overall program. At the end, I only have two kind of high level recommendations or asks or suggestions. The first one is to have shared KPIs between your growth team and your risk team. Many times we see that the growth teams want to lower the friction because they want to increase the conversion rate to grow, and the risk team wants to raise defenses because they want to lower the chargebacks and the account takeovers.
Hence, the proposals between the two teams are not always in alignment. So keep that in mind. The second one I would make the argument for would be to act now. We have this tendency to wait for a perfect solution. There is no end game or a silver bullet here. Whatever we come up with, we'll end up having new attack vectors or we'll have additional adoption challenges. So the way to make progress is to get started, iterate quicker and continue to evolve. On that note, I wanna thank you for your time and attention and hope you found this useful.
Well, thank you very much Ashish. It was a really interesting presentation; it made me question my past career choices many times. So how do you solve it? It's so complicated. Is it something that you could delegate to a third party to solve for you?
Yeah, so I think, look, it is a combination. Anytime you build a solution, it's a combination of what you can do organically versus what you can do using third party solutions.
There are solutions available for authentication, for fraud management, for ID verification, but like I said, there is no silver bullet. You have to know your business. Many times you're focused more on growth, depending upon what the stock market is asking for. And if you have too many losses, then you may be focused a little bit more on the risk side. So you have to strike that balance.
Okay, great. Ashish, do we have any further questions?
No, we don't have any questions yet. Okay, then let's, without further ado, well thank you Ashish. Thank you guys. Let's introduce our next speaker.