The Brisbane-born founder of one of the world’s fastest-growing cybersecurity scale-ups has urged companies’ marketing and cybersecurity teams to work closer together, in the face of a new “industrialisation” of online fraud.
Kevin Gosschalk, 34, runs Arkose Labs, whose software aims to identify fraudsters using bots and stolen credentials to hack into online accounts, then seeks to frustrate their progress enough to destroy their return on investment.
“The things a company does for growth can also be the things that make you attractive for fraud,” he said.
“The balance between attracting lots of good accounts, without lots of fake accounts, is a fine one. It requires the marketing, identity and security teams to be on the same page, and in my experience they almost never are.”
Gosschalk ranked 41st in this year’s Financial Review Young Rich List with an estimated fortune of $173 million, after Arkose raised $180 million from investors who are also among its clients – Softbank, Microsoft, Wells Fargo, Sony and PayPal – and grew revenue by 1005 per cent over the past three years, according to Deloitte’s Fast Technology 500 list published this week.
The Queensland University Of Technology design graduate is wary of celebrating Arkose’s growth, as Gosschalk said it resulted from his customers being “under siege” from cybercrime which is more organised than ever before.
“About 80 per cent of the attack traffic we see now comes from what I call cybercrime-as-a-service businesses, which are purpose-built to make attacks,” he said.
Hardly heard from 18 months ago, Gosschalk said cybercrime-as-a-service enterprises had dramatically lowered the barriers to entry for would-be online fraudsters.
In Australia this week to visit the 200-plus staff at Arkose’s Brisbane engineering hub, Gosschalk noted how quickly fraudsters had been able to mass-email Optus customers with a false promise of financial compensation for Wednesday’s outage, and a malicious link aimed at accessing their bank account.
“Anyone off the street can now subscribe to these one-stop shops of cybercrime, where they’re buying the stolen credentials, and the bots or ransomware to exploit them. It’s immediate and it’s way up-to-date with what we are doing to fight against it.”
Fraudulent requests against Arkose’s customers had risen 121 per cent in the June quarter over the March quarter this year, and Gosschalk said new threats were emerging all the time. OpenAI, the provider of ChatGPT, has just started using Arkose to stop bots “scraping” its data, which criminals have discovered has significant resale value for use in training all sorts of machine learning models.
A major cybercrime-as-a-service which Gosschalk has seen emerge on the dark web in the past year is EvilProxy. It appears to be based in Turkey and sells “phishing kits” that allow hackers to circumvent two-factor authentication, by intercepting the codes sent to their victims’ phones.
Arkose can shut down such attacks by requiring a proprietary token to be submitted alongside a texted code. However, Gosschalk admitted it was becoming harder to detect whether a login attempt was coming from a bot, or perhaps a human in an overseas fraud farm.
“It used to be that if a bot made a million requests, there’d be something pretty obvious about those million requests – they’d have a very similar device fingerprint, or they’d all be coming from the same region or in the same language,” he said.
“Now, these cybercrime platforms will sell the bad actors things like geographic proxies, so the target still sees a huge increase in traffic but those extra million requests are blended to look almost perfectly human.”
As a result, Arkose must broaden its defences, which Gosschalk said was where the tension between marketing and cybersecurity imperatives can emerge.
The evidence is in Arkose’s work for X, formerly known as Twitter. Implemented shortly before Elon Musk bought the social media platform in 2022, Arkose is one of the few service providers to have since survived the mercurial owner’s cost-cutting.
Musk presumably views Arkose as integral to his self-proclaimed “war on bots”. Yet a search for the name of Gosschalk’s company on X brings up hundreds of tweets from users complaining about having to regain access to their accounts by completing an “Arkose challenge” – an alternative to Google’s reCAPTCHA puzzles which the Young Rich Lister claims are more bot-resistant.
“The marketing team is always going to be like ‘hey. come on in!’, the cybersecurity guys will always want to lock things down, so the executive really need to get them together to figure out a compromise,” Gosschalk said.
Arkose shares data with its customers to help them work out at what point the benefits of a more seamless experience for “good” users is outweighed by the cost of frauds perpetuated by “bad” ones.
“It’s a question that companies need to ask themselves before the bad guys answer it for them,” Gosschalk said.
