Summary
A prominent rideshare and delivery giant faced the challenge of protecting a superior customer experience on their platform, built in part on Amazon Web Services (AWS), while stopping bad actors from exploiting their services. They had prioritized a streamlined customer acquisition process for online sign-ups, but this inadvertently opened the doors to SMS toll fraud. Bad actors were using bots to create fake accounts at scale, causing skyrocketing SMS bills. The company worked with Arkose Labs to identify, isolate, and eradicate these attacks, resulting in a substantial reduction in SMS toll fraud costs and an enhanced, secure experience for genuine consumers.
The Business Problem
To fortify their digital sign-up processes against fake account creation, the company adopted one-time passwords (OTPs) via SMS for verifying consumer identities during registration. But cyberattackers targeted the platform through SMS toll fraud, manipulating OTPs for financial gain. This fraudulent tactic involves bad actors obtaining phone numbers from premium-rate carriers, either through carrier collusion or the exploitation of weak telecom security protocols. By initiating SMS flows from compromised numbers, the business was billed millions in fraudulent charges while the attackers split the illegally gained proceeds.
At the same time, the company needed to be circumspect in how it applied verification tactics to new sign-up attempts, because their customer base was extremely sensitive to online friction. It was vital that good users could make it through the registration process without being unnecessarily hindered or blocked. This meant that any challenge-response mechanism implemented needed to operate seamlessly in the background, interrupting the user journey only when accurately detecting suspicious activity and minimally disrupting genuine user interactions.
In addition, the company lacked sufficient visibility into traffic during the customer acquisition user experience and wanted to gain a deeper understanding of other potential cyberthreats, including account takeover (ATO), promotion abuse, and website fare scraping.
The Arkose Labs Solution
The company sought a comprehensive solution that preserved the customer experience while also significantly curtailing SMS toll fraud. They deployed Arkose Bot Manager, the AI-powered bot detection and prevention platform that includes Arkose MatchKey, the strongest CAPTCHA suite ever made. Multi-layered detection aggregates real-time device, network, and behavioral signals on a customer workflow to spot hidden signs of bot and human-driven attacks, such as device and location spoofing. And it’s all backed by a 24/7/365 managed SOC monitoring and threat management service.
The company decided to focus its attention on sessions emanating from the 5 countries with the highest SMS costs. Arkose Labs took a tailored approach, working with the company to analyze and selectively choose a unique group of threat signatures as the basis for applying friction. When a suspicion session is detected, the solution presents Arkose MatchKey challenges. These challenges pose difficulties for bots, leading attackers to either abandon their attempts or, more commonly, pivot to human fraud farms, which are effectively thwarted as well.
Genuine users, however, encounter little disruption, because the Arkose Labs detection models enable legitimate users to pass through unchallenged. These detection models are built on passive authentication techniques like behavioral biometrics, IP reputation, device fingerprinting, and more to ensure that authentic users navigate the system smoothly, experiencing little to no interference during their interactions.
Demonstrated Results
By embedding Arkose Labs across every point of contact safeguarded by OTPs during account registration, the company now adeptly identifies and counteracts SMS toll fraud assaults while upholding a smooth user journey. Throughout the short integration and deployment period, the company didn’t encounter a single customer registration complaint. Additionally, it better understands good user and bot traffic profiles, with improved visibility into customer acquisition traffic data.
- Savings of approximately US$2.5M from SMS toll fraud spend for select high-risk countries on an annualized basis
- Seamless consumer experience
- 99.5% of low-risk traffic passed through unchallenged
- The .5% of low-risk traffic that experienced challenges solved them quickly and easily, exceeding industry completion standards
- 0 customer service complaints received
- Major improvements to data visibility at top of funnel, including
- IP intelligence
- Device intelligence and fingerprinting
- Real-time aggregation of IP addresses
- Offline analysis of page load IDs
