InfoSec People Profile: Arkose Labs’ Ashish Jain
Updated: Feb 24
Chief Technology Officer Seeks Security/User Experience Balance
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
Ashish Jain, chief technology officer for Arkose Labs, the San Francisco-based fraud deterrence and account security firm, revealed malicious bots, human attacks and the online marketing of fraud packages such as phishing-as-a service (PhaaS) have created a disruptive and vulnerable environment, making online fraud deterrence even more critical for businesses.
Arkose Labs, which covers industries such as financial services, fintech, gaming, retail, technology and social media, said it represents more than one billion social media users, 60% of online video gamers and 40% of all retail volume.
The San Mateo, Calif.-based fraud deterrence and account security firm, revealed malicious bots, human attacks and the online marketing of fraud bundles such as phishing-as-a service (PhaaS) have created a disruptive and vulnerable environment, making online fraud deterrence even more critical for organizations.
Arkose Labs, which covers industries such as financial services, fintech, gaming, retail, technology and social media, said its mission is to create an online environment where all consumers are protected from malicious activity. Its artificial intelligence (AI)-based platform combines what it describes as powerful risk assessments with dynamic attack response.
An Important Lesson
Jain grew up — and did his early schooling — in India. With both parents high school teachers, he learned an important lesson about applying “discipline and focus” when it comes to academics. He went on to graduate from one of the top engineering colleges in India, the Birla Institute of Technology and Science, and later received a Master of Business Administration (MBA) from the University of Denver.
From a career standpoint, Jain worked for a time in India after college graduation and then France and the United Kingdom before moving to the U.S. in 1997. He said, “That kind of diversity of the people that you get to work with, their thought process, has stayed with me.”
Jain started his tech career during the dotcom boom era. From 2000-2004, he worked as a principal consultant for BEA Systems in Denver, and co-authored books on Java and (Java Enterprise Edition (J2EE).
A Cybersecurity Calling
While working for BEA Systems, Jain led a project that required managing intranet security and access control for all Sony employees. This was the first time Jain said he took on the challenges of “rightful versus wrongful access” and what that can mean for product security.
That post led to Jain seeking a new career path in information security. From 2005 to 2008, he served as director of technology at Ping Identity Corporation in Denver, where he helped create SAML (security assertion markup language), which enables multiple web applications to use one set of login credentials.
Since then, Jain has worked for PayPal, VMware, eBay, and now Arkose Labs. “My role for all of those organizations has always been around cybersecurity and identity fraud,” noted Jain. “Enterprise side, you're still trying to protect the workforce resources and are more concerned about insider threat, and you have a little bit more control over the network, the user and the endpoint.” However, on the consumer site, such as PayPal and eBay, it becomes more challenging just because the surface area of attack becomes so much bigger.” For example, eBay operates in about 190 markets with about 180 million users.
At the Intersection of Identity and Fraud
Jain explained that he joined Arkose Labs in 2021 because it places him “at the intersection of identity and fraud, where you need to increase the friction for a bad actor without impacting the experience of a good user. That is a very fine balance to achieve.”
As Arkose Labs’ chief technology officer (CTO), Jain oversees all products, engineering, tech operations and research in the space of bot detection, management and account security. “We primarily focus on registration and login pages at a number of customers including Microsoft, PayPal, Adobe, Snap, Dropbox, and Expedia," he said. "A number of big market customers where we see a lot of attacks happening.”
Arkose Labs sits at registration and login points in the digital process, Jain said. “We look at a variety of signals including user behavior, device fingerprinting, IP reputation. We take that information, process it and detect whether or not this is a “good” versus a “bad” actor. And based on that we take certain kind of action.”
Avoiding Sleepless Nights
When asked “what threats keep you up at night?” Jain responded, “I put them into three buckets.”
1. The barrier to entry.
“There's a lot more people entering the space able to attack,” Jain pointed out. If you want to figure out how to attack a website, there are a number of open source tools like Sentry MBA, a credential stuffing attack tool, which has become the most popular cracking tool among threat actors; and OpenBullet, a testing suite that allows users to perform requests on a target web application. “The barrier to entry has really gone low, which means in a weekend, if you are not doing anything and you are semi-tech savvy it is easy for you to enter the (threat actor) space.”
Not only has the barrier to entry gotten low, “We are also seeing a lot more cybercrime-as-a-service offerings,” said a concerned Jain. He noted this trend includes Genesis Marketplace, which is available both on the dark web and the public internet, where attackers can purchase digital fingerprints; and Caffeine, a PhaaS, that makes it easy for threat actors to jump in and start their own phishing campaigns.
2. Sophisticated attacks and the gig economy.
Jain said what Arkose Labs observed is that computing, storage and networking is cheaper for all parties. “We all have access to infinite amounts of data and data processing; mining and modeling has become so much more efficient and accessible that it is becoming harder (to thwart) these types of attacks. In addition, detecting spoofing is more complicated and the combination of attacks now could deploy artificial intelligence and human factors as well as volumetric assaults.
The Arkose Labs CTO noted that independent contract work is also not just for Uber and DoorDash. “We see examples of a gig economy in the cybercrime world. The market is bigger, the tools are more accessible, available as a service at a lower cost than in the past and more complicated overall. That increased the number of people entering, and overall attacks, that we are seeing.”
Arkose Labs reported in 2022 that fake account creation skyrocketed in the second half of the year by 81% over the first half. Account takeover (ATO) attacks were equally severe in 2022 and comprised 11% of all attack attempt sessions.
3. The incentives are higher because of more online services and inexperienced users.
Jain explained, “We are seeing a lot more (digital) offerings from all the retailers, banking, e-commerce and government services. Plus, a lot more people accessing these (services) for the first time. These “newbies” may not have previously fully automated their banking, or applied for a loan, or bought something online.
“There is a little bit of naivety and novice users,” said Jain. As a result, they are more susceptible to social engineering attacks. Noted Jain, phishing, its voice counterpart vishing, and SMS relative smishing becomes a numbers game for attacker that seeks to lure as many online or mobile users as they can with bogus requests hoping for some bites. Jain described SMSRanger, a one-time password interception bot, which can deliver mass texts automatically.
Added Jain, “SMSRanger claimed 80% success rate. So increased surface area or increased target market with sophisticated tools is essentially a very dangerous combination that we are seeing in the industry.”
Fake Identities Versus Real Experience
A big threat for credit unions and other financial institutions, according to Arkose Labs, is identity theft. “We are seeing a lot more synthetic identity and fake account registration,” said Jain. In synthetic identity fraud attackers create false identities by patching together actual authentication elements with fake information to open fake accounts.
It is hard to create a secure but unique experience optimized for all types of audiences, suggested Jain. “The diversity of the user populations makes it harder.”
Providing blanket security for financial institutions is difficult but not impossible, noted Jain. “If you combine the omnichannel heterogeneity of what (financial institutions) have to support for their services, and diversity of the user.”
Jain also mentioned his time working with various standards bodies looking to create a safe but consistent user experience. Such as sitting on the board of the OpenID Foundation — a non-profit international standardization organization committed to enabling, promoting and protecting OpenID technologies — which developed FAPI (financial-grade API), to connect open banking and open data.
Uniting to Fight Attackers
Attackers operate without pressure and nimbly, noted Jain. “They do not need to attack all channels. They need to be successful only in one channel.”
Jain described an incident where Arkose Labs applied behavior biometrics to stop a bot attacker. “Literally 24 hours later we saw a human replace the bot to solve the challenge. So, they move with really faster speed.” Jain added, “Sometime it takes a little bit longer for the financial institutions to respond to those (type of) threats.”
Jain drew a contrast with the level of sharing, collaboration and segregation of duties he sees on the dark web versus those seeking cybersecurity protection. “I do not see the same level of collaboration and sharing, and creating of the standards, to jointly protect against fraudsters. You still see companies and organizations acting in isolation because it is a business advantage.”
He added, “I would like to see a little bit more progress for the good guys to kind of start to collaborate so that we are fighting (attackers) not as one against many, but all of us together, which can uplift all boats and help us collectively as an industry.”