1. Analysis
December 9, 2021

Trying to do business with your customers, securely, online? This metaverse security CEO might know something

It's been a big year for Arkose Labs, the account security brand of choice for metaverse leaders such as Minecraft and Roblox, as its CEO explains.

By Giacomo Lee

It’s been a big year for the metaverse. The metaverse may revolutionise sectors ranging from power to retail through digital twins and virtual customer experience: all things which need the strongest cyber security.

That’s why it’s also been a big year for Arkose Labs, the account security brand of choice for game giants such as Minecraft and Roblox, who were aboard the metaverse trend long before Facebook rebranded as Meta.

Valued at $447.6 m, the San Francisco-based startup has recently been singled out by analytics firm GlobalData as a future unicorn in the cybersecurity space. Its last funding round was a Series C investment at $70m, led by Japan’s SoftBank Vision Fund.

Arkose Labs, or Arkose for short, counts heavy hitters Microsoft and PayPal amongst the clients making use of its AI-powered fraud detection. Other customers include health firms, airlines like HK Express and fintechs including Venmo, showing a company that has grown beyond its roots protecting gaming and social media brands such as Entertainment Arts (EA) and Kik.

There have been other kinds of growth too, as Arkose Labs CEO Kevin Gosschalk told Verdict in a recent video interview. The potential future unicorn has expanded into countries such as the UK and Japan this past year, along with becoming the first cybersecurity vendor to provide a guarantee against credential stuffing attacks – the kind which have recently dogged power companies and vaccine supply chainswith a bountiful $1m warranty.

Find out more from the CEO native on Arkose’s growth, along with Gosschalk’s cybersecurity predictions for 2022 and where metaverse security fits into the future picture. A little background: Born and raised in Brisbane, Australia, Gosschalk graduated from the Queensland University of Technology (QUT) with a degree in Interactive Entertainment. Later he worked in biomedical research where he used machine vision technology for early detection of diabetes. Gosschalk would go on to found Arkose Labs in 2016, with an AI-powered approach that gamifies fraud prevention.

Giacomo Lee: What kind of a year has it been for Arkose Labs?

Kevin Gosschalk: There’s been a lot of hiring. We more than doubled our headcount from just under 100 to 200, so there’s a lot of interesting challenges that come with that internally. A lot of executive hires, too: our chief product officer, Ashish Jain, who was the head of identity at eBay previously, plus a new CTO, and a new chief revenue officer.

Then, from a customer standpoint we just keep getting bigger and bigger companies. Recently Venmo was a client, and a number of other massive ecommerce and financial platforms with a lot of growth in the fintech segment.

Protection for gaming platforms was once your niche. Have you found a new one, or does Arkose feel much more universal now?

We’re very strong in the video game segment. We work with PlayStation, Roblox, EA and a number of others. Any big gaming brand, we’ve probably worked with them in some fashion. And that’s really because of how we started the company. I’m a gamer, you know; it was always something near and dear to me, something I understood very well. So we naturally kind of went down the path of finding them as customers because our technology aligned with their problems. But they have the same old problems: people trying to compromise accounts, steal virtual goods to resell.

In the last probably two, three years we’ve really broken out of that and we protect the largest social media platforms, we protect the largest ecommerce stores in the world, we protect the largest banks in the world now, so it’s quite diverse.

But the kind of companies we work with really follows with who the fraudsters are going for. That is, who they are going after to profit from the most, and it’s those companies that need us.

And the fintech industry has been growing explosively, too. There are so many new ways of doing finances online. So that’s been very big for us the last 12, 24 months.

In that case, would you say open banking is risky by nature?

There’s so much growth in the fintech segment. There are a lot of startups and other earlier stage companies who don’t have the maturity of the older standing banks. Some of the more mature fintechs are very good at security, and they’re very good at what they do. But the nature of trying to grow as quickly as you possibly can means you want to have the lowest friction in your onboarding process, you want to have the lowest checks that are necessary.

Unfortunately, that’s also a haven for fraudsters because they quite literally like to go after companies that are spending VC money. So we see a lot of early stage fintechs struggling and you know, they’re in the business of creating a brand new financial instrument. They’re not in the business of combating fraud, so it’s a very different mindset and it’s a muscle a lot of them have to learn.

You expanded into the UK and Japan this year. What have you noticed working across territories when it comes to cybersecurity?

You know, according to Deloitte we’re the 25th fastest growing company in the Bay Area. But we really started the company with an Australian mindset. Like, it was very difficult to raise funding. We were more looking towards profitability in the early years, things like that. And then that mindset had to change; we kind of entered the market. So how do we become the leading company in this statement? How do we grow as fast as we can?

So it’s been kind of interesting. We’ve learned that shift, versus a lot of companies here (in the Bay Area) that really are very inefficient with capital spend. They do silly things. They raise their company at ludicrous valuations and they can’t match up their numbers and like, a lot of these businesses you see fail and vanish after three to five years, right?

So we’re really building a long-term standing company at Arkose. I would say thanks to our more humble roots in Australia that we have a different perspective on doing that here than the typical Bay Area company does.

With regards to entering the European market, absolutely I think we have a much better mindset of doing that. We’re more open-minded about different languages, things like that, than the Americans are. Nothing against Americans, of course, but America is Number One in their mind.

We’re from Australia, you know. We don’t consider ourselves ‘number one.’ Even though we may be up there, we wouldn’t actually think that.

So with that different perspective, you’re a little bit more humble on some of these things and people appreciate that attitude more. We’re more liked by the Europeans than the Americans, and that’ll help it all add up. Ironically, Americans like the Aussies more than Americans as well!

Does that Australian mindset mean an IPO is coming later rather than sooner?

That is in our future. It’s something we’re building towards. The team we’re building here at Arkose isn’t one that’s here for the next 12 months, it’s one that’s here for the next four, five years. And whether we IPO then or IPO before that, they’re people that I believe can take us far into the future from a product standpoint, from an execution standpoint, from hiring in other very talented people in the business.

At the end of the day, it’s the people right? We have all the ingredients, we have fantastic technology, but we need to keep evolving it, and at the end we have fantastic customers today, so they can help us build what we’re building.

It’s really kind of an unfair advantage to have these amazing companies that we work with, really the biggest companies in the world. They shape what we should be doing, what kind of problems we can help solve.

I spend about 70% of my time with customers every week, either new ones or existing ones. That really shapes our products, that shapes how we work with them, all kinds of things. I think it’s a very important job for a CEO to spend their time with their customers, not just entirely investors or anything like that.

How do you see your products evolving in the near future?

Passwordless is a trend in the industry and I think it’s a fantastic trend. The adoption though isn’t very good.

The adoption of extra security measures isn’t very high if the consumer has to opt into it. If you force it on the consumers, then you have the user friction issue to deal with. They might not use your product anymore, as there’s too much effort to use your product. That’s the current issue in the industry.

Then, the more data you have, the better you can use it. It’s easier to use things like AI than having humans manually sift through it. A big component of SoftBank’s investment is getting better with that kind of technology. Part of that investment thesis is: how do we get better with the more customers we have?

Do you see metaverse security guiding your products in future?

We already work with Minecraft and Roblox, two big examples of metaverse companies.

So you could pitch yourselves as a brand in metaverse security?

‘We are a metaverse security company.’ That’s a good line!

For us we’re doing our best to think about how do we authenticate the world when it becomes like that. How we how do we improve trust, the relationship between users in that world?

There’s a lot of abusive scenarios that I can see occurring. As we move down that path, I can already see some examples, like in VR there are horrible things people can do.

The internet is wonderful and terrible at the same time. When you’re in the security industry you see creativity from how people make money, but you also see like horrible things that people do to abuse others and stuff like that too. So we’re always thinking how do we prevent both of those things occurring by ensuring that you’re doing what you should be doing on these platforms?

Metaverse security is a fantastic problem space, just because the opportunity is quite large. I’m an engineer first, an artist, I love building stuff. I love solving problems like this.

One of the things I like most about this metaverse security space is the creativity of the adversary. I’m guessing if I worked at one of the companies that we protect. I probably wouldn’t like it as much, but we love the game. We’re fighting fraud, that’s what we do, that’s what we built this company to do, so it’s fun for us and our team and that’s a big part of it. We enjoy this.

Can you give any examples of that creativity?

One we saw was what’s called inventory denial attacks. So you’re an airline, you sell airline seats, that’s your business. What the attackers are doing is they’re going through their websites, booking a seat on a plane. They’re on the payment page and they use a payment redirection option like PayPal. That takes you off the website to complete the transaction. Any airline holds that seat, waiting for the payment for ten minutes and after ten minutes they release it, and what the attacker does is reserve every single seat on every single flight and they hold them in this ten minute redirection queue. That makes the airline drop off the list of all the aggregate data sites that show inventory that’s currently available, so now you book from a competitor instead.

This is like businesses doing this, basically blocking out their competition from so many inventories.

Speaking of airlines, you work with a couple. Was 2020 a relatively quiet year on that front, considering the pandemic?

We work with quite a number of travel platforms, airplanes, other travel stores. They obviously had a pretty interesting challenge last year where everyone refunded everything all at once.

But the only thing that was constant was fraud numbers. It does differ a little bit because if there’s no demand to purchase inventory from the fraudsters, then it’s not that lucrative of a thing to do.

However compromising accounts isn’t necessarily a transient thing. Once you’ve compromised the account, you’re in the account. So we still saw people sitting on the inventory until it kind of goes away and people go back traveling. So it’s been an opportunity for attackers to amass inventory over time. They didn’t just stop because they weren’t able to sell it today. They know they can sell it at some point in the future.

Aside from metaverse security, what are your cybersecurity predictions for 2022?

I think there are two trends that are a little troubling as a security provider. The first is increasing privacy.

Privacy is a really good thing for individuals on the internet, absolutely. Privacy is a difficult thing for companies that are trying to secure people on the internet. Let’s say you can’t do device fingerprinting anymore because browsers no longer allow you to do on certain devices. That would make detecting repetitive good usage much more difficult.

If you can’t identify an associated good user to being a good user and everyone just looks the same, it actually makes it harder to authenticate good users with lower friction. You don’t have to lower the bar for all users if all users start looking the same online which is what they start trending to do as more privacy checks come into play.

Another interesting trend is we’re seeing really interesting ways of scaling attacks that previously took a lot of human effort from the fraudster’s side. Thing like intercepting one-time pins or one-time passwords (OTPs). They’ve now built tools that automate that process. Fraudsters use auto diallers where you type in the bank that you’re trying to pretend to be, and it will automatically call that person and say “this isn’t automated”. So you have an 85% hit rate of people actually giving over OTPs to bots.

That tech removes the human element necessary to commit these kind of attacks. OTP interception is now trivial compared to what it’s been historically, and that innovation fundamentally shifts the economics in the favor of the attackers and we’re going to see a whole bunch of pain.