At Invest West yesterday, Arkose Labs gave a compelling presentation highlighting how easy it is to obtain enough data on the dark web to commit serious financial cyber crime. There are sites where lists of leaked usernames and passwords can be bought or downloaded, and free software that lets you quickly test those credentials against a target site to find out which ones still work, a technique commonly known as credential stuffing.
The ramifications are terrifying, especially given the kind of client data that financial advisers hold. In the last few years many sites have adopted two-factor authentication, which is a vast step forward, and Arkose Labs have built a complementary approach: risk-based adaptive authentication, which decides on each login attempt whether an extra check is needed.
When deployed on a site, the Arkose Labs software uses telemetry from each login attempt to recognise and filter out potentially unauthorised ones. Where a login is deemed suspicious, the system presents the user with a challenge before the credentials are accepted. In principle this is very similar to a CAPTCHA; however, Arkose explain that attackers can use low-cost image-recognition tools, trained on publicly available images, to answer conventional visual challenges and so dupe that kind of challenge-response check.
The Arkose Labs approach is instead to present the user with proprietary images that, in their words, have no residual benefit to computer vision, that is, nothing an attacker could scrape and use to train a recognition model. The example shown was an image rendered on screen that could be rotated by touch or with the mouse. To pass the challenge the user had to turn the image the right way up, a task Arkose say a program finds very difficult. What's more, the image and its starting orientation change on every request, so a solver cannot simply learn a fixed answer.
The Arkose Labs approach seems unobtrusive and simple for users to follow. Not every login will require this further level of authentication; the telemetry is meant to single out the suspicious attempts and leave ordinary users alone. It's worth noting that whilst this will stop attacks at scale, such as automated testing of stolen credential lists, it will not stop a single attempt where a person manually logs in with credentials that are not theirs, since that looks like a normal login. This aside, any security measure that can be put in place to better protect clients and that is not overly cumbersome is positive for me.
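To make the telemetry-gated challenge described above concrete, here is an added example (written for this page; it is not Arkose Labs' code, whose signals and scoring are proprietary). It scores each login attempt on three cheap signals any site can derive from its own authentication log: how many attempts the same source address has made in a sliding window, how many distinct usernames it has tried, and what share of them failed. Attempts that cross a threshold are routed to a challenge rather than accepted on the password alone. The log format, addresses, usernames and threshold values are all constructed for illustration. Run over the sample log it also shows the limitation noted in the final paragraph: a burst replaying a stolen credential list is challenged after a handful of attempts, while a lone login with a stolen but valid password from an otherwise quiet address is indistinguishable from a normal user and sails through.

```python
"""Illustrative risk-based step-up for login attempts (added example, not Arkose Labs' code).

Signals, per source IP, over a sliding window:
  * attempts seen from the IP (automation volume)
  * distinct usernames tried from the IP (a leaked list being replayed)
  * share of those attempts that failed (guessing rather than knowing)
A score at or above CHALLENGE_THRESHOLD routes the login to a challenge
(the rotation puzzle in the post); anything lower is allowed through.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60        # hypothetical tuning values; a real deployment
CHALLENGE_THRESHOLD = 3    # would calibrate these against its own traffic


@dataclass(frozen=True)
class LoginAttempt:
    ts: int          # epoch seconds
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginAttempt:
    """Parse one line of the constructed 'key=value' log format used below."""
    fields = dict(token.split("=", 1) for token in line.split())
    return LoginAttempt(
        ts=int(fields["ts"]),
        src_ip=fields["src"],
        username=fields["user"],
        success=fields["result"] == "ok",
    )


class RiskScorer:
    """Keeps a per-IP sliding window of attempts and scores each new one."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.history: dict[str, deque[LoginAttempt]] = defaultdict(deque)

    def score(self, attempt: LoginAttempt) -> tuple[int, list[str]]:
        """Score this attempt on what the same IP did before it, then record it."""
        recent = self.history[attempt.src_ip]
        while recent and attempt.ts - recent[0].ts > self.window:
            recent.popleft()                      # drop attempts outside the window

        score, reasons = 0, []
        if len(recent) >= 10:
            score += 1
            reasons.append("high volume")
        if len({a.username for a in recent}) >= 5:
            score += 2
            reasons.append("many usernames from one source")
        failures = sum(1 for a in recent if not a.success)
        if recent and failures / len(recent) >= 0.8:
            score += 1
            reasons.append("mostly failures")

        recent.append(attempt)
        return score, reasons

    def decide(self, attempt: LoginAttempt) -> str:
        score, _ = self.score(attempt)
        return "challenge" if score >= CHALLENGE_THRESHOLD else "allow"


def triage(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Run the scorer over a log in order; return (src_ip, username, decision) per attempt."""
    scorer = RiskScorer()
    return [
        (a.src_ip, a.username, scorer.decide(a))
        for a in map(parse_line, log_lines)
    ]


def summarise(decisions: list[tuple[str, str, str]]) -> dict[str, dict[str, int]]:
    """Count decisions per source IP: {ip: {"allow": n, "challenge": m}}."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: {"allow": 0, "challenge": 0})
    for ip, _, decision in decisions:
        counts[ip][decision] += 1
    return dict(counts)


# Constructed sample log (not real traffic). Block 1: a tool replaying a leaked
# username/password list from one address, two seconds apart, all failing.
# Block 2: an ordinary user who mistypes once. Block 3: a single login with a
# stolen but valid password, which volume-based telemetry alone cannot see.
SAMPLE_LOG = [
    f"ts={1700000000 + 2 * i} src=203.0.113.7 user=user{i:02d} result=fail"
    for i in range(12)
] + [
    "ts=1700000030 src=192.0.2.10 user=alice result=fail",
    "ts=1700000041 src=192.0.2.10 user=alice result=ok",
    "ts=1700000050 src=198.51.100.4 user=bob result=ok",
]


if __name__ == "__main__":
    for ip, user, decision in triage(SAMPLE_LOG):
        print(f"{ip:14} {user:8} -> {decision}")
```

Scoring happens on the attempts that came before the current one, so the first few replays from 203.0.113.7 are allowed and the challenge only kicks in once five distinct usernames have been tried; that is the trade-off of a telemetry gate, it stops the bulk of an automated run rather than its very first request. The bob login from 198.51.100.4 scores zero and is allowed, which is exactly the single-attempt case the post says this kind of control does not address.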