Abuse and Fraud Prevention's Co-Created Future — Predictions for 2022 and Beyond
Happy 2022! It’s a great time to pick our heads up from daily operations and look over the horizon. We spend a lot of time at Akamai thinking about what all our data tells us about trends and where the current trends could lead in the future. While we don’t know for sure what will happen, we have some hypotheses. So, let’s talk about what we on the Akamai Abuse and Fraud Prevention team think will happen over the next 3 to 5 years, as well as the implications of those events.
Prediction one: The future of abuse and fraud protection is dynamically generated bespoke protections, co-created with security vendors and organizations
The best-protected companies participate actively in their security efforts and push vendors in new directions that they create together. We’ll see this pick up even more in the coming years because of bespoke protections; that is, mass customization of protection specific to each organization.
For example, the bot space evolves quickly and requires scalable defenses that leverage the asymmetric advantage of having more information than the attackers. However, companies are diverse, so a one-size-fits-all posture will be too tight for some and inadequately loose for others. By not tailoring defenses to fit diverse businesses, we may lose benefit from customer-specific data, such as traffic country origin and website workflows. Yet custom designs are themselves neither easily scalable nor maintainable. The solution to operationalize customization lies in applying machine learning and statistical algorithms to automate the generation of per-customer models and detection tunings.
The performance of detection algorithms also varies by organization. Bot defense hinges on the detection rate versus false positive (FP) trade-off, so to manage FP risk across diverse traffic characteristics and varied organizations’ appetites for risk, large safety margins are typically used. Here again, a one-size-fits-all approach reduces detection efficacy, but we can achieve detection tunings automatically across a large customer base by adaptively auto-tuning detections by algorithmically estimating their FP probabilities on a per-company per-detection basis using a combination of unsupervised clustering and multi-sample estimation.
Some providers have the basic components of bespoke protections already deployed and some have those components in development, but the abuse and fraud prevention that’s unique to your organization is years away. Today, “bespoke protection” typically means manually crafting rules or providing explicit allow/block parameters, and we believe the future must, and will, adaptively contextualize to your business and to your abuse and fraud patterns without static operator input
Implication: If abuse and fraud prevention detections become tuned uniquely to your organization and to the specific way consumers interact with your digital properties, you will be able to thwart attacks by changing your workflows, business rules, and user journey — not just your security tuning. Closing business logic loopholes will also be important here. This will be a massive shift from the current climate in which most organizations think of security and fraud as separate from the business. And it will be a huge burden for attackers who are always trying to reverse-engineer technology and security detections, and will now also need to reverse-engineer your user populations’ behavior patterns.
Prediction two: Consolidation in the underground economy leads to a security future that’s co-created by the clash between attacker cartels and security vendors
Every time new security detections are implemented, attackers look for new vectors and new vulnerabilities to replace the ones that were taken away. A good example is account takeover by human attackers. Most security and abuse attacks today are automated with bots to boost the attackers’ financial and operational efficiency. But as providers like Akamai became really good at detecting and stopping bots, often the only way attackers could get through was by being human! And that, in turn, led to significant investment in detecting human attacks.
Bot operations are businesses and all of the bot-operator businesses make up an industry. And like all industries, as the market grows and matures, it consolidates. The statement “You can rent a botnet for $50” is true but misleading because it only talks about the low end of this market. These low-end bots increase the number of “mom and pop shops,” but don't pose a significant extra threat to high-value target companies.
Akamai’s threat intelligence shows the percentage of bots that are considered highly sophisticated has been increasing every year. No one is going to launch a major attack on a sneaker or gaming company with a $50 rented botnet. Instead, the high end of the market is composed of a group of players who are and will be consolidating, reducing the number of operators but increasing the scale and money of each remaining player. The consolidation of the high end of the attacker market means that companies will face increasingly deep-pocketed adversaries who will use their resources to launch subtler, more sophisticated, and more damaging attacks.
Our corollary hypothesis is that many security and fraud management vendors will get priced out of the market because they won’t have the resources to continuously invest in upgrading sophisticated detections, nor will they develop new detections quickly enough to defend against these more powerful bot operators.
Implication: Companies looking for new security solutions will need to spend more time understanding product roadmaps from a resource perspective. Does the vendor have the financial resources (or the access to capital) needed to keep ahead of active adversaries? What’s the plan to stay effective in the long term given the changes in attackers?
Abuse and fraud prevention’s co-created future — an exciting opportunity
There will be implications we haven’t foreseen. To paraphrase the quote often attributed to Isaac Asimov, “For centuries man dreamed of going to the moon but no one predicted we’d be watching it on television.” And because the co-creators will take their own perspectives, this journey isn’t going to be a linear one.
But we’re excited for the future because we’re continuing our mission to help billions of people live, work, and play online every day. Reach out to us if you want to talk more about our ideas for the future, and stay tuned for our next post.
