March 27, 2019
Protecting Telcos in the Digital Age
Posted January 31, 2019
In this episode Frank is joined by Jason Lane-Sellers, Director of Solution Consulting for ThreatMetrix. They explore threats to the telco industry, and the unique position of telcos in the new digital landscape.
Frank: Hey everybody. Welcome to another edition of Digital Identity 360. We’re privileged to have Jason Lane-Sellers with us today. Jason is a Director in the Consulting Group, here at the ThreatMetrix Global Services team. Very interesting today, because Jason’s particular expertise is around mobile and telco. So, Jason, welcome.
Jason: Thank you, Frank. Nice to be here.
Frank: Yeah, thanks for taking the time. It’s interesting, Jason; I wanted to get to know you at the Summit last week, and spend some time together talking about the mobile risks. You know, I thought that would be interesting to expound on that today, in our conversation. You know, one of the things that I look at in our network that’s so fascinating, is the pace at which transactions are moving to the mobile channel. I think, this year, we’re close to 60% of transactions in 2018 were mobile. I anticipate, probably in 2019, we could tickle as high as 70 or 75%, in terms of total volume. Maybe speak just a little bit as to your background in telco, and then some of the things that you think are going to be manifest this year, as it relates to threats for the telco industry.
Jason: Yeah. I’ve been in the industry 20, 25 years now, covering a range of technologies. Started in the old fixed-line world, moved through the IP world, and into the wireless space. Worked with one of the largest providers of wireless services around the world; designing and building fraud teams, strategy teams, and directions to prevent fraud and attacks on the network. But, that manner and that nature of fraud has significantly changed over the recent years. And the past, as you mentioned, the past five, six years particularly has been a prevalent growth of mobile utilization in the marketplace. By other industries, other companies. And that affects the telcos in so many ways. Some of the telcos are struggling to keep up with that. I see it from two perspectives as well. I am also the President of the international fraud association, the CFCA. In that realm, I get to see the impacts of telco, and telco fraud around the world. The growth of digital interaction across the world is dramatic, in every region.
Frank: It’s so interesting. If you look at some of our customers, I know we’ve got a number of large mobile companies that are customers. And obviously a number of prospects that we’re working with. You begin to see how quickly they’ve realized the emergence of mobile as a dominant channel for eCommerce, and for FI. Most of us do our banking now through our mobile phone. Suddenly, there’s a focal point for that risk, as it relates to fraud. One of the interesting things I was reading about; we’re starting to see, as a real challenge to some of our customers, is the idea of things like SIM swapping. Maybe speak a little bit to some of the ways that those attacks are used. Or those devices are used, once they’re swapped and perpetuating attacks.
Jason: Yeah, as you mentioned, with the FIs and the tech companies using the mobile number, is the identifier. The mobile number, your phone number has become your identity. And companies are using that to qualify and quantify transactions. Which, really, in the telco perspective, it was never designed to be. It was never designed to be that way. So the telcos are having to deal with now, how they manage access to people’s accounts. Because it’s not only for their own service, their own utilization, it can … Access to your mobile account accesses your whole life now. As you say, things like SIM swap; which were standard transactions in the old days, where you know, people would lose a phone, drop their phone in the bath et cetera. Therefore need replacement for the SIM. They wanted to make that simple and easy for customers to do, because they didn’t see a risk element in that kind of transaction. But, of course, now, if I am a fraudster, and I manage to get hold of a SIM that is related to your account that allows me to access your financial services, approve transactions, approve validations, any step up authentications, one-time passwords. I can take full control of your personal life. So, that has been an attack on many of the fraudsters. Not attacking the telco, per se, in terms of revenue lost to the telco. But, it’s attacking the consumer and finding a way to steal the consumer’s identity. That’s been the big shift in the telco world, the mobile world. How do we protect the customer? It used to be about the telco, to protect their own revenue. Now, they need to look at how they protect their actual customer from other risks.
Frank: Sure, and it’s interesting, because you said, most of us use the phone as some kind of secondary factor. “Hey, if I’m locked out of my e-mail account, send me a text.” If I want to authenticate a transaction, I may call your mobile phone to make sure it’s you. This idea of being able to get a hold of the SIM, and effectively, clone the phone is amazing. Now, what happens is these social engineers, which is what fraudsters are, fantastic social engineers, find a way to say “Fine, if I can just get hold of the phone, I now have access”, as you said “to that person’s entire life.” Because, as we all know, in these new smart phones, and our new devices here, we carry everything. Our wallets, our information, our boarding pass, for goodness sakes are sitting in our wallets, and concert tickets, and so forth. I find it such an interesting threat vector. And, once again, Jason, emblematic of how astute fraudsters are at understanding behavior and really finding those soft points. One of the things that was interesting last time you and I talked was, we were listening to a case of call center vulnerability. How a call center was exploited to allow someone to actually import a number over to another phone. Maybe talk a little bit about what you’re seeing as it relates to the nexus between the physical world: the call center, and the digital world: the mobile device.
Jason: Yeah, that’s probably the biggest growth area for fraud. That kind of, should we say omnichannel experience. The fraudsters are using the omnichannel better than any customer.
Frank: That’s right.
Jason: So, they realize that they can go … you know, order online, collect in store. They can process transactions over the phone to allow things to happen online. They utilize these different entry points in order to commit their fraud dramatically. Telcos really haven’t got to grips with that. In terms of, telcos are driven by customer service.
Jason: And facilitating the customer need. Facilitating the capability of the customer. Because if a customer can’t do those kind of actions quickly and simply, they will go to a different provider. The market is so competitive, there’s so many providers out there. Those that give the best customer service are the ones that are targeted, and driven customers will go to. Therefore, there’s this dichotomy that they have at the moment … in terms of how do they make their services secure? And access to the services secure? And understand the complexity that a customer can have in their journey? In terms of using the phone channel, using the online channel, using the in-store rep, or service agent, as well. Combining those channels to access accounts, protect accounts, order services, order goods, et cetera. That is the real complexity now, for this marketplace. A telco is no longer a telco. A telco is a provider of your e-mail services, your wallet, your financial services. It controls your access to your social media, your life. Therefore, it is the foundation point, but also there is that one point of compromise. If a fraudster can target via account takeover, social engineering. It gives them access to everything. That is something that we never had before. These things used to be compartmentalized, where your bank used to be separate from your phone used to be separate from your personal information. That’s all now consolidated. And, more often than not, consolidated for an access point of the telco.
Frank: That’s interesting, because that becomes a single point. That focal point, itself becomes vulnerable. It’s interesting. You said, the telcos are so focused on customer service. I’ll give you a very quick anecdote. That I think is rather hilarious. A few years ago here, in the U.S., one of the major mobile companies used to advertise fewer dropped calls than any other network. I found it fascinating that the call to action was “We suck, but not as bad as the other guy.” You can see how they pivoted to a reaction of customer service at all costs. To your point, what I think then begins to happen is that becomes that one single focal point and vulnerability point, and as we know, fraudsters are very opportunistic. They’re gonna challenge that one point where they get the most benefit. In a way, to think about it those fraudsters are elegant problem solvers. Right? “How do I solve the problem with the least amount of effort that gives me the most benefit?” It turns out, the mobile phone is, in fact, the least amount of effort that gives you the most benefit.
Frank: Very fascinating. The other thing that’s interesting, though –
Jason: Sorry. That’s what we’re seeing from the stats as well. The information out there across the industry, the growth in account take-over with social engineering against telcos is dramatic. Traditional things like you say, calls and service access. That’s dropping off and the revenue being lost from there is not as much for the telco. But, the focus is on that customer access point, and that has become the point of concern for the telcos.
Frank: Sure, and it’s interesting because we would never put our bank account number online, but people have their mobile phones online. Some social media profiles have connection points, like mobile phone and e-mail, that are visible to everybody. So, you begin to expose these critical transactional elements that fraudsters use as a means to exploit their attacks, and to perpetrate their attacks. It’s absolutely fascinating. On the other hand, Jason, it’s so interesting, there are these tremendous risks associated with it, and obviously, I think the use of a digital identity network with real-time intelligence helps us solve that. But, the mobile channel is exciting. It’s exciting in the sense that, if you’re a consumer, and you’re looking for a customer experience that’s frictionless, that allows you to touch your customers frequently, the mobile phone is it. We’ve got this juxtaposition of a tremendously vulnerable focal point in the mobile phone in the telco. And, at the same time, a force multiplier for commerce, and for connection to the customer, because if my own behavior is indicative, I probably check my account daily. Whereas, how often do you actually walk into a branch? Maybe speak a little bit as to why the mobile companies are moving so aggressively to solve this, and to continue to tout the phone as the primary point of contact in the digital world.
Jason: Yeah. Really, telcos are really following the lead. The lead has been taken by the financial industry, the banking industry, the e-commerce industry. Where everything’s app-based. One click, two click, access capability. Telcos are now trying to provide that customer service experience, sophisticated capability to their customers. Via apps, et cetera. But, they’re coming from a historical background where everything is being physical. Slower process of transactions, and need to verify. Have the customer wait for service access, or service validation. That’s something that they cannot do any more to keep up with the modern marketplace. Again, the dichotomy of that is they’re providing that technology that provides that marketplace; but they haven’t actually changed their own systems, internally, to deal with that marketplace.
Frank: That’s right.
Jason: I think that they’re starting to change this. They’re looking for self-service. App-based self-service. Online sales functionality capability. But, often, it can be done from a physical mentality of “I need to validate X, I need to validate Y.” Which, is not practical in the real world. What they need to do, is be able to understand who that customer is, where their touch-points are, and to validate them quickly, simply, real-time.
Jason: That’s where things like the Digital Identity Network provides an absolute value. It’s not just based on the telco transactions, it’s based on every transaction within the digital network.
Frank: Yeah, it’s interesting. It’s such an interesting challenge. I was reading an article, for some research I was doing on another publication, and it basically said that you’ve got almost four trillion dollars in total eComm that’s flowing through these devices, but billions of dollars in abandoned transactions that happen if friction is introduced, and if that friction lasts more than nine or ten seconds. So, I think, on the mobile phone, you have this, as I said, force multiplier where if I get the customer experience side of it right, and see ex if it works. I can reduce friction. I get the benefit of, none of those abandonment, much more touch-points, and very, very happy customers with their experience. At the same time, as we discussed earlier, if I haven’t got the right kind of identification/authentication posture on these things, I expose myself to very opportunistic hackers. Jason, top two predictions for 2019, as it relates to telco and mobile?
Jason: I guess, the simple one. Mobile growth and mobile dominance is going to escalate even more. I know, you were talking across our network is 50%-60% of transactions. That’s gonna grow even more. But, what I do see is, actually, from the telco side, is getting engagement about what is happening in this digital space. More readily starting to understand that actually they don’t just own the device and the handset; they own the customer journey not only for themselves as a telco, but in every other industry. Therefore, they’ve got to be better at protecting the consumer. Protecting the consumer will be a real focus, and I think they’ll start to follow the trend of the eCommerce and banking industries.
Jason: Let me use one example, Frank. That would be, we see banking, in Europe, we see banking advertising security protocol as part of their adverts, now. They’re advertising fraud protection, fraud prevention for the accounts and banking. I expect to see that from the telco side. That they will protect their digital identity, which their phone is becoming.
Frank: Yeah. I think that’s interesting, a very good point to end on. That is the reality. That some degree of friction at the right touch-points is absolutely necessary. And, to some degree, can be a differentiator because you can say “Hey, bank with me, use me, shop with me. Have a great customer experience, at the same time, be protected.” I think that’s true. To follow on your points, my two predictions. I agree. I think mobile traffic in our network will continue to grow exponentially. We’re at the point, now where 70, 75% could be mobile this year. And, I do think your second point, that the telcos are in a scramble to catch up. They own, effectively, that individual who’s interacting with the digital world. And they’re late to the game, a little bit. So, I think there is a tremendous amount of acceleration around getting their mobile applications ready and available to consumers. So, folks, there it is Jason Lane-Sellers, our expert in the field. Many of you have seen him, as he travels around and speaks to telcos and speaks of the risk. We’re delighted to have you on board, Jason. It’s a fantastic addition to our services team, and we’re super proud of the work you’re doing. Thank you very much for taking the time today.
Jason: Thank you very much for the kind words. Thank you.
Frank: Alright, take care.
Jason: Thank you, bye.
To learn more about these threats and how to counteract them, download a copy of our latest eBook, “Understanding the Unique Telco Role in the Evolving Cybercrime Landscape.”