7 June 2023: What Is an Identity?

Sarah Delphey, Vice President of Trust Solutions at Numeracle and formerly the Director of Abuse and Risk Operations at Bandwidth, discusses the problems created when associating the identity of a person or an organization with a phone number and how the telecoms industry could restore trust in identity.

Andrew Wong, COO of Japanese fintech business SORAMITSU, tells us about the use of distributed ledger technology to exchange information about scams.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hi, I'm Eric Priezkalns and this is the Communications Risk Show, the live streaming conversation show produced by Commsrisk in collaboration with the Risk and Assurance Group, RAG.
Now, every Wednesday, I tell you how we chat to risk experts from around the communications world every Wednesday.
But not next Wednesday, because this is the final episode in the current season, though we will be back later on this year.
If you join them, then you'll have all those details out of your diary without needing to worry about missing the season when it starts again on August 23rd.
To subscribe, just click on the menu item called subscribe to the live stream calendar at tv.commsrisk.commsrisk.com.
Then enter your name and email address before selecting which kind of diary that you use.
The service supports all the most popular choices of calendar from Apple, Google, Microsoft.
Now, most of our viewers actually play the show on demand in the days immediately following each live broadcast, but we do value interaction with our audience.
And once again, I will be reading out as many of your questions and comments today as time permits.
You can message us during the show by typing into the window immediately beneath the live stream at tv.commsrisk.commsrisk.com.
If you're watching on LinkedIn, feel free to leave a comment over there and a member of our team will forward them to me.
Today, we're asking ourselves, what is an identity?
That might seem like a question only a philosopher would previously have contemplated,
but the practical aspects of this question have become critical as fewer of society's interactions and commercial transactions occur face to face.
Fraud is reaching epidemic levels as a result of criminals impersonating others and creating new identities.
Criminals can clone voices and deep fake faces, throw up a phony business front in a matter of minutes, spoof phone numbers, construct phishing websites that look identical to the real thing.
In other words, it's very hard these days to tell the real thing from an imposter.
There are no live interviews today, but we are going to pack in not one but two recorded interviews about verifying identities and preventing scams with Sarah Delphey,
Vice President of Trust Solutions at Numeracle and formerly Director of Abuse and Risk Operations at Bandwidth,
and with Andrew Wong, COO at Fintech Business, SORAMITSU, and sometime lecturer about technology innovation at the University of Mannheim in Germany,
Meiji University in Japan, and the Harvard Business School in the USA.
And of course, there'll be plenty of live chat again today with my co-presenters, Ed Finegold and Lee Scargall.
Ed joins us from Chicago. He's an author, analyst, and strategic advisor to tech and telecoms businesses.
Lee comes to us from Bahrain. His career seems switching between executive management and freelance consulting for a wide variety of commerce providers around the Middle East, Europe, Caribbean, and Asia.
Hello, Ed. Hello, Lee. Today's topical subject.
Now, normally, guys, normally I abuse my position as the host by opening with a long and very obviously leading question that blatantly signals my opinionated point of view.
In a change from a regular approach, let's open by asking you both to answer a question that is the theme of today's show.
Ed, starting with you, in the context of electronic communications, what is an identity?
So this is actually a much more nebulous question than it sounds like.
But no, fortunately, I've had, you know, folks who work in that space, you know, so experts on that subject follow up with me after previous shows that we've done to talk about just the subject.
And one of the rough analogies that came back was that talking about identity is a little bit like talking about medicine.
It's a very, very broad thing with a lot of specific deep domains within it.
So it can be a little bit hard to sum up in that way. So no, it's just a very broad field that's not one thing and that's probably part of the problem.
And what I mean by that is like, if I think about the evolution of my own digital identity, and this probably applies to a lot, I think a lot of us.
Sometimes it reminds me of how Voldemort slices off pieces of his soul into different objects, right, in the sense that like every time you create an account with your personal information in it, you're expanding your digital identity and breaking into more pieces.
Maybe you're even expanding your own personal attack surface in that sense.
And so right now that really seems like it's increasingly difficult to defend right and that the offense is outpacing the defense. And so far as, you know, understanding what an identity is and how to use it for good or evil.
Right. So, maybe that's a sideways answer but I don't think there's one answer it's a lot of different things and they're all being attacked.
Multiple identities and multiple identities under attack. Lee, the same question for you. What is an identity and do telcos have a satisfactory answer to that question?
I don't really think I can add much more to what Ed just said there to be honest about what is an identity but for me it's, it's really like who and what a person is really but, you know, our telcos...
I'm not asking you to be philosophical, you're running a business, Lee. Who are your customers? How do you tell one customer from another? I don't think we're very good at knowing one customer from another in telcos are we?
Well, I think some way depends where you are in the world, Eric, right, because in some countries, right, you don't need to provide any identification to take out a SIM card.
In other countries, you do need identification as part of the regulation but it's not enforced, right. Now, I can talk about here in Bahrain, we've actually got very stringent KYC checks, right, and these are enforced by the regulator so if anybody wants to take
out a SIM card here, what they need to provide is the government identification card. And then what we do is we actually take the fingerprint of that person and we cross check it back with the government's national database, right.
So, you know, here, we've got, and this applies to all the operators by the way, it's not just us, right, so we've actually got very good KYC plans in place in, in Bahrain, but to be honest, to go back to the question,
it all depends on where you are in the world.
Yeah, but now you have answered the question because you're saying, as far as a telco in Bahrain is concerned, the identity of a person is they're mapping to a database that the government runs.
That's what an identity is. If there's an entry, if there's an entry, there's a person, there's not an entry, you're persona non grata, you're not part of society, you're not included in it.
We tend to rely sometimes on other sources of data to fill the gap. Seems a bit strange sometimes though because we seem to perhaps not always know very much about our own customers, even though mobile phone wandering around Bahrain, you think you'd know a lot about person
as a result of being able to monitor them. Should we be doing more in terms of monitoring people to build up a profile, or would that be an invasion of their privacy?
Well in Bahrain, it is everybody has to have a government identity card so over here it's very easily enforced but I'll just go back to my time in Myanmar.
And we were looking at huge problems with bypass and we were looking at, you know, who's actually doing this right so we were looking at some of the dealers were all the cards were being sent.
And actually in Myanmar, it's actually a regulations government regulation that you have to present them with an ID photograph and they take it take a copy of that, of that image.
Now, so what we did there was one customer that taken out 10,000 SIM cards right so so we thought okay let's have a look at who this person is. And then when we actually looked at the picture wasn't a picture of a person.
It was a picture of about 10,000 SIM cards on a table, right. So obviously they have a requirement to upload a photo but nobody's actually checking. Right. Is this a genuine picture.
This is what I mean. So, an identity is like some data in a database.
So we're not even looking at the data in the database in any useful meaningful way to verify whether this is something that we'd expect to see in the days of it's called comment coming in now just read it out, Carl camera says in the digital space,
is there a similar concept to the physical identity description as a legal identity. For example, is there a digital legal entity definition from a legal perspective, I have this one to you Lee, not just thinking about human beings but legal persons companies,
in other words, what's the identity of a company.
I want to, I want to defer this question actually to Ed because Ed is, he's the digital identity guru on the show, so over to you, Ed, on this one.
Yeah, so I haven't ever kind of had conversations about this before. And I'd be interested to hear from, you know, someone that maybe, you know, works in the legal field about whether I not necessarily whether there's a specific definition in the law
of what a digital identity is but what aspects of the of existing law, kind of carve out the space. Right, that's the piece I probably don't understand that well.
But one thing I we've talked about is that concern of what we're seeing is this rising possibility that I visit your physical self could be separated from your digital self.
And I would say now it adds that not just that you can be separated from your digital self but that it's becoming increasingly easy to create something that is effectively a clone of your digital self that maybe can go out on its own, you know, and behave
out in the world and I don't know that there's any kind of law to even contemplate anything like that right that's not usually how the law works. And that's I think that's really strange like when we get into a case where, you know, I maybe there's plenty
of identity theft law around it but can you reclaim yours if you lost yourself could you reclaim yourself is there a path to do that as our process. It's those kinds of issues I think that no one knows right that you can contemplate happening but no one
knows how they would be dealt with or whether you'd be compensated or you would be responsible right like I don't think you can be reactionary better and I think you have to be preventative about it.
Let me go off on that rabbit hole because we have lots of other things like that to discuss on the show. So, I think this is a perfect opportunity for me to sum up in my opinionated way by giving the answer that I wanted to hear all along.
There's no identity. We don't know. We don't have a good eye, we don't have a good handle on this, whether you're talking about a company, or whether you're talking about a human being, we don't have a good handle on this so we wanted to do a lot of business
and we wanted people to interact, wherever they are in the world, but our concept of identity is still very much driven by do I know the person who's standing in front of me.
And if you know the person who's standing in front of you. Okay, now you've got a good handle on a person's identity. As soon as we start abstracting away from it we're very poor.
As a society we've never come to solutions to these problems. It's not the phone number of somebody because somebody else can pick up the phone, but now we treat phone numbers because that's why we send SMS messages to people, as if only one person can
send an SMS message, as if it can't be intercepted. It's not an IP address, it's not a handle that you attach to an online account. As Ed said, we piece ourselves into little pieces and put ourselves around. And a legal entity, a company, which could have thousands,
tens of thousands, hundreds of thousands employees, they can act on behalf of the company. We haven't got a handle on how to tie those actions of those people back to whether the company's done something or not.
It's digital identity. Right, Eric, like arguably you have a separate digital identity in your corporate world than you do in your personal world. Also, right, there's a lot of
sort of folds and wrinkles and layers to this that get very complicated fast as soon as you dig into it, you start looking at, you know, how people behave and how they behave differently in different areas and most of that has been studied for the purpose
of selling people things.
And personalization, right, to address these other problems that we're talking about.
So who's going to solve this problem? The telecoms industry is going to sit idly by with its thumb up, its ass doing nothing, when do you know who's going to solve this problem? The financial services sector.
They're going to solve this problem because they don't want money being wasted going to the wrong people and stolen. And they do want to know who authorized which transaction from one place to another place.
So they're going to put their stamp on all of us. And unfortunately, I think the telecoms industry is going to miss a trick here. The telecoms industry is going to just become the network that provides the services being used by the financial services
company, and they'll be doing the all the identifiers and fair play to them because someone needs to. But enough of my opinions, apologies, guys, I always get the last word I know I'm cheeky.
Now it's time for a little ad break. Here's a message from our serious sponsors, Blue Gem. Blue Gem provides an array of innovative test solutions tailored to your requirements.
The experienced test team and advanced systems will provide you with independent assurance that reduces risk, improves compliance and protects your revenues and brand reputation.
Communication providers are always improving networks by launching new products and services, and Blue Gem provides short and long term test audits with full test plans to ensure your services are ready to go live.
These services may include 5G deployments, eSIM, and new roaming zone tariffs. Blue Gem can help by utilizing their automated system and roaming services to measure both the accuracy of the services and the customer's network experience.
They also work with service providers to support law enforcement requests via Blue Gem's IP address resolution IPAR service to validate telecom IPAR systems for tracking both internal and external IP addresses of devices, which helps trace vulnerable users,
suspicious activity, and malicious users on mobile networks in real time. So if you want assurance when launching any new products or services or need support for law enforcement requests to track IP addresses,
you should call upon the experienced team of specialists at Blue Gem. Learn more from Blue Gem at blugem.com.
Now, back to the chat and I'd love to hear the audience's opinion about the following topic of conversation, because this is an oldie, but a goodie.
WANGIRI. Oh, yes. Haven't chatted about Wangiri for a long time. Some people claim it doesn't exist anymore. Well, if you listen to the regulator in Kenya, the Communications Authority of Kenya,
the big news in Kenya is that they've issued a public warning saying there has been a resurgence of WANGIRI in the country. Now, for those of you who forget what WANGIRI is, this is the scam where the curiosity of victims is exploited because a missed call is left on the phone,
maybe a call that only lasted milliseconds in duration, so no possibility of picking up. Someone gets curious about the phone number.
They dial back to find out who called them. They don't realize they've been lured into making an expensive phone call.
This profits the fraudsters who control the destination number or who are engaged in short stopping the call before it reaches that destination.
Now, it's not unusual still, even these days, to see regulators issuing warnings to the public about WANGIRI. There's also plenty of examples of magazines, newspapers running articles designed to increase consumer awareness of WANGIRI in a wide range of different countries.
In fact, the last few weeks, I've been noticing plenty of warnings being issued in Italy and Poland. Lee, the question for you, for some telco fraud professionals, they seem to think that they've cracked the problem.
They know how to solve the problem. They know how to prevent WANGIRI.
Nevertheless, we are seeing regulator after regulator in country after country continuing to say the public needs to be suspicious about calls received from foreign destinations.
Are the regulators passing the buck to the public because they're refusing to impose necessary controls that will protect subscribers?
Or are anti-fraud professionals sometimes guilty of exaggerating how well they're tackling WANGIRI, perhaps because they're not measuring it properly?
I completely agree with you, Eric. I think regulators are passing the buck, right? So in the UK, I actually had a look and on the Ofcom's website, their recommendation is just to notify Action Fraud, right?
So they're completely passing the responsibility to another organization. Anyway, I did a bit more research on this just to see what regulators around the world were doing.
And the only regulator as far as what I can see was doing anything is actually India, right?
They actually forced the operators there to automatically disable customers being able to make outbound IDD calls.
But apart from that, you know, there seems to be a complete void out there by the regulators around the world on how to deal with WANGIRI.
So maybe one of the audience members, if they've got some good advice, maybe they can correct me wrong if anybody's doing anything good out there, write in and give us a bit of some good regulatory advice.
Yeah, I've been trying to provoke the audience here. Some people always saying they've got WANGIRI under control.
Well, if you've got it under control, send your messages in. We'd love to hear from you.
Now, Ed, I've heard it said that the USA does not have a WANGIRI problem because Americans simply don't return calls from foreign numbers.
I find that a bit odd. After all, last week we had Satvik Prasad on the show and he was telling us about his research proves beyond the shadow of doubt,
the significant portion of scam calls are made to people who live in America but are speaking Mandarin, Chinese or Spanish.
Such scams may explicitly claim to come from a foreign entity such as a Chinese tax office or law enforcement body.
So there are people in the USA who don't find it strange to speak to somebody in a foreign country and may consequently fall victim to cross-border scams.
Would you care to speculate, Ed, I know this is a tricky one, but would you care to speculate as the reasons why the US authorities are so very laid back about scams like WANGIRI
compared to their peers, their regulators in other countries, when the US regulator, the FCC, the FTC, they tend to be so intense about other kinds of scams.
Oh yeah, it's completely plausible that not one of the 300 million people in the US that has a phone would answer a call from a foreign number.
So don't call me, Eric, because I'm, you know, forget it. I'm just not going to answer. Only use the WhatsApp. Otherwise, no chance.
I mean, that's just such an absurd statement to make a generalization like that. But I mean, to answer the question as far as, you know, why doesn't WANGIRI get more attention? I'm sure it's happening.
It's probably a little bit hard for the average person, myself included, to discern a WANGIRI scam call from any number of other types of scam calls where some number shows up, you don't recognize, you just don't answer it.
So that, I mean, there's that aspect happening. That doesn't mean WANGIRI is not happening. I think maybe it's, is it too technical or too nerdy a scam?
Right? It's one of those things, oh yeah, someone calls you and you call them back and then they get paid and it's just not as sexy as, oh, I got my identity and my stolen and my bank account emptied, you know, so it doesn't get as much attention.
If I put that in a less cheeky context, I'd say I have seen, consistently I see news in the US, like at the local level, like local papers reporting on like arrests of identity thieves and things like that.
And that seems to me like that formula is starting to be figured out in terms of if they see a pattern and then they can identify it, they find the individuals, they know how to prosecute them and go after identity thieves.
And I think that probably, in a sense, gets a lot more attention than something like WANGIRI, especially when you're talking about the telephony aspects that are related to identity theft, right?
Those two connections, which is where then something like robocalling and then STIR/SHAKEN gets a pile of money dumped on it, but WANGIRI is like, wow.
So I think it's that kind of thing. It's just not the shiny bauble and other more obvious things get prioritized.
But I thought on a deeper level, maybe there's some provincialism going on here as well, in the sense that we're just not thinking in an international context in the way that our European friends do.
And I think as an American politically, that can be really, really frustrating, especially if you're debating with someone who kind of dismisses the international perspective on the types of ills the US may end up even like inadvertently exporting
because of, like we've talked about, the rest of the world following certain regulations or certain models for addressing things that may not be effective.
So I think there's that aspect of it too, where it's just like, international calling and this is America, what's going on in America?
There's always a little bit of that as well.
I've got a theory I've got to share with you guys. I'm happy for you to shoot it down. And again, I'm happy for the audience to shoot it down too. So I'll preface the theory a little bit by observing that actually, WANGIRI was the subject of some legislative action in the United States of America.
And I use the word legislative specifically because we're talking about a law was passed that specifically referenced the threat of WANGIRI, although being America, they couldn't just use WANGIRI, they had to call it the one dial scam or whatever.
The one ring scam, yes, because you couldn't have a funny foreign name in the piece of American legislation. So they had to call it the one ring scam, even though you don't actually have to have one ring for it to be the one ring scam.
But anyway, so the TRACED Act, everyone's familiar with the word TRACED Act these days because people love to quote chunks of the TRACED Act these days.
They don't love to quote the chunk of the TRACED Act that was about the one ring scam. There's a specific segment in that act that's just about one ring scam, i.e. WANGIRI.
And it stipulated what the USA was going to do about WANGIRI. WANGIRI was going to be handled by forming essentially a special committee of people in the FCC who would sit down
and have a think about what they were going to do about WANGIRI and then report back to Congress what they were going to do about WANGIRI.
And what resulted was that there was a committee formed and they had to sit down and they had to think and they reported back and they reported back that they didn't need to do anything about WANGIRI, problem solved.
That was what happened. That's what happened with the TRACED Act. So I always find it amusing that we're supposed to do this, that and the other for the TRACED Act. Whole segment there on WANGIRI and all that happened was literally nothing got done as a result.
But here's my thoughts on WANGIRI about why I think possibly the problem is not being handled appropriately.
Let's assume there's a grain of truth to the theory that somebody who doesn't know anybody from abroad wouldn't return a call from a foreign number.
Let's assume there's a grain of truth to that. Who then is the person who is likely to return that call? Is somebody who's likely to be an immigrant? Somebody who's likely to have been from a different ancestry?
Maybe somebody who doesn't speak English so well. Maybe somebody who has got poorer access to information services.
Maybe somebody who's less likely to communicate when they have been cheated, stolen from, when some criminal act has occurred that's exploited them.
If you look at a lot of the regulatory agenda, the FTC and the FCC, they're always going on about what causes them complaints.
Complaints is not the same as actually an accurate measure of the size of a problem, because who doesn't complain about things?
It's people like immigrants. It's people who don't speak English as a first language. It's people who've got poor access to resources.
So the people who are most likely to suffer from a WANGIRI scam are the people who are least likely to be complaining about it.
So I suspect that what's really going on is that you've got an extent to which the problem is not dealt with because we don't see it. We don't see it.
We don't hear it. But actually, it's affecting some of the most vulnerable people in the country.
And I'll reference that. I'll take the heat off the Americans, my American cousins, just a little bit by pointing out the absurdity of a conversation I've heard in public involving the Canadian regulator.
So the Canadian regulator asked in public about the bilingual nature of scams in Canada.
Can scams occur in French as well as English? Well, of course. And they're very worried about scams in French as well as English.
French, English, English, French. Well, those are the two official languages in Canada. Hell of a lot of Canadians speak Chinese in their home.
And all the data that Satvik showed was that Chinese language scams are an enormous problem. And yet they have the Canadian regulator not even thinking for one second to talk about the importance of protecting people who don't speak English or French as their first language.
Lack of imagination. So apologies, guys. I'm going to read out. I've got so many quotes coming in.
I've got so many comments coming in from so many people. I haven't had a chance to read it.
So I'm not going to blitz you both with all these comments coming out of here. Sergei Strasko, team leader.
Whoa, I hope I'm pronouncing that correctly. Unique person is that's it. I'm not sure I understand that comment.
If you cannot purchase a phone without being identified and telecom shares like send intro about current owner of the number regulation.
I actually don't understand these comments. So if you guys understand it, apologies. I'm not reading out correctly.
Regulations of fighting with symptoms around the cause. I agree with that. And oh, yes. OK, now.
What else have we got here in terms of comments coming a whole bunch of comments coming in here and Trip T.
Christian, senior fraud analyst Vodafone works in Gujarat, India, says we also identify Wangiri fraud and take appropriate actions to prevent such traffic.
We also advise our customers to making call back if they receive a miss call from our foreign from a foreign number. So.
There we go. There's a guy in India saying that he's doing something about it.
Bit disappointed that we're not hearing more people sticking up for themselves and defending themselves, saying that they're doing more to protect customers from Wangiri.
And with that thought, apologies, guys. It's time for another ad break.
Right. This is our 13th and final fact of the week, an interesting fact supplied by the team at Symmetry Solutions.
Symmetry has an established track record as consultants who help communications products deal with specialized challenges that more general purpose consulting businesses have no history of tackling.
They've successfully delivered consulting engagements for clients in the Americas, Asia, Africa, Europe and the Middle East.
On such particular themes is reference data management, system migrations, customer migrations, revenue assurance, maturity assessments, fraud management, health checks,
end to end business process orders and requirements analysis, vendor selection and user acceptance testing for new risk management tools.
Their team has unrivaled experience, but that does not mean they just rely on what they know already.
They also include automated analysis of your data whenever it is appropriate for an engagement.
So the recommendation is not just based on theory or generalization about the communications sector as a whole,
but they will reflect the priorities that make your business unique.
So if ever you need assistance with managing risk, fraud and assurance, reach out to the Symmetry Solutions team at SymmetrySolutions.co.uk.
Guys, so many topics. I don't know what I'm going to do with myself these 11 weeks between the show, because every week there's something big,
there's something new, and I want to hear your opinions about them.
And we don't have enough time to pack them on. There's like five other topics I could have included in this show.
But for the third topic that we're going to discuss today before we do the interviews, I wanted to chat to you about.
Well, some people might be shocked and some people may just be saying, well, that's exactly what they expected.
Russia has claimed that the United States of America has been involved in hacking thousands of Apple phones and a plot against the Russian citizens and diplomats living in Russia.
So the Russian intelligence agency, the FSB, formerly known as the KGB, has publicly accused their U.S. counterparts of hacking thousands of Apple phones belonging to Russians, also phones belonging to diplomats of other countries based in Russia, such as China, Israel, various NATO allied countries and various former Soviet Union countries too.
The alleged zero click installation of surveillance software on iPhones sounded a lot like the way the Pegasus spyware of Israel's NSO group was used to turn iPhones into spying machines.
Now, Russian cybersecurity business Kaspersky also wrote about an attack on iPhones, clearly referencing the same attack.
And they said it was belonging to the attack was focused on top and middle management on their corporate blog, although they didn't specify where the attack was coming from.
So they didn't name the Americans in this case. They used the phrase previously unknown malware, described a malicious code installed on their devices.
And they emphasized that whilst they were hit as a business, they don't believe they were the main targets of this attack.
Lee, do you believe U.S. surveillance agencies were behind this alleged hack by the claims that the FSB has made?
Is it significant that in March 2022 Kaspersky was added to the FCC's covered list of vendors considered a national security threat in the USA?
Well, I can only speculate, Eric, because I don't actually have any evidence.
But what I do know is that the NSA, they actually have a history of hacking their own citizens' phones.
So yes, this is well within their capabilities. Apple will deny it, of course.
But I'm confident the NSA, they wouldn't need their assistance to get a backdoor into the iPhone.
The Israelis didn't need Apple's assistance for Pegasus. So I'm pretty sure the NSA didn't either.
Look, I know there's a lot of tit for tat going on right now, but even so, I would say on the balance of things, that it's probably true.
The NSA did hack the phones, but who knows? I certainly don't know for sure.
Oh, is the diplomat. Ed, do you have an opinion on who was likely to do this?
And more generally, some people say it's a mistake to attack another country's cybersecurity vulnerabilities.
Would you agree it would be a mistake, or are there good reasons why countries like the USA should sometimes go on the offensive?
So that's kind of two questions. So first one, just on the opinion side, I believe you said the source of the claim was the FSB.
So no, I don't believe it. Do I think it's plausible that such things happen?
Yes. Do I believe any single thing the FSB is going to put out in the public like that?
No. So I'm going to move on to the second part of your question immediately.
So let me answer your question about whether there is a situation where an attack is justified.
Let's say it makes sense or not. I'm going to answer that question with a hypothetical.
Would it be a mistake to direct artillery fire on an advancing enemy to defend a field hospital that you knew they were going to roll over?
I don't think so. I think that's what happens when you're in a combat situation, you're in a war.
And so that's the thing is that this whole thing really depends on perspective.
You know, in a vacuum, am I a fan of unprovoked attacks? Absolutely not.
But I think that we're in the midst of a few wars right now. Cyber, currency.
You're seeing more elements of an economic war happening, which is what this segment actually is kind of about.
And then there's, you know, additionally, obviously, kinetic war actually happening in Ukraine and other places.
And so when I think about it from that perspective, you know, as a U.S. citizen, I expect the U.S. military and our intelligence community to be highly proficient at protecting Americans against cyber attacks.
Whether they are not, I expect them at this point, I expect that to be a capability they have, like looking at the threats in the world going forward.
And I think that if you want to be good at something, you need to do it. But I also think none of this is new.
It's not like we're just starting with, you know, cyber operations between, you know, intelligence organizations.
That's been happening for a while. And so, you know, it's just kind of like if you I think if you think of this in terms of defense strategy,
it's just sort of logical that you need to have offensive cyber capabilities.
Right. I just I don't see that you have a way around that. And so the last thing I say is, like, if the attack.
Like if so, if you see an attack like the one we're talking about and it's actually by an intelligence agency or it looks like it was and that happens, then it actually makes the news.
My guess is that we're probably just getting a snapshot of like.
You know, fire and counter battery fire happening. There's volleys going back and forth.
And once in a while you're going to get a snapshot of that. And then it's easy to step back and say, oh, my gosh, this is happening.
Like, yeah, it's probably happening every single day, is my assumption. So, again, change of perspective.
And the last thing I'll say is this, just to put a slightly positive and whimsical spin on it.
You know, Daniel Craig is retiring as James Bond.
I hear that Karsten Nohl is up for the part to replace him because the whole spy game has changed.
Well, good luck to Karsten. It certainly needs to be updated, the spy game, because the idea of just walking into your enemy's lair, announcing that you're James Bond's super spy and that you intend to steal all these secrets, defeat him and run away with his woman.
I don't think that's plausible in the modern era anymore.
I fundamentally disagree with you, Ed. OK, I tell you, I fundamentally disagree with you.
Although in a weird way, by taking a completely different route, we end up at the same conclusion.
This almost certainly was done by the USA, and if it wasn't done by the USA, the FSB knows about 100 other hacks they could have been releasing and talking about instead.
So whether this specific case was or wasn't done is immaterial. I think probably what's more interesting here is that Kaspersky, without laboring with the USA behind this attack, is basically saying, look, we're a cybersecurity business.
It's our job to report advanced persistent threats.
OK, they found something new. They found what they're calling is like a new zero-day attack. OK, a zero-click attack on iPhones. They're doing their job, even though they've been effectively blacklisted in the United States of America.
So whether you whether you kind of take them with association with the Russian authorities, part of the reason why they might turn around and say they've been blacklisted is,
well, I'm going to point out the stuff that you're doing, as well as the stuff that everybody else is doing. And do I believe the US is doing this stuff? I hope so.
I hope they're doing it. They will be daft not to do it. I know it's not the done thing among security professionals to say you've got to go out on the offensive.
But when Joe Biden said not long after he became president that they would effectively use words to the fact that they reserve the right to go out and do offensive cyber operations.
That's the right thing to do. You can't just create a perimeter. You can't just create a defensive barrier and try to keep all the bad stuff outside.
That's a policy that's destined to fail. It consumes enormous amounts of resources, and you don't deter the bad actors. Now, obviously, it's very difficult to do anything in terms of imprisoning or punishing somebody if they live in Russia,
and they're protected by the Russian authorities and you're an American prosecutor trying to do something about it. What are you going to do?
But at the same time, it would be naive to just immediately promise not to do anything in terms of retribution or tit for tat or like for like to undermine your enemy.
And as you say, Ed, you only get better by doing these things. So would it be wise, would it be sensible for a country like the USA to never go hack anybody else whilst they're being hacked?
It would be foolish. They would be letting down their public. They're letting down their citizens if they weren't being prepared to go on the offensive as well as defensive.
And finally, I'll make one other quick observation. Time and time again, we see debate in the USA, which is about whether laws designed to protect US citizens' privacy are being abused by law enforcement agencies, intelligence agencies and the like.
A lot of fuss about the NSA gathering data that maybe they shouldn't have been gathering. Well, I would say they shouldn't have been gathering on US citizens because it infringes law.
The debate is always about whether the law was infringed because there is a law to protect US citizens from this kind of thing.
No law to protect anybody else from these American agencies doing this kind of thing.
So wouldn't it be a bit strange if all the US intelligence gathering and law enforcement agencies were only seeking to gather data on American citizens and never bothered to ever do it about anybody else when they have complete free rein to do it as much as they like with no repercussions whatsoever?
It'd be a very peculiar kind of world. So they will be doing operations like this. We can cast doubt about this specific operation, but this is the reality of the world we live in, and we're going to have to learn to live with it whether we like it or not.
No more comments from the audience, so I'll keep on moving on with our favourite American. After you, Ed.
After you, Ed. It's our favourite American.
I guess everybody is afraid to put something in type that's politically sensitive, so I guess I'll give everybody a cry. Hold on to your jobs, it's cool. We just want to have a nice conversation here.
We say the things that nobody else can say, although Lee has to be careful because he's got a proper job, unlike me and Ed.
I think you're right, we're kind of circling around to some level of agreement in the sense that I fully agree that the purpose of having offensive capabilities is exactly what you said, that you can't hope to simply defend a massive perimeter all the time
without having some means to reach out and stop, you know, somebody from doing something and I mean that, look, I'm not an expert on Clausewitz, but it's my understanding, having had some conversations and taken some history courses in university,
the basic idea is you want to stop your enemy from being able to make war on you. And in a cyber theatre, you want to be able to reach out and stop their cyber operations, you know, offensive operations.
So I agree with you completely, you know, as far as that goes, I think maybe we're, actually, let me back up, I thought that we were disagreeing, but then you mentioned that you hoped that it was the US that had done this hack, you know, on the iPhones that the FSB was claiming
and I realized I was dismissing it, you know, the just sort of dismissing the FSB's credibility there.
But I did think that such an attack would be plausible, and I agree with you.
It's interesting when you say, I hope that it was the US, I take that two different ways. One is, I hope it was the US, as opposed to someone who's even less trustworthy, right, versus as an American citizen saying,
I hope it was the US, because I hope that we're out doing things like that to defend our country if you believe such a thing. So I'm not sure which way you meant it.
I think the former and not the latter, but you could kind of look at it anyway.
We'll come back to this later in the show, and I'll also leave this, don't answer this question but one for you to think about both of you. George Woodworth comments on LinkedIn, very interesting and insightful show today on the identity aspect.
How do you create a digital identity for a telecoms customer? So I'll leave it with those thoughts. As I now run, as I now ask our team to run our next adverts, Jeffrey Ross of Call Authentication, Fraud Prevention and Geolocation Specialist,
1Route is taking us on the final instalment of our World in Your Phone series, at least the final instalment for this season. This week Jeffrey's destination is the diverse and wonderful Philippines. Producer James, roll VT.
Hey everyone from 1Route. I'm Jeffrey Ross and this is the world in your phone. Let's talk about the Philippines. The Philippines is a popular tourist destination for backpackers and travelers due to its pristine beaches, crystal clear waters and teeming marine life.
Whether you want to snorkel with whale sharks, sip coconuts on the beach or try your hand at some adventurous activities, this country has it all.
Now the Philippines is viewed as a promising market in the telecom industry. The main drivers include an ever increasing population and smartphone services for remote work and streaming purposes.
The Philippines continue to strategize on making products and services more affordable while expanding its network. In fact, in 2022 financing was secured by Tiger Infrastructure Partners to build 380 new towers in the southern Philippines.
The funded initiative will allow for common tower sharing, meaning multiple mobile network operators can lease the exact same location. Be sure to read our blog about this at oneroutegroup.com to learn more.
I found it interesting that the Philippines is the second largest archipelago in the world with over 7,000 islands and 2,000 of them inhabited.
There are over 100 languages spoken in the Philippines. It's home to the world's longest underground river and it's home to Asia's first basketball league.
The Philippines also supply more nurses globally than anywhere else. And for our beer connoisseurs out there, the ever popular San Miguel beer that some assume is a Spanish beer is actually from the Philippines.
Be sure to tune in and subscribe to our YouTube channel where you can watch the 1Route Roundup, a show that spotlights individuals and companies making a positive difference in the telecom industry.
One more fun fact that I found out about the Philippines, you can actually have and find banana flavored ketchup in the Philippines. Now on that note, Eric, back to you and some more of this great communications risk show. Cheers.
Thanks, Jeffrey. I well remember my surprise when I was backpacking around the Philippines over 25 years ago and discovered that McDonald's restaurants gave banana ketchup with each order.
Now here's the first of our recorded interviews for today's show. Sarah Delphey joined Numeracle in 2022 after spending seven years at Bandwidth, where she had responsibility for tackling fraud and other abuses of communication services as the director of abuse and risk operations.
She's done the industry a great favor by publishing a guide for how telcos should conduct their Know Your Customer checks. It's available free of charge.
It's even given as a Word document so you can simply copy and paste the contents into your own company's KYC policy.
But first, let's hear about it from Sarah herself. Producer James, please roll VT.
Hello, Sarah. Thanks for joining us from North Carolina. You moved to Numeracle in August 2022 to become the vice president of Trust Solutions, having previously been responsible for fraud and risk as a director of abuse and risk operations at Bandwidth.
You're also somebody who's really passionate about their work. Can I ask you to begin the interview? What do you consider to be the most serious obstacle to consumers being able to trust the communications they now receive?
Yeah, it's a great question. Thanks for having me, Eric.
I think it's you think about the experience for a consumer. Fundamentally, consumers don't know almost all of the time who it is that's calling them, despite the tools that we have today. Phone number, caller ID.
My experiences, you know, my phone, I hear a chime, I hear a ring.
It doesn't give me any feedback. Audio-wise, it's who's calling me. And then even when I look at the display, it doesn't do much to help.
Most of the time it's a phone number. It might be a caller ID, but frequently I don't know who that is.
In that situation, of course, consumers don't trust the communications network and don't want to pick up the phone because they've been given so much feedback.
They've been trained to believe that the feedback that's given to them is inherently untrustworthy when it comes to truly knowing before they pick up the phone who it is that's on the other line.
So it's a frustrating experience, isn't it, these days for users in terms of not knowing?
And as you said, they're increasingly told, they're increasingly warned not to pick up the telephone.
And that's because we've got a lot of bad actors basically misbehaving and using the communication services that are available for purposes that weren't really in mind when we set up all these networks in the first place.
Now, Numeracle recently published a guide for voice providers explaining how to accomplish the goal of knowing your customer, often abbreviated KYC.
What's in your KYC guide and why was it needed?
Yeah, I wrote the bulk of the content of that guide thinking of myself when I first started in this industry and I was trying to figure out, OK, what are the standards?
Where's the playbook for how I should be reviewing customers of the carrier that I work for?
And there was one I went far and wide trying to find such a thing and it simply didn't exist.
There were some pieces I could gather from this document or that document, but nothing laid it out completely.
And so what we run into is as a service provider is fundamentally defending yourself constantly against allegations that you're doing it differently.
You're being more restrictive, you're being less restrictive than your peers, but you really don't know because nobody shows their cards.
So having left the carrier environment and going to Numeracle, it was really important to me to make sure that there could be that resource and say, you know,
rightly or wrongly, here you go. And there's some stuff in there that I think folks may disagree with.
There's some things that are kind of practical truths about how these things are done and reasonably done in the environment that maybe some folks may not want to do.
But it is what it is, right? This is how, in my experience and having worked with others to the extent I know about others processes, this is how it's done.
And so the guide is really it's a templated policy designed for service providers to be able to simply insert their name and insert their specific versions of suggested processes,
policies, actions they should be taking throughout that customer lifecycle to really jumpstart everyone past this sort of discussion of, OK, what's reasonable?
Know your customer. And we only see the FCC in the US digging in further. And they've now in the latest proposed rulemaking and related rulemaking said, you know,
every service provider, not just gateway providers, every service provider must take steps to know their upstream provider, which is essentially their customer.
It's just a different version of the same thing. And so it's more important than ever that we start taking what is this sort of complex,
ephemeral concepts and putting words to paper to say, here you go, here's something that, well, you know, is a universal starting point.
For service providers to be able to take in and have somewhere where they can feel like, OK, I'm on the right track, I'm doing the standard of what may be reasonable.
I have to say, I really commend you for doing this. There's a degree to which I feel a sense of frustration that it falls onto the shoulders of someone like you, Sarah,
because we've seen organized that we've seen regulators like the FCC say you should do know your customer.
But then if you're not explaining how to do it or what you really expect them to do, it's just a it's just a three letter acronym with no great meaning behind it.
So thank you for taking the time and trouble to share your knowledge, the experience that you've gained whilst working with bandwidth and the customers you're working with.
Now, obviously, Numeracle, is the guide available to everybody?
Do you have to be a Numeracle customer? What do people need to do to get a copy of this guide?
Yes, you can get the copy one of two ways. So we've published the guide as an ex parte with the FCC.
So if you just Google Numeracle KYC guide or we can obviously provide a direct link if you want to go and view that directly,
that will get you to either the FCC publication or on Numeracle's Web site.
Again, if you just search Numeracle KYC guide or KYC template, you will get to the document.
But in a little bit of information, there's two different versions. If you go to the FCC, there's a PDF.
But if you go to the Numeracle Web site, we provided a Word document version.
So you really can just take the highlighted italicized text and just replace that with your name and your information a little bit more easily.
Save you the step of copying and pasting. You're very generous, Sarah. I know what's going to happen.
There's going to be 100 people who are going to write their own document in telcos all around the world as a result.
And poor old you, your name's not going to be in the document anymore.
So if you are watching this show and you're going to copy Sarah's document, do leave her name and do give her some credit.
She's done all the hard work for you already. Now, I think it's absolutely fantastic you're doing it.
But why hasn't, forgive me, maybe this is a stupid question, but why hasn't anybody else felt the need to do this before?
Why is it falling on your shoulders, Sarah?
Well, I can tell you and it's why nobody shows their cards unless they're forced to is part of, you know,
a disclosure requirement and some sort of civil or criminal investigation.
They because everyone is insecure about what they're doing versus what other people are doing.
There's an inherent reluctance and understandable reluctance to show your cards and say, as a service provider, here's what I'm doing.
Here's what needs to be done because you've shackled yourself to that.
Now, if you don't do that in any situation for any reason, and this is, you know, inherent to risk mitigation, you have a process for a reason.
But you also have time for you go outside of the process because and ideally your process accommodates for that.
So you're not just going far afield. But there are times where you're going to break the rule.
And it's reasonable that you should do so. And it's with the right levels of approval and documentation and review.
But there's just this fear because there's no clear standard.
So now I don't want to show my work because I don't want to be shackled to it.
And I'm aware that on this legacy product in the corner over here, I only get half the information.
And so I'm not doing it for that five percent of my customer base.
Right. And so service providers is just this paradox where service providers are the ones that know the information.
We don't have in telecom outside academic consulting work that's really, you know, in the weeds on this topic.
But they don't want to be the ones to release it. And then the second piece is it's inherently subjective.
Every telecom service provider has different products, different customer bases, different services, different systems and what they're capable of.
And it was a real challenge in coming up with the document to think about something that could apply to most everyone.
And there's going to be things that don't apply to people in the document where we've specifically said, just remove this.
It does not apply to you. So it's hard, right? It's hard to do something that applies to most everybody.
But I think that's why I wanted to do it and wanted to put this out there so that, you know, if I'm wrong, I'm wrong.
But let's start the conversation and let's improve.
Let's come together on a set of agreed upon principles and practices.
And that's, again, why I applaud your courage. Somebody has to go first. Not everybody's going to agree with everything you say.
But if everybody keeps quiet and says nothing, then we never make any progress.
So thank you so much for that. And we'll share a link to the documents at the end of this interview.
Don't you worry, Sarah. So let's ask another question now.
If I forced you to choose a strict order for how the telecom industry does things so there can be no muddle about everything being a step in the right direction.
Last, nothing is ever a silver bullet. You can see what I'm doing here in terms of the cliches that come up in all these conversations.
What should be what should the industry be doing first?
Should they strictly and consistently apply a high quality of know your customers through into all customers?
Or should they first implement the technology meant to determine where every call originates?
Or is that an unfair question? It's not an unfair question. It's an important question.
And I have a very simple answer. It's know your customer screening. One hundred percent final answer.
I think really what's evident in this is all the discussions about caller authentication, STIR/SHAKEN, both within the US and versions thereof internationally.
It's become apparent and clear that. Transferring information doesn't do a dang thing unless that information is good.
Right. If you don't have the information developing a large technical framework to transit that across the network or come up with other principles.
You know, it doesn't matter. Right. Unless the information is actionable, trustworthy, or at least somewhat actionable and trustworthy.
Right. It's not going to we're not seeking perfection, but at least there needs to be a more often than not versus today.
Frankly, I mean, we simply don't have much verified information that can be shared across networks.
Second part of the answer is really you think about the traceback process that we have in the US.
It does get you to the originating service provider in the caller, assuming that everyone along the line is responsive,
which today, you know, most often if they get somebody who's entirely unresponsive,
that probably is the originating service provider, although we don't know for sure.
In those cases, we still can't, if that originating service provider is unresponsive, we can't identify the caller.
And if they're untrustworthy and we don't trust anything they have to say about the caller, it's not really very useful to us either.
And so we've first got to start getting our arms around who even is a voice service provider in the United States,
because we don't know the answer. We don't know how many there are.
We don't know how many could be operating. And that's our fundamental issue.
So we've got to start there with cleaning up our data before we can utilize that data to launch ahead to solving the problem of legal calls.
It's another example of garbage in garbage out at root, isn't it?
It doesn't matter how much money you spend on sophisticated technology to pass data from one place to another place to another place.
If the original data is unreliable and which in this case means you don't really know who the customer is,
all you're doing is passing on what you believe you know about the customer.
And at the end of the day, the fraudsters, the criminals, the illegal robo callers,
the spammers, if they can find a route in because the poor KYC procedures,
well, they've got to keep on making the same calls. What does it matter that you now have like a trail, a record?
Somebody at the start at the source needs to do the weeding out.
And I think maybe that's something people have learned, but it's rather a shame the way they've gone about learning it.
Maybe if we had a few more people like you, Sarah, writing these KYC guides earlier, we'd have made a lot more progress by now.
Yeah, I think to be kind to those who've done it, I mean, I think it was something that was recognised,
but I just think the voices and the expertise, as I was talking about earlier, just weren't there.
Frankly, there was a long time where I was in the corner in operations and I wasn't talking to people about any of this stuff.
So I think it's great that it's become such a central piece of the conversation and better late than never.
Good. I like your optimistic look at things. I'm a bit of a negative Nelly sometimes. You're quite right.
But yeah, I mean, for me, the most positive is that people like yourself, people say used to working with fraud.
They need to be engaged and involved in the conversation because it's not all about, say, the expertise of a network engineer.
You work with great network engineers at Numeracle, but a network engineer will solve problems with network engineering.
Network engineering is not the solution to every problem, though. It's not the complete solution to every problem.
As we say, garbage in, garbage out. You can have great engineering, but if the information is poor, you're just using great engineering to pass some information.
Now, talk about technology and the data that's currently available to carriers, to the regulator, to the ecosystem as a whole.
How confident would you be that automation can be used to increase the amount of bad traffic that is blocked without risking blocking legitimate traffic too?
I would say I'm zero percent confident. I think the filtering engines and analytics engines can sometimes get a bad rap.
And but I am incredibly sympathetic to the position that they're sitting in, which is they have very sitting on the terminating side.
They have so little reliable information about any phone call that comes their way.
And they know this, which is why the actual blocking of phone calls is still very, very limited in the U.S. today.
There really isn't much being blocked beyond calls that are invalid, unallocated, the specific categories that the FCC has identified and authorized providers to do blocking.
They've also authorized more reasonable analytics based blocking.
But frankly, a lot of that isn't happening because there's not the capability to do really good analytics with the level of data that we have today.
And so instead, we've just created this separate system of call labeling and call blocking where the blocking is very limited.
And the best guess analytics is really happening on the labeling side.
And unfortunately, what we see a lot of is, again, because the data is just not great is while there are a bunch of fraudulent calls being labeled,
there are a bunch of non fraudulent calls that are also being labeled as potential spam, scam, et cetera.
And so if I don't think that there's a goldmine of information or improved technology that just hasn't been discovered,
that I think it really is the underlying data and information that has to improve in order for us to really get better at doing call blocking or labeling.
You're doing a lot for the industry, so not just in the USA, but elsewhere, too.
But I might be pressing you, I might be begging you to write to the UK regulator because we've got a new consultation that will finish in a few weeks after we air this interview.
And I'd love for them to hear what you've just said about blocking because their consultation document is about raising the expectations on blocking sky high.
If we get STIR/SHAKEN in the UK, apparently it will be really good at blocking and I just don't think it stacks up.
I just don't think the argument stacks up.
I do think Numeracle does plan to file comments in response and I'll certainly be a part of those.
So, yeah, we definitely, I'm happy to make a pain of myself wherever it is in order to say, hey, pay attention.
We can do this better. We have some learnings. Please, please hear what we have to say.
Yeah. And, you know, if you don't mind me saying, if you can advertise your business, say make everybody in the UK follow your KYC suggestions first and foremost.
Let's get that done first before we start worrying about the technology that really relies upon the KYC being right in the first place.
So now the United States obviously has laws that define if traffic is illegal and the rules that are designed to prevent and reduce illegal traffic.
That means it's really important to accurately determine if traffic is legal.
Does the United States also need laws or more laws about the labels attached to traffic?
You've touched upon the accuracy there of labeling there. How accurate are the current labels that customers see when they see traffic?
Yeah, not very is the issue that we've run into. One of the problems that we've dealt with is labeling, as I kind of touched on earlier.
It effectively amounts to a call block in the wild, right?
Consumers have been well trained that if something is showing up with a display of scam, likely likely fraud.
I saw one, somebody on our team saw one the other day that said probably fraud, which we all thought was interesting.
It's probably fraud. You know, there's a whole variety of labels.
You see those today and consumers don't answer the phone.
And we see that where when one of our clients has an improperly labeled phone number,
the answer rates just tank into oblivion. Right. And they should be on the consumer side because obviously you don't want to get defrauded.
And yes, the call still goes to voicemail. But who checks their voicemail and who calls people back?
It's just not a great situation for anybody. So the FCC previously declined to further regulate call labeling.
But in the latest Report and Order, they put out a notice of inquiry asking the industry to provide comments and feedback on the state of call labeling and whether further rules, regulations, guidelines need to be issued.
And my response to that is an emphatic yes. Right. We need to be thinking about those call labels.
Again, I am sympathetic to the plight of somebody trying to do this with very little information. And I am fully conceived that there are many fraudulent calls that are labeled and that that's had a positive outcome for consumers in those cases.
But we have to weigh the balance. Right. If there is a critical call that needs to go to somebody and it's labeled as a scam and they don't answer the phone.
That's huge. That's an enormous problem and potentially life threatening problem. Right. And so we shouldn't be dismissive of, oh, it goes to voicemail.
Yet there need to be rules and regulations in place on that side as well.
I will say today, the other reason it's needed is, in my experience, call labeling is applied today not based on legality, but based on the principle of whether the terminating service provider feels that the call is wanted by their subscribers.
And it's largely driven by consumer complaints and reports, regardless of legality.
So sometimes we have gotten the feedback when requesting that a label be removed from a client number that, no, this has had, you know, there have been some number of complaints.
We may or may not know how many associated with this phone number or they've had a suspiciously high call volume coming from this number.
Not in saying anything about what the content was. Just there's a lot of calls. It previously wasn't calling.
Now we're seeing a lot of call activities. So we labeled as probable scam or possibly spam. Right.
That's not illegality. That's wantedness, which remains undefined as any kind of legal concept in the US.
And therefore, you know, we got to really dig in on this and have some better standards for how it should be applied.
Because right now we're all working off of different sets of music, different pieces of instruction.
And it's creating a lot of conflict in the industry and bad feelings for enterprises, for service providers, for consumers who don't know it.
When their phone number gets labeled as a scam, you best believe they are very annoyed about that.
And it's happened. So, of course, it's affecting your company's reputation.
It's a form of defamation, if you like, because if you have done something legitimate, illegal and somebody else is saying don't trust these people.
This isn't a reliable source of information. You shouldn't be picking up the phone.
Just the very fact suspected or probable fraud, you're affecting people's perception of what you're doing as a business.
And if you get it wrong, well, the effect is almost the same as if blocking the call in practice because people are not going to pick up.
So and if I think about how things have changed over the last 10 years, we've seen a big change in thinking, but not a thinking through of the consequences.
If we go back 10 years, wouldn't matter which country I was in the world.
Generally, the legal environment is going to be if you're a communications provider and somebody is trying to use a communications service and what they're doing is legal.
Well, it's legal. You should permit that to happen.
You should not interfere with that because anything that looks like interference might be in some way,
skewing marketplaces, interfering with competition, preventing people going about their normal business.
Whereas now, regulators always want to have their cake and eat it.
They want us to be in a situation where there's a degree of screening where it isn't just everything is legal is allowed,
but they don't want to make anybody liable for anything going wrong.
Well, of course, there is going to be consequences, even if it is just a warning message that the user sees.
The consequence is it will affect the number of people who pick up and speak, as you say, if it was something like an emergency situation.
Maybe we're a bit blasé because we think about these things in the context of email and what's been used there in terms of screening out spam.
But nobody ever sent a really urgent, vital email, but they might be calling you in an emergency.
Right. Yeah. And I mean, we see this in text messaging as well.
The principle there, which is why I think we really need to start paying attention more in voice, is in messaging, blocking.
There is no labeling. There's only blocking and blocking has been happening for a long time based on the principle of whether something is likely wanted versus whether anybody thinks it's illegal.
And frankly, as a carrier, I'll tell you, that's because we almost never can we identify whether something is illegal.
Only in niche cases where it's, you know, this is the IRS contacting you about, you know, unpaid whatever the police are coming to your house.
Obviously, we know that's illegal from looking at the content of the message. But in most cases, we really don't know.
It's, you know, hey, click this link to save 20 percent on solar panels for your home.
I don't know what the prior relationship was between the person that sent that message and the recipient.
I don't know if they gave consent. I don't know.
You know, I don't have enough data to be able to make a determination.
But if I don't do anything and somebody just sends all of those messages out to consumers and none of them get blocked.
Well, then anybody can just do anything. Right. Seems to become the argument.
And so voice is going to go the same way. More parties right now.
It's limited to just the three major mobile carriers and their analytics partners, as well as some consumer side blocking and labeling applications.
Very few parties are doing labeling today. It's going to increase.
I guarantee you, I fully predict that more parties are going to be pressured in as more and more regulatory pressure comes down on carriers to stop this,
solve this problem. They're going to be pushed into acting in ways that, you know, maybe regulators didn't intend and consumers do not want.
And so we've got to get our arms around it now before the inevitable future in which everybody is out there labeling and it becomes even harder.
And I mean, I'm not even getting into the fact that there is no feedback to you as a business inherent to your phone system that would even tell you whether your calls are being labeled as scams.
There's no feedback that happens in that instance. And so it's really tough.
That's why Numeracle exists as a business: we help businesses get those analytics on what is happening with their phone reputations and do those registrations.
So we're out in the trenches and it's a tough place to be right now. I will tell you.
I think we're going to be having this conversation again and again and again, Sarah, because we really need your advice.
Now, we're running out of time. I would love to keep on talking all day with you, Sarah.
But let's finish with one last question, because you're doing a lot of great work, not just for carriers in the US.
I think carriers all around the world should take a look at what you're doing in terms of advice for KYC.
But let's just imagine that instead of you having to negotiate and influence people, you are the absolute ruler.
You are Queen Sarah of a little island that there's been a volcanic eruption in the middle of the ocean.
It's a completely new island, a completely new country. And Queen Sarah of Delfavenia is in charge.
You don't have to negotiate with anybody like any country. Your country, your people of your country, a small little population.
They want to be connected to international communication networks like everybody else does.
But it's only a small country with a tiny population, not a lot of money because you only just popped out of the ocean.
OK. And the people are conscious about the problems that are caused by bad traffic. Bad traffic is a real thing.
So they are conscious about the risks, about the potential frauds and all the rest of it.
They could be subject to as the wise and benevolent ruler, Queen Sarah of Delfavenia.
What steps would you take to protect your Delfavenians whilst being mindful to learn from mistakes that maybe other people have made in the past?
Yeah, I have to say I love this question. It appeals to my thought experiment, megalomania, being able to just decide for myself what it should be.
There's so many restrictions, obviously, in the real world for this. But in the abstract, I think there's a few general principles I can align on for this.
One is starting with a better system for base identity at the governmental level.
Right. Issuing individual identifiers for each citizen and business entity that's incorporated in Delfavenia.
And once that's done and there's a system of identifying parent or related organizations,
what you could then do is you could make it a requirement that communication service providers in order to sell Delfavenian telephone numbers or phone services,
you need to be searching and going through a series of very clear and codified steps for validation of identity for each of those consumers,
each of those businesses, and then tying that communications account back to that global identifier on the back end to ensure that there's a clear,
there's nowhere to hide. Right. There's a clear connection between the communications that are being made and that universal identifier,
such that, you know, if you do bad things, we can find you on that. If you don't do anything, great.
Go for it. Go forth, prosper. You really don't need to worry about it.
But that's number one, is to create that idealized system of identity on the back end for folks.
I think the second one is to do the display. So when you can change your phone number as much as you want,
but the underlying identifier is still going to be tied to your communications.
And when you make outbound communications, your identity is going to be displayed, not your, you know,
your personal identifier, but your name, your business name, whatever it is.
So that's number one is identity. The second piece is putting control into the hands of consumers to better decide what communications they want to receive and empower to opt in or out of communications.
So if you have this system, one of the things that you could be able to do is I'm a consumer and I'm getting calls from a business.
I could opt out of receiving calls from that business as a whole, not that phone number where they could just get a new phone number, which is what happens very often.
But I can say, you know what, I'm no longer interested in receiving communications from John Q.
Public or the Bank of Delphey Vania. I don't have an account there.
I don't know why they're calling me, asking me if I want to create one opt out.
And you are then fully opted out as a whole and they can no longer contact you.
The possibilities for this are great further.
You know, when it comes to international communications, because obviously we're small countries that we're going to be communicating with a lot of people outside.
Give consumers the ability to control from which countries folks are able to call them.
This is the thing that I don't know why isn't a universal service today for me to say I only want to be contacted by individuals from the United States, Canada, France.
But anyone who calls me outside of those countries, you can have it self-selected.
They either go to voicemail, they're blocked entirely and they receive a notification back saying this user is not authorized to receive calls from your country, whatever it may be.
Obviously, you have to create systems where for critical callers, for critical information, those are overridden and those go through.
But with this base system, you really put the control in the hands of the consumer.
And then the second piece is once you have identity, people are still going to do bad things.
You need the second piece, which is enforcement. And in my Delphey Vania, the enforcement does not happen with the carrier.
The enforcement happens with law enforcement where it really should reside and exist.
And so complaints, they go to law enforcement issues.
They go to law enforcement and then law enforcement is able to clearly identify who is responsible for those communications and determine whether or not those communications rights should be or the phone access should be revoked.
It's a huge thing to revoke someone's access to the phone network. And yet we give that to carriers as though it's nothing like, yes, this person's right to communicate with people.
No, there should be a higher standard. And that should be something that we all agree on in law as to what that should be.
That should be law enforcement control. And then separately, when they do these investigations, the other piece you could say is, OK, well, carriers have all this information about the actual calls themselves.
And we don't want the government to be snooping in on every single call that we make. I 100 percent agree.
But what you can do is if you look to the financial industry and you look to anti-money laundering rules, the government doesn't get to see every single financial transaction that happens.
Instead, there are reporting requirements from financial institutions to send to the government reports in specific instances and behaviors.
If you make a foreign transaction over X amount of dollars, if you are transacting from this country to this country, you're identified as a politically important person.
You know, all of these are ones where it triggers a reporting requirement. You could create something similar in communications where you set thresholds, you set certain qualifications,
you set certain criteria at which communications providers will then proactively send reports to law enforcement who can then across all the communications providers,
see a full profile of, OK, this is Sarah.
She is communicating with all of these people and everybody is there have been three police reports filed saying that she's making fraudulent communications or,
you know, all of three of her communications providers have said that she's making these, you know, communications using invalid phone numbers and caller ID or whatever it is.
I'm going to pursue a criminal case against Sarah because clearly she's done this violation of the law. Right.
So it's two pieces. There's the let's create a better system of identity and consumer control.
And then let's create a more reliable system of law enforcement that allows you to still have the freedom to communicate,
but also on the other end ensures that the right information gets to the right party who's really best positioned and best regulated to pursue enforcement against individuals, companies, what have you.
Sounds like paradise, so sounds like paradise. I knew you were the right person to put in charge of Delphey Vania. It was lucky that it is.
Look at the name turned out to be a coincidence there, but you're definitely the right person to rule Delphey Vania.
Sarah, you've got the job as soon as the new island becomes available.
I'll be putting forward your nomination to United Nations. So I think you're absolutely right with all those things.
A fantastic and thank you so much. I wish we had more time to chat.
Sarah, I've really enjoyed our conversation today and I hope we'll have you back in future as well.
Perfect. Thank you so much for having me. I appreciate it.
Well, thanks, everyone, for watching the interview. I have to say we wanted to play the interview in full because so much good material there.
So it's such an amazing job at the interview. And when, of course, we're producing this fabulous know your customer policy guide, which is on screen at the moment,
you can obtain a copy of Sarah's model standards for know your customer from www dot numeracle dot com slash k y c dash policy dash guide.
Let's just leave that on the screen for a moment, Producer James, so that people have time to look it out.
Look it up, perhaps get it. Check out the URL and make sure they can visit it whilst I chat with Ed and Lee.
And I have to say, we've had a lot of fantastic comments come in.
Well, so whilst we've been playing Sarah's interview, so we won't have time to go through them all.
I'll share some of them with you here. Michael Becker says, Hi, would love to meet.
Would love to move to Delfryvania. Bartek Barkowski has been saying how much he's been enjoying the interview with Sarah.
We've got a comment here saying, Will I be coming back on Numeracle's Tuesday Talks podcast in future?
Of course, Sarah and Pierce do such a great job on Numeracle's Tuesday Talks podcast.
I'll be glad to be back there. And I hope that they'll both be returning in next season of the show.
George Woodworth comments on Wangiri. I believe for as long as money needs to be laundered, Wangiri will exist.
I've also seen regulators not want to block Wangiri calls because they make revenue out of it.
Going back to the interview, though, Lee, I want to get your input here on this before we move on to our second interview today.
I know we're running along, but so much great content. I think we need to spend a few minutes just contemplating it here.
The know your customer arena. It's an area where telcos serving wholesale and enterprise markets have traditionally failed to do all they might do to weed out criminals.
Or am I being unfair? Have telcos been doing enough?
Do they need to step up and do more to distinguish between the good businesses and the bad businesses in the telecoms ecosystem?
Sure, especially in the wholesale carrier business area. I think, you know, this kind of links back to your previous question about Wangiri fraud.
You know, so a good majority of these Wangiri calls, they originate from unallocated number ranges.
So the carriers, they definitely know, right, this is fraudulent traffic passing through the network.
I personally think that carriers, they need to have the same KYC measures imposed upon them.
Right. So we know exactly who's originating these fraudulent calls.
So if you're terminating the call into a particular country, then you need to have the same KYC relevant to that country.
So, yes, definitely on the wholesale carrier side.
It's a huge problem because on one hand you can sympathise and say, how can you possibly know about the customer of somebody else who's the customer,
somebody else who's the customer, somebody else who's your customer?
With so many links in the chain, you can't go back and necessarily verify somebody who's many links before you.
But at the same time, we have an endemic problem in this industry where that very fact is then exploited.
So we know about huge problems like Wangiri and we tend to shrug our shoulders.
And as George was saying there, well, even regulators are benefiting, profiting from bad traffic.
So we know that bad traffic occurs and we're always shrugging our shoulders saying, well, there's nothing we can do about it.
Well, actually, if we were addressing the problem at root source, if telcos were always doing the job they should do to know their customers,
we wouldn't be having to scale the problem, I don't believe.
Ed, I want to bring you in here. Are you surprised at what we were talking about in the interview with the FCC,
effectively mandating that US telecoms providers do something about checking who their customers are,
but otherwise not stipulating, not providing any advice about what it means to do those checks,
leaving it up to people like Sarah to volunteer her time to explain how it should be done?
Yeah, I mean, that juxtaposition right there is odd,
just in the sense that the FCC would certainly have the capacity to engage someone like Sarah to have her part of the process,
even if it's like a public comment type thing, right? Like it's the normal structure would be there.
So it's really weird. And taking it up a level, I think it's weird that they would get so deeply into something like specifying something like STIR/SHAKEN,
right, and this very granular level thing, and then have a laissez-faire approach to other issues like KYC,
which at some level, all these things are related. They're all dealing with identifying that who's calling is who they say they are,
and overcoming some of these impersonation scams and other bad actions.
So to look at them so separately like that is just really, it's daunting, actually, it's disappointing.
And so here's my chain of thought on this, is that I know we're running long.
It's aggravating because what ends up happening is you have a lot of regulation gets made that can make business more difficult,
but then it fails to prevent market abuses. So, you know, like I've worked with clients, for example, trying to bring like a new 5G device to market,
and there's all kinds of endless regulatory hoops and certifications to things that they're worried about.
You know, that someone who isn't a good actor is obviously not going to be worried about.
And so a company with bad intentions can set up shop, cut corners, use telecom infrastructure to their advantage,
like, you know, abuse it. Remember that in the last several years in the U.S.,
you know, they redefined telecommunications infrastructure as critical national security infrastructure.
You're talking about the misuse of critical national security infrastructure here, right?
So it's being used to do damage. And those people may never face consequences, but the market suffers.
People suffer. There's no way to compensate anybody, you know, in a lot of cases.
And so when I look at that, I think about the FCC's charter, I just that's a really disorderly market that's not being regulated or governed properly.
And I think that's why we criticize the FCC, for example, on this show a lot, because it's not even asking you to do a better.
Hey, you're doing a solid job on X. Please do better. It's not even that level of criticism.
It's hey, can you play your role in the market and stop with the fluffy half measures and the, you know,
this sort of like, you know, piecemeal approach and make defending telecom infrastructure, which is national security infrastructure, make it a priority.
You know, we were spending a lot of money to build more of it. Can we look at some of these issues and defend it for what it is?
And this is sort of my end of season rant here. But, you know, having started my career as an FCC reporter, now we're ending the season on this.
Yeah, I think the FCC is opening itself to criticism on this basis because you're not preventing market abuses.
Right. You are creating friction in markets that can prevent things from moving forward.
Right. And you're not taking a consistent approach. Right. If you took a consistent approach that was flawed, you might be able to forgive that.
You're taking an inconsistent approach that's not effective.
I think that we need to do a lot better.
I think we need to take a really hard look at how we do telecom regulation and tech regulation in general, given the pace of change and really reconsider, you know, how it's done and not on a one off basis like this.
I mean, I think, well, don't stop. Don't stop. We always want more ranting on this show.
That's why I'm happy to keep on going along because the people who are still getting comments coming in.
So people are still watching. So if you guys don't mind going along, I love to go along.
And I think Sarah hit the nail on the head during the conversation there that I had with her.
And it's something that hasn't got a lot of attention because the FCC is always manipulating the way the story's presented to the public to avoid any criticism of what they've done in themselves in the past.
And Sarah mentioned quite early on in the interview, but I recall, you know, I'll draw your attention to it.
She was talking about really a lot of this work that's now currently taking place.
It's just about finding out which businesses they should be regulating because they don't know which businesses they should be regulating.
They have gone on for an enormous length of time, not really knowing who is involved in the telecoms ecosystem.
And a lot is said about STIR/SHAKEN, a technology, an expensive technology. Sometimes people now start talking a little bit more about the robo mitigation.
Robocall Mitigation Database. The Robocall Mitigation Database is essentially a ruse to find out the names and addresses of all the companies that currently that previously the FCC didn't know the names, didn't know the addresses,
but should have been regulated because they may well have had a part to play in the transmission and the distribution of robocalls.
That was the problem. They literally don't know who they're regulating. You impose a rule.
You give a rule to everybody, but you don't know who it's meant to be applied to. You don't have a name.
You don't have an address. You don't have a phone number to deal with it.
And then you slap on some super expensive technology like STIR/SHAKEN, which is essentially a technology that's very good at taking a signature from one place and making sure the signature gets taken hop by hop by hop by hop till the final place.
So, you know, at the end, the signature at the end is the same as the signature at the beginning.
But frankly, if I was to be buying a work of art and it said the signature Picasso at the beginning, I wouldn't buy the work of art just because it says the signature Picasso on it.
I'd want to know that this has been authenticated as actually painted by Picasso and STIR/SHAKEN is a technology which is great at passing along the signature.
But nobody checks to see if it's Picasso who's doing the work of art or making the phone call or somebody else who's just applying a signature incorrectly.
So the KYC is the root of it. And we have completely failed to address the root cause the problem.
That's layering on technologies on top. So I take your rant, Ed, and I tap you around.
So forgive me if I do that.
You're good. I actually sort of have a question, maybe for everyone on the KYC side and it's just, you know, coming out of the interview and it's that I'm having spoken with folks on the banking side about KYC and its flaws.
I wonder, how do we do it better than banks have. So I think here we're arguing like we have none, then we need to have something and something is better than nothing.
Agreed in determining what that something is. I think there are models like in banking to look at and should be looked at, you know, with folks who are real about it, you know, say hey yeah here's how we did it wrong.
Here's what we can do better, let's try to advance in that direction and let's at least do it that way if we can implement it.
Yeah, I mean, and we could talk all day about say SWIFT for example in terms of a messaging system, which works on an international level, so that when a transfer goes from one bank to another bank, you know which is the origin bank, you know which is a destination bank, there's no nonsense about how that process works.
And yet we in the telecoms industry, you would think we'd know all about messaging systems, we don't seem to have the ability to do something as simple as that but let's park the conversation for a moment because we got another interview coming up but it's worth it.
All these things are connected. They really are all connected.
Andrew Wong is our next interviewee, he was the chief he's been the chief operating officer of Japanese fintech business, SORAMITSU, since 2021.
His career seems to split his time between Japan, the US and Germany fostering innovative new internet businesses, whilst also lecturing at the University of Mannheim, Meiji University in Tokyo, and the Harvard Business School.
Now Andrew spoke to me of his desire to expand the interests of SORAMITSU from central bank digital currencies and financial transactions to the communication sector, and specifically the use of distributed ledger technologies for consumer protection as demonstrated by SORAMITSU's million dollar contribution as developer of the RAG fraud blockchain.
Producer James, please roll VT.
Hello, Andrew, thank you for joining us on the show today. Now you worked for many years at Yahoo, and you lectured at universities in the USA, Germany, and Japan. Could you please tell the audience a little bit about SORAMITSU, and how you became the chief operating officer.
Well, thank you for the question, Eric. SORAMITSU is a Japanese fintech company that specializes in blockchain technology. We have a diverse and highly skilled international team of around 150 employees. SORAMITSU, we build innovative payment and asset management systems.
We focus exclusively on blockchain technology, and while we work with several blockchains, our blockchain of choice is Hyperledger Iroha, which is an open source blockchain that we pioneered and contributed to the Linux Foundation.
Now, as someone who was born and raised in Silicon Valley, where technology was really at the foundation of my upbringing, I was incredibly fascinated by the mission of SORAMITSU, which at its core is about advancing humanity and designing a better world through decentralized technologies and blockchain.
I found this to be incredibly fascinating and exciting, and because of that, it's far easier to sustain energy and the enthusiasm in your work if you're animated and by a powerful belief in the good that you're doing, and by the knowledge that your work has a greater purpose.
That's fantastic to hear, and that's the kind of thing we love on this show as well. Now, SORAMITSU developed the RAG fraud blockchain using, as you mentioned, the open source platform that you also created, Hyperledger Iroha.
What leads a Japanese firm with expertise in areas like central bank digital currencies to want to create a service for communications providers?
Well, here at SORAMITSU, we possess more than 100 years of experience in both developing secure and really scalable blockchain based solutions for the electronic communications and financial services.
In fact, in 2018, we were the first company in the world to build the first blockchain based central bank operated national payment infrastructure system that I might add has a 1.2 billion worth of account of transactions flowing through it.
Now, fraud is a major risk to companies and their customers worldwide, and frankly, in this dizzying increasingly technology in the world, fraud is ever more increasing in the sophisticated in its design, and this is a problem that needs solving.
So we were incredibly fascinated and impressed by the fraud blockchain vision, really, to be the most sought after and trusted source of shared fraud intelligence globally, and we saw this as really an opportunity to advance the vision with the capabilities of Hyperledger Iroha, a form of blockchain that really enables our peers, our customers, to share data with specific criteria.
Now, we also very much believe that this business is not only about technology, Eric, but about the people that you work with.
And given RAG and Aurelien's leadership in this space of fraud intelligence, we felt it was a phenomenal opportunity to work with firms that shared the same values as us, and in doing so, form a joint venture to advance our common goals to really fight these fraudsters and to help the telecommunications space.
You're very flattering, Andrew, and we're very glad to have you on board. SORAMITSU has been a fantastic business partner in pulling this together. Now, let's be frank here, let's deal with some stuff that we know that people out there believe.
There are some people who say that although it's sensitive information, the kind of information that's being gathered about telecoms crimes being exchanged using the fraud blockchain, it'd be better managed just using a centrally managed database.
Even if it was just an Excel spreadsheet on the cloud, you obviously don't agree. Why use a blockchain instead of something like Excel to do this?
That's a great question, Eric. Now today, the lack of collaboration and fraud intelligence sharing between telcos, regulators, and digital businesses is a major obstacle to the effective management of global fraud risk.
Now, what is required is not a database, but rather a global shared value ecosystem that enables all parties to really subscribe to a fraud intelligence sharing service and derive both data and insights that can really help their business at scale
using the power of the ecosystem. We don't do this via a centralized architecture or a centralized corporate entity managing the structure.
Now, spreadsheets, well, let's be frank, they only offer dead ends that will never ever scale.
And I would argue that spreadsheets exist only to create work for people who need to oversee that the spreadsheets are created and to give fraud managers something to talk about.
As an industry, we need to break down these silos and really challenge the conventional wisdom.
Well, I'm certainly on your side with that. I couldn't agree more, Andrew. I think one thing that people, the audience may struggle to appreciate to understand is because they kind of visualize these things as being spreadsheets, perhaps run by somebody in their spare time.
You know, once every other week, they'll do it. They'll type a few new records into the cells, into the spreadsheet. They don't have a sense of the scale of what SORAMITSU has put into this project.
Have you, SORAMITSU, created a figure, pulled some statistics together, got some sense of the scale of the investment that you put into developing the RAG fraud blockchain?
That's a very great question, Eric. So SORAMITSU has invested a material amount of time, research development, hard work and ingenuity to advance the fraud intelligence method.
It's a very large and seven digit figure in dollar terms.
In US dollars, my gosh. Now, everybody knows blockchains can be used to track transactions involving currencies. In fact, that's maybe almost a problem, though, with blockchains, that people are kind of stuck in a rut and how they think about blockchains and distributed ledger technology in general.
People get bogged down with the idea that it's about money. What is the advantage in designing a blockchain that automatically issues tokens to users who upload their fraud intelligence?
That's a great question. As we discussed before, Eric, we believe that telcos need better fraud intelligence to prevent fraud and to really protect their customers.
Now, the sharing of fraud data between a critical mass of telcos and building a robust ecosystem built on blockchain is an enabler to achieve that.
Now, the use of blockchain gives us the tools to issue tokens to encourage the right kind of participation onto the RAG fraud blockchain.
This is advantageous for numerous reasons. Primarily, it serves as really a mechanism to logically incentivize customers to contribute their fraud data to the shared ecosystem for the benefit of all.
Such tokens could be used to subscribe and benefit from insights, further value added services and more by sheer virtue of their involvement.
I should emphasize that these are utility tokens, which specifically serve a use case within the ecosystem that is used.
It's like an economy within the ecosystem. This isn't about money that's being spent elsewhere, but it means that there's some give and take and some recognition of the give and take within the system, which I think makes it fascinating.
And again, so different from these centralized Excel spreadsheets on the cloud, which we seem to get addicted to in this particular industry.
Now, how much thought has gone into Andrew making it easy for the communications providers to add and obtain large volumes of data from the blockchain?
Well, we have spent many days and nights and weekends for that matter, architecting really what is a robust, secure machine to machine API that enables telcos and FMS vendors to really seamlessly integrate into the RAG fraud blockchain and using their native workflow.
Now, we believe that this is an example of how we can create a methodology and process to really enable customers to find an automated conduit to participate and experience the benefits of working with the RAG fraud blockchain.
We are also, of course, authoring crisp documentation for all parties to consume.
We strongly believe that our clients' interests will always come first, and as a team, our experience shows that if we serve our clients, our success will follow.
And so we're very much looking forward to working with customers to help realize that value through that API conduit so that they can experience the breadth and value that the RAG fraud blockchain can contribute to their business,
strengthening its connection with customers and really increasing their shareholder value.
Fantastic. Now, of course, you may be aware that the word Wangiri is Japanese in origin.
The RAG fraud blockchain, best known for exchanging intelligence about Wangiri fraud, is there any reason to limit the blockchain so that it only exchanges intelligence about Wangiri?
What are your views on the desirability of communications providers using the same platform to exchange intelligence about various other kinds of fraud?
Well, Eric, we want to offer a really well-informed, well-architected, high-value service for our customers.
And Wangiri is an important and critical fraud type for exchanging intelligence, but it's really just the start.
There are many other fraud types that exist in the market today.
IRSF, ATP, SMS, device and more.
The new RAG fraud blockchain is built on really technology to pull intelligence across different fraud types.
And understanding and having a high alert on these fraud types is very important due to the onslaught of telecommunications frauds.
So we're building and we need to build technology for the good of the telecommunications community.
And this is a turning point and we believe the time to act is now.
So you'd be willing to work with telcos, with national regulators, with associations who perhaps want to specify other kinds of intelligence that want to exchange to defeat fraud.
You'd be open to adapting the blockchain to serve their needs, too?
Absolutely. We're looking forward to it.
Fantastic, Andrew. Well, thank you so much for your time today.
And thank you all for the wonderful work that you and your colleagues are doing for the telecoms industry is appreciated by those telcos that are using the blockchain right now.
And we do expect more will be coming online and joining us using the blockchain in the near future.
Thanks again, Andrew.
Thank you very much, everyone. Take care.
Well, thanks, everyone, for watching the interview there with Andrew Wong of SORAMITSU.
I really think it's important that we start to have sometimes more of an engaged, sophisticated debate about these issues where we look at the connections between the problems we face, the root causes and how we look at solutions.
I think too often we're looking at things in a piecemeal fashion.
And with that in mind, I just want to mention here a comment that we've had from Karl Kammerer whilst the interview was playing there. Karl says KYC regulations are for the most part focused on physical legal identity to prove humans are who they say they are.
But there is no regulation, as far as he knows, requiring banks to verify digital profiles, email, phone numbers, domain names, IP addresses, social media cats.
I think you make a great point, Karl.
Here's my rejoinder to you. The G20, the central bankers of the G20 are working, have started to put in place the fundamentals of a plan so that you could, so that it would be possible to verify the digital presence of not just banks, but of other corporations in order to safeguard the financial transactions that occur.
Not everything is in place. Not everybody is following and using the legal entity identifiers that these G20 central bankers have created.
But they're working on the framework and they're working on the framework because, frankly, bankers tend to be ahead of where we are in the telecoms industry, ahead of where the Internet industry has been in terms of addressing these problems.
Sometimes the work that we do isn't seen to be as sensitive or as important, so it doesn't get the emphasis.
Let's go back and reflect upon the fact what I was saying before, the Robocall mitigation database.
The United States telecoms regulator literally did not know which telecoms companies they should be regulating.
They didn't have any list and they're now trying to play catch up with this and they're spending a lot of money on a centralized architecture, whereas the G20 central bankers, they're putting in place a decentralized architecture that could work on a global level.
I'm not saying that they have all the problems solved, but we should be in this industry learning from good examples elsewhere.
I fear that sometimes we don't look broadly enough at others, what they're doing to understand where our defects are and what the solutions to the ideas they put forward, they're clearly not good enough.
They wouldn't hold you up to snuff, as you would say in England, compared to what were the expectations of the sectors.
I'm not saying banking is perfect.
Clearly not.
But nevertheless, we should always be open minded about where we can gain, where we can learn from others.
And I look at some of the solutions being put forward to the problems that we face in the communications industry.
And I shudder to think how far behind we are, not just because we need to do something, but because the solutions we talk about look archaic and old and primitive compared to what other industries are doing.
As we were saying in the interview there with Andrew, we have people in this industry talking about effectively putting Excel spreadsheets on the cloud.
And that's how we're going to share intelligence.
It's frankly shocking that we're working in technology-run businesses and we're talking about that low of a sophistication.
So, another little rant there. And now I'm going to start ranting at you, Lee.
Guys, have you put in place the RAG fraud blockchain in your telco yet?
Well, we're already using it, Eric.
So, we have a voice firewall. We use that amongst many things to detect CLI spoofing.
We use it to detect Wangiri as well. So, what we're looking to do, we're looking to integrate our voice firewall into the RAG block fraud chain.
And basically what that's going to do is that's going to allow us to share data in almost real time to the database, just as what Andrew was saying there.
So, it's about sharing intelligence across the community.
So, you've got to do it. Is it hard? Is it difficult? What are the reasons why people wouldn't do it?
Why wouldn't they do it? I don't know. Why would you not do it? I don't know. I mean, it's about-
Well, it could be cost. It could be too technically difficult. You may need specialist stuff. I mean, are these real barriers?
No, it's not that expensive to integrate into. It's just integrating into an API, right? So, that's not cost effective. Sorry, it's not expensive to do.
It is actually cost effective to do it, right? I mean, we have this data. Why don't we share it? Why don't we share it in real time?
And I think the community needs to get together and start to share more intelligence like this.
So, would you agree with me that this is a fabulously leading question? And also, the fabulously leading question is there is no good reason for other telcos not to do this.
There is no good reason for regulators not to be jumping on what's actually one of the rare examples of charity, not businesses saying we want this technology because we're going to charge an absolute fortune for it.
We're talking about a technology that's being made available free of charge. There's no excuse not to be implementing. There's no excuse not to be adopting.
No, there isn't. And really, when you think about it, Eric, the technology is there, but it's only as useful as the information which is in it, right?
And I think what the community needs to do is to get together and work out, you know, let's all put this information in.
If I'm putting information in, then I can take the information out and that helps me as a fraud manager, right, in a telco.
I don't know about you, Lee, but I get the feeling that every three weeks I'm hearing about a new initiative to share information.
Almost all of them from businesses that basically intend to charge telcos for providing the service.
We don't need a new initiative every three weeks.
We need some people to jump on board an existing initiative and start backing it and supporting it rather than always talking about how they're going to solve a problem in two, three, five, ten years time.
Maybe after they've already finished working and catching their pension, we can take action now.
But we don't seem to be always willing to take action now because it's easier to talk about what we might do in future.
Yeah, again, Eric, I completely agree. I think this is a fantastic piece of technology which has had a huge amount of investment.
It's a great service to have at your disposal.
You know, people just need to start integrating into it and sharing data, you know, in almost near real time.
But it works, is the main thing. It works.
Yeah, of course it works.
Well, you say, of course it works. We spend hours and hours talking about STIR/SHAKEN and that doesn't work, it costs a lot more money.
But end of ranting.
At least a change of direction of ranting now, Ed.
We've really endorsed ourselves today. We're almost at the two hour mark, but I'm enjoying it so much I'm not going to stop.
We're going to have 11 weeks off anyway before we're next season.
Before we finish today's episode, what topics did we not spend enough time talking about in the 13 weeks we've been doing this season?
What do we need to be giving more attention when we return for the new season on August 25th?
And before you start answering, anybody still out there watching, we'd love to have your comments on that too.
What should we be talking more about next season?
I mean, you know, so obviously I'd love to continue addressing these issues with digital privacy and identity because they're going to keep evolving and accelerating and keeping problems.
So that's for sure. But one of the things that came out of the show is an idea that, just from our discussions, intrigued me, was the idea of maybe looking a little bit more closely at the weapons and tactics of the, let's call it the cyberwar for now, or the identity war, whatever you want to call it.
But let's look more closely at those weapons and tactics and start to define and educate and maybe educate stakeholders like law enforcement agencies a little bit more, like that being the intent of that definition.
What are these tools and how do criminals use them and how can you identify when they're being used or misused, like from certain data sets, things like that.
And I think that's, to me, is like just raising that awareness and I don't want to overhype it but we live in this world where there's so much noise and everyone's screaming from the rooftops, but this is a real issue.
So anything that we can do to help people understand it a little bit and get them screaming from the rooftops for us I think is useful.
And so my last thing I'll add though is this is, I think it's imperative on me as an American to prepare more criticism of the UK and EU and other regions and how they might have failed the world in their approaches to telecom regulation and data privacy.
So you put me to that task.
Absolutely fair, absolutely fair. I mean, there's plenty you can find it's been done wrong in the UK I know that for a starter so you shouldn't be short of ammunition there, but I think what I love what you said about the identity war, because you really need
to be starting to understand telecommunications in the context of identity. It's not just about someone's voice getting from somewhere to somewhere else. It's not just about a message getting from someone to someone else.
It's about the identity behind the voice, the identity behind the message, and therefore the identity behind the business that's being done, the information that's being conveyed, the transaction that's occurring as a result.
And if we don't know the identity we are in a terribly, terribly weak position. Lee, final thoughts. Is there anything else that you would like to see in terms of ramping it up on the agenda for our next season?
Well, I mean, this comes back to land, sea, air, space, and cyber. And if you think about those dimensions, telcos run across all of those.
So plenty to talk about then.
No shortage of things to talk about. We didn't talk about submarine cables once, I don't think in this season did we? Did we talk about submarine cables?
Poor old Taiwan is throwing up the satellite dishes because they're worried about their submarine cables being taken out. Maybe we'll do submarine cables at some point. I know that's one of your favourites, Lee.
Yeah, well, why not? I mean, if you look at the investment around the world, the telco I'm working for at the moment, they've just invested about 250 million in a new cable as a partnership, bringing a new big capacity submarine cable into Bahrain.
So, yeah, I mean, we all talk about submarine cables dead. It's not dead. There's a lot of investment going into that right now.
We need it. We need those connections to still be up and working. And it's funny that so much money gets spent on them. And then apparently somebody with an anchor dragging along the sea bed is always cutting them.
And sometimes maybe it's not just an accident, as the Taiwanese are starting to point out with how often their islands get cut off from the internet too.
So plenty of things to talk about. But that's it for today's show, for this season of the Communications Risk Show.
As you've already told, it could have already worked out. We've massively overrun, but I've enjoyed it, so I don't care.
Thanks again to the two interviewees for today's show. Sarah Delphey, Vice President of Trust Solutions at Numeracle, and Andrew Wong, COO at SORAMITSU.
Thanks also to my co-presenters, Ed Finegold and Lee Scargall. You are such excellent, sparring partners.
I will miss you for these 11 weeks until we're back in the ring again, sparring on these topics.
Thanks also to the incredible hardworking producers, James Greenley and Matthew Carter. What an amazing job they've done of pulling this show together, producing episode after episode.
Thanks to our sponsors for making this season possible. Our season sponsor was BluGem.
The World In Your Phone sponsor was 1Route and Fact of the Week was sponsored by Symmetry Solutions.
Our thanks to you, the viewing audience, for watching today and to everyone who's watched across the entire season, helping us to reach the previously unimaginable heights of over 2,300 viewers per episode on average.
We couldn't do this without your support and we wouldn't do this without you.
We will be back with a new season starting August 23, so as you've seen on the screen because of our talented producers, click on the link on tv.commsrisk.com.
Take a few minutes now to subscribe to our online calendar. Subscribing means the details of each live stream and each guest will be updated in your diary automatically, so you won't need to worry about missing shows when a new season starts.
Just click on the menu item called subscribe to the live stream calendar at our website, enter your name and email address and the kind of diary you use.
And that's it. Episode 13 of the Communications Risk Show. We will be back on 23rd August. In the meantime, I've been Eric Priezkalns. The archive of the Communications Risk Show website, tv.commsrisk.com, will continue to have all the recordings of all our past shows.
Keep reading commsrisk.com for the latest news and opinion about risks in the commerce industry and visit the website of the Risk and Assurance Group, riskandassurancegroup.org for access to RAG's free services and content.
Thanks for watching. Be seeing you.