26 April 2023: SMS Pumping Fraud

Elon Musk lifted the lid on the soaring scale of artificial SMS generation when he complained that bots were costing Twitter $60mn each year by pumping bogus two-factor authentication messages in the direction of crooked telcos. This then became a global story for information security professionals (and a lot of opinionated amateurs) when Twitter switched off the use of SMS for two-factor authentication of unpaid accounts. How serious is artificial SMS generation, does it spell the end for A2P SMS as a service, or are there other ways to prevent SMS pumping? These are the questions that are fielded by Tim Biddle, who is Sinch’s Director of Operator Relations for the UK and Ireland.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hello, my name is Eric Priezkalns and this is the Communications Risk Show, the live
streaming conversation show produced by Commsrisk in collaboration with the Risk and Assurance
Group, RAG.
Every Wednesday, we stream live conversation with risk experts from around the world of
electronic communications.
Because the show's live, you can join in too.
Submit questions and observations as we go along.
To message us during the show, just tap your message into the window immediately beneath
the streaming window on our website at tv.commsrisk.com.
Those messages are anonymous, so write your name in if you want me to read it out.
We also stream this show live on LinkedIn, so you're welcome to leave a comment over
there if you like.
We'll try to read out as many of your questions and observations as time permits.
Later in the show, we're going to be talking about artificially generated application-to-person,
A2P, SMS fraud, and the factors that encourage this crime.
And we'll be discussing that with Tim Biddle, who works for Sinch as their director of operator
relations for the UK and Ireland.
But first, let me introduce my co-presenter, Ed Finegold.
Ed Finegold joins us from Chicago, he's an author, analyst, strategic advisor to tech
and telecoms businesses, and a thoroughly good chap.
Lee Scargall, unfortunately, could not be with us this week.
He's too busy dealing with some kind of jet plane type issue, but he will return next
week.
But Ed, I'm going to enjoy chatting just to you this week because we have some sensational
stuff to talk about.
Are you fired up and looking forward to this amazing topic we're going to be talking about
today?
I am.
I'm keyed up and you posted some really complicated questions, so everyone should know.
I have notes.
So if you see me looking at my notes, don't curse me, Eric asked me really complicated
questions and sometimes I need notes to keep track of where I am.
But yeah, I'm ready to go for that reason.
It's not all spontaneous.
It seems like we don't prepare for this show, but we do actually put some effort into preparing
for the show.
So today-
My questions are getting harder.
Well, this is going to be a tricky one.
And again, anybody watching, please do send in your questions too.
We'd love some feedback on this topic that we're going to talk about first today.
Also in recent weeks, there's been this extraordinary video being shared on the internet.
I know a lot of people have seen it because it seems like quite a dry topic, but when
you actually watch the video and pick out the juicy bits, my word, what incredible stuff
has been said in public.
Now, the seeming consensus within the US telecoms industry, so this is why I'm putting you on
the spot, Ed.
The seeming consensus of the US industry is that STIR/SHAKEN was the correct way to tackle
illegal robocalls.
However, that consensus now appears to be seriously fracturing.
And we're going to be listening now, well, our production team's already poised to press
the button any moment, to listen to some comments from a gentleman called Jonathan Marashlian.
He's a senior telecommunications attorney, the managing partner at Marashlian and Donahue,
which does business as the CommLaw Group.
You're going to hear for yourself how he, who works with some of the key players in
the industry, what he currently thinks is the situation with STIR/SHAKEN.
He's come out with some remarkable comments, implying, not saying it explicitly because
he is a lawyer after all, but implying that the big US telcos are like a fox in charge
of the hen house.
The implication being that they are using STIR/SHAKEN as a means to interfere with
legal legitimate voice traffic of other comms providers.
He made these comments on a show called Broadband Breakfast, which is a US media business that
does commentary, provides live streams, does expert panel discussions on the web.
Not that different to what we're doing here.
And on the schedule of live streaming interviews, he was on one of their panels discussing the
STIR/SHAKEN environment in the US today.
So enough of me talking about what he said, let's actually hear what he said.
Producer James, roll VT for us.
Jonathan, over to you, what are your thoughts on this topic?
Thanks, Drew.
Yes, I'm Jonathan Marashlian and our firm has the distinct pleasure of representing
a couple of companies that are helping the industry fight against the bad traffic that's
on their networks.
And from that experience of representing companies like YouMail and Prescott Martini, what really
becomes very clear is that STIR/SHAKEN is not the answer.
Maybe it was a very small incremental step in a positive direction, but there are so
many holes in the framework from just a sheer technological standpoint that in our experience
representing clients who have found themselves having to defend against Federal Trade Commission
CIDs, civil investigative demands, attorney general CIDs, and the like, we are seeing
a lot of bad traffic that's coming from who else?
Many of the members of the ITG itself.
And that is the case-
ITG, could you just define ITG?
The ITG is the industry traceback group.
It's basically US Telecom.
US Telecom also happens to be the trade association that represents AT&T, Verizon, many of the
big common carriers, ILECs, broadband companies.
So again, not claiming that there's some inherent conflict of interest going on there, but when
you put the fox in charge of the henhouse, there's always room for some misdeeds.
My word, Ed, let's just go straight to your reaction here.
What is your reaction after listening to those comments?
So the first one, I mean, I agree that baseline, if you regulate something, you should not
be permitted to have or have had the vested interest in the thing you're regulating.
I mean, that should be the bottom line for any kind of regulation or competitive control,
like you might call STIR/SHAKEN, anything like that.
Just you have a vested interest in it and you're overseeing it, then yes, you're the
fox in the henhouse necessarily, and that's what the analogy means.
But interestingly, we break that rule all the time across industries in regulation,
especially in the US.
It's a separate discussion.
So on the one hand, it's not right, and the other hand, I'm not surprised.
The thing that was like, here's the question, and you had asked me this, and I think you're
saying what he's alluding to is the idea that the fox in the henhouse is very deliberately
trying to be anti-competitive or trying to shut down competitors by using this control
mechanism.
And the first thing that struck me about that was actually, at first I thought, it seems
to me it's more like incompetence managing this new control as opposed to conspiracy,
because most of the time I feel like that's what ends up happening, right?
Like conspiracy tends to give the actors a lot of credit for being organized, and you're
talking about people that don't have a library track record on being super organized, although
they do have a pretty good track record of being organized when it comes to changing
rules in their favor.
Separate discussion, we'll get to it.
It certainly could be that though, it could be conspiracy.
I think that either way, right, when you end up with this STIR/SHAKEN regime is that it's
something that doesn't quite do the job, which is supposed to be to stop or make robo illegal
and nuisance robo calling a lot harder.
It's not doing that, so I agree with him on that, and so then what it's doing, it's spurring
debates over how it should be regulated as opposed to solving the problem.
Either way, it's a problem, right?
The people in charge aren't getting the job done, either deliberately or by incompetence.
There's so much to unpack with this topic.
Thank you.
I think you did a brilliant job of giving a succinct answer because I think we're examining
areas that just don't get examined properly, and we tend to just go with the flow with
what regulators say.
You make a great point there about, in principle, in an ideal world, you don't put people in
a situation where they're policing themselves, and you especially don't put people who are
in relative power in a marketplace, so they're policing the small players in the marketplace
because of the potential for abuse.
The problem with something like spam calls is, nobody knows what's going on.
Nobody knows what's going on.
See, if you don't try to give the power to the people who have got the best opportunity
to work out the best data, the best inside knowledge as to what's going on, well, who's
going to do it otherwise?
It's not going to be a whole bunch of lawyers working for the FCC.
I think the public doesn't understand how regulation works, and they especially don't
understand how it works in a topic like this.
The FCC is going to be like a ratio of 10 to 1, 10 lawyers to every one person who knows
how to do something in the real world.
The lawyers are not going to be able to go through and understand how you implement technology
to distinguish good calls and bad calls.
That's not their skill set.
That's not their background, and they're not going to employ enough people to properly
supervise things.
What they're going to do is they're going to set framework and set rules, and then they're
going to use a group like, as Marashlian mentioned in the video, the U.S. telecoms industry traceback
group.
You're going to delegate responsibility to them and say, you are now the guardians, the
gatekeepers.
But yes, it asks a lot of questions about how you get to be a guardian and the gatekeeper
and how much you could, even if you're not deliberately conspiring to punish smaller
telcos, smaller carriers, well, it's going to be the big players who are going to dominate
the debate.
It's going to be the big players who are going to dominate how the rules are implemented
in practice.
So even if it isn't an overt bias, is it likely that they're going to be fair and equal to
everybody?
I mean, obviously, crime exists in the places where there's the shadows, where there's the
darkness, where we're not looking at things.
So we're going to have to expect that there are going to be small businesses that are
also criminal outfits, but at the same time, there's going to be a lot of small businesses
that are not criminal outfits as well.
And to tar them all with the same brush is hugely problematic.
I'm looking forward to comments from the audience on this topic.
I'll take a little break now.
We'll come back to this video with Jonathan Marashlian and discuss it a bit more.
But first, here's a message from our series sponsors, Blue Gem.
Now Blue Gem is a global provider of testing services for telecoms, government and software
businesses.
They can create real phone devices, which means they can create real events such as
data video streaming, music streaming, even fraud bypass test calls using real SIMs across
a global network platform.
Blue Gem can give you insights into a number of key areas such as SimBox detection, OTT
and refiling frauds, roaming service assurance and customer journey testing.
Blue Gem can detect SimBox fraud using a hybrid developed system of automated devices and
crowd testers, which means they use real devices and SIMs to detect a higher rate of fraud.
Now the popularity of OTT applications such as Viber, WhatsApp and Telegram has also led
to an increase of OTT bypass fraud.
Blue Gem's OTT solution can protect you by automatically detecting any fraudulent activity
involving apps for IP voice and messaging.
Blue Gem is a risk-based approach to testing for fraud bypass.
That means they strategically target the routes and countries that pose the highest risk whilst
looking for evidence for both on-net and off-net frauds.
The automated alerts also mean customers can profile fraudulent routes quickly and their
flexible solution will adapt to ensure fraudsters are not aware of SimBox detection.
So if you want assurance of your interconnected routes and want to tackle SimBox, OTT or refiling
frauds, you should call upon the experienced teams of specialists at Blue Gem.
The URL is blugem.com.
I think there's so much to unpack here with this Jonathan Marashlian's comments about the
fox being in charge of the henhouse.
I admire the way he said it.
He said, I'm not saying this, basically, and then he said it, which basically is lawyer-speak
for, I am saying this, but you can't sue me for saying this, remarkable.
But it's amazing to hear someone be at least that explicit in stating it.
And he's affirming especially to this group that probably the public doesn't think about
very much, the traceback group, the people who are in this unique position of going and
identifying where the bad calls from, and then going back to the FCC and say, not FCC,
here's where you should send your cease and desist letter, here's the people you should
be looking to prosecute.
So it's a really powerful position to be in if you're wanting to knock out some other
business.
Not saying they are doing that, but if you want to knock out some of the business, it's
a new regime for knocking out alternative providers, your competitors in short.
In episode one, we talked about corruption, of course, in quite a different context.
But nevertheless, the theme of corruption, I think we need to come back to this today.
Do you think, Ed, that there's sometimes a blurring of the line between anti-competitive
behavior and the actual governance we need for comm services to weed out those bad actors?
I have like a five-part answer to this question that's prepared.
I won't take that long.
And I'm right now debating whether I should lead with the last point just because it's
the juicy one.
But let me just move through here because I really want to unpack this and answer your
question properly.
So first of all, I actually think it works, oddly enough, it works in both directions.
And it depends on who you define as bad actors.
So keep in mind, right, my first job in telecom was covering the deregulation of US telecom
in 1996 and walking the halls of the FCC and going to the Public Utility Commission meetings
and covering all that stuff.
And I was a rookie reporter and it was eye-opening because I could see how all these people,
how completely unengaged all the people from the Public Utility Commissions were in receiving
all of these briefings for how to go implement the 1996 Act.
So I learned really, really early on a lot of the things that you're saying about what
are the rules and how are they enforced and who gets to enforce them and how selective
is that, right?
And I feel like that's always been there.
And then this one becomes really interesting because it's such a specific control, right?
It's you're the gatekeeper of whether you get the green light or not, right, on the
STIR/SHAKEN, more or less, right, to put it simply.
So that's an interesting one.
So what's interesting to me is if you look, for example, at net neutrality, right, in
terms of determine who's a bad actor, look at how the net neutrality regime was rolled
out in the US.
They would basically assume that telecoms were the bad actors, right, and that they
would abuse the right to charge over the OTT companies excessive tolls.
And they probably was true at the time, right?
That was probably right.
But it was also coming out of an environment in 1996 where there had been a lot of manipulation
of the loop unbundling competition rules.
So there was sort of a distrust there, I think, that came out of that.
But then you fast forward that toll-free regime and what do we have?
We have a handful of dominant tech companies that benefited from that decision, right,
who now threaten to take telecoms out of their own business altogether, which is a separate
piece of research I had been working on recently, right, so, right, unintended consequences.
But then sometimes those guys are considered bad actors too, especially when it comes to
things like privacy and personal data, right, like the social media guys who have benefited,
right?
So the pendulum swings so radically.
That's what I mean by it working both ways.
But let me do this, okay?
Let me flip the whole thing around for a minute, right, because you're asking me, you know,
is there a blurring of the line between anti-competitive behavior and necessary governance
of comms services?
And I haven't really answered that.
I think the answer is yes, necessarily, because it's always a slippery slope.
You're going to end up in a room full of people that are going to decide how to arbitrarily
sometimes define things.
So if we go back to robocalling, especially, you can picture that meeting happening.
That can be manipulated by the parties in the room that says, well, how do we define
what's a legitimate robocall?
Because anytime you ask someone on the telco side, the first thing they're going to tell
you is how important legitimate robocalls are to things like public safety.
I mean, we have to defend this institution, right?
So there's that, right?
And then there's the, okay, we know that there's the clear scam negative robocalls.
Let's have a category for that.
But then we have this nuisance thing in the middle that may or may not be illegal.
And how do we define that?
And once you've started parsing that way, you're already not solving a robocalling problem.
That's been my problem with STIR/SHAKEN from the beginning.
So last thing I'll say is this, right?
My five point answer.
We're coming back to thinking about like, is the STIR/SHAKEN regime being managed in
an anti-competitive or potentially corrupt manner?
And looking at the greater telecom industry, if you're an incumbent telecom and you think
that you're going to preserve your business by somehow manipulating the STIR/SHAKEN regime,
good luck with that being your use of time and energy on where you're going to take your
business.
I mean, if that's really the case, you don't want to end robocalling.
You basically want to squeeze as much blood out of the stone
that's your dying telephony business as you can, while you can.
And we're going to start talking about the automated SMS regimes or business right now.
And it's the same thing.
I won't spill the pot now, but it's basically the same idea.
You're trying to defend and squeeze as much blood out of that stone as you possibly can.
And you're willing to defend these abusive things and stand on some really bizarre soapboxes
to do it.
It's strange.
There's so much to unpack in this topic.
Straight off, I want to say I don't agree with your net neutrality.
Net neutrality is the biggest political nonsense that I've ever heard of in the telecoms domain.
But let's just leave that to one side because that would be a whole other show on its own.
This dividing line, I think there is some truth to the point that if you're going to
start reducing traffic, and that's what you're doing, because wherever you draw the line
between good and bad, as soon as you draw that line, you're reducing the total amount
of traffic because you're trying to get rid of whatever you call the bad traffic.
As soon as you start reducing the bad traffic, there is less pie to go around to keep all
the businesses happy.
So you're driving down revenues, you're driving down profits, and you're going to drive some
people out of business.
So there is an extent to which, I hate to make this argument on behalf of the big providers,
but nevertheless, there is an argument that you could say, well, the natural consequence
of driving out the bad traffic is you're going to have fewer providers, and more traffic
is going to be carried by the good big providers.
They'll be the good big ones because they're the ones you can police, they're the ones
you can keep an eye on, and they're the ones who can still make a profit, you know, they'll
be able to make a profit with lower level traffic, will be the problem will be the smaller
provider.
How do they continue to be profitable in this industry?
Now flip side that, has STIR/SHAKEN been set up with the specific intention of driving
some of the smaller providers out of the ecosystem?
I would argue it has.
There's some clear signs that it's been set up with that thought process, and that's why
I discourage other countries from following the US lead because they can't afford, they
don't have the same environment where they can afford to drive out lots of telcos and
reduce choice to the end user, ultimately, and to the businesses that are trying to reach
the end user.
They can't afford to drive out choice.
In the US, could you drive out choice?
There's thousands of companies.
I can certainly see an argument that fewer companies might be better, simpler, easier
to keep a control of, easier to get your arms around of, and to drive out the bad actors.
But decisions need to be made about whether you're going to have fewer companies carrying
fewer traffic, and maybe those companies therefore having more secure profits because they're
facing less competition.
I'll take a few comments as well here from the audience because we've got some really
good, but also some really long comments since I'm not going to be able to read them all
out, but I'll read out a couple here.
Sahel Saeed says, Jonathan Marashlian, very well said.
There is a way to reduce these unsolicited calls, but Sahel implies that this is all
to do with people inside the company.
That's a good point.
It's not just over company correcting the ecosystem.
There's people within companies that can be opposing each other too in terms of who wants
good things to happen, who wants bad things to happen.
Sossina Tafari says, always love to have you on the line, Sossina, glad you're watching
the show.
What recommendations do we have for regulators to help fix this issue?
Oh my gosh, that's another hour.
We need like an extension to the show to start covering that.
But she does ask some pertinent questions.
Does it make sense to set up institutions to help regulators put frameworks in place
to police and manage this problem?
The issue, as Sossina puts it, is that regulators who are not practitioners do not have the
practical training to understand the full scope of the challenge and have no idea how
to forward assess the greenfield of SMS fraud and misuse.
Thoughts on this?
I think you're dead right, Sossina.
And what I would say is, whoever's watching from the FCC right now, Ed and I will gladly
come down there and tell you how to do things better, because we couldn't do any bloody
worse than you've been doing so far.
If you don't mind me saying, you've been absolutely making the right pig's ear of how to deal
with this problem.
And I'm pretty cheap.
I don't know what Ed's rate is, so he'll probably charge more than me, and we might even get
Lee down there.
He's expensive.
So be cautious if you want too much of Lee's time.
But he does help regulators too, and I genuinely think we need more people from outside of
a small bubble who have been influencing these decisions so far and people who are not just
engineers, because, hand on heart, engineers, God bless them, I love them, they do fantastic
work, but they don't always see the bigger picture.
And the bigger picture has been the reason why STIR/SHAKEN, which is, in some senses,
a technological marvel, has not delivered the results internally because of the issues
about how you decide between good and bad, how you put in enforcement ratio, what the
real goal is, how did you do know your customer, topics like this that should have been covered
before, you spend a lot of money on STIR/SHAKEN.
Okay, more comments coming in, apologies.
I'm not going to have time to read them all out.
I will try to get more of them in the next section of the show.
But right now, let me do another one of our regular features, getting flustered here,
already falling behind time, too much stuff to cover in the time available.
Another one of our regular features is, of course, the Symmetry Prism Fact of the Week.
Now, we'll be talking to Tim Biddle soon about SMS pumping frauds.
But first, our friends who work in the fraud intelligence gathering team of Symmetry have
kindly prepared an SMS-themed fact of the week for us this week, illustrating what they've
learned by traversing the dark underbelly of the communications ecosystem so you don't
have to.
Now, you already know that spam SMS services are being marketed directly to fraudsters,
some openly advertising that they have a direct connection to the API providers like Twilio
and Telnyx.
But did you know that many of these bulk SMS businesses advertise that they take payment
in Bitcoin, in Tether, and other cryptocurrencies?
They also claim that customers can choose whichever sender ID they want, or that fraudsters
can send messages that appear to cover any bank.
Perhaps not every promotional claim being made by these companies is true, but they
would not be marketing these services if there wasn't plenty of demand for them from the
criminals.
So be sure you're protecting your business from SMS frauds by engaging with the intelligence
gathering team at Symmetry Solutions.
And for a limited period, Symmetry is looking to add a few more carriers to their carrier
partnership program, specifically to jointly investigate and develop new methods for SMS
fraud mitigation.
Any carrier selected for the program will receive Symmetry's PRISM Fraud Intelligence
free of charge for 12 months.
All they want in exchange is an open dialogue about the hit rates for detecting fraud using
their intelligence.
Now contact their intelligence team via the website symmetrysolutions.co.uk.
So back to the topical chat, Ed.
This week, I saw a post on social media from an anti-fraud trainer speculating that rates
of fraud are exploding worldwide because of perceived corruption at the top of our societies.
And that leads to more corruption further down because people emulate and don't see
any reason to be honest anymore.
Reflecting on what Jonathan Marashlian said about the fox being in charge of the henhouse
for STIR/SHAKEN.
Do you feel there's any truth to the perception that frauds overall are getting worse because
we're losing faith in institutions or is that overly pessimistic?
I think it's part of it.
I mean, that's a complicated question again, because it kind of combines technology, economics
and philosophy all into one thing.
I don't want to drag it out too long.
I know we're-
You're the perfect guy to answer it, Dan.
Well, look, I mean, there's a technological part of it where it has never been easier
for people to pull off scams than it is now in lots of different ways.
And we've done shows and can do whole shows on the way that all those things connect from
corporate directories being raided, robocalling, phishing and smishing, the combinations of
all those things that then lead to things like account takeovers and real-time payment
scams.
And so like the mechanisms for doing it, and then like we've talked about before with groups
like Lapsus$, the instructions and forums online for doing it have never been easier.
So I think from a technical point of view, and that's a bad setup.
It's already setting up a bad situation.
Something from an economics point of view, I wonder if there, and you see this, you hear
about things like quiet quitting, and in the US you hear a lot about like all the scams
that have occurred with what they call the PPP loans related to the pandemic.
You start getting into this weird mindset of like, it's not so much about earn money
as it is get money.
And there's also like a worshiping of people who get money no matter how they get it.
And so there's sort of that attitude that I think feeds into it too, and it's like,
well, I could get money by this scam, then probably never get caught, or I could show
up and go to work every single day.
So I think that that economic aspect has a lot to do with it, and that's an attitude
that's a little scary, like from a societal point of view.
And then philosophically, again, speaking to the US, I mean, look, we just experienced
a coup d'etat in this country, a failed one, but it happened.
And that was preceded, you know, that was right.
Did they fail?
Exactly.
Separate discussions.
You're talking about the guys with the horns in their heads, I don't take that seriously.
If you've got a horn sticking out your head as you try and take control of government,
you're just a tourist, but now we're digressing apologies.
This radical, chaotic thing, this stabilizing event occurred and was preceded by things
like the US Senate Majority Leader going fancy with the rules on appointing a Supreme Court
Justice, right?
So without getting my own politics too mixed up in it, when you see things like that happen,
it's hard not to say, boy, institutions are sort of undermined and the rule of law has
been undermined.
Why should I give a crap?
So I think that there's some aspect that that feeds into it, right?
I do.
I mean, I do think that there is some connection between loss of institutions and not caring
as much about following the rules and following the law and seeing what you can get away with,
right?
There has to be.
Well, I think when we talk about coups, it all depends upon which side you're on in the
coup.
They tried to have a coup in the United Kingdom too.
There was this referendum, one side won the referendum, and a lot of people tried to undermine
the referendum and reverse it because they didn't like it.
But that doesn't get called a coup because those people have got the right friends in
the media.
Whereas if you send a bunch of idiots down to Congress wearing a helmet with that horn
sticking out the side, that gets called a coup.
I take your point that there's an erosion of trust, but it's coming from both sides,
surely.
To come back to telecoms in this context and rent-seeking behaviors, this is why I get
suspicious about the people who are so supportive, who are fighting so hard, who are lobbying
so very hard for STIR/SHAKEN to be adopted in every country around the world.
That's such a good thing.
It's going to be great.
It's got to save everybody.
Oh, and by the way, they're going to make a lot of money.
Have I been perpetually able to generate rent from all of us for the rest of time?
Yes.
Not entirely a selfless activity, that is it.
And where's even your measure of quality?
You're going to have to pay to sustain the technology for all time.
Where's the measure of any quality in terms of performance or results?
That's gone out the window.
No one's even looking at that.
The cost-benefit argument's very straightforward.
Fraud is terrible, fraud is huge, fraud is massive.
And to take your point also before about good and bad calls, let's blur the line between
good and bad because you want to say as many as possible is bad and we're going to deal
with this huge problem.
You bring it in, seems to be just as many calls as before.
Oh, no, there's fewer of the bad ones.
If we try and micro-analyze the data, here's an example of one particular call that doesn't
get, hello.
That wasn't the cost-benefit argument that was presented before, a lot of money's been
spent here.
I wanted to see the results.
It all gets a bit blurry and it all comes fine because we're all on the committee for
governing these things because all the experts on the committee, whereas, as I say, guys
like you and me, maybe we should get invited down the FCC and give them a piece of our
mind and have them at different points of view, not the ones with a vested interest
in supporting the technology.
So that's why I get pessimistic about corruption.
We're not here in different ways.
We didn't even hear, forgive me, I think all the evidence is, I know that some people in
the US industry who say different, but I don't think there's any strong counter-argument
here because I've not seen a lot of evidence to disagree with this.
You didn't even see the fraud community get involved in debating this particular use of
technology in the USA.
The ostensible reason for doing it is to stop fraud.
Why wouldn't you engage fraud professionals and get their expert opinion?
The reason is you don't want professionals who are used to dealing with criminals and
are therefore used to being able to say, well, you put this in place and then they go around
this, and then you put that barrier in place and they work around that.
They didn't want to hear about all the workarounds.
They just wanted the money to be spent and that be the end of it.
But please keep sending your comments in everybody who's watching because I'm sure some people
must be out there disagreeing with me.
I can certainly feel that probably the tension rising and the STIR/SHAKEN providers out
there.
Some of them are good people.
It's not getting me wrong.
Some of them are doing it for the right reasons, but they're not all doing it for the right
reasons.
Well, sure.
Someone hired you to engineer a system that followed a certain set of rules and you've
delivered it effectively as the engineering company, like good on you as an engineering
company.
I think that's a separate issue that we're discussing then, whether or not the thing
that was built that was determined by the powers that be to be built and funded, as
you say, was the right thing to build.
To me, it's potentially two different things, can be.
Sometimes it's not.
I'm going to read out one quick comment here.
One quick comment, it's not a quick comment, but a comment from George Woodworth here.
So true, it has become easier to perpetrate fraud.
The advent of technology and how easily syndicates and fraudsters can access this technology
themselves is a scary thought.
At the same time as fraud fighters, we have to tread a fine line between being advisors
slash partners to the business and also ensuring we protect the business from itself.
Sometimes we have to be fine with being the bearers of bad news and be fine with not being
too popular for speaking the truth.
Great point.
Comments flying in.
I'm so sorry.
I'm not going to be able to read them all out.
I'm loving all these comments.
I'm glad you're just so engaged, but hey, let's take a break from all these serious
weighty issues and bring on one of our regular features, which is always the feature that
gladdens my heart and punctuates our one hour show with a couple of minutes of joy and looking
on the bright side of human beings.
Here's our regular feature from Jeffrey Ross of Fraud Prevention, Geolocation and Call
Authentication Specialists, One Route, a STIR/SHAKEN provider.
We do like STIR/SHAKEN providers when they're good guys like Jeffrey.
He's going to take us around as usual in his regular feature, The World in Your Phone.
And this week, Jeffrey's destination is Australia.
Producer James, roll VT.
Hey, everyone from One Route, I'm Jeffrey Ross, and this is The World in Your Phone.
Let's talk about our friends down under in Australia.
Now, Australia is an amazing country with a unique culture, stunning landscapes and
plenty of interesting facts.
More than the two minutes I have to tell you about.
You know, at the end of 2022, the Australian government vowed to revise privacy rules so
that consumers would be better protected.
This came in the wake of an enormous breach of personal data that occurred.
The new rules will actually allow telcos to share details about government issued identity
documents with banks, thus helping protect the consumers.
Be sure to read more on this at commsrisk.com.
And more fun facts about Australia that I found was kangaroos only exist in Australia
in the wild.
There are over 50 million kangaroos in Australia with the number growing each and every year.
More fun facts, Australian Alps get more snow than the Swiss Alps and 90 percent of Australians
live on the coast.
One thing I found fascinating was Tasmania has the cleanest air in the world.
Good job, Tasmania.
And last for our wine connoisseurs, Australia has over 60 separate wine regions.
Be sure to subscribe to One Route on YouTube where you can catch up with The World in Your
Phone, but also watch the One Route Roundup where we spotlight individuals and companies
making a positive difference in the telecom industry.
One last fun fact that most may know, Australia's Great Barrier Reef is the largest ecosystem
in the world.
Now, Eric, back to you and more of this great communications risk show.
Thanks Jeffrey, and thanks for plugging Commsrisk too.
Now let's introduce today's guest.
We're joined by Tim Biddle of Sinch.
He's the Director of Operator Relations for the UK and Ireland at Sinch.
He has a deep knowledge of SMS fraud, both from his work with Sinch and his work at British
Telcos before he joined Sinch.
Hello, Tim.
It's a pleasure to have you on the show.
Let's cut straight to the theme of this interview.
There's been a lot of comments already coming in from the viewers who are very interested
in this topic.
Artificial inflation of SMS traffic, otherwise known as SMS pumping.
Can you briefly give us an overview?
What is artificial inflation of SMS traffic?
How is it accomplished in practice and why has it become such a big talking point?
Thank you, Eric.
Thank you, Ed.
Yeah, sure.
So to cover off those points, I think I'm going to narrow it down a bit from artificial
inflation of SMS traffic to specifically application generated traffic as well.
So if we park P2P traffic to one side and we focus on A2P SMS, so A2P application to
person.
So what is artificial inflation of application originated traffic then?
So ultimately at the moment it is fraudsters running scripts or bots, whatever you'd like
to call them on any website or mobile application that they can find has what I'll call a vulnerability
that is allowing scripts to be run to request SMS traffic.
So it may be creating a fake account to ask for a one time pin to log in or click on this.
I'll put your phone number in this box and we'll send you a link to download our app.
Any exploitable website, the fraudsters are running that to artificially inflate the traffic
volume that enterprise is sending to their CPaaS provider such as Sinch and then ultimately
the traffic is terminating on a number range, which is in the control of those fraudsters
and is paying out revenues through the traffic termination.
So that is what is artificially inflated traffic.
Then I think the second part of your question is why is it on the rise?
Was that correct?
Oh, how?
I think you answered how as well.
Basically bots.
Bots.
Bots, scripts, whatever you want to call them on websites, acting like humans and inputting
phone number after phone number requesting an SMS.
Okay.
And why has it become such a big talking point?
Why has it become a big talking point?
So I think 2022 was probably the year that this fraud really started to take off.
It came on our radar very quickly from multiple clients who the issue began to appear for.
There are a couple of reasons that we think it's been driven.
So one, as you address things like voice fraud, for example, and clamping more and more down
on those areas, SMS has been pretty much untouched for a long time.
So people have worked out, actually, this is an area we can make some money in the short
term.
So you couple that with the fact that A2P SMS prices seem to be going up rather dramatically
from operators around the world.
So there have been a lot of price increases pretty much since COVID, last 18 months, let's
say.
And with those price increases, the size of the prize gets bigger for the fraudsters for
every SMS that they can send themselves.
So I think price rises and yeah, maybe fraud being addressed in other areas.
So on behalf of Sinch, where exactly is the evidence that this fraud is getting worse?
Is it from the feedback from customers?
Is it from your own detection of these kinds of frauds?
How do you get a handle on the scale of a problem like this?
Yeah, good question.
So where's the evidence?
I think it's both these things you've mentioned.
So absolutely, we have some clients who get hit out of the blue, and it might be a bit
of a one hit wonder AIT fraud.
So an overnight sudden surge of traffic to a far flung destination that's cost that enterprise
significant sums of money for a short, sharp burst of traffic.
Then you've got others who are suffering more of a long rumbling kind of baseline of AIT,
shall we say that that's just there every day.
And they're starting to notice because let's face it with costs rising, they're scrutinizing
their costs more, they were looking into their traffic.
So it was being flagged by clients, I'd say, initially 18 months back, since yes, we've
now invested in some kind of homegrown tools to a lot of machine learning, running on our
clients' traffic now to start to analyze traffic patterns, and then it's obviously constantly
learning from the traffic it's analyzing to spot these issues.
So is it because we started looking for it that we think it's growing so much?
I guess you could slightly argue, yes, we're looking a lot harder, and we're finding it
and we're addressing it robustly.
At the same time, it's become a large talking point in the industry.
And I think everyone has quoted the Elon Musk article that you've quoted yourself Eric
at some point as well with Elon saying this fraud is massive, I'm out of here and
he switched off 2FA SMS for anybody other than paying subscribers.
So security starts to become a subscription service, which is really not a good thing
either.
Well, I'm glad you brought up Elon Musk because I wasn't going to put you on the spot by mentioning
Elon Musk.
I now feel as though I need to defend Elon Musk because I do think that was mischaracterized.
The guy is trying to cut costs, and it's been presented as about increasing revenues.
I don't believe a businessman like Elon Musk is so daft that he would actually think he
would generate a lot of additional revenues from Twitter users paying just so they can
do two factor authentication by SMS.
There was hardly anybody using SMS already for two factor authentication.
So why would he think it would be a big revenue generator?
But if there's a lot of bots, and of course, he's made a lot of fuss about bots on Twitter
in the past, if there's a lot of bots generating a lot of needless SMS messages, the costs
could be very significant.
You brought up Elon Musk, so now I feel like I can ask the question.
He did mention a very large value for how much Twitter was losing as a result of fraud.
He said it was in the order of $60 million a year as a result of the activities of businesses
outside the USA.
So he didn't say anything about anything inside the USA, $60 million a year for activity of
business outside the USA.
Is that a plausible number?
Probably quite hard for me to quantify because I don't know the volume of SMS that Twitter
would have been sending is the honest answer.
So it's plausible they were losing large sums of money, absolutely.
I couldn't quantify $60 million and off the top of my head, he quoted something like 236
different telcos around the world involved in this, again, probably a little bit of hyperbole
involved in that number.
Maybe there are other reasons that we're not aware of.
So I don't knock his statement.
I think we all acknowledge as an industry, he's maybe taken something that was a problem
and slightly overstated the size of it potentially, I couldn't say because they didn't have insight
to their traffic.
But there's definitely credibility in what they said.
And no, I don't think that his plan is everybody's going to now subscribe because they want SMS
2FA so much.
But I do think it's a dangerous move in terms of you're now moving security to a chargeable
service.
It's a shame a business has had to go that far when actually regulation and an industry
without fraud could have stopped things getting to that point.
And is he the first mover?
I don't know.
I don't think he's the first mover in the space.
Well, you're leading nicely to my next question, which is, I was going to ask if there was
another customer of Sinch that started talking to you about saying no longer sending one-time
passwords by SMS, which is really the easiest example to understand in terms of bots generating
meaningless traffic for the sake of making money.
What advice would you give him?
Obviously, he wouldn't give me the advice to do that because you're saying you can continue
to use SMS, but what would your advice be?
Because even if say Musk was exaggerating by a factor of 10, if it's not $60 million,
nobody wants to lose $6 million needlessly either.
So what can be done to reduce the waste, the fraud, the cost of a result of these meaningless
SMS messages being sent?
Yeah, so I think there are quite a few actions that can be taken and we are actively working
with clients exactly to that point so they come and they've realized there's an issue.
They want to reduce their messaging volumes.
So as I say, we've invested heavily and we have a whole kind of team now focused literally
on AIT within our business now.
So we've got things in place which we can deploy on clients to automatically detect
and block.
Will I sit here now and claim 100% accuracy every time?
It's like any product.
It's good.
It's a work in progress.
I think, you know, let's see how it goes.
We've got clients who will happily sit there and state we've saved them millions of dollars
and that's only in the traffic they can see we've blocked.
Well actually, if we hadn't have blocked it, imagine how much that could have escalated.
So absolutely there are things we can do to help clients.
There are number ranges we can identify because we have a large volume of traffic going through
our business.
So we have known high risk destinations, shall we say, you know, there are ways clients can
stop sending traffic to certain countries, for example, altogether.
And we've also got some recommendations for clients on the enterprise side because ultimately
we're not blaming our clients.
They didn't know this fraud was going to recur, but they do have quite a lot within their
gift to deploy on their side to stop bots finding it quite so easy to generate this
traffic as well.
So I think there's lots they can do and they can join us in potentially, you know, lobbying
regulators and operators to be a lot sharper on how they're handling this.
It's an education thing at the moment, I would say, and that's something we're really trying
to help with.
It's an education, as I say, whether it's regulators, whether it's operators, whether
it's clients, for everybody to do their bit in the chain to try and stop some of this
fraud.
I must have made that distinction between the USA and the rest of the world there.
And coming to your point in terms of risk, you mentioned different countries, perhaps
different risk.
Obviously the rates for A2P SMS vary around the world and the USA would be cheaper than
some Asian countries.
So when you are looking at signs or the level of risk for bad traffic, is there more of
a tendency for this to occur when we're talking about certain countries where there is a larger
premium, a larger cost for sending an A2P SMS?
Is there a degree to which you can correlate this to the amount it costs to send an A2P
SMS per country?
Yes, is the short answer.
The long answer is yes, we have lots of caveats of we also see it in some cheaper markets
where revenue share payments and long numbers are so easy to get hold of that actually it's
a market with little resistance, so you may as well generate lots of traffic in a low
cost market when you don't have too much resistance, but yes, definitely high cost destinations.
You don't have to send so much traffic as a fraudster to get a good payday.
Now here's a comment from Ravi Sankar Vadi who's coming from LinkedIn.
He says in many countries, A2P messaging is not regulated better.
It is not yet under the radar of regulators.
Otherwise they might start levying taxes on that traffic.
How true is it that there's a kind of variance in how well regulated A2P traffic is and is
there an extent to which perhaps they might start throwing taxes on top of this traffic
driving up the cost of A2P SMS that would only lead to more fraud?
So I mean on the tax front, I mean ultimately in certain countries, so like to exist in
the UK, we have to pay Ofcom because we're a communication service provider and so we're
already paying fees and taxes and so on anyway, so I'll park the tax bit.
In terms of is it regulated, I mean in some countries it's absolutely not, there's no regulation
on the price, very rarely is it regulated in price.
Is it regulated in what can be sent and what can be paid out in terms of revenue shares
to third parties and so on?
Can't see much in a way of regulation at the moment, so I'd agree with Ravi there that
it's predominantly unregulated.
Is that a good thing?
I don't particularly think it is.
We'll be careful what we wish upon ourselves as someone who works with A2P SMS a lot.
We don't want to drown in regulation, but sometimes it's good for a regulator to at
least have a bit of an eye on what's going on in a market.
So certainly we've made it our job, should we say, to speak to some regulators in local
markets just to make sure they're aware of how their number ranges are used when they
allocate them to third parties and maybe just try and give some guidance and advice to those
regulators as to what we'd like to see as a third party suffering from this fraud.
Ed, I'm not sure if you wanted to jump in there because you certainly seem to be engaged
with what we were saying there with Tim.
Even if not, I'm going to bring you into the conversation now, touching on some of the
things we've already been talking about there and this difficulty of knowing how much to
regulate areas like A2P SMS.
I can infer that you would have approved of some level of regulation of A2P SMS.
Do you think that we're getting the balance right in countries like the USA?
I don't see how.
I mean, just the fact that we're having this conversation, and like we were talking about
before, I feel like there's a...
I'm forgetting the number right now, but recently I saw a chart that I trusted that was eye
popping in terms of the amount of revenue and the percentage of...
So the amount of revenue overall that is a message for messaging and the percentage of
that that is A2P messaging is mind blowing.
And so it automatically called into mind for myself, like the question of what's the incentive
here?
And I don't think that the incentive is to make less revenue come from that service,
and which stands in contrast to the fraud issues that we're talking about.
So I think there was inherently a conflict, and I don't know that there is any to your
point.
Is there a regime that's set up that's making this work better?
I don't think so in the sense that you see endless SMS abuse, right?
Endless SMS abuse, which we can jump into that if you want to, if you want me to elaborate
on it.
But it's not like SMS is governed all that well in general.
I want to take the pressure off Tim here because my temptation is to say somebody needs to
basically say, we need to turn up the dial and do more regulation.
We need to turn down the dial and do less regulation.
I'm probably guessing we're not going to say that too much.
Or we need to do different regulation of the marketplace.
And then who's the person who says that?
Is that you, Tim?
Should you be telling us how we should be regulating these markets because a lousy job's
been done so far?
Not that you would say that because you're too polite.
Too polite, yeah.
So has a lousy job been done so far?
It's very market specific.
Let's put that out there.
So there's some regulators I'm sure doing a fantastic job.
As you highlighted, I manage our UK and Irish relations, so I can't comment too, too deeply
on wider markets.
Should there be regulation?
You know, Ed mentions SMS fraud.
I mean, that could cover a whole different topic to AIT as well.
Yeah.
SMS fraud, I think it's important.
I saw come out of a recent conference is actually very low compared to email fraud, for example,
and compared to other forms of fraud.
So potentially very effective when it's executed, which is why it gets so much attention.
So like smishing and so on as well, very effective, but actually low as a percentage of that overall
traffic.
So I think as a self-regulating industry, we're lucky that there are some very big diligent
players like Sinch in the market who see it as a self-preservation thing to regulate ourselves,
make sure we are doing what we can to catch AIT, to catch any other kind of fraud, and
to try and educate and help operators in each territory, maybe impose rules upon us and
our competitors that ensure a safe market for everybody to play in because we're here
for the long run.
And actually an element of regulation is good because it gives us a sustainable marketplace
that we can remain in.
Well, we're talking though, can I ask Eric real quick?
We're talking though, right about 2FA, like using SMS specifically for two-factor authentication,
kind of being at the root of this fraud problem and at the root of the Elon Musk story that
we were talking about.
And the thing I find, I'm getting heated about this, the thing I find frustrating about it
is the fact that like we're talking about how to handle something that's already been
demonstrated to be completely unsecure for the purpose.
And now we're talking about, could we regulate it better?
Could we do better using SMS for this purpose to get rid of this inherent problem that it
has?
And it's like, no, it's an inherent problem.
It's inherently insecure and being used in a way it shouldn't be.
And it creates all of these other security and fraud problems that are mind blowing and
actually hurt people.
And then we're sitting here arguing about how SMS should or shouldn't be regulated as
it's applied to that.
If you're going to regulate it to anything, say it can't be used for security period.
If there's any attachment between SMS being scammed and someone's identity being stolen
and their life being harmed, that's a problem.
Like those two things need to be some, I'm tipping that a little bit because we're going
to get into this, I think later in other shows, but that makes me upset because people suffer
harm as a result of this technology.
And then we have discussions about how we regulate this technology that's hurting people
instead of talking about the fact that it needs to be addressed the way that this is
being misused to hurt people.
It makes me absolutely insane that we all just walk right past that issue with SMS.
Yeah.
Yeah.
I mean, I would counter that slightly.
So yes, people are being harmed potentially.
I'd say a hell of a lot more are being prevented from harm actually.
So yes, there are some flaws in SMS security, like there are in lots of security products
and they don't think anybody ever denies that that's the case.
I think you were referring to kind of things like SS7 interception and so on, which is
a very targeted crime, which is probably like a state level thing where you need a lot of
money and a lot of kind of expertise to do that.
So the amount of people that have been protected by SMS 2FA so significantly outweighs any
harm that anyone's ever incurred from SMS 2FA.
Anecdotally, I'd say I can't obviously evidence that, that, that I would, I would counter
your argument slightly.
So should it be used responsibly?
Yes, it should be used responsibly.
Is it completely insecure?
No.
And obviously having an SMS 2FA is far, far more secure than having no second factor
of authentication.
It is the only kind of ubiquitous second factor available to a lot of people.
So, you know, I would, I would probably need an entire other hour show of Eric's to get
into things like SS7 interception and so on.
So Eric, have me back.
I can talk all about signaling and whatever we want to dive into there.
For the topic of AIT, you know, that's not subscriber harm really.
Yes, we could find some fringe ways it's harming subscribers and the topic of AIT though, that's
enterprises being defrauded.
So kind of steering it back onto that conversation.
Yeah, the enterprises are unhappy and I don't blame them and we're doing everything we can
to prevent that.
I think, you know, the fact that that's happening is showing that enterprises care about SMS
2FA.
Otherwise they'd have turned it off.
They do care and they do find it as a very good offering for their subscribers.
But Eric, I'll let you chip in there because you were about to speak.
There's so much to say here.
It's so hard to get through it all in the time available.
What I would say is to come back to your point you're making earlier about the scale of this
fraud that involves bot-generated SMSes, the SMS pumping compared to other kinds of frauds.
The significance of it may be greater than just the pure scale.
Because if you have a legitimate business like your Twitter that says, I don't want
to be wasting all this money just so less than 2% of my customers can choose to use
two-factor authentication by SMS, the vast majority of Twitter users do not have any
form, any second factor for authentication.
So why would you choose to lose all that money if you're going to be treating, giving a very
small portion of your customer base a bit more security, a lot more security.
Let's be more generous.
Yes.
Two-factor authentication.
Clearly any second factor is better than not having a second factor.
It's a huge incremental gain on that score.
But at the same time, as a business person, you don't want to eat an enormous amount
of money relative to the profitability of your business.
$60 million, if that figure is right for Musk, wouldn't have made a difference between
profit or loss, but it's a heck of a lot of the difference between making a profit or
loss in a company.
And if you don't want to eat it.
So there's an outsized extent to which if this crime, if these frauds against the enterprise
are permitted, it undermines your rationale for how you're protecting the end consumer.
Because do you want big businesses to be eating huge losses and feeding the criminal world?
We're giving criminals capital.
And my argument always with giving criminals capital is it's no good to say, oh, well,
this kind of crime is okay, because for this kind of crime, no one's really harmed.
If you give criminals capital, they'll invest it in new criminal schemes, and they don't
care about who's harmed, and they don't care where the harm is.
You're just empowering the forces to come back at you and attack you in other ways and
maybe that's even less palatable than the way you've accepted so far.
So yes, enterprises are suffering fraud in this case.
Once you become an expert on navigating the world of SMS and being able to exploit the
intricacies of how pricing works and understand the regulations in place, you're not going
to just stop and say, oh, I'll stop being a criminal now.
I see that they've put some new controls in place at Sinch.
I see that the regulators bucked up and done a better job.
They're not going to just stop.
They're just going to vary their methods.
So we do need to stem the flow of money, do we not?
And so this is perhaps an outside topic because banks, so many institutions, everybody's relying
on two-factor authentication to a very heavy extent.
I mean, Ed, you're shaking your head here.
Maybe you don't like that, but that is the reality.
It's the reality that we're using it.
So I come back to the main theme of this interview then.
What should comms providers on behalf of their customers be doing to reduce SMS pumping,
if there is anything?
And I'm talking about the brands that the man in the street would know, the Vodafones,
the Verizons, the AT&Ts of the world, the Telefonicas, okay?
Is there anything?
What can they be doing?
Is there anything that the businesses that are the target, that originate the A2P SMS
messages, what should they be doing to protect themselves from fraud?
Other than saying, I'll get Tim Biddle from Sinch, because he's a nice guy, he's used
to know what he's doing.
What else can they be doing internally?
Yeah, so quite a bit is the honest answer, and I'll try and keep it succinct looking
at the time.
So effectively comms providers, so we're talking mobile operators here, for example, those
that lease number ranges, those that host number ranges for third parties and so on,
do some due diligence, check who you're giving your numbers to, look at the traffic coming
into them.
One UK operator, fantastic example this week, coming to me saying, this is the application
originated traffic you're terminating to virtual ranges on our network.
Great, that's the info we need from an operator, because then we can look into each of those
clients and start to identify patterns.
So you can be a very responsible operator in the way you run your virtual number business,
or you can be a very irresponsible operator, in which case you're going to have problems
and you can look away and ignore them, or you could maybe even, you know, deliberately
facilitate them.
I don't know, and I'm sure no mobile operator deliberately facilitates them.
So certainly as an operator, due diligence is number one, it's easy to see the problem
if you look for it as an operator.
So yes, not everything stops at an operator.
Sometimes the messages get short stopped, we don't have time to get into that.
Then as an enterprise, you said, what could you do as an enterprise as well?
So you know, some enterprises don't suffer this at all.
So they're doing things right.
It doesn't mean the enterprises who are suffering are doing things wrong.
It's a very delicate balance for an enterprise between customer friction on the customer
experience and the cost of the fraud.
And maybe that's where Twitter are at.
I don't know.
I don't know enough about the Twitter case, but ultimately they have to make a decision.
How many barriers do they put in place?
So CAPTCHA codes, the maximum amount of requests you can make for a one-time pin or any SMS
because it's not a one-time pin within a certain amount of time, IP addresses that requests
are coming from, you know, start actually analyzing the number ranges you send traffic
to because AIT goes to specific number ranges within an operator generally, it's not scattered
all over an operator.
So there's a lot of analysis and barriers you can put in place and it's finding that
balance as an enterprise.
So you've got good customer experience, you've got customer security, but you're not enabling,
as you said, that flow of your enterprise money to the criminals, which none of us want
to happen.
So I think there's a lot that can be done at both ends.
And then us in the middle have to do things as well.
So, you know, we have to do, as I said, invest in technologies and techniques to identify
and block this fraud and, you know, improve contracts and so on.
So that we actually have a very legitimate position to go and, you know, either refuse
payment or demand money back from suppliers when issues occur.
It's not enough time to cover this topic, is there, Tim?
It's been, actually apologies that you're having to go a hundred miles an hour.
I am constantly trying to, if you've got a few more minutes, we'll hang on to you.
I'll read out, there's been so many comments, Tim, we could not possibly go through them
all.
And to illustrate how many comments there are and that I do try to be fair, I'll read
out this one.
Funny you haven't connected the inherent conflict of interest in banks using SMS 2FA and banks
being the ones who are actually running the ITG, the Industry Traceback Group.
Mate, I'd love to talk about that too.
It's not deliberate that we don't discuss these things.
We just don't have time to cover it all.
So maybe we'll discuss it in future.
Tom, here's a comment from a guy called Tom.
He asks, what about movements to other methods of two-factor authentication, such as authentication
apps and flash calls?
How likely is this?
Tim, I don't want to put you on the spot in terms of like how likely it is, but flash
calls, obviously that's something that is seen in the market as an alternative to SMS
for the second factor authentication.
Is that something that Sinch is expecting there'll be more flash calls in future?
Yeah.
I mean, flash calls on the rise, you've got other seamless authentication methods that
still rely on the SIM card, but aren't an SMS as well.
So, you know, as a business, we've had to embrace those because we don't want to be
left behind.
So absolutely there are other authentication methods.
Ones that rely on a SIM, in my personal opinion, are the most effective because they have a
similar ubiquity, at least to SMS.
Whereas if you try and drive people to authenticator apps, I still have this concern that you're
marginalizing those that aren't tech savvy or those that maybe can't afford a smart device
and so on.
So there's a delicate balance as to how much you can tip away from SMS, but absolutely
yeah.
Things like flash call, I hate to say, and you know, let's see where the market goes
with them in the next 24 months, let's say.
The comments just keep coming in.
They just keep coming in Tim and I don't have time to read them out to you, but I think
that shows that if you don't mind, we will be having you back in future, Tim, because
there's so much, so much has come out of this show.
So much that still needs to be unpacked.
If you will, if you're welcome, if you're willing, we'd welcome you back to have a guest
in future.
Thank you for your time today.
Tim.
You've been a fantastic guest.
Thank you, Eric.
Thanks for having me on.
It's good to meet you.
Likewise.
That's it for today's show everybody.
My gosh, I'm sorry we couldn't satisfy everybody.
We're getting all the comments and questions out, but I guess it's such a meaty topic.
Maybe we need more of these shows in future and tonight we'll be back again next Wednesday,
as will our other regular co-presenter, Lee Scargall, when we'll be talking about advanced
fraud prevention techniques with Arne Baranofsky, CEO of Oculus.
We'll be live on Wednesday, 3rd May at 4 p.m. UK, 6 p.m. Saudi Arabia and 10 a.m. U.S. Central.
Why not save the show to your diary by clicking on the link on the communications risk show
web stage, or just subscribe to watch every episode of the series.
I don't have to keep reminding you about this every single week.
It'll put all the diary entries into your diary automatically in the right time zone
for you, so you can fling all these questions at us and then be complaining that I didn't
have time to read them out.
I'm doing the best job I can.
Thanks again to today's guest, Tim Biddle, Sinch's Director of Operator Relations for
the UK and Ireland.
Thanks also to my co-presenter, Ed Finegold, smart chap, always thinking, always teasing
out the real importance in the subject.
Thanks to the men behind the scenes, we could not do it without our production team, James
Greenley, assisted by Matthew Carter.
That's all for episode seven of the Communications Risk Show.
I'm Eric Priezkalns.
Remember to visit the Communications Risk Show website, tv.commsrisk.com, to replay all our
past interviews.
Visit our main website, commsrisk.com, to stay abreast of the latest news and opinions about risks
in the comms industry.
Check out all the free stuff provided by the Risk and Assurance Group at riskandassurancegroup.org,
including the industry's most comprehensive inventory of fraud and revenue leakage, and
telecoms fraud intelligence shared by the RAG fraud blockchain.
Thanks for watching today.
We'll see you next Wednesday.