Dario Betti, CEO, MEF, introduced John Kennedy, Head of Pre-Sales at AdaptiveMobile Security, during the recent MEF Security Connects webinar and invited him to share his security insights gained from over 30 years of experience in the mobile security industry.
John has an unrivaled view of global mobile security challenges in his role at Enea AdaptiveMobile Security, securing over 90 customers worldwide via messaging security, messaging monetization, signaling security, and signaling and messaging threat intelligence.
In his presentation, John looked to the future of mobile security through the lens of the past, present and future, using his ‘time machine’ to hop through the exciting landscape of mobile technology. With mobile technology you need to continually evolve your product set as we migrate from 3G to 4G and now to 5G. It never stops. Enea AdaptiveMobile Security keeps up with the pace of change, having recently announced our unified 5G Network Security solution.
See the highlights of John’s presentation below.
What were the top spam texts in 2012?
Hopping into our ‘Time Machine’ to 10 years ago, we shared the top five spam threats back in 2012. In the UK and globally, SMS Spammers were plaguing mobile networks with unwanted Spam. Some were scams, some were phishing attempts and others were growth hacking. The top spam campaigns were:
- PPI claims
- Accident Compensation
- Debt forgiveness
- Pension reviews
Unfortunately, there wasn’t a cohesive response to this from the mobile ecosystem and these spam campaigns continued to undermine public trust in the SMS channel.
Have we solved the curse of mobile spam, phishing and smishing?
Now, back into the ‘time machine’, jumping to 2021 this time. How much has changed? Technology progress has been huge in 10 years, so we must have solved it, right? Wrong. We could swap two digits, from 2012 to 2021, reissue the press release, and not much would have changed. Spam has persisted and prevailed, and has possibly got worse in terms of the individual impact and potential loss.
SMS Spam has persisted and prevailed
Spam seems to have defeated us, with an onslaught of scams including the recent Package Delivery Scams and Banking Scams. SMS spam is very much in the public domain. In light of the recent Royal Mail scams in the UK, we saw operators and law enforcement cooperate, with arrests being made of the gangs behind the attacks. However, there have been many attacks that went undetected!
Delivery Text Scams
The parcel delivery text scams use social engineering to con consumers. There is a word for this type of behavior - ‘illusory correlation’ - where you connect two unrelated events in your mind. You are waiting for a parcel, receive the fake notification, relax your caution as you think it is for your actual delivery and click on the malicious link.
What is the mobile ecosystem doing to prevent SPAM and protect consumers?
Operator brands themselves are being targeted and oftentimes the customer feedback loop is not working quickly enough for the operators to shut down the attacks. We have seen successes in certain geographies such as North America and Canada which we will discuss later but overall, the Mobile Ecosystem can do better to stop these attacks.
How has messaging security changed?
The attacks of the 2000s came primarily from SIM banks. That still goes on, but now sending messages is even more accessible and programmatic. You can send messages cheaply and in high volumes, using APIs via a cloud messaging service provider. Even more importantly, you can also vary the content being sent, so it’s more personalized. The ‘call-to-action’ URL can vary too, using a URL shortening service, and this varied content makes it more difficult from a security point of view to identify malicious campaigns or attacks. Many technologies will miss this and fail to identify that the messages are coming from the same source.
Another change in the messaging security landscape is the increasing consumer demand for a mobile-first approach. We've seen in many regions that online banking has moved from laptop to mobile. Companies are responding with mobile-first strategies. More and more household brands are using mobile messaging to communicate with customers. It’s a profitable business for those involved in the SMS messaging industry, but it is also more important than ever to protect the SMS communications channel and maintain consumer trust.
Who is responsible for messaging security?
Mobile network operators
Currently mobile network operators are not held accountable for providing a security service. The brand, e.g. the parcel company or bank that has been ‘hijacked’, normally gets mentioned in the media; generally it’s not the operator that gets the public blame.
There are many involved in the delivery of the message, but the operator is closest contractually to the customer so there is a role there to be explored around spam control to protect customers. That’s why we evangelize to operators about the benefits of putting Spam control into the network.
Communications platform as a service (CPaaS)
The CPaaS sector has been growing rapidly, both scaling themselves and enabling enterprises to grow. These cloud-based messaging providers are revolutionizing communications. It’s now cheap and easy to sign up to use APIs to send messages into the ecosystem.
There is an argument that more mobile security advances could be made in this sector, with more due diligence on ‘Know-Your-Customer’ (KYC) processes upon customer sign up.
Government and Communication Regulators
Regulators have been slow to respond and we haven’t seen an effective global move from regulators to improve the situation for consumers. Privacy laws and GDPR are often used as an excuse for inaction on mobile security. This leads to an imbalanced playing field when it comes to tackling attackers. Fraudsters can use any technology they desire but for operators, once the data is inside the network, they have their hands tied in many jurisdictions. Their ability to do certain in-depth data analysis to better secure consumers is hampered due to privacy laws in certain jurisdictions. Also, there’s not really a culture of sharing intelligence between operators in the same way it is done in the cyber security industry.
Some regional successes against SMS Spam
In North America, we do see improvements with the introduction of 10DLC and The Campaign Registry. Both American and Canadian operators take customer satisfaction and the blocking of spam very seriously. The uptake of the 7726 service is strong. However, it is more the exception than the norm in the global mobile security landscape.
Are mobile security vendors doing enough to stop Spam?
The issue has been with us so long people get exhausted talking about it and most of the security vendors are a fraction of the size of their customers, with limited time to lobby and get involved with regulators. We do continue to educate and share our security insights with the wider mobile community, but as a business there is also a focus on sales and customer satisfaction.
The business case for SMS Protection
What operators and CPaaS providers are interested in buying ultimately drives the technology agenda and product road map for security vendors. Generally, monetization has been the primary driver and sales focus for the past decade. Monetization is a well-recognized activity; firewalls are installed to block grey routes and maximize A2P SMS revenue.
What is the difference between Spam Protection and Monetization?
Many people think a spam filter and a monetization filter are the same thing, and whilst there is a degree of overlap, each has a different feature set. SPAM and smishing have a ‘call-to-action’, which is a shortened URL. To secure against SPAM and smishing, we must take the URL and process it: go to the domain, collect the WHOIS information from the database, come up with a reputation score for that site, and then feed that back into the decision-making process. It is a complex process at scale.
Monetization is less complicated; we generally know what brand messages look like and we can quickly identify that traffic when it comes into the operator's network from a grey route. Our customers want to get a better idea of the category of messages - whether they are 2FA, invitations from finance or entertainment etc. Once they can be categorized, the messages can be treated differently and operators and CPaaS providers can decide on how they will route it, when to send it or indeed how to charge for it.
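The two detection steps described above, clustering varied messages back to one campaign (the evasion from "How has messaging security changed?") and scoring the call-to-action URL by WHOIS age before feeding it into the decision, as an added Python sketch that is not Enea AdaptiveMobile's code. The messages, the shortener expansions and the WHOIS dates are constructed stand-ins for the live lookups a real pipeline would perform.

```python
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed sample traffic: one campaign with varied greetings and shortened
# URLs (the evasion the text describes) plus a legitimate 2FA message.
MESSAGES = [
    "Hi Sam, your parcel could not be delivered. Reschedule: https://sh.example/3xAb12",
    "Hi Jo, your parcel could not be delivered. Reschedule: https://sh.example/q9Zk",
    "Hi Alex, your parcel could not be delivered. Reschedule: https://sh.example/8KqwE",
    "Your one-time passcode is 482913. It expires in 10 minutes.",
]

# Constructed stand-ins for the lookups the text describes (shortener expansion
# and WHOIS registration dates); a production pipeline would query them live.
EXPANSIONS = {
    "https://sh.example/3xAb12": "https://parcel-redelivery.example/track",
    "https://sh.example/q9Zk": "https://parcel-redelivery.example/fee",
    "https://sh.example/8KqwE": "https://parcel-redelivery.example/track",
}
WHOIS_CREATED = {"parcel-redelivery.example": date(2021, 5, 1)}

URL_RE = re.compile(r"https?://[^\s<>\"]+")

def template(msg):
    """Collapse the variable parts (URL, numbers, greeting name) into tokens so
    every message from one campaign yields the same fingerprint."""
    t = URL_RE.sub("<URL>", msg)
    t = re.sub(r"\d+", "<NUM>", t)
    return re.sub(r"^(Hi|Hello|Dear) \w+,", r"\1 <NAME>,", t)

def campaign_clusters(msgs):
    """Group messages by template; a cluster exposes one source behind many variants."""
    groups = defaultdict(list)
    for m in msgs:
        groups[template(m)].append(m)
    return dict(groups)

def reputation(url, today=date(2021, 5, 20)):
    """Expand the URL, read the landing domain, score it from WHOIS age (0-100)."""
    domain = urlparse(EXPANSIONS.get(url, url)).hostname
    created = WHOIS_CREATED.get(domain)
    if created is None:
        return domain, 50  # unknown domain: neutral score, route to review
    age_days = (today - created).days
    return domain, (90 if age_days < 30 else 60 if age_days < 365 else 10)

def verdict(msg):
    """Decision step: the riskiest URL in the message drives the action."""
    risk = max((reputation(u)[1] for u in URL_RE.findall(msg)), default=0)
    return "block" if risk >= 80 else "review" if risk >= 50 else "allow"
```

Only the final landing domain is scored, so three different short links that all expand to one freshly registered domain receive the same verdict.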
Solving Messaging and Revenue Protection
Messaging protection and revenue protection are different issues, and if you try to solve them both in the same place with the same process, the monetization features and filters will often get prioritized due to the commercial models. If you really want to address SMS Spam, you need to focus on SPAM primarily and not assume that it can be dealt with in the same place and with the same processes as monetization and grey route prevention. Now we're seeing the consolidation of security vendors with CPaaS, and we need to consider whether that will improve or dilute their security focus. Economics are driving towards monetization and not towards better technology for preventing SPAM.
Mobile Security Predictions for 2031 and beyond
- SPAM and message security issues are unlikely to vanish 100%; there is too much money to be made.
- It takes effort and focus to stop SPAM; who invests?
- Industry initiatives improve the integrity of the delivery chain:
  - Brands clearly identify themselves and their campaigns in registries
  - The Campaign Registry for 10DLC in the USA is now live!
  - TRAI (India) opt-in preferences using blockchain
  - The principles of KYC are applied to senders
- Harmonization of privacy legislation across regions
- Greater oversight of enterprise mobile devices and threats
- STIX/TAXII model for threat exchange
- Regulators enforce best practice to protect consumers
- And who knows what Apple/Google will do…
And a key takeaway, if we are hopping into the time travel machine; we must also remember to NEVER set the time travel clock to 2020!