On Tuesday 30th November, AdaptiveMobile Security Chief Strategy Officer, Simeon Coney, took part in a fireside chat presentation with Vonage’s Director of Carrier Relations, James Lasbrey, as part of the MEF Omnichannel event. The following post shares highlights from this discussion.
Given that Omnichannel messaging is no longer the sole preserve of major corporations, now being also widely available to SMEs, how do we go about ensuring the opportunities that it brings are not undone by an increase in spam and worse, fraud? Threat vectors are increasing, and all too often preventative measures are only enacted reactively or reflexively to what has happened, rather than in preparation for what could happen.
AdaptiveMobile Security’s Chief Strategy Officer was joined by the Head of Carrier Relations at partner Vonage, to look in detail at this area, sharing insights on how consumer trust can be maintained, and clients always protected, and looking to the future to ensure not just that lessons that have been learned continue to be applied, but that vigilance and proactivity continue.
Simeon Coney: We would like to talk about securing customers’ trust in conversations. What we do at AdaptiveMobile Security is essentially securing networks. We are protecting about 1/4 of the world today, and we help keep people safe online.
So, in talking about securing customers’ trust the first thing you need to establish is, who is the customer? Quite often when we use that word, you know we’re thinking about an individual – the end user who is holding the phone. But I think the reality is, there’s probably 3 different parties who would consider themselves the customer. Firstly, we’ve got the end user, then we’ve got the brand and enterprise – the people who are spending the money – and even arguably the terminating carrier, who are a major part in that transaction.
There are two other additional parties in this chain. One is the Communications Platform as a Service (CPaaS) provider, who are the aggregator, on-boarding the enterprise, and finally one group that’s increasingly becoming more visible across the globe is regulators and industry bodies. They are now starting to have quite a voice, particularly when it comes to securing customers and securing the conversation.
So James, I’d love to hear the insights that you’ve got in the first step of that chain. What sort of requirements are you hearing from customers and brands?
James Lasbrey: From a platform perspective, we work with companies like AdaptiveMobile Security to secure our services, so that when developers sign on and start using APIs, we are making sure that there’s no fraudulent activity at that point and that they’re monitored to protect both our customers and the brands.
One of the biggest issues which I think everyone is seeing in the market today is fake traffic. This is traffic generated by fraudsters either taking control of an enterprise’s platform, or directly defrauding a consumer’s platform. That can destroy trust throughout the whole ecosystem. So having a partner like AdaptiveMobile who can secure the end-to-end service in real-time, allowing us to monitor and analyze our customers and their platforms, is important.
SC: Let me expand on this point. So often when we talk about “good traffic” and “bad traffic” we’ve got this view out there that there are these Blackhat shadowy figures that exist and then we’ve got everyone else who’s good. One real example that I can share with you, one of our customers had a very large community of religious organisations, who used the Omnichannel to reach out to their parishioners to keep in regular contact and share details such as sales, community events, services, and prayer for the day. They also happen to be the biggest source of American Express phishing. On the face of it, the two things just don’t reconcile.
It turns out it was a classic example of exactly what you described there James, someone had hijacked an account and taken it over. Likely, somebody somewhere, maybe on a church parish board may have had the Post-it notes with the username and the account number along with other instructions on how to send messages on behalf of the organization, somebody realized and thought “I can use this.”
So, in terms of understanding what makes somebody good or bad, it is not clear cut. And being able to help and, in this instance, identify the account and assist them in cleansing and protecting against that behavior – you have to find the source, then regain control over it.
The reason that’s a good example; if you don’t understand exactly what’s going on, it can significantly erode trust.
JL: Absolutely, and if you look at the wider implications beyond that case, the education that’s gone on in the industry over the past 10 years – for example when I speak to my parents, they’re now aware that they must protect their identity and they can’t hand over their security details online. But now the question has become “Who’s there for the brands?”
Our customers come to us for guidance, and we secure our platform. But who is monitoring their platform and making sure someone’s not artificially running traffic over it, breaking into applications or their websites that they’ve taken time to build? There’s a huge part of the ecosystem that’s missing, and I think it’s great being at a MEF event, because MEF has taken a position from a Sender ID registration perspective, which allows CPaaS players to help regulate the enterprise business and help protect and control them, but it needs more participation and education.
Again, I can speak to my parents today and they understand what fraud is and how to avoid it, often when we speak to brands, they understand what it is, but they don’t necessarily see it as part of their responsibility, and we must educate on that point.
SC: Essentially, we’re talking about integrating more of our customers – brands and businesses – into these communication channels, and I think these types of risks are going to come more to the forefront and it is essential that they have knowledge and oversight of potential points of abuse or misuse. Any weaknesses on their systems that were previously internal could become a weakness that is exposed to the world, so I think the obligation in the conversation needs to evolve and enhance for brands to understand exactly what it takes now to facilitate security, and that this is not just a question of connecting something up and starting to do something. Rather it’s thinking through the implications of all of this.
JL: What MEF has focused on in a big way was how we educate and work with the operators. I know that’s an area that you spend a lot of time on, Simeon. What do you do for the operators and CPaaS players?
SC: From AdaptiveMobile’s perspective, we secure both ends of the conversation. We’re there at the point of origination, when somebody is requesting something, and we’re also deployed in the terminating networks, securing all of the inbound traffic.
If a customer receives something that is purporting to be from a brand who they don’t know, they don’t know if it was an A2P generated message, versus a SIM bank message, versus a fraudster message. Trying to educate people about what constitutes a legitimate message is incredibly hard, particularly when we’re talking about something happening across the whole world. There isn’t a sufficient education channel to have that conversation. So, from the terminating carrier perspective, they’re wondering how they can put in place controls to enable and support this because carriers are benefiting hugely from this type of conversation. But at the same time, they don’t want to pollute or corrupt the SMS channel, because if they lose that customer trust, they will no longer engage with SMS.
JL: From the Operator side as well, you think everything is under control, but you have very little visibility over the actual value chain. And it’s great the work that MEF has done in terms of bringing that ecosystem together – but I do believe there’s more that can be done around brands, because we very rarely see brands talking at these events. We need to get brands talking at these events with the operators to help educate, because there’s a tendency to think for example, by working with a firewall company, that you’re basically stopping all of the issues, but in reality, you’re very unaware of what’s going on at the consumer level, and how you protect businesses and the whole ecosystem.
SC: Absolutely. In fact, I mentioned earlier that one of the parties who perceive themselves involved in this discussion is industry bodies. And I don’t mean the telecoms operators, the MEFs and the GSMAs of this world, I mean people like the financial verticals and the healthcare verticals. I think having their participation in these discussions is going to be key, because now increasingly what we’re finding is carriers have a luxury where they operate in one country or in a defined set of countries, but we are starting to see several industry groups define expressly what they consider to be appropriate engagements.
We’ve seen financial services, for example, rule on how people use one-time passwords, and two-factor authentications (2FAs) and we’re starting to see national regulators rule on things such as hours of contact for appropriate type of content. We’re also starting to see regulation on what type of category of content messages fall into, what is legal and illegal.
These are all areas that haven’t been expressly regulated but, as an industry, we’ve got an opportunity right now to facilitate those discussions because otherwise they’re only going to occur too far downstream, and the worst outcome is that regulation comes and it’s imposed without being discussed, thought through, and properly understood.
JL: That’s the biggest fear of everyone in the ecosystem. When you get to that point where the regulator must come in, it’s almost gone too far, and thankfully there’s only very few examples where that’s happened.
But in terms of our role, what we’re saying here, is that the market is now shifting from notifications and verifications predominantly to conversational commerce. Last month Vonage announced the acquisition of JumperAI, and that really is to push forward to give us a capability in that space, because that’s the future of messaging and CPaaS as we see it.
SC: So, we’re talking about securing customers’ trust. I think quite often one of the risks is that people see the words security and trust and assume that they mean the same thing in a conversational context, whereas they’re quite different. Security is about what permissions a party has granted, whereas trust is the trust of one party to another for an identified service. It’s about checking to see if parties are behaving in a way that you expect them to. Security is about setting up the rules, and trust is saying are the people who agreed to those rules conforming to them. And the only way you can tell is by being involved in the conversation.
Push notifications, for example, don’t really have a measurable element of trust, because you can’t tell what the recipient thought when they received it. But when you start to engage in a conversation, and you see how the recipient is engaging, you can now start to determine and measure the effects.
JL: Exactly and, looking at the JumperAI use cases, a lot of people talk about that kind of conversation and the way it’s happening, one example is Ben and Jerry’s around the launch of their new ice cream flavors, doing it in such a way that they communicate with their consumers. Rather than just a notification, they found a reason for communicating, and then they fulfilled it at the end by giving consumers free ice cream, so it’s smart kinds of communications like this we’re increasingly going to see.
SC: Those are exactly the type of case studies we like to see, because what you’re now starting to see is a clear action and an outcome that is a direct benefit to their business and the consumer where you’re not just measuring the middle part.
We’re trying to put that conversation in context of the business and in turn it will help us to think with the right perspective of what these people are trying to achieve and then maybe come up with the solutions for that type of market to make it more secure.
JL: And do you, Simeon, find that you still have to educate people about the difference between security and trust, or do you think it’s becoming clearer?
SC: Definitely, we need to educate people. Some of the big challenges are when people talk security, they think it’s a checkbox. “I bought something; I’ve deployed it. Now let’s move on.” But security isn’t like that. It’s an ethos, it’s a journey for life. You’ve got to keep doing it.
A perspective that often gets lost is that security for one person means that you’re preventing another person from doing something. You’re securing against a particular behavior, and that is being attempted because somebody is making money out of it, so they are motivated to try and get around those controls to try and find a way to exploit the system to their advantage. There is a deliberate reason that they were trying to do that in the first place. Therefore, you have to be mindful of that and think about what they might change as a result of what you’ve put in place to try and get around that. So, security is a journey, not just a particular checkpoint, it evolves.
But trust is coming back more to ask questions like, “What does it mean to my business?”, “Does the stock market trust my business?”, “Do consumers trust my brand?”. Brands are starting to think, if they send a communication to a user, will they respond because they actually trust and understand who the brand are.
One of the things that we really want to see is for the ecosystem to come together to try and find effective ways of helping develop that trust from the end user, because when we see case studies, everyone is always thinking about the good flow, the legitimate case is the perfect scenario where somebody does something you know, they respond, they choose. But what’s not being considered is the people who are going to exploit channels, bad actors who will disrupt or impersonate or obfuscate that experience. This is where we have the risk of trust through association.
If a brand has sent one good message, but a user has got nine bad ones, what do you think their perspective is going to be of the one good message? It’s going to be poor. As an ecosystem we need to be mindful seeing things through the lens of the customer. I think we need more perspective of what the users are facing in their daily lives so we can ask directly, how do we educate them, and how do we keep them safe?
JL: It’s critical for us to understand the trends because we only really know fraud is happening when we see something irregular happening on our platform, which means we’re one step behind from the start. If we’re securing each part of the value chain, so a customer has a secure platform from the start, how do we start that conversation around trust with the enterprises?
SC: Absolutely. Another example here would be Grey Routes. We all understand why Grey routes exist, sometimes it’s the only way to get traffic through to an end location. The effect though that has on end users – I mean who’s pulled out their phone and received a one-time passcode but not known who it’s really from? Or where sometimes you got passwords from 5 different services from the same number. Naturally, you then start to question who’s behind this.
Yes, we understand why that’s being done, but from an end user perspective, they’ve started to lose brand identity. How do you get trust if you’ve not got a clear comprehension of the brand? So, a lot of the actions can have unintended consequences that can effectively have a longer-term impact, particularly as we want to try and evolve some of these services.
JL: It’s just working out the role. We’re part of the Google SMS verification, which is a great service whereby they protect basically all Android users and make sure that they look at the message before it’s sent out and then regulate and make sure it’s basically sent by the business identity or the logo.
It’s working out examples like this where we can make it easier for businesses and consumers to understand where they can safely use services and where there are examples of fraud.
SC: And Omnichannel is a great example where there are inconsistencies. For example, we’re now starting to see signed email/certified email, we’ve got things like the verified SMS, but no such thing exists in the voice environment yet. So, when we’re talking about Omnichannel engagement, how do we give users that feeling of comfort, no matter what the service is, that it actually is the legitimate party reaching them across all those different channels, particularly when they may be using different identities.
JL: This is where we think some of the new use cases should be. The upside of COVID that we’ve seen is that a lot of the technology is being used by the healthcare system, the schooling system, education, etc. They are pushing the boundaries of how they use video in combination with messaging and integrated voice, which has enabled everything to continue in the horrific last two to three years that we’ve had. But securing all of that is about the end-to-end experience.
SC: The end-to-end experience and across different vertical technology stacks. We all understand how complex that technology is – end users don’t. They see a device; they’ve had one experience. So there’s an opportunity for us to try and find ways to find some level of commonality to start thinking about solutions that presents more consistency from an end user perspective.
JL: And what’s your view in terms of like their next evolution? Obviously, we’re seeing a lot of change in the markets. Do you see the market evolving around these services?
SC: What we tend to find is that service innovation happens – and then security is an afterthought. So, yes, there’s most definitely a risk where new services will come to market and people will find a way of exploiting them, and then belatedly people will try and close and patch the holes to give a better user experience. I do see though the innovation and the creativity in other services, and communication methods that are all vying for customer attention as well where the challenge is how they give customers an experience that enables them to transition from one service from one bearer to another.
In terms of evolution, there is a lot of creativity and I think we’re almost at the hiatus of service innovation. I think we’re going to start seeing a whole new wave, particularly as we move out of the current Covid environment and as people are actually able to get together and start implementing all the ideas that they’ve had for the last two years.
But the future of people looking at conversations and starting to make more about actually what is the conversation, not just “What am I doing to carry my little part of it?” is an exciting future and maybe if I can turn it around. What are you seeing in terms of evolution doing both the originating and the terminating side?
SC: When it comes to 5G, there are probably use cases that we haven’t even predicted yet, so it’s an exciting time. The horsepower on the device is there and that’s always a thing that catalyzed the 3G and 4G transformations. I think 5G itself is going to force a lot of businesses to start thinking creatively; what can you do with huge number of connected devices? What can you do with very low latency? What can you do with pervasiveness of contact?
JL: Exactly. But nothing is going to change unless we’ve got the consumers’ and the brands’ and the operators’ trust and we actually get together as an ecosystem to proactively protect them.
SC: That would be the closing statement; we need a joined-up community coming together to have those conversations because if we don’t it is going to be enforced on us.