The Payment Expert Podcast

This episode explores how mobile network intelligence is transforming fraud prevention in the financial industry. Samantha Kight from GSMA discusses emerging threats, innovative API solutions, and the importance of cross-industry collaboration.

Key Topics
  • Emerging mobile fraud threats and trends
  • GSMA's role in securing the mobile ecosystem
  • Innovative API solutions for fraud detection
  • Cross-industry collaboration against scams
  • Impact of open source and AI on security

Host: Louis Thompsett
Guest: Samantha Kight
Producer: Anaya McDonald
Editor: Anaya McDonald

Learn more about the latest payments insights: https://paymentexpert.com

What is The Payment Expert Podcast?

Welcome to The Payment Expert weekly podcast, brought to you by SBC Media. Each week we analyse the news driving the global payments industry forward; the innovation, the infrastructure, and everything that has to happen to make it all possible.

I actually think the innovation part is key because scammers are always innovating. So for us, I think the Foundry is like a brilliant place within the GSMA and the industry.

Hello and welcome back to the Payment Expert podcast, your source for the latest news, insights and analysis on the payment industry. I'm Louis Thompsett, news editor at Payment Expert, and with me today, I'm delighted to have Samantha Kight, head of industry security at the GSM Association, which is an advocacy and lobbying organization for the mobile communications industry. Samantha is joining us today to discuss how mobile network intelligence is emerging as a powerful new tool in fraud prevention, which can of course support financial services firms in their anti-fraud efforts. Thanks for joining us, Sam. If you want to kick off and tell us a bit about yourself, your experience and your role at GSM Association.

Perfect. Thanks so much. And thanks for having me. It's great to be with you today. Yes, I'm Sam and I head up industry security at the GSMA and essentially we're the mobile industry association. So a lot of the mobile network operators around the world, well, nearly all of them, are our members. Our board comprises sort of the top 12 and then another 12 that are regionally spread. And so we are essentially the voice for the industry alongside a lot of other vertical industries and players, digital players, big tech, that sort of thing. And within my team, we look at securing the mobile ecosystem. And we do this sort of in three main ways. The first of that is to convene the industry. And we've been doing that since the beginning of GSMA being created. And we have a fraud and security group that has existed. And they look at a lot of the specifications around how to secure mobile. We also engage with a lot of regulatory bodies, standards organizations, that sort of thing, and look at emerging tech, so AI, post-quantum cryptography.
And yeah, we're essentially sort of the engine room behind what the mobile industry produces.

Yeah, fantastic stuff and a broad array of things and specialities there. Let's dive into, I suppose, scams, for, you know, in banking and financial services, that's a big talking point. Account takeovers, identity theft, they're evolving quite quickly and they're scaling quite rapidly alongside, you know, digital banking innovations that are happening across the market. From your vantage point at GSMA, how much of that threat landscape has kind of shifted or evolved in the last few years alone?

Yeah, it's shifted dramatically. I think, I think when you work in the tech industry, you see AI evolve, don't you? Like it's been on everyone's lips for quite a while. But I think there's been a recent democratization of attacks and that essentially means that you and I, or maybe, you know, people that don't normally engage in tech as much as, sort of on the ground, have access to technology in a way, it's just so much easier to access it. We have people just, you know, opening up their laptops and finding out ways to commit fraud and scams. And so it's just, I think that that access has been, it's more available than it has ever been before. And so we are seeing, even for us, we write an annual mobile threat landscape report. And what we're finding is even a lot of... We get data from our members and our threat, our telecommunications ISAC, so Information Sharing and Analysis Center. But we also look a lot at open source and we've noticed, particularly in the last year, quite a steep increase in the number of articles that are coming out around scams and around just mobile telecommunications and threats and issues around security. So it's definitely something that's been top of mind for us.

Yeah, suppose that with open source stuff, it's kind of twofold, isn't it?
Because you have obviously, it democratises access to things, but that obviously enables access for those kind of bad players, those bad actors in, you know, across various industries.

Yeah, exactly. And I think, I think in some ways it's good as well, because it gives access not just to maybe nefarious actors, but also to defenders, in being able to have access to that source code and being able to find ways to protect their networks and their assets.

Yeah, it's worth considering, isn't it? Because obviously if there are sort of persistent fraud exposures, whether through open source or other routes, the effect that can have on, if you're a bank or a new digital bank or fintech, your kind of operational stability and your reputation over a sustained period of time.

Yeah. And I think it comes back to that sort of low skill actors being able to launch fraud at scale. We're seeing this in sort of also a number of different areas specific to mobile. So like SIM farms have increased a lot, sort of automated messaging. We've also seen like SMS blasters increasing a lot. And so we're trying to crack down on that. And then also phishing as a service. I know the UN brought out a report a couple of years ago and it sort of brought it home for me because they'd said in there that scams was now more lucrative than the drugs trade. And I was like, this is just, yeah, this is just really shifting the way that society even operates. If it's that easy for people and becoming organized crime groups, it's not just sort of lower scale. It's something that the industry has picked up on and they're going, no, we actually want to make a stand against this and maybe shifting more towards collaborating a lot more and seeing where we can be working with lots of different organizations and industries and associations on the issue.

Yeah, absolutely. I know obviously collaboration is a big point. Big point, sorry.
Fraud as a service itself, I think you can get sort of these kits now and pay, you know, if you're a fraudster, pay, I think like $50 or whatever, and you've got this full on, you know, kit to essentially enact your nefarious desires or wants that you want to do. So it is a point of collaboration. I know there is perhaps some fragmentation across industry. Would you agree with that in terms of having that collaboration where someone might be doing something in the payment sphere and then the mobile sphere, but they can be quite isolated at times? It's about spurring on that collaboration across industries to sort of get that sense of working together to fight fraud.

Yeah, absolutely. I've been talking about this a lot, actually, that shift, because I know two years ago, the Home Office did the first fraud forum, the Global Fraud Forum, and I think we only had maybe a couple hundred people there. And then I went this year, the UN hosted it with Interpol, and we had over 13, I think 12 or 1300. And so actually that shift on collaboration has increased like probably tenfold what you're seeing. And so I would agree that there still is that fragmentation and some of it is because of sort of, some of it is that the fraud is moving at such a pace that our usual processes and systems are maybe not able to adapt to that pace as quickly. And so I think there was probably an initial shock of, how do we make these connections with different industries? But there's been a lot of progress made in those last couple of years. And so we've been working with UK Finance to create APIs that help banks. We've been collaborating with a number of different associations like the Global Anti-Scam Alliance, who bring together all these different players, the big tech, telco, finance, all the different players within that. And you're right, it is a chain and the scam moves from that first phone call, maybe over to a banking app or to that transaction.
And so for us, we are really having to spend a lot more time working with different sectors in order to find solutions that can innovate above and beyond a scammer.

Yeah, completely. And I suppose for those in, say, the payments industry that aren't so familiar with, you know, mobile network APIs and SIM number activity, things like that. What would be useful from your perspective at the GSMA for them to know when it comes to, you know, fraudulent activities when fraud hits their kind of bank?

Yeah, absolutely. There's a lot that the industry was doing. We actually launched an initiative, I think three or four years ago, called Open Gateway. And that was essentially to allow banks and fintechs to access signals through standardized API. So there are a number of unique markers when I guess to mobile data. So we, I guess, have access to certain things that other industries weren't or the fintech industry doesn't. And so we were like, what are these special indicators? And UK Finance were really great at bringing us together with the banks to figure out what they are. And that has essentially launched the GSMA's anti-fraud APIs and the leading one, Scam Signal. We don't go into a lot of the details about what some of the, you know, what those indicators are, but I can give you quite an obvious one is quite often a scammer will call us, won't they? So that is one of the first indicators. And then in real time, while you're on, while they're on the phone to their bank, their bank will actually receive a signal, so Scam Signal will receive a signal to say, look, we think that this phone call could be fraudulent. And then on the banking side, they'll have their own risk assessment measures to go, look, is this unusual from what they're seeing with this customer? And then they make the decision as to whether to pause the call and investigate a bit further or take action essentially.
And so to have that real time, you know, access or assessment of whether the call is, you know, the call is being scammed or not, it's just so useful to the consumer and in protecting the consumer. We're really proud of that. And it's been really strong in the UK and in Brazil and in South Africa. And it's something that we continue to push all around the world.

Yeah, totally. I mean, sticking on the theme of the UK, and we'll touch on APP fraud, because that's one of the biggest and probably most prevalent use cases of fraud. But the response has been pretty well known and pretty strong across the UK market. How have the network APIs featured in that response? How have they worked within that to kind of help in the UK market, but in other markets as well across the globe?

Yeah. So I guess for the UK, the thing that really pushed us looking a lot more at APP fraud is that the UK really highlighted the fact that reimbursement alone doesn't help to stop scams. It just sort of shifts where the responsibility lies. And so for us, what we're trying to do is trying to innovate and find ways of how we can have that earlier intervention in APP fraud and in social engineering scams where victims are essentially authorized to do those payments themselves. And so for us, it's been looking at not just so one of the APA's most scams, but SIM swap and seeing if we can do some of the number integrity checks that also help banks identify some of those higher risk scenarios of scams a lot earlier in that chain. And it should just say that, like I mentioned, the scam signals themselves don't necessarily determine the outcome, but they sort of strengthen that decision-making process for the banks when it's combined with some of their existing controls and measures. And the UK response really has just reinforced that need for cross-industry collaboration.
And we've also launched United Against Scams, which brings together all the work that the mobile ecosystem is doing within this space so that people can come and have a look and see what the mobile industry is doing, because it's not just sort of working across industries, but it's also the measures that we're trying to put on the network. Like Bharti Airtel have got this AI scam network detector, and for them it's like 99.8% accurate. And so there's a lot also going on the network side, not just, yeah, on the front-facing enterprise side between us and the financial services industry.

Yeah, is there a case for perhaps more, I'd be interested to hear your view on this from the kind of the mobile side on whether there needs to be more in the way of social media? Because I think a lot of it, a lot of scams kind of do originate from there. Do you think there needs to be, I suppose, that kind of partnership where mobile industry has, you know, worked with payments and finance, but in a way that also stretches over to those kind of big social media platforms where some frauds and scams originate?

Yeah, absolutely. I mean, not just originate, but sometimes they come off our networks and onto their platforms. And so it's definitely something that we're working on. We've got a proof of concept. So the GSMA has a Foundry where we try and innovate as much as possible with either small organizations or we basically are the link between innovation and the telcos and trying to test that innovation. So we've got something running at the moment called Scams Data Exchange. And we've got a number of big tech players that are involved in that. And we're using specific indicators, again, that's unique to mobile that might be useful to them. So it might be a specific use case where a number is moving from one network to the big tech and seeing whether we can identify patterns in where scams occur essentially.
Yeah, early days still, but so far it's been going quite well and it's just good seeing some of those, seeing the progress with all the different sectors that we are working with.

So that's a good point. Absolutely. I mean, when it comes to the different, I suppose there are different attack vectors, aren't there? Different ways in which forces can attack. It's reacting in ways that kind of meets whatever that attack mode is, whether it's SIM swap fraud, I think account takeover, there's a synthetic identity angle too, so that they all require distinct responses. How does the approach, the API approach and other technologies that you leverage kind of address all three? Do you have to kind of do things slightly differently or is there kind of an overarching way in which an API approach can attack those different vectors or cancel them out?

Yeah, that's a good point. The, let me have a think. The APIs definitely add confidence or sort of friction where it's needed in terms of the risk profile. So when you talk about like synthetic identity fraud, it is more complex, but a lot of the network signals can still contribute by validating sort of whether that identity behaves like a legitimate longstanding mobile user. And so it's trying, yeah, we do try and replicate, yeah, a legitimate mobile user, but sometimes when you put it in the real world environment, it doesn't always react in the way that you had hoped, or sometimes you find something new.

So going from testing to real world can often be, can often be different, can't it?

Yeah, yeah, exactly. And it does something completely different, but I think it's just being able to, yeah, being able to experiment and innovate in the same way, probably a scammer does, like in some ways they're probably something trying to do A, but they get X, Y and Z.
And so for us, it's trying to do the same things, but also identifying the most common patterns so that we can crack down on these things much faster.

Totally. I mean, it seems to be the case that, just as much as take payments and FinTech, for example, where innovation is key and everyone's, you know, wanting to get on the latest trend, regardless of what you're covering, whether it's payments, finance, et cetera. It almost seems like you need that kind of same level of innovation for fraud and always be innovating to counteract the latest threats that are emerging.

Yeah, I feel like I have a convert in you. I think we've been so many years. I feel like the many, think two, because I traditionally come from security background. It was all quite simple 15 years ago and the world has changed a lot. And I think we talked a lot about proactive, proactive security and trying not to be reactive. I think there's a certain level of reactiveness that we now have to just accept. And I think it's sort of, yeah, the same with scams. I actually think the innovation part is key because scammers are always innovating. So for us, I think the Foundry is like a brilliant place within the GSMA and the industry because we're discovering things. Other people have great ideas that maybe the mobile industry hasn't been exposed to, or smaller businesses or startups. And for us to be able to test that, you know, with a big mobile player, yeah, we've seen really good results. We've also got Open Verifiable Calling, which is another proof of concept we've been working on about verifying. You like you get that blue tick, it verifies businesses so that it's building trust within the mobile device that you're going, actually this business that's calling me, it's legitimate, it's been verified. And, you know, that would make such a big difference all across the world. And it is a global solution that we're looking at. There's another, am I able to keep talking?
I quite like the innovation side.

Away. It's fascinating stuff. Me sitting with a payments background, it's really interesting to hear how obviously, you know, the mobile industry can come across and help support in all those things. So, yeah, keep going. I won't interrupt any longer.

Was no, no, there was another proof of concept I particularly liked as well with Telefonica Tech group and they were essentially trying to use, you know, the EU is trying to move towards having digital identity. And for us, it's always about, you know, trying to use mobile technology for them. We tested, well, they tested essentially trying to authenticate when a customer calls a call center, when you and I call a call center to reach the bank or whatever for the payment transaction, we often have these knowledge-based authentications. So get like your mother's maiden name or you to put in a PIN or something like that. And this, what it does is it takes away all the two factor, which mobile was never created to authenticate for two factor. And so it basically uses your digital ID, which is connected with your SIM, and it authenticates instead of taking the four to five minutes to authenticate, you know, that back and forth. It only takes 30 seconds and it's done all digitally. So it's those sorts of things, which give you more confidence in who the person is that's calling. And there's, yeah, there's more innovation projects similar to that alongside Open Gateway and OVC, but, yeah, I think there's been a lot of progress.

They streamline as well, don't they? They, I suppose, the user experience as well, if it's taking 30 seconds, as opposed to four or five minutes, it's almost putting that security layer in the background a bit more, but it's still working just as effectively.

Yeah, exactly. And for us, it's always about finding those global solutions. We are a global organization and represent mobile globally.
And so we want to find solutions that aren't so much specific to one country or region, but that really impacts more and more users around the world.

So I'll end with this last point then, Sam, if there's one thing today that you think needs, there needs to be more of, I suppose, is it, whether it's more sort of cross collaboration between industries, more innovation across sector. What's the biggest challenge from you today that needs to be overcome to sort of help fraud? Is it the constant innovation against it needs to scale up? Is it partnerships? What's the biggest challenge from your perspective that needs to be overcome?

Yeah, I think for us, I would say it's actually scammers work across borders and for them, it doesn't, it's not much of an issue. But for a lot of us, I think actually for the tech companies, we're all trying to come together to come up with solutions, but we're really restricted actually with what data we can share, where and how and with who. And so for us, it's actually we come and we want to collaborate. And I think collaboration has improved loads in the last couple of years as I've mentioned, but it's actually having the, maybe even some of the regulatory frameworks being too stringent in us being able to collaborate a lot more to fight against scammers.

Yeah. You almost need a global regulatory body if everyone could exist where everything could sit under.

Luck with that. Exactly. That's a whole other question for a whole other day.

Well, brilliant stuff. So if there's anything else you want to... You wanted to end on before we close out. Happy to take those, take those thoughts. But it's great talking to you.

Yeah. Thank you so much. And if anyone ever wants to come and innovate with us, definitely, yeah, contact GSMA Foundry.

Completely. Fantastic. Well, unfortunately that is all we have time for today. Thank you very much to Samantha for joining us.
If you've been watching and you're not already subscribed to the Payment Expert podcast, please do make sure to subscribe wherever you get your podcasts, with plenty more insights and analysis to come over the weeks and months ahead. And for the latest news as it happens, head over to paymentexpert.com. We'll see you all next time.