In this week’s bulletin:
- There Is Always a Bigger Picture: Global Scam Statistics
- The Disadvantages of Being a Big Fish: Google and RCS for Business Messaging
- Trustworthy Data without the Center: eIDAS and Banking
- Making Tech Do More with What We Already Have
- Thai Anniversary Is Reminder of What Tough Police Can Accomplish
- Other News
Tuesday saw my first official outing as a spokesperson for the Mobile Ecosystem Forum (MEF), as I joined the team in Brussels to moderate three expert panels at the MEF Connects Anti-Fraud conference. I deserve no credit for the superb line-up of speakers; my name was one of the last to be added to the agenda. Working with new colleagues and listening to their thoughts on how to arrange the conference content gave me a fresh perspective into the choices professionals make when conceptualizing where to begin when mitigating risk, and how to manage the connections between different kinds of businesses.
There Is Always a Bigger Picture: Global Scam Statistics
Long-established readers of Commsrisk know how much importance I attach to a mental faculty that I refer to as ‘the zoom’. This is the ability to inspect and understand the detail of how things work at a very low level, to then step back and see how that fits within a much bigger picture, and then to track sideways and to zoom into another part of the picture so we can fully grasp how a choice or mistake made in one place can have enormous consequences somewhere else. For example, the poor collection of data when onboarding new customers can lead to all sorts of delays and complaints later on. A different kind of example involves corruption in Cambodia permitting the establishment of scam compounds. These compounds lure Indian IT professionals into becoming modern-day slaves who are given targets to scam victims in English-speaking countries unless their families in India will pay a ransom for their release. It would be unreasonable to expect an expert in digital identity management to also be an expert in human trafficking, but the importance attached to verifying online identity by authorities in Europe and North America does now influence the motives and practices of traffickers working in Southeast Asia and elsewhere.
Jorij Abraham, Managing Director of the Global Anti-Scam Alliance (GASA), set the tone for the conference in Brussels by emphasizing how the frauds we deal with in the communications ecosystem also enables many crimes that may seem to lie beyond the scope of a telco employee. Jorij’s crisp but fact-laden speech brought the challenge of fighting fraud into sharp relief. For example, GASA estimates that the total cost of fraud during 2023 was USD1.026tn. To be clear, that number involved a ‘t’ for ‘trillion’. Even though comms providers are losing billions to fraud, the failure to stop fraudulent traffic from crossing networks has a cost to society that goes way beyond the cost to comms providers themselves. And part of the reason for that disparity is because some comms providers continue to profit from crime, which is why Katia González Gutierrez of conference host BICS was amongst the speakers emphasizing the need to stop the flow of money to fraudsters. Another way to stop the flow would involve finding the scammers and making them pay for their crimes. However, Jorij shared another informative but depressing statistic about that subject too. Per GASA’s analysis, only 1 out of every 2,000 scammers is ever caught.
The Disadvantages of Being a Big Fish: Google and RCS for Business Messaging
My first panel in Brussels (pictured) addressed the way bad actors would like to hijack RCS business messaging to push spam and scam messages. It would be difficult to do justice to such a topic without any input from Google, so I was grateful that Phil Carter of Google was involved, alongside Claudine Bell of Virgin Media O2, Dave Boddington of Infobip, and Aidan Kenny of Open Mind Networks. I do not think it is terribly rude to observe that when it comes to imposing controls designed to weed out bad actors, there is a tendency to turn towards Google and to expect them to act as guardians of RCS business messaging. This meant we were literally turning towards Phil during the panel, just a little more often than would have been ideal for people sitting in Brussels, the home of the European Union.
There has been quite a history of antitrust lawfare between the EU and Google, including the confirmation of a fine on the morning of the event. But I would not expect that Google would want to monopolize a burden like keeping a business messaging channel free from crooks and spammers. It is easier for them to maintain standards in RCS business messaging than it is for the industry to collectively impose consistent standards across the many players involved in A2P SMS. That comes as a corollary whenever the implementation of technology leans towards centralization of roles and responsibilities rather than their distribution. So examining the dynamics of fraud mitigation for this particular communications channel serves as a reminder of the choices that need to be made when tackling fraud elsewhere too. Responsibility can be distributed, but that means cajoling and policing a lot more players, of which any one might damage the reputation of the service by misbehaving. Or responsibilities can be more centralized, and that has downsides too.
Trustworthy Data without the Center: eIDAS and Banking
The balance between centralization and distribution also came up when Italian former parliamentarian Stefano Quintarelli told us about his role in the evolution of eIDAS, the EU regulation concerning identification and trust for electronic transactions. Being European, more importance was placed on eIDAS having a distributed architecture than Stefano expected would be the norm for digital identities in other parts of the world. But I secretly hope his pessimism will prove unfounded. Perhaps Europe can make such progress with delivering useful services to its citizens that eIDAS will be treated as a paradigm to copy rather than an ideal that other regions will undercut.
Bryn Robinson-Morgan of iProov joined Stefano on stage, and it was encouraging to have a man with Bryn’s background of working for major retail banks talking about the safe networking of identity. Belgium is also the home of SWIFT, the cooperative messaging system set up by banks in 1970’s which is used for approximately half of all high-value cross-border payments worldwide. SWIFT was a form of decentralization motived by the desire to prevent any single bank from controlling the international flow of money. It has worked well. The key point is that SWIFT’s purpose is to convey secure messages about transactions, not to act like an intermediary bank that handles the transaction itself. Perhaps banks will become natural allies in the creation of global network protocols that provide assurance about the identity of each party to a transaction whilst diminishing the world’s reliance on flawed assumptions about a mobile phone number serving as an identifier for a specific person.
Making Tech Do More with What We Already Have
I usually play the role of cynic when judging hype about new technology, but my other panel on the technology of tackling fraud suggested we may finally be turning a crucial technological corner. Yaunese Aazibou, CTO of BICS, set the tone with an upbeat assessment of what can be accomplished, not least because of the amount of bad traffic that BICS is already blocking. Pravesh Arora of Telesign and Igor Skutsenya of LANCK Telecom reinforced the point by talking about comms networks being able to do a lot more to discriminate between a genuine consumer and an imposter. I turned to Adrian Harris of XINTEC in the mistaken belief that he would be the one panel member who would play down the effectiveness of algorithms as a replacement for human intelligence, but then he explained how AI can be used to improve the way people make decisions about how to handle seemingly anomalous patterns of traffic. Adrian was the only speaker I had invited to the conference, and I wanted him because he never exaggerates what can be accomplished with advanced technology. So if he is feeling optimistic about what can be accomplished, even at a small scale for tier 2 and tier 3 telcos, then that makes me optimistic too.
Thai Anniversary Is Reminder of What Tough Police Can Accomplish
One of the statistics that was repeated several times in Brussels was that fraud represents 40 percent of British crime but only consumes 1 percent of the budget for British police forces. The numbers are cited because they are thought to exemplify the low priority allocated to fraud prevention and deterrence by other countries too. But just as I enjoy highlighting examples of comms providers who show others how to succeed, there was an event in Thailand which also deserves to be mentioned in this bulletin. A ceremony was held to celebrate the fourth anniversary of the Technology Crime Suppression Division (TCSD) of the Thai police. The operations conducted by TCSD since its formation include:
- ‘Operation Shutdown Stingray’, where they arrested crooks with Hong Kong connections that used an SMS blaster to impersonate a bank;
- ‘Operation Shell Game’, where they closed down a scam compound run by Indians and Thais that targeted victims in the USA; and
- ‘Operation SIM, Wire, Pole’, where they identified and destroyed cell sites and internet cables used to provide connectivity to scam compounds in neighboring countries.
Congratulations to all the police officers involved in these and many other operations that targeted telecom and cyber criminals, both inside Thailand and beyond. I especially like the fact that the Thai police have chosen to reassure the public by openly talking about the need to target resources at finding and punishing the criminal gangs behind the scams. A few more examples like these may help to raise the law enforcement hit rate of 1 scammer caught per every 2,000 scammers working worldwide.



