An open letter to mobile operators about the need for SMS cybersecurity #2

Dear Mobile Operator,

TL;DR: please integrate a cybersecurity solution that's built for SMS. Everything you have tried so far has failed to protect your customers. It's time to try a new approach.

If Twilio's own 2FA app (Authy) and their anti-phishing security controls for SMS couldn't detect phishing URLs that impersonated their own branded URLs, SMS Firewalls can't either. And "awareness training" is not the answer, unless you believe employees at Twilio, Okta, Microsoft, Cloudflare, and Cisco don't receive "industry leading" anti-phishing awareness training every month.

Here's my first Open Letter, published in May 2021. It kickstarted many deep conversations with stakeholders across the telco industry for almost a year, including regulators, operators, the GSMA, SMS brokers/aggregators, and SMS Firewall vendors. You were all very impressed when you saw a potential solution, but decided SMS security wasn't important "enough" to try something different. 14 SMS Firewall vendors were so impressed they decided to steal MetaCert's IP and claim it as their own, so it's not like they can be trusted to tell you the truth about their skills and experience in anti-phishing cybersecurity.

In 2021, I made a very confident assertion to a few specific UK operators (in private) about the probability of threat actors targeting major organizations with SMS-led phishing attacks for the first time in 2022. I warned this would happen because it became very obvious to hackers (and me) that SMS phishing is easier, faster, cheaper, more reliable, and more effective than email phishing. There's no comparison. Moreover, no mobile operator in the world has an effective or reliable cybersecurity solution for SMS - I know this, and hackers know this. SMS has a 99% delivery rate and a 95% open rate, and everyone who's likely to "tap" a link will do so within the first few minutes.

The fact that Twilio and their customers (and now their customers' customers) were breached through SMS messages with a phishing URL that impersonated their own, bypassing their own 2FA security service (Authy), should worry the telco industry.

Show me a network that's supposed to have cybersecurity and I'll send a hundred messages with a hundred unique dangerous URLs that seamlessly pass through without detection. Some of you know all of this already, because we already ran these tests on your networks, multiple times. MetaCert even provided data to one of the major operators in the UK, so they could cross-reference all of our test results, while adding credibility to our report. Still, no change to the approach you're all taking today.

Hackers only need one person to trust one URL to cause maximum harm - ONE. Your business customers don't really care too much about the 95% of easy-to-detect spam messages that are blocked, because they are NOT dangerous, they're just annoying. Spam messages are expensive for you to process, however, and you lose a lot of revenue. You have an SMS Firewall that's designed to protect your revenue - that's why some of them do revenue share deals.

What your business customers really care about

Your business customers (which include government agencies, municipalities, healthcare providers, schools...) care more about the 99% of phishing messages that hit their employees' mobile phones, leading to their corporate networks and customer data being breached. This is the problem you need to focus on, because it's getting worse with no signs of slowing down.

We're seeing really bad outcomes for a lot of companies and many millions of people right now, while operators publicize their ability to stop spam. Here's a specific claim about Vodafone's ability to stop spam. In our formal tests, Vodafone was unable to stop a single phishing message - despite the fact that we tested the same phishing URLs multiple times over the course of a week. In fact, no operator in the UK or Ireland was able to detect a single phishing URL - no matter how many we tested, or the number of times we recycled them inside new messages.

If an SMS Firewall vendor says they can protect your network from phishing, go to phishtank.com and grab some new phishing URLs that haven't been verified yet. I'll bet you all the tea in China that your SMS Firewall vendor will fail to detect any signs of danger in any of those URLs - unless they stop every message on your network, open every URL, investigate every webpage for signs of danger, and then block those that are verified as phishing, all in less than 300 milliseconds. If they can do that, point them to me as I have a job offer.
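The PhishTank test above, and the "Zero Trust SMS" heading further down, come down to one difference: a reputation denylist can only block a URL someone has already reported and verified, while a zero-trust policy delivers a link only when it belongs to a domain the sender is verified for. This is an added illustration written for this page, not the author's code or MetaCert's product; the sender IDs, domains, message text and the tiny "verified phishing" feed are all constructed, and the registered-domain helper is a deliberate simplification (production code would use the Public Suffix List).

```python
"""Constructed comparison: reputation denylist vs. zero-trust allowlist for URLs in SMS."""
import re
from urllib.parse import urlsplit

# Constructed sample feed of already-verified phishing URLs (what a denylist vendor holds).
VERIFIED_PHISHING = {"http://secure-login-alerts.example/verify"}

# Constructed zero-trust policy: the registered domains each verified sender may link to.
# A sender ID that is not registered here gets an empty set, so every link it sends is held.
SENDER_ALLOWLIST = {
    "ACME-BANK": {"acmebank.example"},
    "ACME-SHOP": {"acmeshop.example"},
}

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def registered_domain(url: str) -> str:
    """Last two host labels (toy approximation; real code consults the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def denylist_verdict(text: str) -> str:
    """Reactive model: block only URLs that are already on the verified list."""
    urls = URL_RE.findall(text)
    return "block" if any(u in VERIFIED_PHISHING for u in urls) else "deliver"


def zero_trust_verdict(sender_id: str, text: str) -> str:
    """Zero-trust model: every link must land on a domain this sender is verified for."""
    allowed = SENDER_ALLOWLIST.get(sender_id, set())
    urls = URL_RE.findall(text)
    if not urls:
        return "deliver"  # no links, nothing to verify
    if all(registered_domain(u) in allowed for u in urls):
        return "deliver"
    return "hold"  # unverified link for this sender: quarantine for review, never deliver


if __name__ == "__main__":
    # Constructed message carrying a brand-new lookalike URL that nobody has reported yet.
    fresh = "ACME-BANK: unusual sign-in, confirm at https://acmebank-secure.example/login"
    print(denylist_verdict(fresh), zero_trust_verdict("ACME-BANK", fresh))  # deliver hold
```

The fresh lookalike sails through the denylist (nothing to match against yet) but is held by the allowlist, which never had to see the URL before; the allowlist also holds links from any sender ID it does not recognise.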

Phishing is not new, and it is not sophisticated

Phishing URLs and counterfeit login pages have been used by hackers since 1996, when phishing was first discovered inside emails, IM, and chatrooms. And every year since 2016 has been recorded as the worst year on record for phishing. If phishing is getting worse every year with no data to suggest it will slow down in the future, and more attackers are starting to use SMS instead of email, I feel sorry for anyone who relies on SMS revenue. Enjoy it while it lasts, because those growth curves only indicate COVID and post-COVID growth patterns - they don't indicate the most important metric, churn, i.e. people who no longer "click links" inside SMS messages because they don't trust any form of marketing via SMS. This number will become obvious to brands when they realize real conversion rates are just as weak as SMS security.

Here's a breakdown of what is happening with all of these companies being breached with SMS-led phishing attacks.

The solution

Zero Trust SMS