“Spam is a tricky problem to solve”

From a customer simply hanging up to companies watching sharply for “throwaway numbers” and regulators taking strict action against real fraudsters (and not getting lost with the ‘man in the middle’), a lot can be done to effectively fight the explosion of frauds and spam. Rajdip Gupta, MD and Group CEO, Route Mobile Limited shares his perspective on Calling Name Presentation (CNAP), DnD, virtual SIMs, 5G and SIM-swap detection and whether they can help dial down intrusions and frauds in India. Excerpts from his interaction with Pratima Harigunani.

What led to the development of products for SIM fraud prevention and digital identity protection? What on-the-road lessons have you learnt as you rolled them out?

We listened to our customers and the challenges they face. Solving these challenges in new ways is a natural progression of our business. We are already helping them with identity protection, for example, by delivering OTP tokens to users via SMS. As we assessed the market, we found that our long-term partner Masivian, based in LATAM, had developed a product that helps businesses understand the risk associated with trusting a phone number. We recognised the opportunity and acquired Masivian to gain a foothold in the LATAM market and leverage its amazing products for our customers.

India has seen a growing incidence of spam calls and messages. What can be done by the industry to address these frauds? Is enough being done?

Spam is a tricky problem to solve. We have seen blunt policy instruments deployed in many markets around the world attempting to protect users from spam calls and messages. These are rarely effective. Sender ID or Caller ID pre-registration, for example, lower the effectiveness of spam messages, but spam messages and calls are still sent in the billions by switching to generic sender IDs or simply misusing other brands’ sender IDs.

Mobile Operators can protect users by deploying AI and ML to scan for spam calls and messages as they enter their networks. Regulators can strengthen legislation against those who originate spam messages and calls as we are now starting to see in several markets, but these measures need to be targeted at the fraudsters, not those unwittingly in the middle of the delivery chain. While those in the middle do have some responsibility, targeting them is a blunt tool which simply moves the problem elsewhere rather than solving it.

What’s your advice to users and customers?

Our advice to customers is to protect themselves by not believing unknown people on calls and never giving out personal information either. If you suspect it is not your bank calling, then simply hang up, find the bank’s contact number and inquire with them.

Spam messages and calls are still sent in the billions by switching to generic sender IDs or simply misusing other brands’ sender IDs.

How tough is it to balance convenience and frictionless CX and privacy in today’s digital world? What can users do on their part?

Brands can differentiate their offering on the CX they provide. One of the reasons Amazon has been so successful in the e-commerce space is because of how easy they have made it for consumers to find what they want and buy with minimal clicks and all in their pocket. But this comes at a cost. Bots, fraudsters and ready-to-abuse brands don’t protect themselves. A great example of this is in consumer apps that use the phone number as the unique identifier for the user.

Many companies deploy SMS-based phone number verification, which in 99% of the cases is effective and secure. There are, however, some markets where there is a prevalence of ‘throwaway’ numbers. Currently, we are developing a solution to identify these numbers and help customers make an informed decision about whether or not to allow a given phone number to sign up.

There is SIM swapping, missed call fraud, IRSF fraud, Wangiri fraud, and more. How critical are these frauds in India?

Sim Swapping is a huge issue in India as well as in most countries around the world. You only have to look at news reports and you find many examples of real people suffering from loss due to SIM swap attacks. For both banks and mobile operators, this is both a financial and a reputational loss. Banks may have to refund the loss to the customer. Both will lose customers if consumers cannot trust the bank or the operator to protect them. Thankfully, solutions are being launched. Following the success of Sim Swap detection APIs in the UK, Vodafone India is launching an API for banks to detect potential SIM swaps occurring.

Blunt policy instruments deployed in many markets around the world to protect users from spam calls and messages are rarely effective.

The Do-Not-Disturb or DND system is not effectively working for many people, given the barrage of marketing spam one gets. What can vendors, operators and regulators do to fix this?

The challenge with a DND system is that the two worlds of business-to-consumer (B2C) calling and consumer-to-consumer (C2C) calling function on the same network. This makes it almost impossible to ensure that B2C calls that have not been screened against the system are blocked because the bad actors will seek to mask them as regular C2C calls. Even deploying solutions such as Stir or Shaken – suites of protocols and procedures – in the US market has not stopped spam calls.

PBX Pumping, traffic hacking, GSM Gateway, jail-breaking. How serious and rampant are they in India? What solutions exist?

Traffic-related hacks are likely to be low in India. However, ILD traffic leakage to grey traffic does occur and operators can catch them with their fraud detection teams along with the cyber cells of law enforcement agencies. Traffic blasts have been on the rise and are getting controlled partially via TCCCPR 2018 regulation. However, the CNAP proposed by TRAI is likely to bring respite to consumers from unwanted blasts and spam campaigns.

With Apple launching its store in India, the issues of right-to-repair and closed wall-garden business models have come to the spotlight again. What’s your perspective here given the dilemma between the user experience and security?

Closed wall gardens are ultimately anti-competitive. True, it can help to keep an ecosystem more secure for users, but that comes at a cost, both financial in terms of higher fees app developers have to pay in particular to the company but also in the limited user experience they receive. Take RCS as an example: Apple and Android users are barred from sending each other secure, rich IP-based messages on their native messaging apps because Apple wants to retain its walled garden.

Virtual SIMs, Truecaller-like apps, stricter KYC. How much do they help?

Virtual SIM or eSIM is more secure than physical SIM. It is also observed that eSIM users have fewer connectivity issues than physical SIM users. Truecaller-like apps are reliable most of the time for identifying an unknown number. Stricter KYC rules have helped recognise the user if they are the person they claim to be. As these services have their benefits, there are some disadvantages as well. Regarding virtual SIM, there are very few mobile handsets available in the market that support it, and switching devices in case of emergencies can be difficult.

Apple and Android users cannot send each other secure, rich IP-based messages on their native messaging apps because Apple wants to retain its walled garden.

Is there a flip side to these?

When it comes to Truecaller-like apps, the data they provide is sometimes inaccurate and it becomes difficult to rely on them all the time to identify a caller of an unknown number. Regarding stricter KYC, it can create a bad customer experience if it takes longer to verify the data they provide.

Will security get better with the arrival of 5G, Artificial Intelligence (AI), and Machine Learning (ML) in this scene? Why or why not?

Security will improve with the arrival of 5G and AI/ML. 5G improves the confidentiality and integrity of user and device data. Unlike previous generations of mobile systems, 5G protects the confidentiality of the initial Non-Access Stratum messages between the device and the network. AI/ML are intelligent methods that computers use to perform designated tasks independently. It runs on algorithms that analyse the data and perform automated tasks, data entry, checking and filtering emails, and analysis. Automation also mitigates human errors and increases efficiency and operation productivity.

What else should we be thinking of when we think of telecom and subscriber security?

A solution that covers only part of the customer journey can never be fully effective. The entire ecosystem needs to come together to enable solutions at every possible point in the network. Fraud and spam are cat-and-mouse games. As we develop new solutions to tackle these problems, fraudsters will adapt and change tactics.

And what about the innovations that the company is working on?

We will continue to innovate to stay on the front foot helping our customers to protect their users from fraud. At Route Mobile, we provide these services to both ends of the chain, to the mobile operators to help them detect and block spam calls and messages through the services of 365Squared and to enterprise and app customers, giving them the signals and insights, they need to make informed decisions about how to open the door should be on every transaction.

By Pratima H

pratimah@cybermedia.co.in