Last week I was out in Washington, D.C. at the Gartner Security and Risk Management 2015 Summit talking with the who’s who of security analysts, chief information security officers (CISOs), and broad array of solution providers trying to protect companies and government departments from cyber threats and security breaches. There was a range of topics discussed, but I noticed a key theme that ran through numerous presentations, and it was directly applicable to the Whitepages acquisition of Numbercop – A user’s mobile device (the endpoint) is the number one weak spot in a business’s security chain.
Resurgence of Endpoint Weakness in Security
Among many other interesting sessions, I heard SVP Jeff Scheel review Symantec’s top market trends in security for 2015. The list was headlined by “Resurgence of the Endpoint” driven by mobile and the Internet of Things (IoT). In the short and medium term, the vast majority of IoT is mobile phones and tablets, so let’s just keep the discussion there.
This widely distributed and difficult-to-manage array of access points for both employees and customers keeps CISOs awake at night. Why? Well, for a basic example, if you are a large bank, all it takes is one customer using your mobile app to have malware running on their phone (the endpoint) monitoring log-in credentials, and suddenly the banks systems can be compromised, or at a minimum that customer’s account can be emptied.
Punch line? Security professionals, especially in the financial services and e-commerce sectors where many customers are transacting via mobile phones and tablets, the endpoint is a real weak spot in the security moat.
Voice and SMS Channels Exploiting the Weakness
What I have learned over the past few years working with e-commerce customers like Microsoft and Home Shopping Network as well as thought leaders like Tom Donlea, former president of the Merchant Risk Council, is that the bad guys pretty quickly focus on the weak spots and different methods to compromise them.
And that brings me to the most memorable statement Jan Volzke, Numbercop founder, made to me the first time I met him:
The telco system was designed over 50 years ago to let two people have a conversation across a phone line. Now, it is being used to perform complex financial transactions something for which it was never intended. That should concern nearly every person involved in the ecosystem.
Turn that comment over your mind a few times. Let it marinade a couple minutes. Getting nervous yet?
It’s about the worst kept secret in the business and the bad guys have been hard at work exploiting the endpoint at every turn in the road. There isn’t a big bank in North America whose customers aren’t getting hit every week with an SMS attack regarding account compromise or a request to click a link to reset their security password (it’s a phishing link of course). Those same bad guys are calling both customers and businesses to social engineer account log-in information out of the person on the receiving end of the call.
This isn’t your run-of-the-mill phone survey spam or political nuisance call. This is malicious intent, folks, and it’s a direct attempt to rip off a business or a customer (in which case, the business still takes the brand hit).
A Phone Number Carries a Reputation Signature
Whitepages has been watching malicious phone activity for a long time, ever since we acquired MrNumber back in 2012. MrNumber was and continues to be a popular consumer spam and call blocking mobile app. We rolled everything we learned from MrNumber into Whitepages Caller ID, the most popular caller ID app in North America. With 2.5 billion calls being tracked per month to protect our customers, we have real-time visibility on the actions and reputation of a spam or robocaller.
When we met Jan and Numbercop, however, we saw the ability to offer both our consumers as well as our business customers the ability to understand more targeted fraud and high-risk numbers. These numbers tend to operate at lower volumes, hiding in the noise of the telco system’s volume. Jan educated us on the threat at the endpoint a long time before I was at the Gartner Security Summit. Subtle things, like while an SMS message can be bad, an MMS message that can carry an executable (malware) can be much worse. He’s been evaluating these threats for the past 15 years, including a long run at McAfee.
Real-Time Defense Against High-Risk Phone Numbers at the Endpoint
With Numbercop’s technology integrated under the hood and Jan Volzke as our new Vice President of Reputation Services, Whitepages Pro can now offer our banking and e-commerce customers a first line of real-time defense at the endpoint. Based on the activity and intent of a phone number, our Phone Reputation product can help you de-prioritize and block high-risk calls.
The negative list of numbers and the bad guys behind it move fast, turning over every couple of days. In fact, it’s more than 10 times as dynamic as our already fast-moving spam and robocall number list, of which more than 50% change out every 90 days.
This problem is industry-wide, and it isn’t going away anytime soon thanks to the explosive growth of voice over Internet protocol (VoIP) and the cost of making a call going to zero. We are working hard to collaborate with the industry and our customers to be part of the solution at the endpoint. Put in more simplistic terms, we’re trying to keep you from panicking every time one of your customers or distributed employees picks up their phone.