On this episode of the Futurum Tech Webcast – Interview Series, I am joined by Joe Burton, CEO for Telesign. Our conversation explores the security challenges brands are facing in the identity space and how Telesign can help organizations overcome these challenges.
In our conversation, we discussed the following:
- An overview of the identity space and what brands are struggling with
- Why identity threats are a major area of concern
- A look at international rate share fraud
- Telesign’s secret sauce when it comes to security protection
It was a great conversation on a timely topic, and one you won’t want to miss. To learn more about Telesign, check out their website here.
You can watch the video of our conversation here (and subscribe to our YouTube channel while you’re there):
Or you can grab the audio here:
If you’ve not yet subscribed to the Futurum Tech Webcast, hit the ‘subscribe’ button while you’re there and you won’t miss an episode.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Daniel Newman: Hey everyone, welcome to the Futurum Tech Podcast. I’m your host, Daniel Newman, principal analyst, founding partner at Futurum Research, and excited to be here live with my friend Joe Burton, CEO at Telesign. Joe, we are back together in person. It’s been a while. How are you doing?
Joe Burton: Good man. It’s been a while since we’ve been in the room together. So nice to see you, even though we talk on video quite a bit.
Daniel Newman: On video, on LinkedIn, on social. Securely, of course, and we’ll get to that in just a minute. But no, it’s really nice to get back in person, and I don’t know what to say other than, having done hundreds, maybe thousands of these interviews now, and it feels like a lot of them during COVID. There’s such a difference, and I think this is why tech companies have gone back to doing live events at such a voracious pace, is there’s a big difference about when we get together in person and doing it over video. And that’s not a knock on video. I mean, I know in your past life, that was a pretty big part of what you did.
Joe Burton: I couldn’t agree more. On one hand, thank goodness for all the video technology that let the economy and the world continue to function during COVID, but boy, it’s good to be back in the room with people.
Daniel Newman: It sure is. And you’ve made a pivot now, and you’re leading Telesign. Very interesting company in identity, in CPaaS, a number of areas. I think I want to focus a little more today on identity and security. I think that would be an interesting conversation to have. And actually, I was kind of pondering, what am I going to talk to Joe about? I’ve got so many different ideas, and it hit me when I was online banking. And the other day, I said the identity challenges in this particular space are so big. You go on, and depending on which bank you use, now you’re trying to see your account, you’re trying to approve a transaction, you’re trying to check your balance, whatever it is you’re trying to do, but you log in. And now hopefully, most people have been forced into using some sort of multifactor authentication, getting that one-time password into their account.
And I was thinking, God, we’ve come a long way here. It’s gotten better. But at the same time, there still seems to be a lot of work to be done, because there’s still a lot of breaches, there’s still a lot of hacking being done. And this is a big part of your business, Joe. So maybe let’s start there. Talk a little bit about how you and how Telesign is kind of thinking about this whole identity space and the opportunity in security.
Joe Burton: Boy, how much time do you have? Because this is my favorite topic. So at Telesign, we really are about connecting and protecting and defending the biggest brands in the world to the consumer, to the person with the mobile phone that’s trying to do that online banking, insurance, medical, whatever. And we need to make that as secure as possible, like you said, and yet as easy as possible. So it’s that constant tension between friction and user experience that we’re trying to get just right. As you mentioned, multifactor authentication, very often one-time passwords where you go to log on, it sends you the text message, you type the code back in, is such a key to getting all that done. And Telesign is a huge provider of that. Going forward, we continue to work on higher-end machine learning type models where we can do even more protection with even less friction. But for the moment, those one-time passwords from a quality vendor really are the key to making this work.
Daniel Newman: So it’s probably worth pointing that out. Not all OTP, or whatever people like to call it, is created equal. There are a number of vendors out there that are trying to take advantage of the market opportunity, and probably all with good intent, but it’s not risk-free. Picking a vendor, I mean, talk about that a little bit, Joe, because it can vary.
Joe Burton: Daniel, it’s really important because, to your point, I don’t think anybody has bad intent, except for the bad guys that we’ll talk about in a few minutes. But on the vendor side, the idea of, you go to log in, I’m going to send you a pin, 123, you type it in, feels like a level of security. But if it’s that superficial, if it really is send 123, get 123. If the numbers aren’t properly randomized, if there’s not deeper checks, this is a pretty thin layer of security. A lot of what Telesign and other reputable firms are doing is, yes, we send that truly random PIN, but we’re looking at a lot of things. I’m looking at our full behavioral model that we’ve built over time on a particular phone. In this case, let’s call it your number. But when the vendor, your bank in this case, sends me your phone number and says, verify this number, I’m actually quickly looking through our machine learning and our data sources to say, has this number been ported to a different phone very recently?
Typically, this number has maybe a one-time password authentication through us one a week. There’s been 20 of them in the last five minutes. Okay, what are the signs that would tell me that maybe your phone has been hacked or taken by a bad guy, rather than it really being you? And then of course, in the end, we are checking that one-time password, but it’s SIM swap, it’s carrier, it’s location, it’s behavioral usage that really makes this a much stronger… I hate it when people call it a second factor. We’re looking at a couple of thousand factors every time we send you one of those.
Daniel Newman: A multitude of factors.
Joe Burton: Indeed.
Daniel Newman: As in multi.
Joe Burton: Multi. Multi, multi, multi. Definitely.
Daniel Newman: Well, I think we have legitimately come through a period that where people really didn’t take security very seriously. I mean, it’s been a bit of a cat and mouse, even in enterprises. Lots of the research we do at Futurum, we’ve looked at sort of a risk reward proposition that is sort of limited, even at the board level, approval of enough investment. I’ve said security’s going to see a big massive investment in the coming years, because the risk’s just too high for companies. But in the past, it’s almost been like, well, if we do get hacked, what is the risk to our business and our reputation versus if we don’t? And I think we’re starting to see the level of importance.
The fact is that, going back to the big hacks of some of the retailers that were in the news very prevalently, they never quite came back from that. It takes a long time to come back. So if you’re not doing everything you can, and by the way, even some of these past word randomizers, they’ve been hacked. So the thing that was actually supposed to prevent you from using the dumb password ends up getting hacked, so then they end up figuring out your smarter password, and then it’s like it comes full circle. But it seems like there’s still this bit of a not if but when for companies to have some sort of breach.
Joe Burton: 100%. And to your point, I think we’re in a spot now, and I come from a technology background before I moved into management and eventually a CEO. I love hard problems. We are in a spot right now where companies cannot get hacked. You cannot come back from getting hacked. You must invest. You have to do every, every, everything you can, and you got to make it easier. So we’re in this amazing position where every company, every brand, if you got a website, if you’ve got a mobile phone, if you have employees, you have to simultaneously make it about 100X more secure and about 2X easier to make everybody happy. And that, my friend, is why companies like Telesign exist.
Daniel Newman: Well, and that’s a good thing. Because like you said, you can’t get hacked, but companies are getting hacked. Sometimes even, like I said, the companies that are supposed to be securing are now the targets, and these hackers are sophisticated. Speaking of sophisticated, something that we talked a little bit about in the background, and I wanted to bring it out to the public, was IRS fraud. And that’s something it seems that you guys are paying a lot of attention to. Talk a little bit about what that is.
Joe Burton: Yeah, let me give a little bit of a history lesson in telephony, and I’ll try not to go on too long. But first of all, in the telephone number industry with telephone carriers, there’s a thing called a premium rate number, a PRN number, A premium rate number is a number that, as a company, I can buy this telephone number, register it with the telephone companies. And when somebody calls this number, this is really important background. When somebody calls this number, you know when you call a long distance telephone number, you get charged?
Daniel Newman: Yep.
Joe Burton: When you call this number, you get charged 10, 20, maybe even 50 times as much to call this number, and you don’t know when you call it. But the trick is here is these premium rate numbers, the carrier splits the profits back with the owner of the number. Bizarrely, you’re a little younger than me, but not much. Remember in our youth, the late night TV where there’s the products getting sold at this impossibly low price?
Daniel Newman: Thighmaster.
Joe Burton: Thighmaster. Amazing knives. And you’re like, how can they sell that for nine bucks? Well, number one is it’s probably not a great product. But number two, they call this number now. When you call the number, the telephone carrier is splitting that money back with the company and that’s their other revenue source. So premium rate numbers cost 10, 20, even 50 times as much when you call them, and the owner of the number gets half or so of the money. All right.
Enter the bad guys. IRSF, international rate share fraud in this area, a bad guy will go by one or a block of these PRNs, of these premium rate numbers. So they have these numbers, they register them with the telephone carriers, and now they go, where are all the places we can trick people into calling that number a whole bunch? So they’ll go to an account, they’ll go to a website and they’ll use bots to create thousands of new account log-ons, hoping that they’ll send one-time passwords to that number. They’ll go to a contact center, to a conferencing service. Anywhere they can get the other side to call out to that number a bunch of times, that is IRSF fraud. $8 billion annually in IRSF fraud. Every hack has an average $50,000 cost. So that’s what this problem is.
Daniel Newman: And I’m going go out on a limb, and I’m going to guess this is one of those hard problems that you and the team at Telesign are working on solving.
Joe Burton: Love solving this problem. Incredibly, incredibly hard. The simpleminded things that people do are obvious ones. They will look at, my goodness, if the number of one-time passwords your bank’s website sends is typically 100 per minute, and suddenly there’s a request to send 1000 of them, then maybe we should rate limit that. Kind of lame, but it’s what they do. People that have a regional business, I sell products in America to Americans, and suddenly I’m being asked to call a Chinese number a million times, maybe they’ll limit that.
At Telesign, we’re back in that many, many, many factor approach to solving this. We’ve taken our machine learning tools and we will look at, across every time there’s a number that we’re asked to do this IRSF fraud prevention on, we’ll look at, is the number a number we’re seeing an anomalous number of times? Is it in a block of numbers that has a lot of fraud? Is it weird cross-regional that makes no sense? Once again, trained machine learning that’s looking at a couple of thousand factors to figure this out, plus network effects, because we’re doing this for thousands and thousands of companies across the globe, every time I stop fraud for you, it makes my ability to stop fraud for the next person even better, and vice versa, and around and around and around.
Daniel Newman: Yeah, I figured you were going to head down that path, because this is not something that’s going to be solved using manual checks. It’s too big. It’s too big of a problem, and it’s too much volume, which, by the way, most fraud in general right now, the biggest solution out there’s going to be some sort of accelerator, some sort of HPC, some sort of algorithm that can basically learn to detect it. Not all algorithms are created equal. Not all AI and ML is created equal. We all know sometimes when we ask our device to find us a website, that’s just NLP and it still can’t do that well. So being able to look at thousands, if not millions of concurrent transactions, of course, the hackers, that’s what they try to do.
You go back to things like denial of service, it’s all about just pounding the network and making it very, very difficult. These are almost like trying to be crimes in plain sight by volume, because there’s so much volume of traffic and calls and numbers, and they’re just trying to basically make it almost routine. And then that money’s just flowing through. What’s the Telesign sort of… Because you’re not the only one trying to solve this problem. What’s the Telesign sort of secret sauce with your AIMLs, or a little bit more you can share on that?
Joe Burton: It’s interesting that you mentioned denial of service attacks a few minutes ago, because denial of service attacks were how they started in these IP attacks, and then they moved to a distributed denial of service attack. Much harder to understand, much harder to stop. We’re seeing the same thing in this IRSF fraud, where they don’t just attack a particular bank with a million of these fraudulent account openings or one-time password requests. They’ll do a hundred of them to your bank and a hundred to my bank and a bunch to the insurance company over here. So the Telesign magic is really twofold. By having all of the CPaaS traffic and fraud traffic that we see in a month, we’re seeing billions and billions of transactions that allow us to tune machine learning, that’s incredibly fast, global and accurate. That’s the Telesign sweet spot, this global, fast, accurate, where we can see, is this a normal flow or is this anomalous, and we’ll see something happening at your bank and this bank, as long as they’re both Telesign customers, and they really should be. We’ll see that as a single pattern where we can squash it.
Daniel Newman: Yeah, you bring up something that’s probably very important for the audience, anyone that’s out there kind of wanting to understand how this works, is that almost all AI, Joe, to be valuable requires immense volumes of data. Kind of a well understood thing. But in this case, it’s not only huge volumes, it’s seeing transactions that are every day good transactions, and the system to be able to create markers that say, these are what good transactions look like. Of course, the hackers are going to try to create transactions that begin to look, it’s a spoof. Let’s make these look more and more like a good transaction. And then you need even more intricacy, and that comes from volume. That huge amount of volume of looking at transactions provides the opportunity for you to be able to use your systems, tune your systems, and improve the outcomes to hopefully reduce fraud, reduce that $8 billion. That’s really big.
So maybe how I’d like to wrap this up is, how does this evolve, Joe? Because we’ve talked a lot about, I think every company’s selling this big data play, big data turns into big machine learning, turns into big AI and big solutions. How do you stay ahead of the curve? How does Telesign stay competitive? How do you differentiate, as these volumes of data become table stakes in some industries? Not right away, but it will over time.
Joe Burton: It’s a great question, Daniel. And one of the things I love about Telesign is, yes, we’re sitting in the middle of many of these data flows, much of this data. We do this for exactly one purpose, to keep you safe. We’re not packaging this data up and selling it to somebody to advertise. We’re not selling it to somebody that wants to win an election. This is about keeping you safe. I love the cat and mouse. We are always in there looking at the seven and a half billion phone numbers in the world, and talking about what are the flows we need to see? What do our data scientists need to get up and look at every single day to stay ahead of the bad guys that’ll never go away, so we can have that simple, safe, online experience that we all deserve? We’ve got an eager team that lives for this, and we’re going to be sitting back there, keeping you safe every step of the way.
Daniel Newman: Well, as I said, security is going to be a massive opportunity in the next, well, I could say really infinite decades. But because that cat and mouse game, it’s never going to end. And so as our daily lives are more digitized, there’s more data, as we’re doing more of our transactions online. In the future, I’ve said we’ll always need banking, but we won’t need banks. That’s because everything will be digital. And people, whether it’s social media, whether it’s eCommerce, whether it’s your brokerage accounts, your trading, your crypto, whether it’s doing an everyday transaction, taking tests online, everything becomes exposed to risks of security breaches and fraud. So you guys are in a really exciting position as I see it. It’s really fun to watch you leading this company and evolving the products, Joe. Telesign’s definitely one for today, but also one for the future.
Joe Burton: Well, that’s certainly what we believe. Thanks for having me on, Daniel. It’s always a lot of fun.
Daniel Newman: Yeah, absolutely. Thanks for joining me here, Joe. Everyone out there, thank you so much for tuning in. Check out the show notes. I’ll give you some links. You can learn more about Telesign’s IRSF solutions and all of their identity solutions, the CPaaS company we’ve been very intrigued by, we continue to follow. And you’ll be hearing more from us with our analysis. Joe Burton, CEO, Make sure you check him out. Lots of good stuff coming from Joe. He’s a social CEO, which I really do enjoy. But for now, I got to say goodbye to everybody. So hit that subscribe button, tune in to all of our shows. But for the Futurum Tech Podcast and this interview, we got to see you later.
Daniel Newman is the Principal Analyst of Futurum Research and the CEO of Broadsuite Media Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise. Read Full Bio