Upon his capture in 1934, the legendary bank robber Willie Sutton was asked by FBI agents, "Why do you rob banks, Willie?" Sutton, who believed the question to be rhetorical, replied dryly, "Because that's where the money is."
More than 80 years later, if you asked a cyber criminal "Why do you do communications fraud?" you'd hear: "Because that's where the potential to make money is high and the risk of getting arrested is low."
The Communications Fraud Control Association estimates that mobile and fixed-line carriers lost $46 billion worldwide to fraud in 2013, a 15% increase in two years. This is over 2% of revenue, which is even more astonishing when this is close to the single-digit revenue growth of many mobile operators.
The dilemma that many CSPs face is that fraud is like an iceberg. Above the water is known, visible fraud and the battle here is around time windows. A cyberfraud gang can set up, go to work and disappear in 24 hours or less, before an operator knows the attack is happening. This is just the tip of the iceberg though.
Modern, sophisticated cyberfraud attacks mutate, evolve and arbitrage faster than an analyst can write rules. This type of mutating attack has a cloak of invisibility and sits under the water line impervious to detection with traditional methods. The time window here is not the issue as the opportunity for cyberfraud just goes undetected.
The industry is entering a period of hyper competitiveness with new packages being introduced continually by marketing. However, a cyberfraud gang analyzes every new package as an opportunity for a very profitable arbitrage attack that traditional systems again struggle to detect.
Given this context it was interesting to read the Telecoms.com Intelligence Industry Survey 2015, which asked a question, "Which of the following security breaches has your company experienced in the past year?" Thirty-five percent reported fraud!
This reminded me of two similar statements that were very widely quoted in the security world this year. The first is a the common refrain among security professionals: "There are two kinds of companies in the world: those that know they've been hacked, and those that have been hacked and don't yet know it."
The second is something Ian Livingston, CEO of BT Group plc (NYSE: BT; London: BTA) told delegates at Davos: "There are two types of CEO: those that know their systems are being hacked, and those that don't. For pretty much any company I've come across, it should be one of the top three risks."
Given the response to the Telecoms.com survey, I'd like to add a variation on the second sentiment: "There are two types of CFO in the world: those that know how much they are losing to fraud and those that are losing, on average, 2% of revenue to fraud and don't know it."
In the past, some CSPs have made growth a higher priority or have believed that fraud is too hard to detect and is a cost of doing business. Two things have changed: First, the competitive landscape and decreasing margins mean 2% of revenue cannot be written off as the cost of doing business anymore, and second, big data and machine learning can detect fraud above and below the waterline in a way that can compete with the innovation of cyberfraud gangs.
Gartner predicts that by 2016, 25% of large global companies will have adopted big data analytics for at least one security or fraud detection use case, up from 8% today. With technology finally catching up to fraudsters, fraud prevention can now be simplified down to a measurable line item in the IT budget.
Doing nothing is no longer an option. We are moving to a SIM-connected world where in 2014 over 1.5 billion smartphone and tablets shipped versus 308 million portable PCs and desktop PCs. We are getting to the point where the majority of computing power in the world is on smartphones not computers. In the very near future, smartphones will be joined by connected cars, NFC payments, health monitors and connected devices.
The common denominator here is that the new world is connected more and more, not by a network card, but by a SIM card that is always on, always connected and integrated into our personal lives in a way that the computer never was. This brings a whole new set of challenges when it comes to mobile carriers protecting their subscribers from cyberfraud. Just ask Chrysler or Sprint this week if this is the case. The new world is about new fraud, new devices and new data.
Fraud should be part of the risk assessment every telco makes, and those interested parties should be asking companies both financial and technical questions: What are the size of losses due to fraud in your company? What is the impact of fraud on your EPS and stock price? How do you compare to the average performer in your industry? What technologies are you using to stop fraud? What is your big data fraud strategy? How does your deployment compare to the peers in your industry?
Most important of all, stakeholders should be asking the telco CFO, "Where is the F-word in your annual report?"
— Tom Ryan, President and CEO, Argyle Data