Cameron D’Ambrosi [00:00:03] Welcome everyone to State of Identity. I am your host, Cameron D’Ambrosi. We have a really exciting episode for you today with a trio of guests, all of whom I beg forgiveness for potentially butchering their names, laying that out there in advance. First, but not least, we have Adri Loloci, Senior Global Product Manager at Vodafone Identity Hub, Helene Vigue Identity and Data Director at GSMA and Glyn Povah Global Product Development at Telefónica Tech. Everyone, welcome to State of Identity and great to have you back. Repeat Guest.

Helene Vigue [00:00:41] Thank you.

Adri Loloci [00:00:42] Thank you for having us.

Cameron D’Ambrosi [00:00:44] So, you know, the mobile device, I think, is at the center of so many of the critical discussions around digital identity, I think for a tremendous number of reasons. It’s something that the average consumer has in their possession effectively. 20 47i mean, I’m trying to think of the last time that my cell phone, if I wasn’t actively using it, was not either in my pocket, on my nightstand within arm’s reach. It contains a SIM card, which is probably the single strongest piece of encryption hardware that the average consumer has access to. Who is not in? High level kind of corporate I.T. security or kind of a nation state level actor using more robust government encryption technologies. And the connectivity of the device is effectively constant. So we have a very, very fantastic set of signals that are coming off that device that we can use to kind of understand its behavior in its relationship with the user. You know, when you mash those factors together, it becomes maybe the best single digital proxy that we have where we need a digital representation of a hardware device that can substitute as knowing that this is camera net browsing, conducting a transaction. If we can get my phone to kind of sign off on that, we can feel pretty, pretty good about the fact that, you know, it’s either my transaction or I’m consenting to it because, you know, it’s my wife or I don’t know my son, you know, buying things on on the App Store without my without my active consent. But, you know, it’s friendly fraud as opposed to some sort of malicious account takeover. I guess that’s the high level landscape, but I know that GSMA and mobile carriers like Telefónica, like Vodafone, have been hard at work, kind of continuing to push that ball forward in terms of the technologies that enterprises have access to. So what are you most excited about in terms of what’s coming down the pike and what you’ve just launched that can help further some of these goals that I just spoke about?

Helene Vigue [00:02:51] So I guess we’re here today because mobile operators that have been working together to open up APIs to their data that, as you said rightly, is such a good indicator of potential fraud, an API such as day types to frictionless authentication. They’ve been working together to provide a market with a unified solution. And that’s that’s really new. And our goal is to support organizations to detect and prevent fraud, which is friction in that customer journey. So today we wanted to talk a bit about Number Verify is one of those products that SIM based and that’s Henderson’s solution. Solution to just illustrate what that journey has been like and what it enables industry to do.

Cameron D’Ambrosi [00:03:38] So and I realize I maybe jumped a bit ahead. But before we get into number verify, I think it would be helpful like for folks who are looking to connect with mobile carriers, can you kind of define the swim lanes in terms of what’s the purview and what role does GSA play? And then what role kind of do the individual carrier groups play? And then I would love to to jump in the number, verify and apologize for putting the cart a bit ahead of the horse here.

Helene Vigue [00:04:09] Now, of course, we will be excited. I think we will compete in. Of course. Yet the GSA, we are a global organization. We represent mobile operators and organizations across the mobile ecosystem and not just industries. And we are we are about developing positive innovation for business and society. And we believe that identity is one of those areas where operators can and should be active in, because they’ve got a great position to use their data to solve issues in the market and to do so in a way that’s responsible and that you can trust.

Cameron D’Ambrosi [00:04:42] And Adrienne Glynn, what role do the carriers play? Is it a more direct connectivity like when we’re accessing products? And again, we’ll dove into some of those specific products in a minute here. But what kind of direct role do the carriers play in sort of opening up access to these sorts of APIs? Like Number Verify.

Glyn Povah [00:05:05] So. So, I mean, we’ve been responsible, you know, and I guess exposing our first party data. So developing the APIs, connecting that deep into our networks. You know, you talked about and therefore the SIM card of the SIM card is a trust, I think understanding risk signals in real time and then exposing that capability via partners or direct to relying parties and of course collaborating through Jason with with other operators like Vodafone to achieve that on a global basis. So we have scale and reach.

Cameron D’Ambrosi [00:05:37] And what does it look like in terms of, you know, understanding which carrier or carriers you need to partner with? Obviously, while certain markets have like £1,000 gorilla, so to speak, that maybe has the lion’s share of the market. Obviously, if I’m a platform, I don’t necessarily know, you know, which carrier, if any, my end customer is going to be a part of, you know, how does that work from kind of that routing perspective? Do I integrate with multiple carriers or do I work with third parties that are then taking on the role of kind of integrating across multiple carriers within within a country or region?

Glyn Povah [00:06:14] Yeah. So we’ve, we’ve works in a kind of mostly cello part or model, so we’ve been exposing our capabilities. All right, guys. So a big sea bass players, I think potentially they’ll be hyperscalers in the future and more specialist partner sites to mention a couple Twilio you’ll you’ll know very well and newer startups like Druid who are very focused on one specific product which is number verify. And I think, you know, in other markets we can expose our APIs directly to big customers. If you’ve got a big a big bank that’s working in multiple markets by Telefónica is where we would integrate directly if that if that worked for both of us.

Cameron D’Ambrosi [00:06:53] Okay. So I think we’ve done a nice job of maybe circling back and picking up some of those breadcrumbs that we had failed to grab on the first pass. So resetting, you know, number verify, I am a business that right now let’s say I’m using SMS one time pass code to understand that initial binding between a consumer and a mobile number. You know, a common use case is I’m opening a mobile payments account and they ask me for my phone number. I put that in historically. They have then sent me that text message with a code. I input that back into the app and that kind of establishes that linkage that the phone number that I put in to the app as Cameron Ambrosi is a number that’s in my current control. Number Verify removes a good deal of that friction by effectively achieving the same result by pinging the SIM card and challenging kind of that private key that’s in the SIM card and measuring that response. Is that a fair summation of kind of how the product works at a high level?

Adri Loloci [00:07:57] Yeah. What I’d also add is that before we jump in, the number verifies it’s also very important to mention the importance that the phone number has in the digital identity. Everything you do today online, whether it’s signing up for a bank account, signing up for Facebook, tick tock, Snapchat, whatever that you do, you’re you’re providing your phone number as as as a method where either that retailer or a bank can contact you or pretty much everywhere it’s being used as a two factor authentication, right? So the phone number is this unique piece of information that everyone knows of. Everyone remembers it, right? And it’s being used ubiquitously everywhere. So it’s like this unique digital identifier. So I think that is very nice. The to number verify. Right. So. If if I you did a very good job of explaining how important, you know, every sim is that people just have them everywhere, right? It’s everyone’s pocket. So to to summarize number verify, a number verify is the frictionless way of SMS. OTP that happens today. Right? So today you receive this, you know, six digit code is most operating system said autofill. And then after autofill, you know, you go through with number verify. We are effectively responding with a true or false whether the number that the user entered in a bank or in an app is actually matching with the number that we can read from the same. So we simply respond frictionless. Is the number match true or false? And then the user in the background sees nothing. It’s completely frictionless.

Cameron D’Ambrosi [00:09:40] That’s fantastic. And in terms of channel, you know, obviously the primary use case for that is going to be I’m on the mobile app, you know, I’m opening a new Venmo account, for example. And rather than having to manually input that OTP code, it’s happening automatically. Is there currently support for if I’m using a desktop application and it wants to challenge my SIM card, or do I have to initiate that session from the device because there’s kind of a consent factor involved in terms of controlling the device and having that message be routed over the telco network as opposed to over the traditional Internet through my ISP.

Glyn Povah [00:10:21] Yeah. So I mean, what was happening with them verifies we’re creating a binding, I guess, between the phone number and the SIM card. And then we’re creating effectively a way of parties to to basically establish that binding and that trust on core, if you like. So I think, you know, today we’re approaching it very much as mobile first. You know, physically, if you look at where traffic is going these days, it’s pretty much app based and it’s more and more app based a little bit on mobile web, you know, and of course, people are still using desktop to some extent, but for now we’re very much promoting number of our find focused on on mobile apps on the mobile channel.

Cameron D’Ambrosi [00:10:57] Yeah. I mean, I think we’re we’re only going to continue to see Mobil take more and more market share. And certainly, you know, as more connected devices come online, you know, everyone is going to start carrying a watch that not only connects to your phone but maybe has a, you know, an E some of its own. I think proving those linkages and that control and association with kind of an established identity is going to prove all the more critical. And, you know, we’re also seeing from the regulatory side a lot of markets increasing the KYC requirements to actually get a SIM provisioned, which I think is only going to be net beneficial to this identity ecosystem because you’re going to have an even stronger kind of kernel of truth to query whether that is, you know, doing something like checking the name against the billing, the address against the billing or or other factors. So really, really exciting stuff. I know we’ve we’ve unpacked a little bit of number verify without letting you tip your hat too much and share things that are not fit for public consumption. I understand that there are some other mobile intelligence APIs that GSM in partnership with global carriers are looking to roll out. Are you able to share maybe just a tiny sneak preview with our audience of what we might expect to see in the in the coming years?

Glyn Povah [00:12:16] Yeah, sure. So I think, you know, we’ve talked about how we can do the kind of fishing resistant cryptographically secure authentication right with them, but verify. And that’s pretty exciting in and of itself, actually. It’s, you know, it’s actually providing an evolution path for for us CMOS, OTP for probably the next decade I would say or more alongside, you know, other passwordless technologies that are coming. But I think if you look at the wider picture about, you know, risk signals, you know, what can we as carriers expose as risk signals, you know, towards the market, towards relying parties? And obviously, we do that within a data protection framework within GDPR to make sure that we have a lawful basis, whether it’s addressing fraud use cases or or marketing use cases or other use cases, we need to make sure we have a lawful basis. But I think to give you an example, because you’re kind of fishing for one, I think that Cameron and I think is a really relevant one that we have in the UK and other markets. If you look at voice, social engineering or Vishing, you know, we see a lot of scams happening these days using the voice channel and I think you’re saying you’re seeing organized criminals very effectively persuading individuals to empty their bank accounts. And I think that’s why the telcos can can really play a role, I think, and provide those kind of risk signals to help banks, financial services or anyone. We’re running a call center, frankly, to help them understand is the person who they say they are on the other end of that phone, whether that’s with that, you know, American Express calling me and telling me this fraud on my account. I actually my first question to them is going to be, will, how do I know you’re on American Express? Right. And the carrier can actually do that with technologies that we have today or even stuff that’s coming down the line, you know, stuff like verifiable credentials and this kind of stuff is pretty, pretty exciting technologies that we can leverage potentially and vice versa. Of course, you know, when I call American Express that they’re going to do a bunch of, you know, knowledge based questions, which is kind of going to be a pain in the ass. Maybe we can.

Cameron D’Ambrosi [00:14:17] Add fundamentally insecure as well. Yeah.

Glyn Povah [00:14:20] And that as well. Right. But we’re going to we’re going to be able to fast track that process for them by actually saying, can I walk, check, check with this carrier API whether, you know, Glyn is who he says he is and linked to my phone number, of course. And we’re going to be able to prove that to quite a high level of assurance through the phone network. And I think I would say that’s pretty exciting. You know, future in solving fraud, crime problems like this today, but also making consumers lives much more seamless in the way they interact with big businesses and brands.

Adri Loloci [00:14:52] The only thing I would add is that without giving away too much again, is that we have been proving this concept by working very closely with some of the biggest UK banks. So we’ve actually, you know, worked together to see if this data signals are going to effectively improve the reduction of this type of fraud. As Glyn mentioned in the UK, it’s this authorized push payment fraud or bank transfer fraud. When someone pretends it’s the bank, it’s actually been growing significantly, right? It’s actually it’s around £1.3 billion of losses that happened just last year on this type of fraud. So as you can imagine, there’s a lot of attention to see whether there’s anything that can be done to reduce the amount of fraud that has been happening. And we as as operators have been working very, very closely with, as I said, with with the biggest UK banks and we’ve had very, very successful results even though at a pilot stage. So we’re effectively in the future looking to see how we can closely collaborate to make this this problem reduced significantly. So yeah.

Cameron D’Ambrosi [00:16:03] I think that’s so, so critical because as we are continuing to see more secure authentication methods roll out, you know, whether it’s Fido to pass keys or other multi-factor authentication technologies, you know, what you’re seeing is fraudsters having to shift to the social engineering type attack. And the deception element of social engineering is, I think, the most pernicious part that we have not really found technologies to to help solve for. There will never be a true technology that can eliminate someone from, you know, being smooth talked into unlocking the safe, you know, on the criminals behalf. But if we can continue enhancing the amount of information that consumer has where, you know, instead of the caller ID saying, you know, JPMorgan Chase, it says fraud alert because we’ve, you know, really been able to drill down on who is behind that call. I think that’s going to go a long way towards helping address some of those critical vulnerabilities. And I think it’s coming just in time because, again, you know, as Fido, two pass keys get rolled out. The ability to take someone’s account over with a traditional fishing is just not going to be possible because you will need control of the device. So the next best thing is going to be, well, let me smooth talk you into using your device to just transfer me the money instead of me stealing it. And I think this is going to go a long way towards hopefully, you know, sealing that that new vector off at the pass, if you will.

Adri Loloci [00:17:36] Yeah, absolutely. And and I also feel that the technology that is preventing fraud needs to be almost invisible to the user. Right. If you think about who are the target market or who are are the victims of this type of fraud? You know, the victims are, you know, some of the most vulnerable people in society. You are some people get maybe easily social engineered. And, you know, regardless of the, you know, the phone they use or the technology they use, we need to be able to to to protect everyone. Right. Not everyone that has the latest you know, the latest smartphone or the latest is so effectively protecting everyone. Right. So that’s that’s what we’re focused on.

Cameron D’Ambrosi [00:18:18] And you know, from a carrier perspective and from a GSM perspective, it seems like, you know, Apple’s shift exclusively to Esim is something that maybe has not gotten enough attention in the space, but it’s something I’m really excited about because I think hopefully it is going to enable a much more aggressive response and protection from SIM swap attacks, which I think have been some of the most pernicious types of fraud that have really been able to circumvent previous deployment of, you know, SMS Ottps and you know, the equivalent of, of a number verify effectively. So you know how are carriers thinking about this transition to to e sim from a fraud perspective.

Adri Loloci [00:19:04] Yeah, I, I think it’s it’s a very, very good point. Right. The, um, my thinking is that I think this is a great move for consumers because consumers are going to, you know, easily going to be able to move from one carrier to another. So it enables them a lot of flexibility. But with that greater flexibility, the fraud is potentially going to be on the rise. Why do I say that? Because suddenly to swap a SIM, you don’t necessarily have to go to a carrier in the store, present them when they’re ready to do a SIM swap. But suddenly all this process is going to be digital, right? And unless the the process of swapping the SIM is fully for the tide. And the problem that you’ll have is that SIM support text could be could be on the right. So it’s going to be very, very interesting to see what happens in the US. Right. It’s I’m very curious to know whether we’re going to see any type of change in the amount of SIM swap attacks that happens in a market that is fully going esim versus a market like the UK where you know, you have hybrid, where most people have physical sims. But I think what’s important to mention is that carriers like, like us, you know, we’ve made the SIM swap APIs available so, you know, a bank or a financial institution can clearly understand when was the last time that the sim was so because to protect the user right. From from these type of attacks. But yeah.

Cameron D’Ambrosi [00:20:44] I think that’s a great point. And you know, we talk a lot about having kind of a holistic security posture. And I think the more signals you can consume to help inform the given risk regarding a, you know, a user or a transaction, the better, you know, perspective you’re going to get. And, you know, I think the mobile carrier APIs are going to play a very, very important role in, you know, inputting a lot of that data into the equation. Because when you can pull more, more than one signal and, you know, when you’re start looking at the consumer’s email address and associated behavior over time, and then you can layer in, okay, what’s the tenure of their phone number? Has it been SIM Swap recently? Does this name match the billing we have on the account? You know, has our network, you know, when you’re talking about kind of more networked approach platforms like the Sifts of the World or email edge or secure, you know, have we seen this person be a bad actor before, whether it’s their name or whether it’s the number? You pull all those things together. And even if a criminal manages to swap the SIM out, you know, you’re going to get that red flag that’s going to allow you to, you know, if not immediately, just boot that person out. You’re going to start layering incremental friction in until you can reach the requisite level of assurance that you need. Because, you know, sometimes people do swap. Sims You know, I get the new iPhone every year, so like I’m SIM swapping once a year, but also that predictability of my behavior helps make the risk score more accurate. You know, I bet in those models, like when I have SIM swapped every year on the day the new iPhone comes out, after the third or fourth time, they’re going to realize like, okay, you know, Cameron is getting a new device every year and therefore, like, this is not inherently suspicious. Now, on the other hand, somebody who doesn’t change devices all that frequently and their phone is SIM swapped at two in the morning local time, like maybe we’re going to want to, you know, give a closer eye to that underlying transaction.

Adri Loloci [00:22:43] Actually just it’s something it’s very minor and it’s the detail. But sometimes when you move a sim from one phone to another, that’s not necessarily a SIM swap, right? You’re just simply moving your, you know, the existing SIM profile from an old device to a new device. So, for example, in the Vodafone world, that could not necessarily be a SIM slot. There would be a device change. Right. So you would have less false positives. If I if I can say that. Right. So a SIM slot would actually be when you you know, when you decide to change the SIM completely or when you activate a new SIM profile. Right. So it’s a it’s a small it’s a small distinguished with.

Cameron D’Ambrosi [00:23:24] Thank you. Yeah. You know, always looking to learn as much as I can every day and love the chance to hear directly from the expert. With our time here as we’re coming to a close, I would love to hear any of your closing thoughts and maybe some exciting predictions for the future in terms of things that you are either hoping to see out of the ecosystem or things that you expect to see. But I saw you raise your hand as well, so can let you chime in maybe with the first stab.

Helene Vigue [00:23:59] Oh, thanks. Yeah, I think what we’re trying to say is voter, you know, we’ve got this product and we make it on pretty simple. You know, we’ve got this number verifies available globally across billions of users, although maybe not everyone is aware of it. And we think it really offers the next generation of surveillance and education solution and user experience. But I guess what’s really quite exciting and from the gist emails, really what’s what we’re passionate about is that we’ve managed to have mobile operators working together. There’s an enormous amount of collaboration to get this product. You’ve got all these great features because the solution to deliver to the entire mobile ecosystem, the cryptography have received network security, and yet it works across US platforms, across networks, across markets because you know, we’ve made it so. And all this complexity is hidden from the customers and from the customers behind a single API. And there’s also a collaboration with the key industry partners that take these APIs and then develop them into the customers business processes and and to have solutions for different verticals, as you were saying, you know, to combine all the intelligence from those sources. So at the GSM, it’s very much what we were about. We were bold because, you know, so two years ago there was a need to create interoperability for roaming. And now we see the same need for the mobile ecosystem to come together and collaborate on identity. Yeah, I guess you should, if you’d like to, to join us on this journey to the spending. More happening at the same identity data. So yeah. Would be happy to engage further.

Cameron D’Ambrosi [00:25:39] Fantastic. Adri, you wanna go next?

Adri Loloci [00:25:43] Um, so I think, I think it a great summary, right? I think for us, we really think that this is just the beginning, right? Where we’re as alignments and opening up API access. And then our main focus or our mission is, you know, data fraud prevention and frictionless authentication number verify is part of that frictionless authentication. And I think the most important thing for the future is for us to closely, you know, collaborate together because as you know, we’re quite a big industry. And the only way that we’re going to be successful as an industry is we, you know, close the work to live together on, you know, product standardization so that these APIs work across everyone and not just become local APIs. So yeah.

Glyn Povah [00:26:36] Yeah. And then I guess just to extend the you know what I was saying, you know, I think APIs are, you know, are going to be our future and, you know, opening up what’s capabilities we have in our networks that we’ve proven with identity. We can address a bunch of identity, use cases, authentication, ITV and some others, and we can do that successfully as an industry. We can do it in a standardized way. We can do it with, you know, the right data protection frameworks to make it work in the markets. But I think if you can take the power of that and apply it to everything else we have in our network and unlock some of the stuff that’s coming down the line as well. Think about 5G and 5G standalone, you know, the power of the power of the insights and the real time nature of what we could have on those networks and on the Iot use cases as well. Right. So even looking outside, you know, human identities, you know, other the other identities for devices, I think we can we can create a really powerful ecosystem as an industry. So these APIs can be launched at scale in a standardized way across all mobile operators. So, you know, not only reach 6 billion subscribers, you reach 60 billion devices. Right. And the thing with with a SIM, or at least them, I think that is going to be the exciting future and is coming from the top of our businesses that you know, that that is the way we’re going. And I think you’ll see, you know, an unleashing opportunities available for any ruling party, for any brand that wants to use operating services via APIs in a way that’s unlocking that opportunity. We saw with roaming that I mentioned that we started, you know, many, many decades ago, that opportunity is now going to be unlocked via APIs.

Cameron D’Ambrosi [00:28:18] And in terms of how folks should get in touch, know if I’m a fraud practitioner or an enterprise product manager listening today and I’m thinking to myself, Gee, I would love to have some of these signals incorporated into my product stack. What is the best place for them to go to learn more about these new capabilities and to get to work in integrating them?

Glyn Povah [00:28:44] Yup. So first up folks suggest the number verify you can go a number, verify the org w WW dot number, verify the org and you’ll see the product there and some of the distribution channels and partners we have. And many of those partners will have access to a bunch of our other residuals and API. So that’s a great starting point, I would say. And for me personally, just, just reach out to me on LinkedIn Glympse profile or directly Glencore over at Telefónica dot com.

Cameron D’Ambrosi [00:29:16] Fantastic. Well, thank you all so much for joining me. It was fantastic to chat and really, really excited about what the future holds. And obviously the mobile devices, you know, continuing dominance of the mobile identity space, for lack of a better word. So thank you again.

Glyn Povah [00:29:36] Thanks very much.

Adri Loloci [00:29:37] Thank you for having us.

Helene Vigue [00:29:38] Thanks for having us.