This document discusses the growing problem of SMS phishing and how current security approaches are ineffective. It proposes a new "Zero Trust" approach called Zero Trust SMS that would authenticate URLs in SMS messages before delivery to help subscribers avoid phishing links. This is presented as being more effective than just blocking URLs after the fact. The benefits of this approach for multiple stakeholders are outlined. The document also provides details on the company MetaCert and their technology and services that aim to implement this Zero Trust SMS approach for mobile operators and their subscribers.
4. Instead of exploiting mobile apps and infrastructure, criminals focus on subscribers, and their likelihood to “tap”.
5. THE SECURITY INDUSTRY HASN’T CAUGHT UP WITH SMS PHISHING YET
“FluBot is likely to continue to spread at a fairly rapid rate, moving methodically from country to country via a conscious effort by the threat actors. As long as there are users willing to trust an unexpected SMS message and follow the threat actors’ provided instructions and prompts, campaigns such as these will be successful.”
6. WHILE WAITING FOR THE SECURITY INDUSTRY TO CATCH UP, MOBILE OPERATORS ARE LEFT WITH…
Subscribers should avoid links from people they don’t know.
Mobile Operators Everywhere
7. It’s time to try something different because…
It’s impossible for any security system to detect unknown URLs.
SMS phishing messages don’t contain enough words for AI to detect a deceptive call-to-action.
๏ Phishing was the most common type of cybercrime in 2020.
๏ 90% of all cyberattacks start with Phishing.
๏ 1.5 million new phishing sites are created every month.
๏ 2020 is the worst year on record for Phishing.
๏ 2021 is on track to become worse than 2020.
๏ 84% of organizations were subject to mobile-based phishing attacks in 2020.
๏ Data suggests that 2022 will be worse than 2021.
๏ Phishing was first discovered on the AOL network in 1995.
๏ The web has evolved since 1995, but the approach to anti-phishing security hasn’t.
๏ Advising subscribers to avoid links from people they don’t know is unreliable and ineffective. It also leads to fewer conversions for brands and banks.
๏ Risk overall loss of A2P SMS revenue.
8. Subscribers make decisions by either guessing or using their gut. They will be either lucky, or very, very wrong.
10. Block dangerous URLs after criminals have caused harm
The Old Way
Prepare
Criminals spend most of their time and energy creating malware, fake webpages and deceptive URLs - in secret. Their URLs are unknown to security vendors.
Test
To make sure their secret URLs bypass security, criminals send a test message to themselves. An attack is only launched after a test proves successful.
Start
The attack is launched immediately after the test passes. The clock starts ticking for the operator and security vendors at this point.
Finish
SMS messages have a 99% delivery rate within 3 seconds. Blocking the URL after this point is meaningless to these victims.
Report
Subscribers complain about a new scam. Operator asks for the “suspicious” message to be forwarded to a short code for investigation.
Block
URL is investigated and added to a “blocklist”. Firewall vendors claim to block phishing URLs in “real time”.
Paradoxically, industry is proud of its ability to block a “new” dangerous URL in “real time”. Criminals have already swapped it for a new one and clicked “resend”. Loop!
The URL is finally blocked
The URL passes through the network to every handset in less than 3 seconds. It’s no longer possible to protect subscribers beyond this point.
It’s all over in 3 seconds
Before launching an attack, criminals test and verify that their secret URLs are guaranteed to pass through their target network of subscribers.
Campaign
Timeline: Weeks or Months, 08:55, 09:00, 09:00:03 (3 seconds), 09:30 It’s Too Late
11. Make it easy for subscribers to avoid links from criminals before harm can be done
The New Way
Prepare
To make sure their secret URLs bypass security, criminals send a test message to themselves. An attack is only launched after a test proves successful.
Test - Fail
Secret URL fails to authenticate. Criminals are redirected to a caution page. Criminals will likely target a network that’s not protected by Zero Trust SMS.
If an attack is launched, subscribers are fully protected. The caution page helps them to avoid every deceptive link from people they don’t know. They’re NEVER exposed to a new threat.
Always Safe
The attack will be abandoned before it even starts. Criminals won’t waste their resources on a network that doesn’t authenticate any of their URLs. They will target another network.
Campaign
ZERO TRUST
Is https://dhldelivery.co verified and safe to open?
Every dangerous and unknown URL fails to authenticate and is replaced with a link to a caution or block page - before the message is delivered to subscribers.
Authentication
Timeline: Weeks or Months, 08:55
12. Hi Arian, Telus has a special offer on the new iPhone 11. As a valued customer you get a 75% discount. Go to telus.offer.com for details.
Warning!
This URL was not verified by MetaCert. Proceed with caution or don’t open it.
Don’t Open | Open Anyway
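The default-deny rewrite described on slides 11 and 12, as an added example (not MetaCert's code or API): every link in a message body whose host is not in a verified registry is replaced with a caution-page link before delivery. The registry contents, the caution-page URL and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Hypothetical stand-ins: a real deployment would query the operator's
# URL-verification service and use its own caution-page address.
VERIFIED_HOSTS = {"telus.com", "www.telus.com"}             # constructed registry
CAUTION_PAGE = "https://caution.operator.example/check?u="  # placeholder URL

# Matches explicit http(s) URLs and bare hostnames such as "telus.offer.com".
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE
)

def host_of(candidate: str) -> str:
    """Return the lower-cased hostname of a URL or bare host string."""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").rstrip(".").lower()

def rewrite_sms(body: str, verified=VERIFIED_HOSTS):
    """Default-deny: every link whose host is not verified is replaced
    with a caution-page link before the message is delivered."""
    replaced = []

    def check(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")   # drop trailing sentence punctuation
        tail = raw[len(url):]
        if host_of(url) in verified:
            return raw                # verified link is delivered untouched
        replaced.append(url)
        return CAUTION_PAGE + quote(url, safe="") + tail

    return URL_RE.sub(check, body), replaced

# Sample message from slide 12, plus a constructed message with a verified link.
SMS_UNVERIFIED = (
    "Hi Arian, Telus has a special offer on the new iPhone 11. As a valued "
    "customer you get a 75% discount. Go to telus.offer.com for details."
)
SMS_VERIFIED = "Your bill is ready at https://www.telus.com/billing."

if __name__ == "__main__":
    for sms in (SMS_UNVERIFIED, SMS_VERIFIED):
        print(rewrite_sms(sms))
```

The match is on the exact hostname, so a name that merely contains a verified brand, such as the slide's `telus.offer.com`, still fails and is rewritten.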
๏ Immediate increase in conversion rates for every campaign.
๏ Increased SMS revenue for mobile operators and vendors.
๏ Business and enterprise customers will eventually select operators that protect their employees from SMS-led attacks on their networks and customer data.
๏ Brands and banks can build better relationships with customers.
๏ Best-in-class brand protection for brands and banks.
๏ Reduction in overhead costs for internal security teams.
๏ Significant reduction in overheads associated with anti-fraud awareness campaigns for operators, brands and banks.
Subscribers can open every link inside every message, no matter who the sender is, or where the URL might take them.
MetaCert Benefits
13. Competitive Landscape for SMS Cybersecurity
Chart labels: Cybersecurity; SMS Firewalls; Email, Team Collaboration, Social Media, Mobile Apps, Endpoints, and Networks; SMS
14. Competitive Landscape for Zero Trust Cybersecurity
Chart labels: Web/URL Authentication; Users, Apps, Devices, & Network Data; Block Known Threats; Zero Trust
15. MetaCert Competitive Advantages
๏ MetaCert is the first “cybersecurity” company in the world to build a security service for SMS.
๏ MetaCert pioneered the concept of “Zero Trust” for URL & Web Access Authentication.
๏ MetaCert pioneered the concept of “Zero Trust SMS”.
๏ First security service with anti-phishing awareness built-in for end-users.
๏ It’s 10x faster and easier for an operator to integrate MetaCert than it is to integrate an SMS Firewall. 90% of the grunt work takes place inside MetaCert’s infrastructure and authentication system (see diagram).
๏ SMS Firewalls cannot be updated to offer a “Zero Trust” strategy for SMS. That’s why leading Firewall vendors who recognize the new landscape are joining MetaCert’s reseller program.
๏ MetaCert is the only security team in the world that can prove everything it offers, with a 1 minute virtual demo - demonstrating the entire end-to-end solution for mobile operators as well as the user experience for subscribers.
16. Building Better Subscriber Trust & Brand Reputation
With special access to the MetaCert Verify service, your security team, business customers, and partners may submit domains, downloads, and social media accounts for verification. All verified URLs will authenticate across your network with no need for a software update.
MetaCert has classified tens of billions of URLs to keep your subscribers safe with Zero Trust security. But we like to be extra careful.
17. Infrastructure, Technology & IP
Zero Trust Authentication server that makes it easy for an operator to implement “Zero Trust SMS” security. On premise and cloud-based solutions available.
Threat Intelligence API with 6 lines of code / lookup 50 billion URLs in 470ms.
Web App that makes it easy for customers and partners to verify their URLs before launching a marketing campaign.
URL Classification technology that can identify and automatically classify domains, sub-domains, folders, user accounts, downloads, and regulated gTLDs like .GOV and .BANKING.
Global Registry of 50 billion URLs, getting bigger and smarter every day.
Regex, AI & Machine-Learning built into monitoring services that automatically identify phishing threats on social media.
Domain Age Reputation service that automatically checks the “creation” date of every unknown domain that’s checked by our Zero Trust authentication system. Domains that are >x-n days old are automatically classified as “Dangerous” in 250ms.
URL Origin service that automatically finds the final destination of every URL, irrespective of how many times they redirect, in 50ms.
Proprietary tools, services, and techniques that we can’t share for security reasons. This is what makes us different.
Diagram labels: Malware & Phishing; Verified by MetaCert; Proprietary Tools and Techniques; Web Crawlers; Regex, AI & ML; Domain Age Reputation; Authentication; Zero Trust; Registry; 50 Billion URLs
18. Recognized as one of the “Top 100 CMOs in the World” Kieran is the Chief Marketing Of
Chair
Sheetal was appointed Chief Strategy Officer in 2021 to the Gov’t of Alberta, Canada, to provide leadership and guidance for Alberta’s Recovery Plan. She is focussed on sector-related strategies that foster investment, technology innovation, economic policy, and position Alberta globally.
Investor
Board
Co-instigated the Standard for URL Classification at the W3C in 2004 - the Standards body for the World Wide Web.
CEO
19. Paul Walsh
Founder & CEO
To see a 1 minute demo that showcases the entire end-to-end solution, with your handset, or to request more information, please contact me directly.
paul@metacert.com
Thank You!