Understanding a $10B Fraud Vector in Cloud-Native Workflows

A $10 billion fraud vector is currently exploiting a common feature in many cloud-native applications: the SMS verification flow. This isn't a traditional breach. Instead of stealing data, adversaries use bots to trigger costs that are quietly absorbed into your company's operational budget, often showing up as an inflated cell phone or marketing bill.

We spoke to Frank Teruel, COO at Arkose Labs, about how this fraud works at a technical level and why modern, automated cloud workflows can be a perfect hiding place for these costly attacks. He also shares a story of how a single cloud container was hijacked, costing a company half a million dollars in compute costs for crypto mining over one weekend.

This is a critical conversation for anyone working in cloud security, DevOps, and engineering who wants to understand the financial risks embedded in the very architecture of their applications.

Questions asked:
00:00 The $10 Billion Invisible Threat
02:40 Frank Teruel’s Journey into Digital Identity
03:35 Why Identity Remains a Weak Spot for Cybersecurity
05:35 The Evolution of SMS Fraud
07:20 The "$5M Surprise Bill" Story
08:55 What is SMS Toll Fraud?
11:19 Does WAF Catch SMS Fraud?
12:49 Cloud vs. On-Prem: Is One Safer From SMS Fraud?
14:00 Does Single Sign-On Help With This?
15:55 How a Gaming Attack Becomes a Bank Heist
24:54 How AI is Weaponized for Cloud Attacks
25:35 The $500k Cloud Bill from a Hijacked Container
31:18 The Attack Vectors Cloud Teams Underestimate
35:30 What Are "Smart Bots"?
36:46 Where to Start Building a Program Around Fraud

This episode was sponsored by Arkose Labs

Frank Teruel: [00:00:00] And just SMS toll fraud. Forget the phishing side for a minute. I'll cover that in a sec. SMS toll fraud's a $10 billion a year industry. Five or six months later, some finance person goes to the marketing person and goes, Hey, your campaigns must be working really well because the cell bill's gone up by 5 million bucks.

All that ever matters is Frank, really Frank, and is Frank behaving normally in today's environment? Federating threat intelligence. Just imagine now that I see an attack originated at a gaming site and downstream I see that same attack attacking a bank. One of their containers was taken over on the cloud for the sole purpose of mining crypto.

The VP of engineering shows up and goes, we just spent half a million dollars. If you make fraud unprofitable, it will go away. If you make it profitable, you make it inevitable.

Ashish Rajan: $10 billion. Yes, billion with a B. That's how much SMS fraud cost businesses in 2021 and it's only increasing today. Now I know you're thinking cloud security, and why are we talking about SMS fraud?

Well, lemme tell you, even after all these years, identity has still been the top five reasons for why there's a cloud breach or someone taking over an account in the cloud. Now, I had the pleasure of talking to [00:01:00] Frank from Arkose Labs and we spoke about threat intel around the whole SMS fraud space. Why is that a growing problem for cloud native people, especially in a world where one would've thought SMS fraud?

Now, it wasn't something that was top of mind for me as a CISO, and it was very fascinating to hear how interesting the malicious actors in this particular space are how much they understand the psychology of how businesses work. Some of the examples that Frank shared during the interview were like, wow.

I'm like, I can see that happening in an organization. This is where the left hand doesn't talk to the right hand, and you end up with millions of dollars in bill because of a fraud. And we also spoke about how AI is being weaponized to build something called smart bots. Yes, smart bots are a thing from AI agents and it's not theoretical, it's actually being seen in the wild.

Frank and I go into some of the examples of what they're seeing in the market as well. All that, and a lot more, in this episode of Cloud Security Podcast. If you know someone who is in that space where SMS fraud has probably been ignored for some time, I would definitely share this episode with them because after this conversation I'm like, no wonder the Nigerian prince have stopped emailing me [00:02:00] because the attacks have become so much more sophisticated now, and they're on SMSs that people are losing access to their cloud accounts.

But as always, if you have been listening or watching a Cloud Security Podcast episode for multiple times, if you've been following us for a while. I would really appreciate if you could take two seconds to hit the follow subscribe button. If you're listening to us on Apple or Spotify, in case you're watching this on YouTube or LinkedIn, definitely give us a follow subscribe there as well.

I'd really appreciate you taking that second to give us a follow, subscribe. Your support means a lot to us. Thank you so much for that and enjoy this episode with Frank and I'll talk to you soon. Peace. Hello and welcome to another episode of Cloud Security Podcast. I've got Frank with me today. Hey Frank, thanks for coming to the show, man.

Frank Teruel: Thanks, Ashish. Good to be here buddy.

Ashish Rajan: Oh man, I'm so excited for this conversation because before I go into it, can I get to know a bit more about you, your professional journey, where you've been before and where you at now?

Frank Teruel: Yeah, happy to do it. It's a long journey evidenced by my grandkids. So I've been at this for a while, but I came out of the big four big firms, big four firms now back in the day, jumped into cyber Ashish probably 20 years ago.[00:03:00]

And back then I was involved in access control and encryption and kind of a more of an IP protection view. And then quickly realized that digital identity and, deciding how people onboard the applications was the future. And my journey really is focused on that at Arkose. We focus exactly on that.

How do we make sure Frank is really Frank online and how we make sure Frank's behaving normally and not some computer or script acting as Frank. So it's been a journey that's gone from really the big consulting firms, all the way down into the real tip of the spear in terms of how we define identity and how we use identity to keep customers safe online.

So it's been a, it's been a good ride.

Ashish Rajan: Yeah I think identity is probably the most misunderstood thing as well. I think the first time we met, I was saying that I started my career in identity and was surprised how complex this field is especially after I left it as well. Considering these days.

Everything that I talk about, whether it's your cloud AI, everything seems to start with identity, and I don't wanna say identity is a new, sexy, new black. It's almost like it's always been there, [00:04:00] so I guess it's always been sexy. It's just that people, it's one of those things where people give attention to it for some time and they don't.

I'm curious, why is it that it has continued to be a weak spot for after all these years across so many industries?

Frank Teruel: It's such an interesting question. First of all, it's the most dynamic of all markets, so it's constantly changing, and part of the problem is rooted in trust, right? Think about how many identity plays, Ashish, there are right now.

So many people federating their version of identity, and the question becomes which one do I trust? Which one actually makes sense? The other issue is not all these things are weighted equally. So if I'm authenticating Frank to an application for gaming. Yeah. Versus authenticating Frank for Morgan Stanley.

There, there's just not, there's no parity in the risk penchant that each of those organizations are willing to take. So that's part of the problem. So there's a lot of them. How do I trust them? How do I weight them? And then equally importantly, because of technology, and we see this all the time, synthesizing fake identities is easy, right?

And so there's a very low bar to entry [00:05:00] to determine that I'm gonna create a presence online. And that presence will have a reputation around it. It can a commerce. The adversaries are good at doing that, and suddenly you have a viable, legitimate identity online that's been created out of nothing.

So I think all those things, the fact that the barrier to entry is low, the fact that there's so many of them and they're not weighted equally, creates this issue of who do you trust? Yeah. And I think that creates an exploitation point for the people that we work against because they understand the penchant for people to wanna get market share at all costs and get new entrants into their product.

Not so much rigor on identifying who they really are.

Ashish Rajan: Maybe add to this as well, because Attack Mitre one of those bodies that finds out what one of the reasons for cloud compromises and thinking about cloud first companies as well. SMS fraud seems to be a cloud scale problem as well.

I, how is that evolved in this gen AI era? Is it any different? 'cause I feel phishing is one of those ones where people always say SMS is your weakest defense as an MFA. SMS fraud is on the rise. What's your opinion on how much [00:06:00] has that evolved?

Frank Teruel: It's massive. Just SMS toll fraud.

Forget the phishing side for a minute. I'll cover that in a sec. SMS toll fraud's a $10 billion a year industry. And think about that industry. So basically I go to a platform or I'm a bad actor, that colludes with a carrier somewhere and far away in the world where there's premium numbers.

And I go, Hey, I'm gonna take these numbers. I'm gonna run them through, use bots, run them through some workflows. Typically a reg flow, right? I'm registering for something and to make sure Ashish is really Ashish, enter your number. We'll send you a code, right? Yeah. And so what happens is they do this at scale, millions of them with high, really high value numbers.

Maybe it's places far away. Maybe it's Indonesia, Vietnam, or Kazakhstan, or even Israel, where you see very premium numbers, and then they run millions of these things automatically through bots. Here's what makes it what I call a really low hanging fruit or drive-by attack. It never ever hits the security team because what winds up happening is right, you enter the flow.

Yeah, it flicks the flow it hits the meter and then it abandons the transaction. So all of the [00:07:00] mitigations you'd normally have with typical SMS phishing, where security is involved, someone tries to take over an account, there's a compromise. It's not even seen. And what happens with the toll fraud side of SMS is that five or six months later, some finance person goes to the marketing person and goes, Hey.

Your campaigns must be working really well because the cell bill's gone up by 5 million bucks. And then the marketing person goes, I don't know what you're talking about. And we have a real life story of this, of a ride share company where literally somebody in the finance organization went to them and said, Hey, wow.

We're not finding a correlation between increased ridership and the cell bill. And it turned out it was an SMS toll fraud problem. So part of SMS as a vulnerability, is on something like toll fraud, where security is not even involved. The adversary has figured out really elegantly how the flows work, and they've gone to these carriers and said, Hey, gimme numbers, I'll share it with you.

The other name for that toll fraud is called International Revenue Sharing Fraud. And so there was this built-in incentive for these carriers to go, Hey, great, I get [00:08:00] 90%, you get 10. Now platforms have made it easy 'cause you can get that done. On the phishing side, it's because it's ubiquitous. We're also accustomed to using our cell phones as a second factor, as opposed to authenticator that, it's very easy to get a text and what's happening with technology to your earlier question.

It makes those texts unbelievably believable, right? The latest one floating around if you're looking at the FBI stuff is DMV texts basically saying you're about to lose your license, you're upside down on tickets. If you don't respond to this thing, your license will be revoked and you could be arrested.

And so they feel, they, they feed off of the fear factor. Yeah. And people touch on it. So those two things, you got low hanging workflows or SMS is just mil, is printing money. And then you've got obviously the traditional vulnerability where fear drives us to respond to messages that today are so well crafted that your, your red lights don't start flashing right.

Yeah. It's not bad grammar, it's not weird. It seems to be in context, et cetera.

Ashish Rajan: I do wanna probably acknowledge some people who may not even understand what toll fraud is 'cause [00:09:00] Yeah. How would you describe toll fraud for people who probably like, and to your point, because it's not, doesn't even hit security, they don't even know what they're dealing with.

What is a SMS toll fraud?

Frank Teruel: Yeah, that's a great question. So just imagine and we've all done this. Every one of us is registered for something. You go to the site and you start to register as a new user to the site, and the site goes, Hey, to make sure, Frank, that you're really Frank, I'm gonna send you a code on your cell phone.

On your cell phone, right? Enter that code when you come back. So though you enter your cell number, you hit submit. And then when you get back is a code from that company saying, please enter this code and continue your registration journey. So it's a fairly normal thing we've all done. Yeah. What frauds have done is they've said, Hey, I'll pretend to be somebody registering.

I'll just take numbers, enter them into the flow, hit submit, but never come back. What happens in that world is once you hit submit, cha-ching. The transaction runs and the company has to pay for the cell bill. Even though nobody ever comes back to try to take over an account or create an account.

So one of the telltale signs for this is if you're an [00:10:00] organization and you're under attack from these SMS toll fraud attackers is you start looking at transaction abandonment. How many registrations just stop and go nowhere. That's a real good telltale sign that somebody is hijacking the flow and simply taking the money and running.

So for the layman person, we're obviously knee deep in it. For the layman people, it's any registration flow that requires your cell number. Is being hijacked by bots. And why bots? Because bots can do millions in seconds. Yeah. Yeah. So just imagine it's a 40 cent number. By the way, we saw this actually so interesting because fraudsters are very good at seasonal and geopolitical events, right?

So when the war between Iran and Israel happened, yeah. We saw a ton of SMS toll fraud coming with Israeli numbers, right? Now, why is that? Because sometimes in, when you're in conflicts, one side wants to make the other side look bad, so why not use Israeli numbers to drive up a lot of fraud?

So we saw across our network an increase in toll fraud coming from Israeli numbers where somebody pretends to be an Israeli, enters the number. It just never comes back. Imagine doing that [00:11:00] 40 cents a million times in a minute. You're just, you're generating huge amounts of losses, right?

Yeah. And that's for the it's an easy fraud. It's hard to fight unless you're understanding at the very first interaction that this is a bot driven attack. It's very difficult to stop it. And that's what it is. It's just a drive-by. It's grab the money and run.

Ashish Rajan: I think you've hit an interesting point there because a lot of times, and some of us may be working with critical infrastructure in a lot of organizations as well.

And a lot of times we would see threat intel come in and it says SMS fraud. Nine out of 10 people just ignore it. Oh, that doesn't affect me. And I'm guilty of this as well. 'cause as you said that the first thought that I had was, yeah, the last time I saw SMS fraud, I totally ignored it as said, and to your point, you guys work in the fraud threat intel space.

That's right. Because in my mind, most people just assume WAF in CloudFront is, or another cloud service is solving this. Is that not right?

Frank Teruel: Your WAF isn't gonna catch it. 'cause remember again, what's happening is this is right at the very front of the registration process. Yeah. It appears to be a [00:12:00] human being.

This is so interesting about our adversary. Ashish, and you know this, as well as we do, but online, all that ever matters is Frank, really Frank and is Frank behaving normally in the context of this transaction? And so a customer who's trying to attract Frank, everything appears legitimate.

Somebody signed up with a username, it's coming from a device, which by the way is why device ID is so important. Because understanding the method of interaction with that transaction's important. And then what does the user do? Everything is normal about the behavior in an SMS toll fraud attack. They enter a username, they enter a legitimate cell number, and.

Then the flow moves on. What's unusual is Frank doesn't come back, right? When you do that at scale, it drives huge amounts of money. So I do think a lot of organizations are waking up to it. As I said last year, and we kinda look at the network, it's about a $10 billion problem in the US was a SMS toll fraud.

It's a huge problem.

Ashish Rajan: Wow.

Yeah, because I was gonna say, are on-premise environments better at this?

Frank Teruel: OnPrem would be just as susceptible to SMS toll fraud because again, as long as there's an SMS [00:13:00] registration in your flow, whether you're cloud, whether you live in the cloud or live OnPrem, you're still hijacking the flow.

So it's still going through that flow, which is why we've seen such a rise in SMS. 'cause it's an easier fraud. It's less of a heavy lift for the adversary because they simply pump it through. Now there's some trade offs with, as on-prem, one of the beauties of born in the cloud, live in the cloud.

Is this whole idea of fusion and information sharing, which we as practitioners really wanna see, right? Yeah. The ability to take threat intelligence and federate it throughout your organization, not just internally, but externally through your ecosystem, helps us fight against that network. OnPrem, you miss that because you haven't got that way to share information in a way that you know is easy.

I can't imagine any corporate counsel anywhere saying, yeah, punch a hole through the firewall, let these guys put data into our prem, right? And so you get that kinda really adverse reaction from the compliance people when it's on prem versus in the cloud where the trade off is. It's easier for the adversary to some degree to access it, but you have much better use of federated data and to understand those threat vectors.[00:14:00]

Ashish Rajan: Interesting. Talking about federated data as well, 'cause that made me think of your single sign on Yeah. With Cognito, AzureAD, all of that. Does that help prevent such kind of account takeovers?

Frank Teruel: It's an important first step, right? It doesn't prevent them. It's an important first step because again the technology has evolved to the point where it's easy to get around rudimentary mitigation.

So we work and live with a lot of those companies, right? We're privileged to protect the world's largest consumer facing brands, and many of them have those solutions in place. What happens though is that making that distinction between understanding the method of interaction, which is the device, the reputation of the device, the page level biometrics associated with the device, those kinds of things.

Understanding whether it's a volumetric attack, so bots that are interacting with you, understanding all that stuff helps bolster your security solution as you go through. So though that federation of identity is important, but again, it's, it can be compromised unless you've got a much deeper bench to deal with it.

And so we work with all those, with many of those folks to really understand [00:15:00] the nature of interaction and how you federate data. But I think it's interesting, I would take it a step further. In today's environment, federating identity for kind of single sign-on workflows is a good efficiency tool in the enterprise.

But one step further, federating threat intelligence. So just imagine that you're an organization like ours where I see gaming customers, gig economy customers, travel customers, technology customers. I see, all kinds of folks along my ecosystem, right? All the big companies in the world, the socials, et cetera.

And just imagine now that I see an attack originated at a gaming site. And downstream, I see that same attack attacking a bank, which is what we tend to see. By the way, a lot of attacks originate in gaming. They're perfected and they work downstream. The ability to say, I created a mitigation for the attack on the gaming company that's equally operative for the bank, lets you be predictive and preventative.

'cause now you can go to the bank and say, Hey, this attack is coming, or we just saw it. Here's the mitigation. Yeah. So when I say federate data, I really think about federating threat intelligence [00:16:00] outside the organization like we do and also within the organization. And the SMS toll fraud is a great example.

The best way around that is for the security people, the marketing people, and the finance people to create data fusion, shared data amongst themselves so that security, so marketing can say, wow, transaction abandonment's up 5% today. That's weird. And finance can say, oh, coincidentally, cell bill's up.

And now security, finance, marketing can fuse together as an organization to fight it. So Federating data covers all those bases and it's a huge important tool that we have in our arsenal to, to keep customers safe.

Ashish Rajan: And I guess to your point talking about account take, I remember we were talking about a report you had some finding on findings around account takeover as well there, like in terms of the number of attacks between mobile desktop and all of that as well.

Frank Teruel: Yeah. Account takeover, two, two things I think that to think about in terms of volume trends, issues should, are stagger. Number one account takeover is just on the rise. And it's really driven by a couple of things. The more people that are now playing in the digital economy and COVID forced everybody onto that, right?

So you had to fight you to interact with your bank and your [00:17:00] providers and grocery stores, et cetera. So the more people that are on, there's now a bunch of people that are on, that aren't as savvy, if you will, in terms of the potential risks. And then also just the need to get customers. People are lowering the barrier.

You and I have heard this a million times, the tension between friction and market share, right? So somebody will say, Hey, I don't want any friction on my customers. 'cause that diminishes market share. And the poor CISO's going, but the fraud's going up and they go, I don't care what we got. This whole thing, that tension has existed like crazy.

And account takeover is a really big problem because what happens now, especially in these big accounts, just imagine a marketplace. If I take over an account, it is unbelievably valuable. I can do all kinds of things in that ecosystem, right? If somehow my prime account gets compromised, imagine what I can do with it, right?

Just a whole bunch of stuff. So we've seen a huge increase in that kind of attack and we've seen commensurately a huge increase in fake accounts where, I wanna create, back to our question on digital identity. I wanna create an account that's believable online. That lets me perpetuate some kind of [00:18:00] activity later.

And we've seen fake accounts skyrocket through technology through, AI and agentic AI. Soon we'll be driving that. But these great kind of a plethora of these accounts coming online that are designed for crypto scamming and pig butchering and all the dating kinda stuff. Because I want to create these accounts that later on I can use.

So those two vectors in our studies have gone through the roof account takeover and fake accounts. The scamming part of that's just really going. Really going on high speed.

Ashish Rajan: So in the threat intel info you guys had, are there are they pivoting as well as they go through this?

I don't know, microservices, API and all of that?

Frank Teruel: Yeah. There, you know what's, there's two, two things I'd say about the adversary. Number one, they're better psychologists than technologists, right? They know how to get people to respond to stimulus. That's a, think about it. At the end of the day, there's a human factor somewhere, and that factor is either fear of missing out or fear of loss or whatever is driving it.

Number two, it's all about the money, right? And our thesis here at our company is, listen. If you make fraud unprofitable, it will go away. If you [00:19:00] make it profitable, you make it inevitable. It just, people will chase the money. They follow the money. Yeah. And so what happens is adversaries pivot. They might say, uhoh they've got some good mitigation on the front end.

I'm gonna go to the API and attack the API, right? They look at thing, they go, oh, they've really dialed in. Their mitigations on account takeover. SMS toll frauds will hang through. And so we see very dynamic pivoting and very technology enabled, pivoting happening with the adversaries.

In fact, what used to take a long time, for example, in the bot world, is now done within milliseconds with, bots that are writing bots. And so AI is having this profound impact of just writing the scripts and putting them. When you take that and then you add the factor of the crime as a service platforms where, again, it's a business where now I can go on online and I can go, Hey, I've got a, I've got a, account on Telegram or a signal, or I can go on, discord or anywhere, any one of these sites.

I've got digital currency, it's ubiquitous now and I wanna buy a phish kit, I wanna buy a phish kit or a bot ticketing thing and I pay five grand, or I pay a monthly service fee and they provide me the [00:20:00] numbers, they provide me the bots, they provide me the infrastructure. Those things are really driving a sea change.

As it relates to that. Another example of what we see in terms of pivoting. If you look at pig butchering, for example, pig butchering, for the people listening that aren't familiar with it, it really romance scams or someone builds a relationship with somebody, and then that relationship inevitably leads to an opportunity, Hey, I just made a lot of money on the stock.

You should try it. And then, they try a little bit. They're, they've given a pretty good return. Yeah. And they begin to build trust, maybe one or two returns. And then after that, they make a big investment and the person vanishes. So they really walk somebody down a really bad journey.

What's happening in crypto now we've seen the adversaries kind of pivot to say, you know what, we're gonna allow people to get really big returns. They gotta, they almost have seed money where they go, I'm gonna get you in here, give you an opportunity, and Wow, I just made 10 grand on this thing. And the bigger the reward, the more likely they are to invest bigger next time.

So you're seeing the pivot in technology, but a pivot in tactics where, how do I get that [00:21:00] psychology, that psychological hook in to get people into trusting me? A fascinating space, but they're very good at pivoting. Last thing I'll say, Ashish, it's interesting for us, is they are not constrained by corporate.

Requirements. So the earliest adopters of all these technologies through the adversaries, 'cause they have no restrictions. Whereas, just imagine in aren't the worlds you and I live in, you're the CISO, you go to the corporate counsel, you go, Hey man, I wanna take data from two different socials and combine it to do something else.

And they go you outta you, outta your mind. That's all kinds of problems, right? Or you can't put AI in there 'cause you're training the LLMs and how do we know where it's going? You get into this whole thing where it becomes really a headwind for adoption. The adversaries have no such headwind. All those things together make them a formidable force, early adopters, great platforms to be able to share information and data, and then the tools and infrastructure to exploit.

All of that makes those pivots really easy.

Ashish Rajan: I think one, one thing I'm taking away also is that no wonder I stopped seeing emails from Nigerian Prince offering me, they moved to SMS now. [00:22:00]

Frank Teruel: I gotta tell you, it's so funny. Many years ago I got a, I got an email from my boss. It was a fantastic email.

And he was like, Hey I've just done this thing. I need you to pay this deal. It was very well worded, so it wasn't Nigerian prince genre. It was better, but it was pre-AI. And at the very end of it, I'm like, okay, comes down to it and it says, thanks. Have a splendid day. And I'm like, wait, what?

Splendid are never words I've heard from my boss, ever. So you still had those telltale signs. You're like, wait a minute. The word splendid is not in that guy's vocabulary. Yeah. The world has changed because now it's contextual. It's well written and your guard goes down because it, it's no longer easy to see bad grammar or bad, or a bad kind of connection.

It's like legitimate with logos. Yeah. And the whole deal.

Ashish Rajan: Definitely 'cause I, I guess you, these days a lot of us are responding to things on email or sorry, or responding to things on social as well, so people can pick up patterns on how we write and completely emulate Ashish online. To your point, the [00:23:00] behavior or if there are things that are na or nature versus nurture, the, whatever the saying is there, it's really hard to figure out if this is actually genuinely Ashish or someone else pretending to be Ashish.

Frank Teruel: It is really difficult. And by the way, this unfortunately lands squarely on the lap of the CISO, right? The CISO's gotta figure out, how do I educate and inform the organization on the proper behavior? So any good mitigation is gonna start with how people behave with having the right technology in place to be able to have a tool and then to have consequences downstream.

We're big believers in three things, right? Make the cost of intrusion expensive. 'cause the adversary'll look at it and go, I can't make money here. I'm gonna move on to the next target. Share as much data as possible to either harden the target. So when they try, when if they do get in, there's no value there or to protect the target in a way where it's, once they get in there, they're stopped.

An example might be if you're a credit card company, for example, issuing an incentive to sign up for the credit card and you get a risk score that says, oh, this transaction appears risky. Your a hundred dollars incentive might go down to $2 or [00:24:00] zero because now there's no money in it for the fraudster.

They may have spent 20 or 30 bucks online getting through KYC, but now the money's not there. And then equally importantly, where applicable, provide real world consequences. CISOs have to look for organizations to go, can we partner with teams to take down some of these platforms? And we've seen a number of our very large customers and we've been involved in some of that, where we actually go, okay, we, there's a platform, an X, Y, Z country.

XY country, we're gonna go after it with local law enforcement, with regulators, with these companies. And we've seen that. We've actually if you get a chance to look at it, we've done some stuff with something called Storm 1152, which was a take down of a Microsoft adversary. But again, I think those three things make it expensive.

Share data and where applicable to have consequences are tools that help CISOs 'cause this is landing on them and it's landing on them. As you and I know, in an environment that changes daily. It's what you thought worked last week isn't really working today.

Ashish Rajan: No. And I think talking about things that are changing constantly is the AI world as well.

In terms of [00:25:00] weaponizing some of these, is are you seeing and maybe it was in the report as well, how is AI being used to weaponize this actually in the cloud context with there where there's containers, lambdas, APIs, there's so much in there to enable the elasticity. What are you seeing as being weaponized there?

Frank Teruel: It's such a great question Ashish, let me give you an example of something I didn't, I hadn't considered, but we actually lived this at a prior life recently through a colleague. And what happened is one of their containers was taken over on the cloud for the sole purpose of mining crypto.

And so what happened is, somebody took over and they weren't trying to, they weren't trying to steal ip, they weren't trying to do other takeover accounts. They simply wanted infra. They wanna compute power. And so over the course of a weekend, the support engineer, the VP of engineering, shows up and goes, we just spent half a million dollars right over the weekend on something.

And people are going, what'd you spend it on? All of a sudden your cloud bill's through the roof. And it simply was that they had taken over for the sole purpose of mining crypto. Yeah. And so what you find is there, the vulnerabilities are more than we think, and I think they're looking for any weakness to either [00:26:00] generate money, to exploit, again, create fake accounts, for example to even embed within your infrastructure sleepers, right?

Something that's gonna hit you later, you won't even be aware of. And so I think as you look at it, there, there's a false sense of security, unfortunately, in thinking to yourself, the cloud provider's got me covered. The cloud providers are themselves constantly under attack, and they're working really hard to make sure that they have the right mitigations in place.

We just did a big deal with Azure, for example, where we're part of, we're integrated into their WAF product to, to try to help. But what happens is you can't just rely on them. You have to have, any CSO has to say, look, I've got a good first line of defense. I'm gonna incorporate next line of defense, both technology and behavioral changes.

To protect me and early warning re mechanisms and, quick quick reaction forces to say, uhoh, something's weird. Let me get on. It goes back to that fusion concept. If you see an anomaly that all of a sudden there's a 5% increase in transaction abandonment today.

Yeah. Don't ignore it. It could be indicative of something much bigger. So I think it's it's [00:27:00] an, it's a mistake to rely on the cloud providers and say, they got me covered. Much like it's a mistake, for example, to provide on the credit card companies to say I'm a merchant.

I'm covered, right? All of them are under attack and many of these attacks, as we know, originate through supply chains. So even, it's often not them, it's somebody they partner with. I think it's a degree of diligence that's required for all CSOs, all executives really to say, Hey, do I have single points of failure or single points of reliability where I don't have a backstop if something goes sideways?

Ashish Rajan: I guess you're also saying that there should be a sync between cloud cost and security as well, to your point, because if you see a bill of half a million dollars, you're like, that should have been, maybe have, should have been stopped moment a thousand, I guess I would've thought.

Frank Teruel: It's such a great point, Ashish, you can't just assume that engineering was doing a POV for a great big client.

You can't assume that. You have to understand what happens. So what does that mean? That means that you should benchmark, by the way, this is where AI can help within the organization. What are the benchmarks and what are the streams that we wanna measure in terms of volume and cost? [00:28:00]

And benchmark them and just have red flags to go, whoa, we had a, we had an increase of more than 5%. Think about it, an increase of more than 5%. There was no proof of values running and engineering wasn't doing anything. Releasing code, didn't have a, didn't have a release window. This is really weird, right?

And so being able to say, measure those anomalies and get those groups together is a very important first indicator that you might be under assault.

Ashish Rajan: Yeah. And I guess your, to your point because these are seasonal as well, actually because it's seasonal, does that mean every industry is impacted by bots and SMS frauds and all of that?

Or is that specific industries that you

Frank Teruel: It's both. Here's what's interesting, and so just imagine seasonality is a big issue, right? These folks are very attuned to it. You'll think of things like if you're protecting a gaming company, Super Bowl.

Yeah. NHL playoffs, MLB, FIFA, whatever the, whatever happens to be going on. The Olympics were a great example. We saw a huge increase in volume during the Paris Olympics, right? Where people are like, wow, I, I wanna attack the streaming companies to try to get, in there and resell the streaming accounts.

[00:29:00] All kinds of interesting deals. So seasonality is a really big deal and it attacks the companies that are in play. But it also it also has a downstream effect of saying this attack worked on this streamer. Now I'm gonna travel on some other streamer be, even though there's no event happening.

So it covers both. We see great seasonality at Christmas, back to school and Christmas season. Q4 for any e-commerce companies. A big hit, a big target. Again, we talked about the presidential elections. We saw a ton of activity during the elections. Again, people either trying to raise money.

There was a lot of SMS stuff going on. I got a bunch of these things. Over the years, Ashish I've donated to a bunch of people across party spectrums. Yeah. And I'd get emails saying. You must donate. We, this is our chance to fight. And you have no idea if that's legitimate. If you don't, you wanna click on that link on your s right.

It's probably a phishing attack. Yeah. And so our view was there, these real or not? So you see that kind of activity. People trying to create misinformation those activities. And obviously you've got the perpetual DDoS attacks and things that we deal with all the time that are designed to actually take your system down and make them [00:30:00] vulnerable.

Yeah, seasonality is big and they play off of it. And it affects both the target and downstream companies because again, it's about the money. Hey, if it worked for these guys, let me try that same attack on somebody else.

Ashish Rajan: Yeah, I'm thinking about for people who are probably may have not realized yet, and I was suddenly checking their bills for SMSs after this conversation, they're like, Hey, we should probably check into that SMS thing, considering security never gets a glimpse of it.

'cause I guess you, as you said, that the first thought that I had was in fairly large global companies, people would not, the left hand doesn't talk to the right hand, so they would not even know. They just assume that, oh, engineering just cost that much, oh, we are spending $5 million on this.

Yeah, they just don't even realize it's happening.

Frank Teruel: Think of it this way. I'll give you a great example. This is a real example. So global organization, the finance team's in India, right? So they're in a different time zone by the way, highly qualified. They're all chartered accountants. They're, these are all solid people.

They're in India. Yeah. The bill starts to go up. You can imagine. The first thought through the finance person's head is I can't believe these marketing people look at 'em. The first few months are probably derision like, can you believe that? [00:31:00] The marketing people have no idea this is hitting 'em.

'cause it goes from finance to accounting. Accounting just allocates the budget, right? Yeah. They probably review the budget quarterly, so they have no idea the bill's gone up. And nobody's connecting the dots because geographies in the way, time zones are in the way, and just the lack of cohesion with those functions are in the way.

And then at some point somebody goes, wait a minute, it's been five or six months in a row. This is what happened. Five or six months in a row the cell bill's gone up. Millions of dollars, millions and millions of dollars. But I don't see traffic increasing and that, that's how you connect the dots.

So yeah, it's, I think the more global and the more complicated your structure is, the more vulnerable you are, no question.

Ashish Rajan: Wow. Yeah, I feel like there's probably a lot of teams underestimating like in the entire conversation we've had so far, and even before this, one thing that stood out to me is just that the.

I guess the fraudsters are taking advantage of the complexity of the organization and that the fact that there is such a big disconnect in terms of people don't relate an SMS cost to a [00:32:00] security incident. I wonder because of AI, are there any other maybe fraud vectors or attack strategies that cloud, maybe cloud security teams are underestimating that comes to mind?

Frank Teruel: Yeah I think I, I'll give you a couple that are interesting. First of all, let's start with the way that AI can create context to lower your guard. I would, maybe you and I went to college together and there was that famous game in, in 2002 that everybody was at, everybody knew of.

We won the national championship. Now think about it with ai, I can go to your LinkedIn profiles, I can go to your What's online. I can determine what school you went to and what years you went to that school. And I can say, oh. And now just imagine the message comes in and goes, Hey Ashish, it's Joe.

We had a class together with professor so and remember that big game we were at? Wasn't it amazing? But so all of a sudden your guard begins to get lowered, right? Yeah. So at that level, if you're somebody who can, who controls critical infrastructure, you have access to the network, whatever. You start to go, this appears to be legit.

Who knew about that game? Or remember that little pub we had around the corner we all went to and they named the pub? [00:33:00] So what happens with AI is it very elegantly and quickly can build profiles that are believable. And that's step number one. Number two, it can adapt and pivot very quickly.

So think of it as a self evolving code. It can go uhoh, this was stopped. I'm gonna adapt to the mitigation. And so it's the speed and context that makes it a really profound weapon because it lowers our guard and happens at speed faster than we can respond. And now agentic is gonna take it to a different level.

Just imagine getting an SMS, or sorry, getting a phishing attempt where someone is trying to phish or take over your account. Maybe that's not in the middle, right? Or MFA compromise, if you will. And someone's trying to take over it and it, they open up a chat box with an agent from the bank that happens to be an agentic.

You have no idea you're talking to a machine, but it's contextual. It understands you. It's, Hey, I understand you're concerned about this interaction. I'm so and so from here. So it's got empathy. You start thinking about where the technology can go once, once you get there, and it creates a landscape where CISOs and organizations have to understand.

I've gotta protect against [00:34:00] that by using AI. I've gotta be able to fingerprint and mark these things and say, is there something volumetric or is there something in this interaction at the device level, at the person level where you go, Uhuh, this isn't a person. So I think weaponization is the right word for it.

It's being weaponized. Our report was interesting. If you look at the report on AI preparedness, yeah, the vast majority of people are unprepared and agentic just takes it to the next level. They recognize that they're up against something they don't really understand yet. There will be threats we haven't even conceived yet that will start coming out as these things come through.

All of it, I think, rooted in what you said earlier the adversaries, the scammers are very good. And not just understanding organizations, but understanding workflows within organizations, right? I know that if I attack this flow, it's gonna hit finance. It'll never hit security. It might not hit marketing.

Yeah. I know how people respond. I know board structures, because they're all, all online. I know who reports to, Frank, I know who Frank reports to, right? Yeah. And so I'm able to use that information in real time to, to get [00:35:00] around mitigation. So I think it's gonna be, weaponization is the right term.

I think it's gonna continue to increase. We're doing a lot of work. We use, and this is an important part, as a vendor, you have to use AI in your mitigation. So we use AI in our own mitigation. To understand whether or not AI is being used against our customers. And there's a whole bunch of secret sauce stuff we do to do that.

But it's important for us to say we are one, training our own models to understand and identify these things and then to create mitigations that will slow down, the AI interactions and make them more expensive for the adversary.

Ashish Rajan: So are you saying that these are not just proof of concept, they're actually real life situations where AI is being weaponized and actively seen against.

Frank Teruel: No question. We've seen we call 'em the smart bots in our world. We've seen an increase in smart bots. It's over 500% year over year where you've got human fraud farms interacting with what we call dumb bots or scouting bots, and then the smart bots that are really the machines that are interacting contextually with these flows.

We've seen a 500 plus increase year over year in those kinds of attacks. All of 'em have gone up, but especially those attacks. What's [00:36:00] a smart bot for context, for people who are watching think of a smart bot as an AI written bot. A bot writing a bot, right? So the AI writing that the software,

Ashish Rajan: so the response time would be a lot more quicker, a lot con, lot more contextual, all of that.

Frank Teruel: If we were having this conversation five years ago, Ashish, you and I, if we were on the adversarial side, we'd be at a terminal writing scripts, right? We'd have to write the software. And that could take you a day. It could take you a week. Today it's being written in real time and it's being written by a business that's the key distinction.

Crime as a service is a multi-billion dollar business. And so these companies, in order to attract customers, have to have continued product market fit. In order to have that continued product market fit, their stuff has to work. So they employ tons of people and technology to keep writing these scripts.

So if script writes itself, the bot's writing itself think of it that way.

Ashish Rajan: Wow. Okay. Smart. I guess listening to all this, and I'm thinking about all the cloud native companies that usually listen or watch us as quite a bit. How does one even start? Once I figured out, okay, maybe I should go and check into my finance team for, hey, is our [00:37:00] SMS bill high or is account takeover quite high as well. What's a good way to start building a program around fraud from scratch? Because is like a big thing for,

Frank Teruel: it's a big hole, right? So I would start with three things. Number one understand your vulnerabilities. By the way, this is really important for API security.

So many companies have no idea what their API footprint is. Many of the companies selling API security products are simply saying, let's identify all the APIs you have. Yes. So start with vulnerabilities, and that could be something like API footprint. It could be something like where are all our SMS flows.

Some of these SMS flows may be things you haven't even considered. A great example, Ashish gets on with customer success or customer service. You got a problem with a product. You're sitting there waiting and waiting, and eventually the inevitable recording says, Hey, enter your cell number and we'll call you back when an agent becomes available, right?

That's an SMS flow, right? So you enter your cell number now you don't get a code back you expect a response back. But, so there's an example where you may not even be thinking about that flow, and so understand, number [00:38:00] one, what your footprint of vulnerability is. Number two get together a team of folks, the fusion team.

We, the fusion of data to say these are the big vulnerabilities. That affect our company and stack rank them, registration, account takeover, those are always gonna be the big ones, right? Where're the critical ones where there's money involved, where there's a real incentive to get there. That's number one.

Number two, I should say. Yeah. And then number three, get together as organizations. Benchmark what has to be measured and be responsive to it quickly. You can't eliminate it. That's just, people that believe you can get it down to zero, just it will never go to zero. It's an issue of how do you manage it, right?

How do you manage the risk? How do you adapt in a way where you lessen the impact of that both to the consumer and to the enterprise. And so I think that's the thing. Understand the footprint of vulnerability, stack rank and prioritize. What's the big ones I have to worry about? And they get these teams together on a regular cadence to understand here's what we've seen and here's how we mitigate.

And I think maybe there's probably a fourth thing, and that is those of us that have been in the CISO role, pardon me, this has to get elevated to the board. You need top down, right? Kinda support for this. Mo Most [00:39:00] boards are now adapting and realizing that, you've gotta, a CISO needs a seat at the table.

And, this used to be in, in a public company, the the security stuff would sit somewhere in the audit committee. Kind of report this. This now needs to be its own section, its own vulnerability. It probably is the single biggest potential, a contingent liability an organization will face with cyber.

Because it's where you get the fastest, most impact and can devastate the organization quickly. So those things understand your ecosystem and footprint and vulnerability. Stack rank them. Make sure you have the right technology and mitigation to protect against it. Get the teams together to fuse and share data.

Try to work with vendors that, sure, not just internal data, but external data and threat intelligence. And then finally, make sure that you're keeping your board of directors and C-Suite keenly aware of the threat environment and making sure that they're investing the resources necessary.

Got to get it done. A few a few months ago, maybe about a year ago, I spoke in New York at a CSO conference and the through line for all of us was there's not enough money. There's never enough money for the cso. Figure it out. I think resource allocation has to be a priority 'cause the [00:40:00] adversaries have unlimited resources.

And I match.

Ashish Rajan: Now, to your point, AI weaponizing basically the same kind of attacks at a much larger scale. Yeah. Yeah. Makes it a lot more harder as well. Yeah. Wow. Now thank you for sharing all this. I actually fun enough, that's all the technical questions I have. What, three fun questions for you as well, just so people get to see the other side of you as well.

First one being, what do you spend most time on when you're not working on solving SMS fraud and the fraud in general?

Frank Teruel: You know what, Ashish, I'm older than dirt. I got nine grandkids. So they're always over here. They're always over in the pool. So I'm spending time with those guys.

I love doing that. We've created a great culture at Arkose for number two, where we're we do a lot of things together. We're a big Spartan Racers. We've got Spartan team as an organization, and we run a, it's a great bond, a great bonding thing. So really thinking about what fitness and wellbeing and bonding as an organization that way.

And then and you can see on the wall behind me. Yeah, these are, this is a wall of instruments I've played in my life. Just never well, so I try to keep that up. It's work in progress. It's a work in

Ashish Rajan: progress is, how

Frank Teruel: would say work in progress. It's a catharsis to ch to use [00:41:00] music to relax.

Yeah. Things like that. The we're, look, we're in such a dynamic environment and it's great to walk away and be creative and get some space. Yeah. That was fair.

Ashish Rajan: Second question I have is, what is something that you're proud of that is not on your social media?

Frank Teruel: I I have had the privilege and, I'm so proud of our Arkose team. They're amazing people, but many of the people that I have brought here to Arkose with me, this is our fourth and fifth time together at companies and. I'm profoundly proud of them. I obviously, it's not on social media, but the ability to have dozens of people potentially across the years, but people that, let's do it again.

That you trust, that you understand that are fantastic. And I think we're probably about a dozen people now at Arkose that have come from prior lives, and I think at least two or three of them have done five companies together. A few of them, two or three together. And a couple and four. So when you bring it out that I think I'm just profoundly blessed to be able to have a group of folks that I love collaborating with that.

They join me along the way on these journeys, and I think we got, we're in a market now where it's just fun to watch these people develop and grow as [00:42:00] professionals. Yeah. And and ultimately get to an outcome that's great for our customers and our shareholders. But yeah, I'm really proud of 'em, that's a huge thing.

Those are great people.

Ashish Rajan: That's awesome. No, that's a great thing to share as well. I'm sure they'll love to hear this as well. Final question. What's your favorite cuisine or restaurant that you can share with us?

Frank Teruel: Cuisine is, I love to cook, by the way. It's another side hobby. But in terms of genres, I love tapas.

I love paella. Oh, nice. And by the way, there's a great restaurant in Palo Alto called Macarena, if you're ever in, in that area. It's a great restaurant. I love doing that, but I big. Yeah. It's a great restaurant. Another thing, it's interesting, it's a, we have an office in Pune so we have a lot of our folks, and we're, do a lot of travel to India, but I love chicken biryani.

It's a, oh, it's a great, it's a great dish. Yeah very op, very open palate. But yeah I love, yeah, love, like food you can munch on quickly, like tapas and Mediterranean food in general. Yeah, that, that's a cuisine beyond that it's traditional stuff, 4th of July burgers, all that kind of stuff.

Ashish Rajan: Oh fair. Thank you for sharing that. That definitely makes me hungry as well. Now where can people [00:43:00]

Frank Teruel: time for lunch too.

Ashish Rajan: Yeah. Where can people find you and connect with you and know more about Arkose and what you guys are doing in the space as well?

Frank Teruel: Yeah. Thank you Ashish.

You can DM us DM me on LinkedIn. You can also hit me on Arkose on email fTerrell@Arkoselabs.com. Arkose is in the fight in a profound way. As I said, we're privileged to represent the world's largest consumer facing brands. We see billions of transactions and devices and behavior. We're in the fight, in the bot world.

And come see us. We have a lot of great content on the site about AI and this and the scammer reports we've done, things like that. So Arkoselabs.com is a great way to do that. Hit us up on our LinkedIn page as well. Or hit me directly on LinkedIn through a DM.

Ashish Rajan: I will put that in the show notes as well.

But thank you so much for joining us, Frank. I really appreciate your time and you have such a great conversation. I now, I know much, so much more about SMS fraud and how the, where all the money has been hiding on the weekends, or has been being spent on the weekend.

Frank Teruel: That's right. It's amazing.

Ashish. Real pleasure man. Thanks for what you do. It's an honor to be part of the program and thank you for informing us in the fight. You're a great resource for all of [00:44:00] us in terms of what's happening out there. So really delighted to be part of this and great connecting.

Ashish Rajan: I appreciate that.

Thank you. Thanks everyone for tuning in and we'll see you next one.

Frank Teruel: See ya.

Ashish Rajan: Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there.

Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do an in-depth analysis of different topics within cloud security, ranging from identity endpoint all the way up to what is the CNAPP or whatever, a new acronym that comes out tomorrow.

Thank you so much for supporting, listening and watching. I'll see you next time.
