"What’s coming next for crypto fraud".

The following thread is for crypto enthusiasts who use mobile wallets, and crypto journalists who care enough to write about this stuff.

#FluBot #Phishing #Fraud

1/20
Crypto enthusiasts with a mobile wallet are now faced with a new security problem that’s worse than anything we’ve seen before.

Hackers are using SMS messages to infect devices with #FluBot malware - it steals all passwords, sends messages to contacts, installs spyware...

2/20
#FluBot is spreading across European countries right now. Mobile operators *who are impacted* are looking for a solution.

There's no "Proofpoint for SMS", but worse again, the cybersecurity industry doesn't have a category for SMS, let alone a vendor or solution.

3/20
We've been here before. For 2 years, MetaCert was the first and *only* company with a similar security solution for:

- Device OEMs
- Mobile Apps (patented)
- Slack

We were too early, 3 times, over 7 years, forcing us to pivot from one to the other.

4/20
Reminder: MetaCert eradicated phishing on Slack for the crypto world in 2017 (no competitor existed).

Today, there's a security category for Slack, as well as device OEMs and mobile apps - vendors making $.

So, where was MetaCert during the pandemic to kill SMS scams?

5/20
We learned from history! We knew it was too early for operators to care enough in 2020 because fraud and identity theft don't affect them.

#FluBot forcing customers to wipe their devices clean is the ONLY reason why *some* operators are looking for a solution.

6/20
It's so bad in Europe that SMS Firewall vendors are now claiming to offer SMS Security even though they can't.

SMS "Firewalls" are designed to protect SMS traffic and revenue for operators. They are *not* "security" firewalls as the name might suggest.

7/20
It's easy to test the security posture of SMS Firewalls - send messages with new dangerous URLs to a number on any network. If they get through, there's no security.

Not a single operator in the world can stop a single SMS message that contains an unknown dangerous URL.

8/20
Not only are the conditions perfect for a solution... 3 established telco vendors have stolen MetaCert's IP in the past 8 weeks. 2 are now MetaCert resellers and the other will likely apply on Monday after I had a call with their CEO.

We don't even have a website for this.

9/20
Operators (AKA Carriers) in North America still don't care *enough* about SMS scams *because* #FluBot hasn't hit their networks, YET.

For this reason, we're focused only on the countries impacted by this nasty malware - UK, Ireland, Germany, Belgium, Spain...

10/20
Crypto enthusiasts who use a mobile wallet in Europe should be scared. There's no security on the planet that can protect them from SMS-led attacks that involve a deceptive URL.

Before MetaCert came along, Slack was like a fortress compared to SMS today. A... FORTRESS.

11/20
I welcome security vendors into the new category for SMS - it's a big market opportunity.

How big?

Let's look at the security category for email. @proofpoint was recently acquired for $12.3bn. That's just 1 vendor. And email security isn't even reliable or effective!

12/20
But there's a catch.

Traditional Internet Security won't work for SMS:

"Assume every URL is safe until confirmed as dangerous".

This approach is no longer effective or reliable, which is why 2020 is the worst year on record for phishing.

13/20
The ONLY way to stop phishing is to:

"Assume every URL is dangerous, unless verified".

We came to learn that traditional anti-phishing is broken. So we decided to try something different. We call it:

Enabling a "Zero Trust" strategy for URL & Web Access Authentication.

14/20
Yubikey is the closest comparison - a hardware device that authenticates users before allowing them to log into a website/service.

When MetaCert is added to a mobile network, it’s easy for anyone to spot a new scam in 3 seconds because unverified URLs won’t authenticate.

15/20
Any hardware or software application that embeds MetaCert's service can have Yubikey-like authentication.

The main difference is that Yubikey authenticates a few hundred sites/services, while MetaCert authenticates over 20 billion URLs.

We came before Yubikey/FIDO too.

16/20
Not only is MetaCert the first to build a security solution for SMS, our unique approach is the only way to kill phishing.

Even if Proofpoint entered the SMS market it wouldn't be able to stop a single message that contains a dangerous URL they don't know about.

17/20
Email security vendors never get blamed for online fraud, identity theft, a data breach, ransomware attack, or anything else for that matter.

Why?

Because everyone focuses on victims - people and entities. What about the "experts" responsible for keeping them safe?

18/20
When big vendors eventually claim they can stop SMS phishing (with their legacy approach), we will all know it's untrue.

To verify this, we just need to send ourselves a message with a new dangerous URL. If the message gets through, it means security doesn't work.

19/20
Welcome to the future of Internet Security. And by extension, welcome to the future of SMS Security.

You're welcome :)

linkedin.com/pulse/open-let…

20/20
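The contrast between the two models quoted in 12/20 and 13/20, as an added example that is not part of the original thread and not MetaCert's code: a denylist ("safe until confirmed as dangerous") and a verify-first check ("dangerous, unless verified") run over the same SMS bodies. The host sets, function names and sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data, not from the thread; hosts use reserved example domains.
VERIFIED_HOSTS = {"wallet.example.com", "example.org"}  # hypothetical verified registry
KNOWN_BAD_HOSTS = {"old-scam.example.net"}              # hypothetical denylist feed

# Matches http(s):// and www. links only; bare domains would need a TLD-aware matcher.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def extract_hosts(sms_text):
    """Return the lower-cased host of every link found in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(sms_text):
        url = raw if "://" in raw else "http://" + raw
        try:
            # urlsplit drops a "user@" prefix, so look-alike userinfo cannot pose as the host.
            host = urlsplit(url.rstrip(".,;:!?)")).hostname
        except ValueError:
            host = None
        hosts.append((host or "").rstrip("."))  # "" is never verified: fail closed
    return hosts

def default_allow(sms_text):
    """Denylist model: deliver unless a host is already known to be bad."""
    bad = any(h in KNOWN_BAD_HOSTS for h in extract_hosts(sms_text))
    return "block" if bad else "deliver"

def default_deny(sms_text):
    """Verify-first model: any link whose host is not verified gets flagged."""
    hosts = extract_hosts(sms_text)
    return "deliver" if all(h in VERIFIED_HOSTS for h in hosts) else "flag-unverified"

SAMPLES = [  # constructed messages
    "Your parcel is waiting: https://old-scam.example.net/track",
    "Missed delivery, install app: https://new-parcel.example/app.apk",
    "Login code ready at https://wallet.example.com/login",
    "Verify now http://wallet.example.com@login.example.net/",
    "See you at 6pm",
]

def compare(messages):
    """Pair the (denylist, verify-first) verdicts for each message."""
    return [(default_allow(m), default_deny(m)) for m in messages]

if __name__ == "__main__":
    for msg, verdicts in zip(SAMPLES, compare(SAMPLES)):
        print(verdicts, msg)
```

The second and fourth messages carry hosts that appear on neither list: the denylist delivers both, while the verify-first check flags them without needing prior knowledge of the URL.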


Keep Current with Paul Walsh
