The purpose of this CXTech Week 24 2021 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech? The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.
You can sign up here to receive the CXTech News and Analysis by email. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.
Covered this week:
- Stripe raises $1B for Identity Verification
- SMiShing: SMS-based phishing
- Matrix has become the messaging app of choice for top-secret communications
- People, Gossip, and Frivolous Stuff
Stripe raises $1B for Identity Verification
Raising $1B to bring an existing internally developed product, Stripe Identity, to market in a maturing category is a little unusual. Stripe Identity is applicable to their existing customer base, so initial sales/marketing are relatively cheap. The reasoning seems suspect to me. Never believe what’s written on the web 😉
Given the trend of ‘raise $1B+ one week and then spend $1B+ the next week’ (I’m looking at you, Sinch 😉), I think it’s more likely they’d purchase, say, TeleSign, which is used by most of the big web brands for identity verification, to bolster Stripe Identity.
Prove may be a little expensive compared to TeleSign, and there are others in the identity verification space with lower valuations. However, TeleSign and Prove are two examples of companies that have solved the ‘working with carriers’ problem, which is not a Stripe core competence. It has also been a frustration for Twilio, which tends to work with aggregators rather than carriers.
Anyway, time will tell what happens. Raising $1B to bring an existing product to its existing customer base (low-hanging fruit for the existence proof) seems suspect to me. Yes, they will need cash to expand into new markets, but that again is more time limited (hiring people and winning customers) than cash limited.
SMiShing: SMS-based phishing
We discussed FluBot in CXTech Week 18 2021. Operators still do not appear to have this under control. The claimed fix of using spam control with an SMS firewall is not a fix, as the phishing URLs keep changing and can be directories within well-known URLs. They only need to go undetected for a few minutes and their work is done. One approach, as in Japan, is to block all URLs in SMS, but then IP messaging will fill the gap: see LINE usage versus SMS usage in Japan, where the difference is about 3 orders of magnitude.
I had the good fortune to talk with Paul Walsh of MetaCert recently about the importance of adopting a “Zero Trust” strategy for URLs / SMS, and the human factors around stopping people clicking on those URLs. It’s a complex technology and human factors problem. BTW, here’s an excellent piece from Paul on zero trust URLs, https://pkic.org/2019/10/10/the-insecure-elephant-in-the-room/ and more recently he penned an ‘Open Letter’ to mobile operators with the goal of creating a new security category for anti-phishing. He also wants to make it easy for vendors to resell “Zero Trust SMS” security. It’s a new model for this problem, but it’s a very well established model in cybersecurity: it works well for security vendors who resell on behalf of companies like Proofpoint, Symantec and McAfee.
Zero trust is the approach we need to take for smishing. Have a chat with Paul, you’ll be glad you did.
When I was chatting with people I know on LinkedIn about this topic and sharing phishing URLs, I discovered LinkedIn are using PhishTank (owned by Cisco). That is OK, but it does not capture some of the fresher phishing URLs. As a matter of principle, PhishTank does not evaluate or classify phishing URLs unless they’re used for fraud or identity theft. This means that SMS scams that use phishing URLs for malware downloads are excluded, so FluBot and all new malware attacks in the future cannot be stopped by PhishTank. This is a fact that very few people in the security industry even know. Relying on “blocklists”, and assuming every URL is safe until confirmed as dangerous, isn’t working. Something different needs to be done. Zero trust is the only option: assume the URL is suspect unless confirmed as clean.
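An added example (not from this newsletter, and not MetaCert's or PhishTank's implementation) contrasting the two defaults on constructed SMS texts. The lists, the `.example` hosts and the host-plus-first-directory key are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed data for illustration; none of these are real indicators.
BLOCKLIST = {"parcel-track.example/fedx"}                    # reported as bad earlier
VERIFIED = {"bank.example/login", "courier.example/track"}   # confirmed clean

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

SAMPLES = [
    "Your parcel is waiting: http://parcel-track.example/fedx/a1",  # already listed
    "Your parcel is waiting: http://parcel-track.example/dhl7/a1",  # rotated path
    "New voicemail: https://courier.example/files/update",          # dir on known host
    "Statement ready: https://bank.example/login",                  # verified link
    "See you at 6",                                                 # no URL at all
]

def url_key(url):
    """Normalise to 'host/first-directory' so a bad directory on a
    well-known host is judged separately from that host's own pages."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    seg = parts.path.strip("/").split("/")[0]
    return f"{host}/{seg}" if seg else host

def sms_keys(sms):
    """Extract and normalise every URL found in an SMS body."""
    return [url_key(u) for u in URL_RE.findall(sms)]

def blocklist_verdict(sms):
    """Default allow: deliver unless a URL is already known to be bad."""
    return "block" if any(k in BLOCKLIST for k in sms_keys(sms)) else "deliver"

def zero_trust_verdict(sms):
    """Default deny: every URL must be confirmed clean, otherwise flag it."""
    return "deliver" if all(k in VERIFIED for k in sms_keys(sms)) else "flag"

def compare(samples=SAMPLES):
    """Return (blocklist, zero-trust) verdicts for each sample message."""
    return [(blocklist_verdict(s), zero_trust_verdict(s)) for s in samples]

if __name__ == "__main__":
    for sms, verdicts in zip(SAMPLES, compare()):
        print(verdicts, sms)
```

The second and third samples are the gap described above: a rotated path and an unverified directory on a familiar host both pass the blocklist, while the default-deny policy flags them without needing to have seen them before.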
Matrix has become the messaging app of choice for top-secret communications
Nice review of how the French government selected Matrix.org. At TADSummit EMEA Americas last year, we interviewed Matthew and Amandine, and covered this topic and many more.
People, Gossip, and Frivolous Stuff
Chip Wilcox is now Product at Transcelestial, free space optical broadband (both ground and satellite).
David Walsh is now Vice President Mergers Acquisition at Corum Group. Mark White joined them at the start of 2020 as VP South East Asia.
Here’s a blast from the past: James Parton from 20 years ago, as well as many others from O2 Genie.
Thank you so much for such an amazing evaluation of our conversation, Alan. There’s no point in having something good if the world doesn’t know about it – so thank you for sharing this.