The last session before lunch on the Friday. Okay.
Yeah, my name's John Phillips, I'm from Australia, and you've got a really complicated-looking title in front of you, which I kind of apologize for, but it's about scams and anti-scams. So having thought about this for quite some time and boarding the plane from Australia, from Melbourne to Doha and Doha to Berlin, I'm four hours into my flight thinking I just need to chill out and just not think about stuff for a while. And what better than to watch the Jason Statham movie, which is a sort of action-based hero that does stuff that doesn't require much thinking.
So I watched The Beehive, the, The Beekeeper, The Beekeeper. Turns out it's a movie about scams, and so I don't get my distraction.
Alright, I'll watch this movie and realize there are certain anti-scam measures that are probably more violent than others.
This is not about those measures, this is about something else. So despite the fact that it's Friday, and I know you've had a fantastic, I hope, four days and lots of thinking, I actually want to change your opinion about something. So I'm gonna ask you to sort of put some mental effort in still at the last final leg. I'm gonna argue that the way we think about authentication is typically about customers authenticating themselves to organizations.
And I'm gonna argue that in fact, organizations must also authenticate themselves to customers. Now, we've all seen messages like this. I would ask for a show of hands and stuff, but I'm sure when you read your emails you get these flash-up messages warning you that the message sender is not authentic. And in fact, this particular message is from the Australian government. And this literally was just last week.
In fact, they still come like this from the Australian government, not just from this particular domain, business.gov.au, but from other ones. And I am curious, actually, generally, so I was thinking, what's going on here? Most of you are probably quite technical and some of you very tending, no doubt. I explored the SMTP sort of basis of the message. And it turns out they're using an intermediary, they're using a marketing company to forward on the emails, and that's broken the chain of evidence. And so I can't tell it's from the government of Australia.
We're still, and I know there's some banking people in the room, my bank in Australia, which I've obscured for reasons of, I dunno, proprietary or something, sends me text messages to tell me stuff that's very useful. How wonderful is that? And some of those text messages are telling me that a transaction is completed or something else. I dunno if you can read it. But the one that's sort of second from the top there says, hi John, please be aware of fake SMS messages. It's a very useful message to receive. These may contain links to fraudulent websites and so on. It goes on.
And then they tell me, oh great, there was a payment made. That's a nice thing. I like that message. And then it goes and says, your account has been suspended. Click the link below.
Now, the reason my phone thinks it's the bank is because there's an SMS short code being used.
The same SMS short code is being used by the scammers as the bank. So my phone tells me it's the bank, it's the bank, it's the bank, it's the bank, it's not the bank.
And I'm reasonably cautious in some respects, a little bit cynical, so I didn't click the link, right? But I dunno how many other people might have clicked that link, right? So it's a significantly increased risk profile when this sort of thing can happen. Now we've got a scams problem. I'm from Australia.
We have a significant scams problem. This is the latest report. The flash-up that you're seeing right now is from 2023 data.
We've got some initiatives we put in place that are having some effect. You can see a slight dip down on that little curve there. It's got a little bit better. But basically we're still losing or lost 22.7 billion Australian dollars in a population of only 26 million people.
Now, that's pretty damn bad, right? That is not something to be particularly pleased with or proud of. But it's not just our problem.
You know, we're in a global community. An astonishing statistic from the Global Anti-Scam Alliance is that something like 25% of the population have been scammed, right? Thankfully, I don't think I've been scammed yet, maybe, but I have been scammed. But that's people who actually have been scammed. And the total loss on an annual basis is 1 trillion US dollars.
This is a huge number, a huge number. And we all know if you can make a small difference to a huge number, it's a big difference, right?
It's a big number you get out of this. So if we can make an improvement here, we're gonna get a lot of it. So the other thing that's happening, and we're all technologists probably in this room, is that technology has been used aggressively for bad reasons by organized crime to achieve outcomes.
They're very, very good technologists too. There may even be some in this room. Who knows? So I wanna ask a question, which is, in what ways might organizations do more to reduce the risk of scams for their customers and themselves? So for some time now, organizations have been investing quite a lot of money, quite a lot of time in big groups of people in how to better authenticate their customers. So looking at better customer authentication, it's essential. It helps to protect the customer. This is a good thing. We all like this.
It also helps to protect the organization from fraud and liability. So we're all in so far, this conference has had many, many sessions this year alone and many other years before it, about the technologies that can improve customer authentication.
In fact, the I of EIC is almost invariably individual and almost never institution.
I am gonna argue that customer authentication and education is not enough to stop scams. In fact, it's almost disingenuous to argue that it is. So the point I'm making is, how can your customers know that it's you? You communicate with your customers using a whole bunch of channels. I've listed a few here. You've got print, email, phone, and text.
In fact, there's often a requirement, a fiduciary requirement, legal requirement for banks to use channels that enable all of their customers to have access to services. And this is the same for other organizations. You might have to have printed correspondence, you might have to have outbound phone calls. It might be a legal requirement. So you need to have all these channels, but then so do scammers. They use exactly the same channels as you do to communicate with their target victim. You use sophisticated technology, personalization, behavioral analysis, AI. So do scammers.
You send unverifiable communication to your customers. So do scammers, unverifiable communication, which is asking people to take action. You're asking them to take some sort of financial action, often take up a mortgage and get a new credit card, do something else, spend money according to this apparently trustworthy organization. And so do scammers do this.
And the point I'm saying here is that whilst we often, sometimes, maybe think about the risk to the consumer, we in Australia, the Anti-Scam Centre is focused on helping people who have been scammed, finding quick triage mechanisms, sending out messages about the new scam technique and so on. So we have some of these protective mechanisms. I think there's the possibility of class action.
So if you were as an institution issuing communications that were not authentic and your brand was taken up by the scammers as one to use as a sort of brand to leverage from and give a different bank account detail or something else, I think there's a possibility of a class action.
Not only would you need to pay back the scam funds that have been scammed from people, but you might actually have to face a damages kind of class action, which I think would be attention-worthy. So the question is, how can your customers tell your communication from the scammers', folks?
How can your customers authenticate you? And you need to ask yourself, are your communications part of the problem or part of the solution? So here's the opportunity, and one of the things I wanted to change about the title was I should have made it something like the multi-billion dollar opportunity for all organizations, to attract lots of interest.
But yeah, I do think it's a multi-billion dollar opportunity. So why not enable your customers to verify your communications to them? It's a simple question. Why not give better protection to your customers from scammers? And why not demonstrate trustworthiness?
I'm gonna make a point in the slide deck around the idea of mutual trust, not just an imbalanced trust where you force the customer to present themselves to you. So there's a way forward, and I've been using a pattern of thinking here that's design thinking.
You'll see that's like an IDEO, British Design Council, Stanford sort of cycle. I'm showing, we've been talking about the empathize and define, understanding the problem, defining the problem; we are now at ideate. Okay? How might you ensure your customers can check that your communication came from you? My premise is there are several methods already.
In fact, I'm gonna give you seven methods already that answer this question. Here's one: practice good hygiene. There are many mechanisms that are underused in terms of preventing or allowing authentication and preventing fakes getting through. The emails you saw earlier didn't make best use of things like SPF, DKIM, DMARC, and they used an intermediary which broke that chain.
Anyway, so that was a bit of a problem. Make sure you don't use insecure channels as best you can, and so on and so on. That's just the hygiene thing. Just be good at hygiene. The second thing is use your app. If you've been in almost any of the sessions this week, you'd have heard about wallets, you'd have heard about apps. And the obvious thing that's happening next is communication via the wallet app combination. So this is then a secure channel; you know for sure the other party at their end. You can trust the communication.
It's a great mechanism for communication and it's very trustworthy. Use the app. Sign all digital content, but sign it, as my previous speaker said, with due care and due diligence. Don't get the signatures wrong. And there's a very interesting pattern of opportunity I think coming out of the work of people like C2PA, CAI on how we might think about provenance for all sorts of digital content.
And I think that's actually a really good way forward for a lot of institutions that might have to sort of think about that stuff. Use verifiable credentials.
That's another word that's been often used in these last four days. What should they contain? Well, you need to prove you are the organization you claim to be. One of the great sort of existing foundational building blocks you can use is the work of people like GLEIF with legal entity identifiers and the verifiable legal entity identifier, the vLEI, which is a verifiable credential. If it already exists, why not use it? It's not even that expensive to actually get a vLEI. Augment printed content. So there's a way to think about your printed content, your letters.
What might we do with the printed content such that we could give some sort of authentication? So one of the techniques that was used back in Covid, where we all learned a lot of things, some of which weren't good, but some of which were sort of good, was that New Zealand created a form of the Covid credential which uses a CBOR-encoded QR code.
So it actually allowed for some degree of authentication of the content by kind of using the scan and decoding the QR code to sort of say, what's the data content presented here?
So you can get some degree of improved authenticity about what's being sent, but there's a simpler way, there's a like low-tech way. The low-tech way is keep a log of what you've actually sent to your customer. So that would be saying that if you logged into your accounts for your health provider, your bank, your telco, whatever, you should be able to see all the communications they've sent to you. So you could check, oh yeah, you did send me a letter on Tuesday, you phoned me on Wednesday. That sort of stuff should be easy to do.
But actually it's not necessarily easy to do if you're a very large, complicated organization with separate sort of profit and loss product lines or communicating independently.
It's actually perversely difficult to know all the things you've sent your customer. But I kind of like putting it up there, 'cause you bloody well ought to know what you've told your customer.
So I think it's a worthwhile idea. Number six. Idea number seven is et cetera. I know I'm cheating, but the idea would be there's lots of other ideas about how to do this kind of thing. It's not, this is not sort of magic, as some of the conversations in the last four days might have been. Like this is not a magic kind of show. So my point is the question isn't how might you, but the question is will you, okay? And if you do this, my argument is you demonstrate you care about your customers. You want to protect them from organizations pretending to be you.
It's good for them and it's good for you to do this.
You want to have a stance and a position that talks about mutual authentication.
We are mutually authenticating each other. And by doing that, we are showing trustworthiness and respect. And it's a mutual trust that we're trying to build here, not a one-sided equation. If you can, as an organization, promise your customers in bold fonts across all channels that from now on we will authenticate ourselves to you in the best way possible in every communication on every channel, I think that's marketing gold.
I think if you were able to say we are the most trustworthy organization in our sector or in our country because we are doing this thing that no other organization is doing, that's pretty awesome, right? And it doesn't necessarily cost you a lot of dollars. I don't want people to be disingenuous.
But if you genuinely intend to authenticate yourselves to the extent possible, then that's kind of a good start.
Right? So I was talking about this with a guy called Malcolm Crompton, who was an ex privacy commissioner of Australia, and he gave me this. This is literally what he typed out. You can see it on LinkedIn as a comment on the sort of advert that I was coming over here to give this talk. And Malcolm, who is brilliant at short pithy phrases, it was sort of pointed, given the point of view as a previous regulator for Australia, that it is in his sense remarkable.
He wonders why it isn't a requirement in law that we should do this, let alone essential for building customer trust. And as he puts it quite bluntly, simply good manners. So my argument is this is good for customers, it's good for business, it's even good manners. So what do you think?
Thank you.
We have time for maybe two questions. Anyone from the audience?
Yeah,
Maybe it's more of a comment or expression rather than a question, but I absolutely share what you explained. And I was surprised also just from my own experience when I had some issues with adding my new credit card to the Apple wallet. I approached the bank and at some point of this, like fixing the problem, they called me, presumably they called me, asking to do something about my credit card to fix this, and I asked, guys, how do I know this is you calling me?
And, okay. And that guy was like very respectful. He knew the problem exists also, but they have no solution for that.
They just, oh, then you have to call us back. And luckily probably you will not reach me personally. So you have to explain that I have instructed you. So this problem is not that easy. And maybe phone channels, maybe if you have some ideas. So expressions about call centers.
Yeah,
I think firstly, thank you. And yes, the paradox for me is there's been lots of work done in technology terms to authenticate the other person at the other end of the line.
Like, there's even voice recognition technology and voice sensing technology that says, are they lying? Right? Is the person lying to the organization? We have very little that works the other way around. But the fact that, as you're saying, they had a recognition that the person individually understood the challenge and offered the, well, ring our organization, that's better. But of course they could have given you a false number to ring. You'd have to sort of double check that that was the right number to ring.
And they can give you your ticket number so that when you ring, you give them the ticket number and you get channeled through to the right path for solving your problem.
I don't think landlines, voice calls, are very easy to fix.
I think there are going to be channels that are hard: physical channels, where there are pop-up branches of organizations that are set up by scammers. Sometimes they actually physically build a thing that looks like it's the thing, right? And you walk in and you get processed in every sense of the word and they scam you.
So I think this is a, you know, it's a challenging problem. It's a wicked problem, if you like, but there are things we can do that improve stuff. Phones can be improved to some extent, but there's probably limits to this.
Hi, yo, Deloitte, thank you for an excellent presentation. I think a very unique topic here as well, so good to get some attention.
Maybe a small point and a question. So the point on class action, this is happening today. There's a lot of issues in the Netherlands last week around an online bank, Bunq. They clearly skipped a few measures in terms of security, which led to a lot of scams. People losing, I think it was on average about 50,000 euros from their accounts. And now people are looking into, like, did the bank actually do their necessary measures? Probably will turn out that they didn't; that's why they're cheaper than the other banks or have a lower operational cost. Okay.
So let's see if they get their money back. Just in terms of the question, I was wondering to what extent is the mutual authentication active or, or passive. So lots of the authentication done today is sort of solved for you either in the browser by, by TLS connection or like you showed by email or even your phone saying this is, this is probably your bank. Is there a way to imagine some sort of authentication like I'm doing today as an end user?
I have to press a button and say I'm authenticating. Is there something on the side of the relying party like that?
So I mentioned idea two. I think the app wallet app, the idea of using the combination, I say app wallet because wallets can be considered to be a very narrow sort of scope of functionality. And the app is a sort of thing in addition to the wallet.
So if we're considering this as a trusted communication channel, what we are using, in some implementations certainly, is exactly the sort of public-private key shared sort of system that means you can be very sure about the identity of, well, it can be very sure that the controller of the private key, public key that you've been communicating with is the same one. And I think that gives probably the greatest level of confidence.
But it also, I mean, it doesn't necessarily restrict it to sort of text-based communication. You can imagine that you can use this to encrypt voice calls, video calls, other things as well, as long as you've got this kind of robust key exchange. And the best holder for that, I think, is the wallet environment.
Any other questions or are we ready to get some lunch? Yeah. All right. Well thank you. We'll be back in an hour.
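The email hygiene point from the talk (idea one: SPF, DKIM, DMARC, and the intermediary that "broke that chain") worked through in code, as an added example that is not part of the talk or the presenter's material. It is a small DMARC alignment check over constructed Authentication-Results headers, showing why a bulletin relayed by a marketing platform can pass SPF and DKIM for the platform's domain yet still fail DMARC, and how a DKIM key delegated under the sender's own domain restores alignment. Domain names are constructed placeholders, and the organizational-domain rule is simplified (no Public Suffix List lookup).

```python
"""DMARC identifier alignment, the check behind the 'intermediary broke the
chain' failure: SPF/DKIM may pass for the relay's domain, but DMARC only
counts results whose domain aligns with the visible From: domain."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels (assumption; real
    # evaluators consult the Public Suffix List for multi-label TLDs).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any domain sharing the From: domain's organizational domain."""
    d, f = domain.lower(), from_domain.lower()
    return d == f if mode == "s" else org_domain(d) == org_domain(f)


def evaluate_dmarc(raw_message: str, adkim: str = "r", aspf: str = "r") -> dict:
    """Derive a DMARC verdict from the receiving MTA's Authentication-Results.
    DMARC passes if SPF passed on an aligned MAIL FROM domain, or a DKIM
    signature with an aligned d= domain verified. adkim/aspf mirror the
    sender's DMARC record tags (constructed defaults here)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join(msg.get_all("Authentication-Results") or [])
    spf_ok = dkim_ok = False
    for m in re.finditer(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@\s]*@)?([\w.-]+)", ar):
        spf_ok |= aligned(m.group(1), from_domain, aspf)
    for m in re.finditer(r"dkim=pass[^;]*header\.d=([\w.-]+)", ar):
        dkim_ok |= aligned(m.group(1), from_domain, adkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed sample: an agency bulletin relayed by a marketing platform.
# SPF and DKIM both pass, but for the platform's domain, not the From: domain.
RELAYED_VIA_INTERMEDIARY = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mailer-platform.example;
 dkim=pass header.d=mailer-platform.example header.s=k1
From: Agency Updates <noreply@agency.example>
Subject: Grant round now open

Body text.
"""

# Constructed sample: same relay, but signing with a DKIM key the agency
# delegated under its own domain, so the d= identifier aligns (relaxed mode).
DELEGATED_DKIM = RELAYED_VIA_INTERMEDIARY.replace(
    "header.d=mailer-platform.example", "header.d=mail.agency.example")

if __name__ == "__main__":
    for name, sample in [("intermediary", RELAYED_VIA_INTERMEDIARY),
                         ("delegated DKIM", DELEGATED_DKIM)]:
        print(name, evaluate_dmarc(sample))
```

With a strict `adkim=s` policy even the delegated case fails, because `mail.agency.example` is not an exact match for `agency.example`; the fix there is either relaxed alignment or signing with `d=agency.example` itself.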