
Shush Blog

Open Letter to Telecommunications Industry

Posted by Eddie DeCurtis on December 3, 2024 at 7:45 AM

 

Dear Colleagues in the Telecommunications Industry,

The telecommunications landscape continues evolving after the “launch” of RCS and the continued interest in Network APIs. We must recognize and capitalize on the rapidly expanding opportunities before us as industry leaders. According to recent research from S&P Global, the market for network authentication is currently valued at $12.6 billion in 2024. This presents a significant window for mobile network operators (MNOs) to enhance their revenue streams, particularly by leveraging Anti-Fraud APIs, which account for the lion's share of this opportunity—97% of revenue in the S&P Global Market Intelligence Report.

However, the current state of Network API readiness shows that we are not moving fast enough. Only 5% of MNOs worldwide have partially deployed network APIs. While the other 95% would like to deploy Network APIs to the market, MNOs are being led to believe they need to prioritize 5G network infrastructure investments, thus delaying ROI for years. Much of this delay can be attributed to pressure applied by the OEM to purchase additional network components that are unnecessary for deploying Anti-Fraud Network APIs.

The GSMA has been leading the standardization of APIs and bringing the MNOs and industry together, but these efforts are insufficient to address MNOs' hesitation. This lack of action, through no fault of the MNOs, is causing an imbalance of supply and demand as brands, financial institutions, and enterprise developers are clamoring for Network APIs to secure their mobile-first brand experiences.

At Shush, our concern is that without some dramatic change, Network APIs will follow the slow and lackluster growth of RCS over the last few years.

Those who do not learn from the past are doomed to repeat it. The much-delayed adoption of RCS offers a valuable lesson for the telecom industry. RCS was poised to revolutionize messaging but was held back by slow carrier rollouts, inconsistent global support, and a fragmented approach to implementation. These missteps allowed over-the-top (OTT) messaging platforms like WhatsApp and Facebook Messenger to dominate the market. MNOs suffered as a result, purchasing new equipment to support P2P/A2P RCS with no business case.

At Shush, we know that MNOs already have the infrastructure required to start monetizing Network APIs if the correct APIs are prioritized. Two types of Network APIs are available today - Anti-Fraud APIs (which we call Network Authentication APIs) and NaaS (Network-as-a-Service) APIs like MEC, Network Slicing, QoS, and QoD.  The following three points need to be considered by all MNOs planning next steps with Network Authentication APIs.

  • Revenue Opportunities. S&P Global Market Intelligence has published a study that shows 97% of current Revenues from Network APIs come from Anti-Fraud APIs, while only 3% are from NaaS APIs.
  • Purchase Additional Network Equipment.  Exposing Anti-Fraud APIs to the market requires no new Network Elements, while NaaS APIs require several new, expensive Network Elements. Industry estimates suggest that Mobile Network Carriers must invest an additional $40 billion in new equipment and software to implement Network-as-a-Service (NaaS) solutions.
  • Time to Market.  Carriers can start exposing Anti-Fraud APIs quickly since no additional network elements are needed, while Carriers will have to wait 18 months to 2 years before delivering NaaS APIs if not already installed.

Shush is bullish on Network APIs as we focus only on Anti-Fraud APIs for Mobile Network Operators, which are directly linked to revenue and require no additional network investment.  

Furthermore, Shush brings the other three elements an MNO needs to be successful in the space: (1) a Monetization Platform, (2) Integration services from your network to the Monetization Platform, and (3) Business Operations that care for privacy, limit liability, provide pricing guidance for the APIs, and bring the contractual experience to connect to the Demand ecosystem. These three elements make up the core foundation of a Network Authentication business - not just another OEM box. At Shush, we are dedicated to building a successful Network Authentication business for each of our MNO clients.

The time to act is now. By embracing the next generation of network authentication solutions, we can lead the charge toward a more secure, efficient, and profitable future.

I welcome the opportunity to discuss this in greater detail and explore how Shush Inc. can partner with your organization to drive this innovation forward.

Sincerely,
Eddie DeCurtis
Co-Founder & CEO, Shush Inc.

 

Supporting Data from S&P Global Market Intelligence

 

Tags: Blog Post

What’s Next: The Future of Network Authentication and Mobile Identity — An Exclusive Interview with Eddie, CEO of Shush

Posted by Shush Marketing on September 23, 2024 at 4:58 PM

Find the original post on Medium by Jason Malki

I had the pleasure of interviewing Eddie, a seasoned executive with over 30 years of experience driving growth and innovation in the technology and telecommunications industries. He is currently the Co-Founder and CEO of Shush, which is revolutionizing network authentication. Shush partners with mobile network operators (MNOs) around the world to reduce mobile fraud. Sherlock is Shush’s cloud-based solution, which unlocks additional revenue for MNOs by facilitating network authentication transactions.

Prior to Shush, Eddie served as Regional CEO — Americas for Sekura.id, where he led the company’s expansion in the Americas and Asia regions. Eddie has a proven track record of success in sales, business development, and strategic planning. He has held senior leadership positions at Mavenir, LivePerson, and Tyntec, where he consistently delivered results and exceeded expectations. Throughout his career, Eddie has demonstrated a deep understanding of the market, a passion for technology, and a commitment to building strong relationships with customers and partners.

What motivated you to launch your startup?

When I was the Regional CEO at Sekura, I was responsible for the Americas and Asia, and I was speaking to mobile network operators all over the world. They were all saying the same thing: “We want to do network authentication. We have no idea how to do network authentication. We have no money to buy a platform to do network authentication, and we don’t know where to start….” So, I took this feedback to my Group CEO and was told that we, Sekura, only buy network data from mobile network operators after they launch the service. To which I said, “What are you buying if they have nothing to sell?”

At that point, I realized there was a problem in an industry that, according to McKinsey, has a $300B TAM. Also, A2P SMS OTP is currently a $19B business, and network authentication is projected to be 10 times that. After speaking to some mentors and realizing that network authentication services don’t have a demand problem (banks, fintechs), but rather a supply problem, I understood the opportunity. There are currently 1,000+ mobile network operators globally, and fewer than 100 have launched the service. In reality, that number is closer to 27.

At this point, I called my co-founder, and we launched the company.

What excites you about what you’re building?

Great question. I guess what really excites me about what we are building at Shush is that it’s a solution that is wanted, needed, and no one else saw this huge missing piece in the network authentication ecosystem.

What has been your biggest challenge in growing your startup?

Besides raising capital? Finding the right team members to take my vision from a thought to reality. You can always find smart people, but they need to fit the culture and drive, etc.

What are your future plans for your startup?

Build the leading mobile network authentication solution for mobile network operators. If we do that, then we have succeeded.

If you had to share “words of wisdom” with a founder who’s about to start their own startup, what would they be?

Talk to everyone, run your idea by them, and don’t worry about them “stealing your idea.” Get as much feedback as you can, and if your idea passes the smell test, then do it with as much passion as you can muster.

How can our readers follow you on social media?

Sure, on LinkedIn at www.linkedin.com/edecurtis and on Twitter/X @edecurtis, and you can follow Shush on both LinkedIn / Shush-inc and on Twitter/X @ShushSherlock.

Tags: Blog Post

Network Authentication Playbook: Best Practices

Posted by Eddie DeCurtis on August 27, 2024 at 10:14 AM

The Growing Challenge of Network Authentication

If you’re a professional, expert, or product leader at a mobile network operator (MNO), you’ve probably been losing sleep over network security lately. With the rise of sophisticated cyber-attacks, keeping your network safe has become a top priority.  The rise of SIM swap attacks should be particularly concerning to Infosec leaders at MNOs. But it’s not just about security anymore—it’s also about customer trust, experience, and staying ahead in a competitive market. 

This article will walk you through the best practices for network authentication, offering practical, actionable insights that you can start applying today. Plus, we'll explore how integrating a solution can streamline your efforts, making your job easier and your network more secure.

Market Landscape: Trends and Challenges in Network Authentication

Network authentication has never been more critical. As mobile devices become the primary method for users to access banking, ride-sharing, crypto trading, social media, and enterprise apps, the need for robust authentication mechanisms has skyrocketed. Add to that the fact that cyber threats are evolving at a breakneck pace, and you’ve got a recipe for sleepless nights. 

One of the most significant challenges MNOs face today is the threat of SIM swap attacks. These attacks, where fraudsters hijack a user's mobile number by tricking the carrier into transferring the number to a new SIM card, have become increasingly common.

Just recently, several high-profile cases hit the news where consumers lost thousands of dollars because of SIM swap fraud. One recent high-profile SIM swap fraud attack occurred in Toronto, where ten individuals were arrested on August 1, 2024. This case involved over 1,500 compromised cellular accounts, leading to more than $1 million in losses. 

The investigation, dubbed “Project Disrupt,” began in June 2023 and uncovered widespread fraud that affected telecom companies, financial institutions, and individual consumers.

It’s clear that the stakes are high, and the need for secure, reliable network authentication is more urgent than ever. Recently in the United States, the Federal Communications Commission  (FCC) has taken steps to thwart future SIM swap attacks with a federal mandate. At the November 15, 2023, Open Meeting, the FCC adopted a Report and Order implementing new rules to protect cell phone consumers from SIM swap and port-out fraud, two practices that bad actors use to take control of consumers’ cell phones. This new order requires all MNOs in the US to disclose their secure authentication methods to the committee by July 8, 2024. 

On the bright side, emerging technologies and standards are offering new ways to enhance network security. Silent Authentication, which uses network attributes that only the MNOs possess, offers a new way of confirming that the mobile device requesting access to a third-party service is under the control of the rightful owner, not a fraudster.

 


Authentication in Network Security: Why It Matters and Common Threats

Network authentication is the first line of defense in keeping unauthorized users out of your network. It’s how you ensure that the person or device trying to access your network is who they say they are. But as important as it is, authentication is also one of the most challenging aspects of network security to get right.

Let’s talk about some of the most common threats:

  1.   SIM Swap Fraud: As mentioned earlier, this type of fraud has been on the rise, causing significant financial losses for consumers and headaches for MNOs.
  2.   Phishing Attacks: Despite all the warnings, phishing remains a major problem. Fraudsters trick users into giving up their login credentials, which they then use to gain unauthorized access to networks.
  3.   Credential Stuffing: Hackers use lists of stolen usernames and passwords to gain access to multiple accounts, taking advantage of the fact that many people reuse passwords across different services.

These threats are constantly evolving, which means your authentication methods need to be adaptable and resilient.

Strategic Framework: Implementing Network Authentication

To effectively implement network authentication, it’s crucial to develop a strategy that’s both comprehensive and flexible. Here are some best practices to keep in mind:

  1. Silent Authentication - This method is the flagship of network authentication use cases. It provides a complete, seamless, and silent authentication process. In this flow, the mobile device IP address is confirmed mutually between the mobile app publisher and the MNO. If the IP address matches, then device ownership is confirmed and the transaction should proceed. 
  2. SIM Swap - When a bank or other institution needs to confirm the device receiving an SMS 2FA code belongs to the rightful owner of the device, a SIM Swap date check greatly reduces the chance of fraud. If the result of this inquiry shows that the SIM has been reseated within the last 24/48/72 hours, it’s very likely that the device has been compromised. 
  3. Device Status - The MNO has valuable information regarding the activation, billing and operational status of the device. This request provides a critical assessment of the status of the mobile device. It confirms that the device has not been reported as lost or stolen and is not in a blocked state.
  4. Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to verify their identity through multiple methods, such as an OTP code sent over SMS. However, it is critical that this isn't the only security method used.
  5.  Zero Trust Architecture: In a Zero Trust model, no one inside or outside the network is trusted by default. Every request is authenticated, authorized, and encrypted, regardless of where it originates.
  6. KYC validation - Network admins should integrate KYC validation into user onboarding and ongoing authentication processes by using automated systems for identity verification and document validation. It's essential to comply with relevant regulations, ensure data security through encryption and access controls, and maintain clear communication with users about the KYC process. Regular audits and updates are crucial for staying compliant and secure. Finally, having a plan for detecting fraud and responding to data breaches is vital.
  7. Regular Audits and Updates: The threat landscape is always changing, so your network authentication strategy should be regularly reviewed and updated to ensure it remains effective.

By following these best practices, MNOs can significantly reduce the risk of unauthorized access and enhance overall network security.
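
The Silent Authentication, SIM Swap and Device Status checks from the list above, combined into one gate that a bank or app publisher could run before trusting a phone number. This is an added example, not Shush's or any operator's code; the `NetworkSignals` fields, the status labels and the decision names are assumptions made for illustration.

```python
"""Added example: gate an SMS OTP on operator-side signals (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"      # proceed with the transaction or SMS OTP
    STEP_UP = "step_up"  # do not rely on the phone number; verify another way
    DENY = "deny"        # block the transaction


@dataclass(frozen=True)
class NetworkSignals:
    """Hypothetical shape of an MNO's answer for one phone number."""
    last_sim_change: Optional[datetime]  # None: operator has no change on record
    device_status: str                   # assumed labels: active/lost/stolen/blocked
    network_ip_match: Optional[bool]     # silent auth; None: not on mobile data


BLOCKING_STATES = {"lost", "stolen", "blocked"}


def evaluate(signals: NetworkSignals, now: datetime,
             sim_swap_window: timedelta = timedelta(hours=72),
             ) -> Tuple[Decision, List[str]]:
    """Return a decision plus the reasons that produced it."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    reasons: List[str] = []
    decision = Decision.ALLOW

    # Device Status: lost, stolen or blocked devices are refused outright.
    status = signals.device_status.strip().lower()
    if status in BLOCKING_STATES:
        return Decision.DENY, [f"device_status={status}"]
    if status != "active":
        # Fail closed on a label this code does not recognise.
        decision = Decision.STEP_UP
        reasons.append(f"unrecognised_device_status={status}")

    # SIM Swap: a change inside the window means an SMS code may not reach
    # the rightful owner, so the number alone is not trusted.
    changed = signals.last_sim_change
    if changed is not None:
        if changed.tzinfo is None:
            raise ValueError("last_sim_change must be timezone-aware")
        age = now - changed
        if age < timedelta(0):
            # A timestamp in the future is bad data; treat it as suspicious.
            decision = Decision.STEP_UP
            reasons.append("sim_change_in_future")
        elif age <= sim_swap_window:
            decision = Decision.STEP_UP
            hours = int(age.total_seconds() // 3600)
            reasons.append(f"sim_changed_{hours}h_ago")

    # Silent Authentication: the IP seen by the app publisher must match the
    # one the MNO assigned. None means the check could not run (e.g. Wi-Fi),
    # which is recorded but does not by itself change the decision.
    if signals.network_ip_match is False:
        decision = Decision.STEP_UP
        reasons.append("network_ip_mismatch")
    elif signals.network_ip_match is None:
        reasons.append("silent_auth_unavailable")

    return decision, reasons


if __name__ == "__main__":
    # Constructed sample answers, not real operator data.
    now = datetime(2024, 8, 27, 12, 0, tzinfo=timezone.utc)
    samples = {
        "long-standing SIM": NetworkSignals(now - timedelta(days=400), "active", True),
        "SIM changed 30h ago": NetworkSignals(now - timedelta(hours=30), "active", True),
        "reported stolen": NetworkSignals(None, "stolen", True),
        "IP mismatch": NetworkSignals(None, "active", False),
    }
    for name, sig in samples.items():
        decision, reasons = evaluate(sig, now)
        print(f"{name:22} {decision.value:8} {reasons}")
```

The window is a parameter because the list above gives 24, 48 and 72 hours as options; a shorter window lets more recent SIM changes through.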

Product Development and Integration: Key Considerations

When it comes to integrating network authentication into your services, there are several key considerations to keep in mind:

  1.   User Experience: As important as security is, it should never come at the expense of the user experience. A clunky, confusing authentication process will frustrate users and lead to higher churn rates. The goal is to make authentication as invisible as possible while maintaining a high level of security. Methods that require zero user interaction should be implemented as a priority. Examples include Silent Authentication, SIM Swap and Device Status.
  2.   Scalability: Your authentication solution should be able to grow with your business. Whether you’re adding new services, expanding into new markets, or dealing with an influx of new users, your network authentication should be able to handle it all.
  3.   Compliance: Different markets have different regulations regarding data security and privacy. Your authentication solution needs to be flexible enough to comply with these regulations, no matter where you operate.

The Best Solution for Network Authentication

At this point, you might be wondering, "How can we implement all this without turning the business upside down?" That’s where Shush comes in.

Shush offers a comprehensive network authentication solution that’s not only secure but also incredibly user-friendly. Here’s what sets Shush apart:

  • Domain Expertise: The Shush Chief Product Officer, Jon Morrow, crafted a best-in-class service within T-Mobile USA over the last several years. He is now at Shush developing a best-in-class cloud-agnostic platform deployable within the trusted domain of any MNO. Shush understands what the market needs, from brands and banks to global MNOs.
  • No Upfront Cost: We understand the capital constraints within MNOs. As a result, Shush bears the costs of the platform, technical integration, and operation, so there are no upfront costs for our partners. In addition to offering our Self-Service Network Auth SaaS solution, Shush offers a Managed Service Model where all operations are handled by our team, which allows Network Authentication to become a revenue center rather than a capital expenditure.
  • Seamless Integration: Shush Sherlock is designed to integrate with existing API gateways, which facilitate authentication, throttling and rate limiting. API gateways facilitate the northbound interactions between Demand partners (CPaaS providers) and the Shush Sherlock platform. Shush Sherlock then integrates with telco-native APIs to retrieve the network elements needed for real-time network authentication use cases.
  • Scalable and Flexible: Whether you’re a small MNO or a large enterprise, Shush scales with your needs. Plus, we don’t charge MNOs to use our technology—we offer a managed service where our team handles everything, from billing to support, to operations.
  • Proven Track Record: Numerous MNOs have successfully integrated Shush into their network security infrastructure. Case studies and testimonials highlight how Shush has helped them enhance their security, reduce fraud, and improve user trust.
  • Compliance-Ready: Shush is designed to meet the stringent security and privacy requirements of any market, ensuring you stay compliant while keeping your network secure.


Security Protocols: Mitigating Risks and Ensuring Compliance

Mitigating risks is all about being proactive rather than reactive. Here are some tips:

  • Regular Security Audits: Regularly audit your network for vulnerabilities and ensure that your authentication methods are up to date.
  • User Education: Educate your users about the importance of strong, unique passwords and how to spot phishing attempts.
  • Compliance Monitoring: Keep up to date with industry standards and regulations to ensure your network remains compliant.

Marketing and Positioning: Network Authentication as a Value-Added Service

Finally, let’s talk about how to position network authentication as a value-added service.

  1. Highlight the Benefits: Focus on how your network authentication solution enhances security and user trust. Use real-world examples, like those recent SIM swap attacks, to show the importance of robust authentication.
  2.  Leverage Case Studies: Share success stories from MNOs that have successfully integrated network authentication solutions like Shush. These stories can be powerful tools in convincing potential clients of the value of your services.
  3. Communicate Clearly: Avoid technical jargon when marketing your network authentication services. Instead, focus on how they solve real-world problems for your clients.

Final Thoughts

Network authentication is a critical component of any MNO’s security strategy. With the increasing number of threats out there, it’s essential to have a solution that’s both effective and user-friendly. 

Shush offers a proven, scalable, and compliant network authentication solution that takes the hassle out of securing your network. Instead of reinventing the wheel, why not trust Shush to help you protect your network and your users? 

Remember, in today’s fast-paced world, staying ahead of the curve is crucial. By implementing the strategies and best practices discussed in this article, and by leveraging a trusted partner like Shush, you can ensure your network remains secure and your users stay happy.

Tags: Network Authentication, Blog Post

July 8, 2024 Deadline: MNOs Response to FCC Regulation

Posted by Shush Marketing on May 16, 2024 at 10:18 AM

Explore how FCC regulations impact mobile network operators and their consumers.

The Role of FCC Regulations in Consumer Protection

FCC regulations play a crucial role in protecting consumers in the mobile network industry. These regulations ensure that mobile network operators prioritize the safety and security of their customers' personal information and data. By setting standards and guidelines, the FCC helps prevent fraudulent activities, such as SIM swapping, which can result in unauthorized access to a consumer's mobile phone account.

Furthermore, FCC regulations require mobile network operators to implement robust security measures to safeguard against data breaches and unauthorized access. These regulations also promote transparency and accountability, ensuring that consumers have access to clear information about their rights and the services provided by mobile network operators.

Challenges Faced by Mobile Network Operators

While FCC regulations aim to protect consumers, mobile network operators face certain challenges in ensuring compliance. One of the primary challenges is staying ahead of rapidly evolving cyber threats and fraud techniques. As technology advances, criminals find new ways to exploit vulnerabilities and compromise consumer accounts.

Additionally, complying with FCC regulations requires substantial investments in security infrastructure and personnel. Mobile network operators need to continuously update their systems, train their employees, and implement advanced security measures. These investments can be costly and time-consuming, especially for smaller operators.

In a significant move, the FCC approved new regulations in October to combat SIM swap and port-out fraud. These regulations aim to create a standardized framework within the mobile wireless industry to protect consumers. Specifically, wireless providers are now required to implement secure authentication methods before transferring a customer's phone number to a new device or provider. Additionally, providers must maintain records of SIM change requests and the authentication processes utilized. The regulations also include protocols for addressing failed authentication attempts, employee training on handling fraud incidents, and measures to prevent unauthorized access to customers' personal information until proper authentication is confirmed.

Compliance Requirements for Mobile Network Operators

To comply with FCC regulations, mobile network operators must meet specific requirements set by the FCC. These requirements include implementing robust authentication processes to prevent unauthorized SIM swapping and ensuring the secure storage and transmission of customer data.

Operators must also establish procedures for promptly detecting and responding to any security incidents or breaches. They must conduct regular audits and assessments to identify vulnerabilities and address any shortcomings in their security measures. Additionally, mobile network operators are required to provide clear and accurate information to consumers regarding their rights and the steps they can take to protect themselves.

Benefits of FCC Regulations for Consumers

FCC regulations provide several benefits to consumers in the mobile network industry. These regulations enhance consumer trust by ensuring that their personal information and data are adequately protected. By requiring mobile network operators to implement strong security measures, consumers can have confidence in the safety of their accounts and reduce the risk of identity theft or unauthorized access.

Furthermore, FCC regulations promote fair and transparent practices among mobile network operators. Consumers have access to clear information about their rights, billing practices, and the services they are entitled to receive. This transparency empowers consumers to make informed decisions and hold mobile network operators accountable for their actions.

Overall, FCC regulations help create a more secure and consumer-friendly environment in the mobile network industry, fostering trust and confidence among consumers.

As reported by LightReading, this FCC regulation is intended to end SIM scams:

"We take these steps to improve consumer privacy and put an end to SIM scams," said FCC Chairwoman Jessica Rosenworcel in a statement late last year, after the agency voted to enact rules to curtail SIM fraud. "Because we know our phones know a lot about us. They are an entry to our records, our accounts, and so much that we value. That is why across the board we need policies that make sure our information is secure."

Future Trends in FCC Regulation for Mobile Network Operators

As technology continues to advance, the FCC will likely introduce new regulations and guidelines to address emerging challenges and protect consumers. One potential future trend is increased focus on emerging technologies, such as 5G networks and Internet of Things (IoT) devices. The FCC may establish specific security standards and requirements for these technologies to ensure consumer safety and privacy.

Additionally, the FCC may further enhance consumer protection measures by collaborating with other regulatory bodies and industry stakeholders. By working together, regulators and operators can share best practices and develop comprehensive strategies to combat fraud, data breaches, and other security threats.

Furthermore, the FCC may prioritize consumer education and awareness programs to help individuals understand their rights, the potential risks they face, and the steps they can take to protect themselves. By empowering consumers with knowledge, the FCC can further strengthen consumer protection in the mobile network industry.

Tags: Blog Post

Fraud Losses Reach $10 Billion in 2023; FTC Increases Protection Efforts

Posted by David Galante on April 21, 2024 at 9:38 PM

Discover the latest trends in fraud prevention and how the FTC is working to safeguard the public from significant financial losses.

Understanding the Impact of Fraud

Fraud is a serious issue that can have a significant impact on individuals and society as a whole. It involves deceit or dishonesty for personal gain, resulting in financial losses for victims. Understanding the impact of fraud is crucial in developing effective prevention and intervention strategies.

Fraud can affect individuals of all ages and backgrounds. It can lead to financial instability, loss of trust, and emotional distress. In some cases, victims may struggle to recover financially and may face long-term consequences. By understanding the impact of fraud, we can better protect ourselves and the public from falling victim to fraudulent schemes.

Common Types of Fraud Schemes

Fraud schemes can take many forms, each with its own methods and targets. Some common types of fraud schemes include:

- Identity theft: This occurs when someone steals another person's personal information, such as their Social Security number or credit card details, to commit fraud.

- Phishing scams: These scams involve tricking individuals into providing sensitive information, such as passwords or financial details, through fraudulent emails or websites.

- Investment fraud: This type of fraud involves misleading individuals about investment opportunities to steal their money.

- Impersonation scams: Scammers may pretend to be someone else, such as a government official or a family member, to deceive individuals into sending money or providing personal information.

By being aware of these common fraud schemes, individuals can better protect themselves and recognize potential warning signs.

FTC's Role in Combatting Fraud

The Federal Trade Commission (FTC) plays a crucial role in combatting fraud and protecting the public from financial losses. The FTC works to enforce consumer protection laws and regulations, investigate fraudulent activities, and educate the public about fraud prevention.

Through its various initiatives and enforcement actions, the FTC aims to hold fraudsters accountable and ensure that consumers are aware of their rights and protections. The FTC also provides resources and guidance to help individuals recognize and report fraud.

By actively engaging in combatting fraud, the FTC contributes to creating a safer and more secure environment for the public.

Effective Strategies for Fraud Prevention

Preventing fraud requires a proactive approach and the implementation of effective strategies. Some key strategies for fraud prevention include:

- Educating the public: Raising awareness about common fraud schemes and providing guidance on how to protect personal information can empower individuals to make informed decisions and avoid falling victim to fraud.

- Strengthening cybersecurity: Implementing strong passwords, regularly updating software, and being cautious about sharing personal information online can help prevent identity theft and other forms of cyber fraud.

- Verifying information: Before providing personal or financial information, individuals should verify the legitimacy of the request and the identity of the person or organization making the request.

- Using secure payment methods: Opting for secure payment methods, such as credit cards or payment platforms with fraud protection, can provide an additional layer of security when making online transactions.

By adopting these strategies and staying vigilant, individuals can significantly reduce their risk of becoming victims of fraud.

Collaborative Efforts to Safeguard the Public

Combatting fraud requires collaborative efforts from various stakeholders, including government agencies, law enforcement, financial institutions, and individuals. By working together, we can create a stronger defense against fraud and protect the public from financial losses.

Government agencies like the FTC collaborate with other organizations to share information, coordinate investigations, and develop policies and regulations that help prevent fraud. Financial institutions play a crucial role in detecting and reporting suspicious activities, while individuals can contribute by reporting fraud incidents and spreading awareness within their communities.

Through these collaborative efforts, we can build a united front against fraud and ensure a safer future for everyone.

Tags: Blog Post