What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
Why Mobile Operators Hold The Keys To Fraud-Proof Sign‑Ins
Stop juggling one-time codes and clunky authenticator apps. We sit down with Eddie DeCurtis, CEO and co-founder of Shush, to unpack how carriers can quietly verify users in milliseconds using standards-driven, privacy-guarded data. Think number-to-IP matching, SIM swap checks, and location signals—all done behind the scenes so sign-ins feel almost invisible while fraud defenses tighten.
Eddie explains why the real barrier hasn’t been demand from banks and brands, but supply from mobile operators. His team built a platform that bundles three hard problems—API exposure, network integration, and business operations—so carriers can go live fast without buying new equipment or hiring armies of consultants. A recent deployment with Dito in the Philippines moved from signature to launch in under 90 days, supporting a wide set of Camara APIs and 40+ endpoints that future‑proof brand integrations.
We also cover the big turn away from SMS OTP. Prices swing, delivery fails, and attackers intercept. Network-based authentication changes the math with “intrinsic data” that supports multiple checks per user journey—verify number, confirm no recent SIM swap, and only then grant access. That creates higher value for brands and a durable revenue stream for carriers. Consent and compliance get full treatment too: how US CPNI rules enable fraud use cases, why EU Recital 47 differs, and where countries like Poland apply stricter limits. The practical answer is market-specific consent modules baked into the platform.
If you’re building login flows, running fraud operations, or operating a mobile network, this episode maps the path from legacy OTP to carrier-grade security that users barely notice. Subscribe for more deep dives, share this with a teammate who owns authentication, and leave a quick review to help others discover the show.
More at https://linktr.ee/EvanKirstel
SPEAKER_01:Hey everybody, fascinating chat today with a company that's making mobile authentication faster, quieter, and more secure by working directly with the carriers at Shush. Eddie, how are you?
SPEAKER_00:I'm doing great. Great to see you again, Evan.
SPEAKER_01:Well, great to see you. Uh, you've come a long way since we met at MWC a couple years ago. Uh, before that, uh, maybe introduce yourself. What's the big idea at Shush?
SPEAKER_00:Sure, I'm Eddie DeCurtis. I'm the CEO and co-founder of Shush. Shush was created because, you know, uh, we never had a demand problem with network authentication APIs. We had a supply problem, right? There's not enough carriers. There's a thousand mobile network operators out there, not including the MVNOs, right? And, you know, like 33 launched something, right? So all the demand was pent up and we didn't have the carriers. And I, you know, found this hole, you know, all the or the you know, the you know, blind squirrel got the nut, right? Found the hole in the in the space, and we provide a full monetization solution for the network operators so they can launch mobile network authentication, Camara, you know, with up to 47 different APIs. So yeah, it's really exciting time. Yeah.
SPEAKER_01:So in simple terms, I mean, how does your silent authentication actually work?
SPEAKER_00:So what we do is we have a full platform that we like to call Sherlock. It is, um, I believe to currently today the only platform that is state that has all eight stable Camara APIs. So number verify, SimSwap, Location, and others, right? So there's about eight. Now I think there's 10, and we'll add those other two. We are the only platform in the world currently today. That is utilizing TS.43, EAP-AKA, uh, or thing as a verify 2.0 using the true application ID 2015, which is what you're supposed to be using, not 2014, but that's a whole different. We can talk about that for hours. Um we have 47 APIs, so everything from silent network authentication, you know, which is mobile phone number to IP matching to header enrichment. And for a great example, we made an announcement a couple, uh, you probably saw a couple of weeks ago, where we signed Dito, uh, the carrier in the Philippines. And to give you an to give you an understanding on how fast we move, we signed it September 19th or 18th. We went to network integration in October. They launched their the platform's ready to launch and start making money today with 47. Well, they're gonna launch eight 18 APIs, including all the Camara ones. Like they're it's available today. It's shocking. No one could believe how quick we went from signature to market launch in less than 90 days.
SPEAKER_01:Amazing. And just give tell the basics. I mean, what does just do that, you know, authenticator apps or you know, even SMS codes aren't doing today?
SPEAKER_00:So this is the new evolution of authentication. Authentication apps are great, there's a place for them, but the only place in the world to get sim swap information is from the mobile network operator. Apple doesn't have it, Google doesn't have it, nobody has it but the mobile operator. Well, you have to be able to expose that. Now, this is the first time in the history of mobile network operators that they're going to expose their CPNI data outside their own four walls. So you have to have a platform and an exposure platform to do that. So any company with some money can go out and build that technology, right? And then any company can go out and you know, figure out that network integration piece. What do I need to make it connect to the network so I can so I can expose those data attributes to a third party? But the biggest thing that we bring to the table, or I like to say our moat, is the business operations. Because my chief product officer is John Morrow, who came from to us from T-Mobile, who ran this product from its inception to its execution from a carrier standpoint. So dealing with privacy, dealing with legal, dealing with regulatory, you know, uh privacy. Privacy is at our core. So being able to deliver three legs of a stool, technology, network integration, and business operations to a mobile operator that has no clue on how to do this because it's all brand new and it's only been spoken about at GSMA and others. To be able to say, hey, I can get you from signature to launch in less than 90 days, as well as a global partnership with Twilio to help accelerate the adoption of network authentication APIs where they're gonna come in and be your first customer, right? It's a win-win at no cost and zero risk to the mobile operator. Do you have to spend tens of millions of dollars on network equipment? You don't have to spend tens of millions of dollars on consultants that actually don't know what that they never work inside a mobile operator. 
So we bring all that to the table, again, at no cost and no risk to the mobile operator. That's the major differentiator. Oh, amazing. And the most and the best in class platform. No, there's not a platform out there that can come anywhere near to what we're offering.
SPEAKER_01:Incredible. And so if if you're a business or enterprise, what does onboarding look like? Uh if if I want to use Shush?
SPEAKER_00:So it's it's that's well, you're not using Shush, you're a mobile operator. You're asking the mobile operator, mobile operator, how do I onboard? Well, you have an onboarding process. You can onboard utilizing the TM Forum's onboarding uh APIs, or you can onboard directly. Um we have all the sandbox, all the code snippets, uh, the ability to do Wi-Fi, um Wi-Fi authentication, you know, for the application. So they're always covered under you under the whole aspects of network authentication Camara. We're a major supporter of the Camara effort. But the but the challenge is today, every there is billions of dollars being spent on network authentication, right? Brands and banks have a huge lead time when they have to make changes to their applications to do different things. So what we do is we say, okay, we're gonna future proof the mobile operator, and we're gonna future proof the brand for that mobile operator. So let's take bank X does SNA, right? Well, our mobile operator can accept SNA traffic in, right? But let's say the bank X went to Camara number verify without doing any changes at the mobile operating layer, the mobile our mobile operators will accept that Camara request. So it's always future-proof for both the brand side and the mobile operator, so they can so they don't have to make massive changes because to get the Camara SDK loaded into an app is a heavy lift, right? So to get from point A to point B, you have to have you have to care for everything in between, and we do.
SPEAKER_01:Interesting. And are are you meant to replace two factor uh entirely or are you another layer, uh as it were?
SPEAKER_00:So two-factor is going the way. I and you know, you can look at you can look at um Mobilesquared's latest report, the the OTP traffic is dropping exponentially. Brands are finding other ways of doing it. So it is is it a third-party app, which which really is a struggle on uh the user experience, or is it using utilizing OTT on an OTP on an OTT? Say that 10 times fast, right? Doing that, right? Or is there another way or even email? How many more emails have you received with your five-digit code or six-digit code, right? You're starting to see more and more of that moving away from SMS. One, it was never designed to be secure. I remember when we created OTP back in the days, right? Um, there's no price stability, right? So prices just keep changing depending on how the wind blows or who got the latest um exclusivity, right? So there's challenges there, there's delivery issues, man-in-the-middle, you know, there's all these problems with SMS. So they're trying to find another path. That traffic's never coming back, right? So network authentication, more secure, best in class, follows all the security protocols, policies. You can't have man in the middle attacks. There's all these great positive things about network authentication that I like to tell my mobile network operator partners this is not a replacement for OTP, because that's going the way anyway. This is a new revenue stream. This is a brand new revenue stream that is actually going to be substantially larger than whatever OTP was. Because it's because we have intrinsic data. So intrinsic data is 3.2 interactions per API. So they come for, let's say, number verification, they stay for SimSwap, right? Or they stay for location, or they stay for something else. There's there's more than one-to-one interaction where OTP is just a one-to-one interaction. Throw it over the fence, and if the person utilizes the code, he does, or he doesn't. 
But it's only a one-to-one where network authentication is is Evan on the network? Yes. Did Evan do a sim swap? No. Send Evan an SNA silent network authentication and allow him to access his account. All done within milliseconds. Behind the scenes, the banks, the fintechs, the brands see the value. They don't mind paying the extra uplift. You're moving up the value chain as a brand is more secure. So they're willing to pay it as the mobile network operator is seeing greater revenue because they actually moved up the value chain. They're now offering a service that is truly monumental and secure and fraud protection that they never saw before. So it's a win-win on both sides. The mobile operator makes more money, and the brand has a more secure uh way of authenticating the individual.
SPEAKER_01:Amazing. And how do you think about uh global coverage when you know networks and rules are different per country or per region?
SPEAKER_00:How does that work? Great question. Great question. I like to say consent is not a one-size-fits-all, right? So there's been a couple of you know companies out there that go, oh, I got a great consent module. Well, that's great. However, what is allowed in the United States, which is absolutely everything, it's like the Wild West, right? Uh, to compare to what's allowed in Poland, is two different things. It's not the same, right? So again, since we deal with the mobile operator directly, and privacy is part of our foundation, we work with them to make sure we have a consent module in place specific for the market. So the United States has um in our telecom regulations 47.222d, we know it by heart. It's basically no opt-in, no opt-out, it just is. As long as it's for fraud use cases, you can give or share third-party CPNI data. Okay, that's like everything, right? But that's a US. And and some countries are like that. And then in the in in Europe, you have Recital 47, which allows for opt-out. And then you have Poland, right? And I use Poland because it's a great example. They're part of the EU, but they have their own specific laws that sit on top of Recital 47 that doesn't allow for any of this. So what you have to do is you have to have, you have to be specific for those individual countries, and we and we care for that. Again, since we're providing a platform for a mobile network operator, or we're providing a business in a box for a mobile network operator, you have to care for all those idiosyncrasies specific for the markets.
SPEAKER_01:Amazing. So I I think of you as the uh uh you know insider, thought leader, expert in this space. What's the biggest misconception uh people have, even in the industry, about mobile network-based authentication?
SPEAKER_00:There's a lot of um there's a okay, so there is a lot of I I hate to use this term misinformation, but it is. You just sit there and you kind of your eye, my eye thoughts are twitch, and I feel like brain cells are dying, and you just really just want to blow them up on LinkedIn, and I don't do that because I just think it's not worth my energy. Um, I think the biggest misconception is that, you know, the biggest it's difficult, right? It is difficult, but it doesn't take years to implement. Go back to Dito, go back to all my other customers, right? My other customers have not launched yet because it has nothing to do with technology, has nothing to do with where up, has all to do with they're not sure how to do it, right? No matter how much we it's it's it's almost to the point where um they caught the bus, now what do I do? Right, and we're trying to educate them to launch as soon as possible. And then you meet people like Dito and their thought leadership, and they were like, no POC, let's get this launch, let's go, right? Let's start making money. You're starting to see more and more operators like that. But you know, remember back in the 90s, these guys were cowboys. Now they became real big businesses, and they have to be really, really careful. And every now and then you you find that diamond in the rough, like Dito, that they can, you know, that will launch as soon as they're ready. That's the challenge. I think that's the biggest challenge in the industry is, and a lot of people launched Camara and they go, Well, we launched Camara, and no, should no one showed up. Well, if they actually understood how Camara works, they would understand you you're gonna be waiting for a while, right? Um, because the Camara API structure that has to be loaded into the application is very cumbersome. Like I like to say, it's because what happens when a bunch of engineers get in a room and don't talk to people in the business, right? 
And they created an they created an SDK that needs that is called from the application. Well, great example, Twilio's Authy product. It already has the waterfalling built in. So you send a login use case, right? But depending on the carrier and what the carrier can offer and what this is and what the brand wants to use, they could say if they have network authentication, use that. If it doesn't fall back to SMS, if it doesn't fall back to, you know, email, let's say that waterfalling is built in. Can't do that with Camara, it's very it doesn't work that way. You actually call it from the application. Well, talk to a bank. Excuse me, I need you to change your security protocols on your app and load this SDK. All right, we'll see you in six years. Again, goes back to you know, goes back to future-proofing the brand, right? So the brand's ready. Whenever the brand's ready, the the carrier's ready, right? So the carrier has all this stuff. And another example, I was talking to a mobile network operator, and they go, We have Camara SimSwap. We've been waiting we we've been working on number verified for um you know the last eight months. We can't seem to get it to work. And I kind of look at them and they what do you mean you can't get it to work? Because they built their own platform, right? Like, what do you mean you can't get it to work? They go, Yeah, we're having challenges to get it to work. I said, they said, What can you do? I said, Well, you can launch with eight stable Camara APIs today. They go, What do you mean? You have them already? I go, Yeah. We integrate to your network, you know, we know exactly what network elements we need to be talking to. If you have uh, if you have an API gateway, we can configure your API gateway for you, you know, to make sure it's talking to the right network elements to get you don't need any new equipment, you don't need to go buy a NAF, you don't need to go buy a SCEF. 
You know, it's I mean we narrowed it down to three network elements that all we need to talk to. To get all 47 APIs to work, we talk to three network elements and that's it. If you have an API framework layer like an Apigee, fine. So we like to say we talked to a couple carriers and they were like, Yeah, we have Apigee and we don't know how to configure Apigee to talk to the network. Well, there were two people at T-Mobile who knew how to do that. I hired one of them. So it's like, get the right experts in, right? We have them, right? We're over 30 employees now, which is amazing, right? From think about this. I sat in front of the, I think it was the Ericsson booth. I forgot what booth I was. You videotaped me at Mobile World Congress. So a little over a year and eight months, I'm now at 30 employees. Um, you know, we got you know multiple carriers of our customers. I mean, we have just grown leaps and bounds. I did a I did a you know, quick story, I did a uh pre-seed round. I was oversubscribed and closed in 45 days when nobody was getting any money, right? So it's it's just been an absolute joy ride. But that's the point. We have the right people, the right experts. Our head of network engineering spent 35 years not only putting these wireless networks together, but actually operating them. So he knows what an entitlement gateway is and how it works and all the pieces that need to go in there. What a what a UDP or you know, an HSS or a PCRF, he knows the languages. He knows how to talk to those network engineers. So having those experts that speak the language and can do the work for the mobile network operator, just again, takes that heavy weight off their shoulders because there's again a lot of uh like we I know this is a long way to answer your question. There's a lot of misinformation of people who who truly don't fully grasp what what needs to happen. We can do it quick, we can do it fast, it's not that difficult. 
You know, it's just a new way of doing it.
SPEAKER_01:A new way indeed. No, it's really exciting. Um, and let me ask you about the US market. And without naming names, I don't want to throw anyone under the bus or uh mention the the you know the the characters we all know or love and hate in some cases, but um what's the status? Why why aren't we seeing here in the US more of the technology being rolled out to consumers and businesses?
SPEAKER_00:So believe it or not, T-Mobile and Verizon have been doing it for a while, and it's a pretty big business. It was a big business at T-Mobile, it was all the major banks were using it. Um I think they need to use it a lot more. The challenge was AT&T, right? And I'm not trying to throw AT&T under the bus. They, you know, they there wasn't there was an issue, and they had rightfully so. They had concerns about letting aggregators in, hence the 120 million dollar location fines that they got. Now, there's a whole story behind that that we can get into over a beer if you want, but it wasn't as bad. It was the third party who actually uh violated the terms of the agreement. At least that's the best way to describe it. Maybe it wasn't, but it was done via a third party, and we all know the the players in this space. So AT&T, rightfully so, said no aggregators. Everybody needed to come direct. Well, getting a bank who has no idea how to do this, or fintech, to connect directly to AT&T's network platform, right? Whatever platform they have, it's hard, right? And that, you know, so you're you you have less than a dozen customers where T-Mobile can have thousands of customers based on working with aggregators. My understanding is, my understanding, and then you know, don't quote me on this, but my understanding is AT&T has come around and come to terms with the fact that they need aggregators to grow the business. So what we like to say, AT&T has been unlocked, and I think that's just gonna fuel the market because we are the platform for the CCA, right? We are the platform for the CCA authentication hub with our partnership with an amazing little company. Well, I don't think they're little anymore, called ClearSky, who works really close with those tier two, tier three rural CCA members, right? And our platform sits as the um as the power behind the uh ClearSky Snap solution. So a mobile network, a small operator, we we uh they made a couple of announcements. 
There's more behind these announcements than just the ones they already spoke about. Um First Cellular of Uh Northeast Arizona is a small carrier that's now connected. Um uh NTT Docomo Pacific is now connected. So, you know, just by utilizing this ClearSky platform powered by Shush, these these small rural operators can become completely compliant, completely up and map and running in less, again, less than 90 days. You know, it's super easy for them. And ClearSky manages it from their from their multiple data centers in the United States. Super, super simple, great partnership, great team over there at ClearSky. They really, really help because a lot of people forget we still have more than 60 mobile operators other than the big three, right?
SPEAKER_01:Yeah, you tend to forget, yeah.
SPEAKER_00:And they still have the same requirements as the big three, right? They have to have a sim swap solution, they have to have this, they have to so they have all the same requirements, and ClearSky fills that gap for us.
SPEAKER_01:Fantastic. Well, so much uh accomplished, so much work to do. Congratulations on all the success study onwards and upwards.
SPEAKER_00:Yeah, it really truly, and I and Evan, I can't thank you enough for being a huge supporter of ours. You were my first, you were the first person I told. I'll never forget texting you going, I got something for you. I want to tell you about it.
SPEAKER_01:I don't think I understand, uh understood probably 70% of what you were saying at the time, but now I do. So I've come around and it really is opening a lot of eyes. Congratulations, Eddie.
SPEAKER_00:Thank you. Thank you so much, and thank you again. Thank you for being a big support. I too I truly, truly appreciate it.
SPEAKER_01:And thanks. Thanks for being here. Thanks everyone for listening, watching, sharing the episode. And be sure to check out our TV show, techimpact.tv, now in Bluebird TV and Fox Business. Thanks, Eddie. Thanks, everyone. Be well.