TADSummit Online Conference, 12 March. Google rejects SMS OTP for QR Codes? I understand the SMS bit, but QR codes?

Welcome to the first TADSummit Online 2025 Conference Session. We plan to run these once per week and, as always, deliver honest insight. No BS, it’s in our policies.

The group of people included: Kevin Graham, Bohdan Hopanchuck, Noah Rafalko, Johnny, Dennis Kersten (audience), Ahmed Serag (audience), and myself. Aaron Birnbaum was without power so missed the call. He’s very concerned about QR codes becoming broadly accepted and people using them for financial transactions, more on that shortly.

What prompted this session was the article “Google Confirms Gmail To Ditch SMS Code Authentication.” They’re moving to QR codes for authentication to “reduce the impact of rampant, global SMS abuse.” The abuse is AIT (Artificially Inflated Traffic) and inflated international A2P SMS prices. The application is Gmail access, nothing involving credit cards, BUT as the scope of QR code applications expands the risks become higher, more on that later.

Given SMS for OTP (one-time passcode) was deprecated by NIST in 2016, why hasn’t it gone away? Noah stated it simply: besides voice, SMS is the most available mobile app in the world. This popularity has created a large volume of demand, hence low prices, and as Google pointed out, rampant, global SMS abuse. As mentioned by one of the audience before the session, the competition on price has forced CPaaS to ‘excuse’ AIT to make money on the deal. Customer theft is never excusable. Hence the lack of resolution in AIT, because solutions like Augnet were not adopted.

For Google to choose QR codes, it’s important to understand the application that’s being used, Gmail. It’s reading your email, not making purchases. Bohdan explained how popular QR codes have become. He was in Spain for Mobile World Congress. He had a personal QR code to access his room and the services available through the hotel. At cafes and restaurants, not only in Spain but across Europe, QR codes provide a popular and convenient method to access menus. The application is accessing menu web pages only. BUT Bohdan highlights that in regions such as Africa, the lack of smartphones, rather Facebook phones, limits the reach of QR codes. In Africa SMS and voice will remain dominant.

Fraud with QR codes is growing fast as people grow accustomed to using them. Bohdan shared a fraud case of a lady thinking she was paying for parking in a city. The real QR code had been covered by a fraudster’s QR code. She ended up paying 1000 Euro and was unable to get her money back; the reason given was that she should have paid more attention to the transaction. But we’re often in a rush, the code was by the parking space, it seemed authentic.

Kevin explained how QR codes require sophistication in what applications are OK, what applications are risky, and even whether in the country of use QR codes are acceptable. Google is only enabling Gmail, NOT payments. It’s a relatively simple application. BUT on the cost side, in some countries artificial monopolies have created drastic price rises in A2P SMS, as described in the Great A2P LATAM Robbery. Businesses are being subjected to 250%, 267%, and 6600% price increases for international A2P SMS as global aggregators squeeze out the local aggregators. And we’re seeing even local A2P SMS price increases of 1125%. Countries where this is happening push large web brands away from SMS.

Noah brings a great perspective on the growth in QR codes across markets; the driver is speed and simplicity. That growth runs from markets like Hong Kong and Malaysia, with a significant Chinese population, where I first experienced broad adoption of QR codes, to today’s broader enterprise adoption for compliant opt-in to marketing campaigns. Noah shared how TSG Global are using QR codes for small business applications to build compliant lists. For example, a local corner shop asking its customers to sign up for end of day offers that meet regulatory compliance.

Noah then brings up the RCS angle: is Google doing this to take advantage of its RCS investment with carriers around the world, as a gateway to drive adoption of RCS? Noah does point out payments with QR codes are risky, because they are so easily hacked. Paste over an existing sticker, and a percentage of people are too busy to notice. Also MMS has risen in adoption over the past 18 months, think of it as a simpler multimedia message.

Kevin brings the discussion back to the enterprise’s responsibility to protect its customers. QR codes are not a credible security mechanism. From an experience perspective they deliver ease and speed. But the security layer requires something more than QR codes. It could be SMS, passkeys, biometrics, tokenization, single sign-in, symmetric authentication, network APIs, etc. We’re at a point of more options than we’ve ever known. But what a large web brand / enterprise can use is vastly different to what small and medium businesses can access.

Kevin hit the nail on the head, we’re at an inflection point, from my perspective too many options, too much hype, and a lack of joined up thinking. Leadership will come from the large web brands. They are the ones complaining about the “global SMS abuse.” And will push the initiatives that are gaining broader market adoption, e.g. passkeys. With RCS / MaaP (Message as a Platform) and Network APIs there’s significant work required to integrate with their workflows.

Noah highlighted we’re seeing banks limiting financial responsibilities because of the rapid growth in fraud. Though in Europe the responsibility remains with the banks. Hence fragmentation is growing across markets.

SMS is here to stay, it will dominate the SMB segment, we’ll see more diversity at the top end (large enterprise). But SMS will remain a significant chunk. Predictions for the longevity of SMS ranged from 5 to 20 years. Bohdan highlighted SMS routes are being bought and lots of money is being made. The abuse will continue, large brands will need to take decisive action in moving away from SMS. Some carriers are raising fines per illegal SMS to between 5k Euro and $100k. As we see in the US, billions of spam SMS can be sent per month, and no one is assigned responsibility. Bohdan also shared how biometrics are being hacked in Telegram, and how in Saudi Arabia some of the old Premium SMS frauds are being repeated on the elderly. It’s still the wild-west.

There was an interesting disagreement between Kevin and Noah on whether Google will successfully monetize RCS. Kevin sees monetization as challenging, and they will look to the carriers to run that, which could happen in Europe. While in North America and India, Google will mine all the messaging data, it’s been waiting decades for it. There are certainly issues if Google is able to mine the data without consent. But that’s outside the scope of this discussion.

As we wrapped up the discussion Kevin made an important point on the growth of WhatsApp over the past few years growing to $3-4 B in revenue. And key points on RCS and Network APIs, how their fragmented nature will limit adoption. We heard from Uku of Messente a similar issue in European markets outside Germany and UK.

SMS will remain for potentially 20 more years. BUT the large web brands will move away from SMS, e.g. using passkeys, because they are the fraud targets. QR Codes lack security, it’s about speed and ease of use. A security layer will be required.
