Let's be honest with ourselves: the importance of accuracy
I read this article about better smishing protection arriving in Ireland from the Institution of Engineering and Technology (IET) yesterday and I was disappointed by the inaccurate claims it makes for the Mobile Ecosystem Forum SMS Sender ID Protection Registry scheme. I think a journal like this simply must do better.
I've written before on how important I think it is that tech reporting is correct and Dean Bubley wrote on a similar subject too this week in his excellent article on the importance of us all using the correct terminology.
The MEF SMS Sender ID Protection Registry provides a very useful service and its expansion is welcome, but it also has a number of limitations. It works by enterprises pre-registering their sender IDs (i.e. their brands: Amazon, Royal Mail, Barclays Bank) with the MEF, and adherents to the MEF code (most reputable SMS service providers, including Sinch) taking on the responsibility for ensuring that only those enterprises send messages using those sender IDs. If a bad actor tries to use 'NHS', for example (or any number of variations and combinations of it), their messages are blocked at source and consumers are protected.
This protection is valuable and really important. One of the biggest challenges with SMS is the in-built ability (for good reasons!) to set the sender ID to an arbitrary alphanumeric string showing who sent the message, which is exactly what makes it spoofable. There is nothing worse than legitimate messages from the real Bank of Ireland sitting in the same "thread" as scam messages from "Bank of Ireland", because SMS gives the recipient no clue, beyond the sender ID, as to where a message has come from.
However, the MEF scheme is not enough. The only protection it offers is on sender IDs (as the name suggests). It does nothing to protect subscribers from the message content which, in every smishing attack, is where the danger is. The only way to effectively protect subscribers from the threat of smishing is Zero Trust SMS, which Paul Walsh, CEO of MetaCert, has written about extensively in the past. His open letter to mobile operators, in particular, is well worth your time.
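To make the scope of a sender ID registry concrete, here is a small model of one written for this post. It is an added illustration, not the MEF registry's or any provider's code: the protected IDs, the enterprise account names and the sample messages are all constructed. It normalises an alphanumeric sender ID (case, punctuation, digit look-alikes such as "NH5") before looking it up, blocks anything that claims a protected ID without being an authorised enterprise, and, the point this post is making, never even looks at a message whose sender is an ordinary mobile number, because such a message is outside what a sender ID registry governs. Message content is ignored throughout, which is why the two "parcel held" texts below get opposite verdicts.

```python
"""Added example: a minimal model of an SMS Sender ID protection registry.

Illustrative code for this post only. REGISTRY, the enterprise account
names and SAMPLE_MESSAGES are constructed sample data.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed registry: normalised protected sender ID -> enterprise
# accounts permitted to send with it.
REGISTRY = {
    "NHS": {"nhs-official"},
    "ROYALMAIL": {"royalmail-acct"},
    "BANKOFIRELAND": {"boi-acct"},
}

# Digit/symbol look-alikes commonly used to slip past an exact-match check.
_LOOKALIKES = str.maketrans({
    "0": "O", "1": "I", "3": "E", "4": "A", "5": "S", "7": "T", "8": "B",
    "|": "I", "$": "S", "@": "A",
})

# A plain mobile number (MSISDN), e.g. a SIM-farm handset: +447700900123
_MSISDN_RE = re.compile(r"^\+?\d{7,15}$")


def is_msisdn(sender_id: str) -> bool:
    """True when the sender is a numeric mobile number, not an alphanumeric ID."""
    return bool(_MSISDN_RE.match(sender_id.strip()))


def normalise(sender_id: str) -> str:
    """Fold case, strip accents, spacing and punctuation, map look-alike digits."""
    s = unicodedata.normalize("NFKD", sender_id)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.upper().translate(_LOOKALIKES)
    return re.sub(r"[^A-Z0-9]", "", s)


def protected_key(norm: str) -> Optional[str]:
    """Return the protected ID a normalised sender matches, if any.

    A prefix match catches variants such as 'NHS-Covid' or 'RoyalMailUK'.
    (A real registry would tune this; here it is deliberately simple.)
    """
    for key in REGISTRY:
        if norm == key or norm.startswith(key):
            return key
    return None


def registry_check(sender_id: str, enterprise: Optional[str]) -> str:
    """Classify one message by its sender ID alone.

    'pass'         - unprotected ID, or a protected ID used by its owner
    'block'        - protected ID used by an unauthorised enterprise
    'out_of_scope' - numeric sender: the registry never matches it, so a
                     SIM farm's messages are untouched whatever they say
    """
    if is_msisdn(sender_id):
        return "out_of_scope"
    key = protected_key(normalise(sender_id))
    if key is None:
        return "pass"
    return "pass" if enterprise in REGISTRY[key] else "block"


Message = Tuple[str, Optional[str], str]  # (sender_id, enterprise, body)

# Constructed sample traffic. Bodies are shown only to make the point that
# the registry ignores them; +447700900xxx is a UK range reserved for fiction.
SAMPLE_MESSAGES: List[Message] = [
    ("NHS", "nhs-official", "Your appointment is confirmed."),
    ("NH5", "shady-reseller", "Book your vaccine now: http://nhs.example.invalid"),
    ("Royal-Mail", "shady-reseller", "Parcel held, pay GBP 1.99: http://rm.example.invalid"),
    ("+447700900123", None, "Parcel held, pay GBP 1.99: http://rm.example.invalid"),
    ("MyShop", "shop-acct", "Order dispatched."),
]


def filter_batch(messages: List[Message]) -> List[Tuple[str, str]]:
    """Apply the registry to a batch; returns (sender_id, verdict) pairs."""
    return [(sid, registry_check(sid, ent)) for sid, ent, _body in messages]


if __name__ == "__main__":
    for sid, verdict in filter_batch(SAMPLE_MESSAGES):
        print(f"{sid:>16}  {verdict}")
```

Run it and the spoofed "NH5" and "Royal-Mail" messages are blocked, but the fourth message, identical in content to the third, sails through as out of scope because its sender is a number rather than a brand name. That is the gap the rest of this post is about.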
Here are the bogus claims in the IET article:
The cross-stakeholder working group has seen a significant drop in fraudulent messages being sent to the UK consumers of the participating merchants.
This is a case of "the truth but not the whole truth". It may be true that the working group has seen far fewer bad actors trying to use legitimate routes with spoofed sender IDs intended to trick recipients, but that doesn't mean the overall volume of smishing traffic has decreased at all. As the last link in the chain, only the mobile operators can determine whether the total volume of smishing has reduced and (as Paul Walsh has explained) there are no tools today which allow them to measure how much smishing is sent to their subscribers.
Messages sent from these devices [...a reference to SIM farms] can be easily identified and blocked by the Registry as they always originate from a regular mobile number, rather than from a merchant or brand using alphabetic characters.
This is 100% wrong. Protected sender IDs give a mobile operator zero ability to identify and block messages from a SIM farm. There is an argument that they allow subscribers to recognise when a SIM farm is being used, so that they can then block that number, but this is an endless (and frankly pointless) game of whack-a-mole, as each sending number (MSISDN) is typically used only once. If the claim were true, SIM farm smishing would have been eliminated in the UK months ago; instead it continues at an alarming rate.
One of the most common scams over the last few months has been fake text messages pretending to be from Royal Mail. The message usually requests a small payment for a parcel to be delivered, with a link to a copycat Royal Mail website where victims are then asked to give their bank details. These fake texts can also spread harmful malware, which once downloaded gives the fraudster access to sensitive information on the customer’s device.
"Missed delivery" scams, which take the user to a fake web page asking for a payment to reschedule delivery (thereby capturing the victim's address, bank details, credit card and other sensitive information), are probably the most common in the UK, with not just Royal Mail but also Hermes and DHL being impersonated.
Malware is distributed via a completely different scam type, Flubot and the other so-called "SMS viruses" (I wrote about that here), and, again, it's really important to understand that SMS is only the communication mechanism: a text message cannot itself install or spread the malware, it merely carries a link that the victim has to follow and act on.
With the Mobile Ecosystem Forum’s SMS Protection Registry, everything stays the same for the consumer – all that changes is the reduction in smishing texts
Again, only the mobile network operators can definitively make this statement... but anecdotally it seems very clear that since the MEF scheme was adopted in the UK, smishing has not been reduced: it has merely been displaced to SIM farms. If the headlines and public awareness are anything to go by, it has if anything increased rather than reduced.
The article then goes on with the usual advice to be wary about clicking any links (wait... I thought you just said all fraud can now be blocked?), which is fine... but it is more than proven by now that consumer education alone is not enough.
Why does this matter?
I know this is a bit of a rant (and some might think a bit of a witch hunt on the IET or the MEF) but, to me, it's really important that we are open and honest with ourselves: particularly when it comes to protecting consumers from fraud. Unless we admit the limitations of the systems we have in place we are blind to their shortcomings and protection won't improve. Different solutions all have their role to play in eliminating the scourge of smishing on mobile networks and, important as it is, sender ID protection is not enough.
I understand that an earlier version of this post has been somewhat misinterpreted. To be clear, Sinch is supportive of both the Mobile Ecosystem Forum (where we are represented on the board) and its SMS Sender ID Registration Scheme, of which we are fully signed up participants in the UK and elsewhere. My concern, which I hope is clearly expressed above, is that it doesn't help anyone if the capabilities of *any* protection are over-stated. We all owe a duty of care to our industry and to paying subscribers to ensure things are reported accurately, and the article I analysed in depth did not do this. I expected better from a trusted source. If anyone spots any errors in this article, please let me know, privately or publicly, and I will happily make amendments.
First, thanks Stuart Mitchell and Paul Walsh for the great content and contributions made regarding this serious topic. I totally agree that a sender ID registry does not protect against such attacks. Similar issue with robocalling & STIR/SHAKEN on the voice side. Sender ID spoofing: What I don't understand yet, if MNOs & brands are serious about protecting subscribers, the first thing that comes to mind is why MNOs don't programmatically check with the brand whether this message really came from them or not? Wouldn't a simple HTTP lookup and response before the message is finally routed to the customer take care of that? Brands should have no problem exposing such an API to the operators to perform this check. Voice - spoofed caller IDs: Again, the first thing that comes to mind is MNOs should also be able to check with each other whether this number is really dialling the B number. I would be keen to hear your opinion on whether you think this basic design could be effective or not.
Sender ID registry solves many problems our industry faced, but against phishing at its core it is less than effective.
Stuart, I do not actually see this as a rant and normally I'm fairly defensive over the Registry as I have been involved since day one! I agree there are some clear errors in the article, particularly the one you highlight regarding SIM traffic: SIM-generated traffic is not even slightly deterred by the Registry and all parties involved are aware of this. Measuring the reduction in phishing can be done by the MNOs in what I would say is a moderately accurate manner, as they can use benchmarks of complaints sent to 7726, group these as unique campaigns of attack etc., then monitor to see if the complaints go up/down as measures are implemented. They can make some fair assumptions that each attack of x scale generates y complaints. One thing we should not overlook as an industry is the investment by a majority of the operators; in the roughly two and a half years since the Registry launched I'm aware of multiple technology and process deployments across the UK and IE by operators. Not details I wish to disclose on a public forum as it's their business, but these are effective tools in combating SIM-based, and other, attacks and will undoubtedly drive down SIM-based volumes over the coming months and years too.