Regular readers will know Commsrisk has long warned about the inevitable international spread of portable ‘SMS blaster’ radio devices that send fraudulent messages to any mobile phone within range. The principle remains the same, whether the device is described as an IMSI-catcher, an SMS blaster or a false base station, and whether it is carried inside a motor vehicle that circles suburban streets or in the backpack of somebody walking through shopping malls. Signals sent to mobile phones within range lead them to downgrade their connection to 2G, and then an SMS is transmitted directly to the phone. A genuine network provider may otherwise have blocked that SMS, perhaps because it contains the URL of a phishing website. We know all this; the general population of most countries has yet to be informed. Readers will need to decide for themselves why the authorities in their country may not have raised consumer awareness of the risk. However, somebody in the UK will finally have to start talking publicly about it, after the City of London Police announced on Friday the arrest of two people suspected of sending smishing messages using this kind of equipment.
Officers have made two arrests in connection with an investigation into the use of a “text message blaster”, believed to have been used to send thousands of smishing messages, posing as banks and other official organisations, to members of the public.
In what is thought to be the first of its kind in the UK, an illegitimate telephone mast is believed to have been used as an “SMS blaster” to send messages that bypass mobile phone networks’ systems in place to block suspicious text messages.
We know where the arrests were made, but not where the SMS blaster was used.
One arrest was made on 9 May in Manchester and on 23 May, a further arrest was made in London.
Huayong Xu, 32, of Alton Road, Croydon was charged on 23 May with possession of articles for use in fraud and was remanded in custody. He will appear at Inner London Crown Court on 26 June. The other arrested person was bailed.
Incredibly, no other details were provided. There was no mention of how many people received the smishing messages sent by this device, or where the device was used. Nothing was said about the content of the messages that would let people tell if they received one. No advice was given to people who may already have been duped by one of the messages into sharing their personal data. In stark contrast with the authorities in France and Norway, both of which mitigated the impact of similar criminal operations by sharing essential information with the public, the strategy adopted in the UK seems to be to say little and hope nobody notices the true scale of the threat our societies now face.
The absence of any useful advice to the public about this case sits in stark contrast to month after month of talk about the UK supposedly having a national strategy to tackle fraud. The issue with this fraud is not the extent to which one device was used before it was identified, but the extreme difficulty of finding any devices of this type. Other countries are talking openly about the need to prevent the import of SMS blasters, but the UK authorities can only offer the same old bland platitudes about the private and public sector needing to work together to protect the public. The private sector does not decide if import bans will be imposed on dangerous equipment with no legitimate use. Only the UK comms regulator, Ofcom, gets to decide how to impose rules for licensing radio equipment. Public servants need to do better than always trying to shift responsibility to the private sector every time that phone crimes occur. Some kinds of crime demand decisive action by the police, regulators, customs officials, and other employees of the state. The use of SMS blasters to send smishing messages is one of those crimes.
A national strategy for combating fraud is useless if it does not anticipate new ways of committing fraud. The British authorities have no excuse for being unprepared in this instance, because the same SMS blaster smishing techniques have previously been identified in many other countries, including neighboring France. Its prevalence in East Asia is doubtless connected to Chinese organized crime, but criminals do not care about national borders or ethnic differences. Either gangs will transport the same techniques to new countries, or gangs in other countries will copy those techniques. It is only a matter of time before SMS blasters are used to defraud victims in every country. Waiting for the ‘first of its kind’ is no excuse. The threat is coming. In fact, it may have arrived long ago, although nobody was checking for it.



