Last week the Mobile Ecosystem Forum (MEF) announced that Ireland and Singapore have emulated Britain by adopting their own versions of an anti-SMS fraud registry that MEF piloted in the UK. However, the news prompted an unusually public dispute about the extent to which MEF’s SMS SenderID Protection Registry has reduced smishing for British phone users. Per MEF, the UK registry…
…significantly reduces the impact of Smishing & Spoofing by SMS. In the UK, many major banks and Government brands are currently being protected with 352 trusted SenderIDs registered to date. Over 1500 unauthorised variants are being blocked on an ever-growing list, including 300 senderIDs relating to the Government’s Coronavirus campaign.
Government agencies… are participating in this ecosystem wide anti-fraud solution which is supported by BT/EE, O2, Three and Vodafone, along with the UK’s leading message providers including BT’s Smart Messaging Business, Commify, Dynamic Mobile Billing, Firetext, Fonix Mobile, IMImobile, Infobip/OpenMarket, mGage, Reach-Interactive, Sinch, TeleSign, Twilio and Vonage.
Dario Betti, CEO of the Mobile Ecosystem Forum, spoke with pride about the success of the UK registry.
There are millions of faked SMS sent by fraudsters trying to steal passwords every day. We need to help consumers and organisations fight back. Thanks to the collective efforts of the British mobile industry MEF has managed to show a way: a Registry for SMS message headers. The fight against fraudsters is a relentless one, it will never stop. But we are happy to celebrate one successful tool created in the UK.
The Ireland SenderID Protection Registry went live on July 1 with the support of Ireland’s three mobile operators plus a variety of merchants, government agencies, banks, retailers, utilities and the Irish National Cyber Security Centre. Singapore’s SenderID Protection Registry was launched on August 2, and MEF says it expects more countries to implement SenderID registries. MEF reported that:
The cross-stakeholder working group has seen a significant drop in fraudulent messages being sent to the UK consumers of the participating merchants.
This led to a glowing write-up by E&T, the magazine of the Institution of Engineering and Technology (IET). The headline of its article implied that the registry would lead to the ‘eradication’ of smishing and SMS spoofing, and the article went on to claim that the UK registry blocks fraudulent SMS messages sent using ordinary SIM cards.
…scammers also send messages in bulk using ‘SIM farms’ that utilise normal SIM cards as used in mobile phones. These SIM farms are devices that operate several SIM cards at a time and can be programmed to exploit the ‘Unlimited Text’ capabilities offered on consumer tariffs – despite being in breach of the T&Cs of use for such consumer offerings. Messages sent from these devices can be easily identified and blocked by the Registry as they always originate from a regular mobile number, rather than from a merchant or brand using alphabetic characters.
However, Stuart Mitchell of global messaging provider Sinch publicly rebuked the IET for making inaccurate claims. Mitchell took to LinkedIn to voice his frustration with professionals who fail to clarify the limitations of anti-fraud systems. On the specific point of whether MEF’s registry enabled the blocking of fraudulent messages from SIM farms, Mitchell wrote:
This is 100% wrong. There is ZERO ability for protected sender IDs to allow a mobile operator to identify and block messages from a SIM farm. There is an argument that it allows subscribers to identify when a SIM farm is being used and they can then block that number but this is an endless (and frankly pointless) game of whack-a-mole as each sending number (MSISDN) is only used once. If this were true, SIM farm smishing would have been eliminated in the UK months ago: however it still continues at an alarming rate.
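To make concrete what a sender ID registry can and cannot match on, here is a toy model of the check such a registry lets an operator or aggregator perform. It is an added example, not MEF’s software or anything from the registry’s participants; the protected sender IDs, the aggregator route names, the homoglyph table and the message sample are all constructed. It sorts A2P traffic into protected IDs on an authorised route, protected IDs arriving on an unauthorised route, explicitly listed variants and unlisted lookalikes, and shows that messages originating from a phone number (an MSISDN, as a handset or SIM farm produces) fall outside the registry altogether. A second function models the whack-a-mole point: a blocklist of previously seen numbers never fires when every number is used once.

```python
"""Toy model of an SMS SenderID protection registry (constructed example).

Not MEF's code. The registry contents, route names and message samples
below are made up to illustrate what such a registry can and cannot match.
"""
from collections import Counter

# Protected alphanumeric sender IDs and the aggregators authorised to send
# on their behalf (constructed; a real registry holds hundreds of entries).
PROTECTED = {
    "EXAMPLEBANK": {"aggregator-a", "aggregator-b"},
    "GOVALERT": {"aggregator-a"},
}

# Explicitly listed unauthorised variants (constructed strings; the article's
# "1500 unauthorised variants" are entries of this kind).
BLOCKED_VARIANTS = {"EXAMPLEBNK", "GOV-ALERT", "GOVALERTS"}

# Digit/symbol-for-letter substitutions commonly used in lookalike sender IDs.
HOMOGLYPHS = str.maketrans({"0": "O", "1": "I", "3": "E", "5": "S", "8": "B", "|": "I"})


def normalise(sender_id: str) -> str:
    """Case-fold, undo common homoglyphs and drop separators."""
    folded = sender_id.upper().translate(HOMOGLYPHS)
    return "".join(ch for ch in folded if ch.isalnum())


def is_msisdn(sender: str) -> bool:
    """True when the originating address is a phone number, not an alphanumeric ID."""
    return sender.lstrip("+").isdigit()


def classify(sender: str, route: str) -> str:
    """Return the registry's verdict for one message.

    route is the aggregator the message entered the network through, or
    "p2p" for traffic originating from a SIM (a handset or a SIM farm).
    """
    if is_msisdn(sender):
        # Nothing to match: the registry holds alphanumeric IDs only.
        return "NOT_COVERED"
    if sender in PROTECTED:
        return "ALLOW" if route in PROTECTED[sender] else "BLOCK_SPOOF"
    if sender in BLOCKED_VARIANTS:
        return "BLOCK_VARIANT"
    norm = normalise(sender)
    if any(pid in norm for pid in PROTECTED):
        # Lookalike not yet on the explicit list, e.g. "G0VALERT" or "EXAMPLE-BANK".
        return "BLOCK_LOOKALIKE"
    return "UNREGISTERED"


# Constructed traffic sample: genuine brand traffic, spoofing attempts on
# A2P routes, and a SIM-farm run that uses a fresh MSISDN for every message.
SAMPLE = [
    ("EXAMPLEBANK", "aggregator-a", "Your one-time code is 123456"),
    ("EXAMPLEBANK", "grey-route-x", "Unusual login, verify at http://example.invalid"),
    ("G0VALERT", "grey-route-x", "Grant available at http://example.invalid"),
    ("GOV-ALERT", "grey-route-x", "Grant available at http://example.invalid"),
    ("+447700900001", "p2p", "ExampleBank: account locked http://example.invalid"),
    ("+447700900002", "p2p", "ExampleBank: account locked http://example.invalid"),
    ("+447700900003", "p2p", "ExampleBank: account locked http://example.invalid"),
]


def run(messages=SAMPLE) -> Counter:
    """Classify every message and tally the verdicts."""
    return Counter(classify(sender, route) for sender, route, _ in messages)


def msisdn_blocklist_hits(messages=SAMPLE) -> int:
    """Count how often a blocklist of previously seen numbers would fire.

    When each sending number is used only once, blocking it after the fact
    never catches a later message, so this stays at zero for the sample.
    """
    seen, hits = set(), 0
    for sender, _, _ in messages:
        if not is_msisdn(sender):
            continue
        if sender in seen:
            hits += 1
        seen.add(sender)
    return hits


if __name__ == "__main__":
    for verdict, count in sorted(run().items()):
        print(f"{verdict:16}{count}")
    print("msisdn blocklist hits:", msisdn_blocklist_hits())
```

Running it on the sample gives one ALLOW, one BLOCK_SPOOF, one BLOCK_VARIANT, one BLOCK_LOOKALIKE and three NOT_COVERED verdicts, with zero blocklist hits: every alphanumeric spoof is caught, and every SIM-farm message passes through untouched, which is the distinction Mitchell draws.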
Mitchell also criticized the assertion that there had been “a significant drop in fraudulent messages” in the UK, though perhaps he was unaware that E&T had lifted the quote directly from MEF’s announcement. Mitchell argued the claim as originally worded may have an element of truth to it, but that it gave a misleading impression about the total extent of messaging fraud.
It may be true that the working group has seen far fewer bad actors trying to use legitimate routes with spoofed sender IDs intended to trick recipients, but that doesn’t mean the overall volumes of smishing traffic have decreased at all. As the last link in the chain, only the mobile operators can determine whether the total volume of smishing has reduced and… there are no tools today which allow them to measure how much smishing is sent to their subscribers.
Mitchell did describe the UK’s SenderID Protection Registry as “a very useful service”, and this is consistent with Sinch’s support for the registry in practice. However, the thrust of Mitchell’s argument was that “sender ID protection is not enough”. This argument was continued by Paul Walsh, CEO and founder of anti-smishing business MetaCert, in several comments on Mitchell’s LinkedIn post.
I have proven to the MEF, GSMA and a number of UK operators, that Sender ID won’t stop a single SMS Phishing message of substance – ZERO (0). There’s only one question that matters:
If this didn’t stop SMS phishing in the UK, and it still doesn’t stop SMS Phishing in the UK today, why is it being rolled out across more countries?
Walsh is a relative hardliner about smishing, and he can often be found responding to Mitchell’s social media activity with arguments for a ‘zero trust’ approach to hyperlinks in SMS messages. MetaCert sells technology that could prevent recipients from following hyperlinks in text messages unless those links are also recorded on a pre-approved list. Walsh insisted that MEF’s approach is a distraction that will delay the adoption of techniques that would prevent smishing.
The people of Ireland and Singapore now have MEF to thank, for putting a delay on a proper solution that works. I’m not ok with this overpromising in the security space, it’s what leads to a false sense of confidence – leading to a compromise.
It’s also a waste of money on everyone’s part. The amount of money being spent on this could be better invested in solving this problem.
Walsh reiterated Mitchell’s point about nobody knowing whether initiatives to reduce messaging fraud are successful because nobody is currently able to measure the number of fraudulent messages received by end users.
…no operator has any knowledge, data or tools to measure the success of anything related to phishing. Nothing. No vendor can do it either. When I say this, some roll their eyes.
I have no dog in this fight, except to reiterate my own point of view that risk management will only improve if it is based on robust data. It would be wise of MEF to share the statistics that show there has been a reduction in fraudulent messages, even if this data also reveals the limits of the protection offered by SenderID registries. Walsh’s criticisms are valuable, but he can also offer more. Expenditure that cannot be justified may be wasted, so Walsh and others had best devise some way of usefully evaluating the performance of anti-smishing initiatives, no matter how difficult this task is. It is true that we do not know what we do not know, and fraudsters take advantage of our ignorance. That is why we should treat our ignorance not as an inviolable necessity, but as a reason to always strive to learn more.
Dario Betti will participate in a panel discussion about SMS fraud at RAG London 2021 on Thursday, September 30.