How Insecure Is SMS?

The abuse of SMS messaging services receives much more attention than it used to, and there are reasons to believe this has led to a reduction in fraud. On the other hand, customer complaints and news stories reveal severe ongoing problems with scam SMS messages. The public is also increasingly aware that sending one-time passwords via SMS is the most dangerous form of two-factor authentication, despite the financial services sector placing increasing reliance on SMS after being warned not to. Given the mixed messages (pun intended), I thought it would be worthwhile to briefly summarize some important measures and key challenges for SMS security.

Putting a Value on SMS Fraud

The figures supplied by participants in the RAG RAFM Survey extrapolated to USD1.62bn of messaging fraud per year. This figure is in the middle of industry estimates, though there was considerable variance in the amount of messaging fraud reported by respondents, with many asserting fraud rates for their business were 100 times higher than the average, whilst others said this kind of fraud did not impact them.

A January 2021 report by Mobilesquared estimated that A2P SMS gray routing cost the industry USD13.7bn per annum between 2010 and 2019, and forecast that 23% of A2P SMS, worth USD7.7bn per annum, will be sent via gray routes between 2020 and 2024. These figures might be considered an upper bound as the costs were calculated using the rates that would have been charged if all the gray-routed traffic had been carried by legitimate routes instead.

Global RAFM testing business Araxxe sent 3 million separate test messages across 106 countries and extrapolated from the results to conclude A2P SMS bypass was worth EUR492mn (USD583mn) during 2020. They found mobile network operators on each continent receiving upwards of 30 percent of traffic through gray routes. Infection rates for SMS aggregators were often unacceptably high, with the worst having a gray traffic infection rate of 98%. Despite the startling numbers, Araxxe’s calculations appear relatively conservative and their global loss figures may hence be considered a lower bound.

Widespread Failure to Implement Firewalls

Cellusys, specialist providers of firewalls for telecoms networks, commissioned a study in late 2020 that found 53% of mobile operators reported a ‘high’ frequency of SMS spam attacks. Nevertheless, many telcos had not implemented adequate firewalls, as corroborated by the Mobilesquared research which found that 38% of mobile network operators are not currently protected by SMS firewalls. The industry appears to be steadily investing in firewalls, but Mobilesquared still forecast that 28% of mobile network operators would not have an SMS firewall by 2024.

Increased Interest in Controls over the Origin of Messages

A growing number of countries are tackling the most common scams by blocking SMS messages that appear to come from government agencies or large enterprises but which lack authentication from those bodies. Perhaps the most advanced example is India’s distributed ledger for unsolicited commercial communications (UCC); Indian telcos are required to block any A2P SMS messages not on the UCC safelist. Indian businesses and other organizations must both confirm their identity and provide templates for the messages they will send, with the result that any message that deviates from the templates will be blocked, even if the origin is genuine. The scale of India’s ambition was reflected in the number of organizations that had not added themselves and their SMS templates to the safelist in advance of filters being turned on, with the result that filters had to be temporarily turned off again to allow organizations more time to submit their details. Nevertheless, even these teething troubles will likely inform how other countries will adopt similar controls.
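The safelist-plus-templates arrangement described above can be illustrated with a small filter of the kind a terminating network would run on inbound A2P traffic. This is an added example written for this article, not code from any regulator or telco; the sender IDs and templates are constructed, and the placeholder syntax (`{otp}` matching one run of non-space characters) is an assumption chosen for the illustration.

```python
import re

# Constructed sample registry, modelled on a "safelist plus message
# templates" scheme: sender ID -> templates the sender has registered.
# Sender IDs and templates are hypothetical. A {placeholder} stands for
# one run of non-space characters (an OTP, an amount, a reference).
REGISTRY = {
    "EXBANK": [
        "Your one-time password is {otp}. Do not share it with anyone.",
        "A payment of {amount} was made from your account ending {last4}.",
    ],
    "GOVTAX": [
        "Your tax filing for {year} has been received. Reference {ref}.",
    ],
}

_PLACEHOLDER = re.compile(r"\{[a-z0-9_]+\}")


def compile_template(template: str) -> re.Pattern:
    """Turn a template with {placeholders} into an anchored regex.
    Every literal character is escaped, so only the placeholders vary."""
    literal_parts = _PLACEHOLDER.split(template)
    pattern = r"\S+".join(re.escape(part) for part in literal_parts)
    return re.compile(rf"^{pattern}$")


COMPILED = {sid: [compile_template(t) for t in ts] for sid, ts in REGISTRY.items()}


def filter_a2p(sender_id: str, body: str) -> tuple[str, str]:
    """Decide whether the terminating network delivers an A2P message.
    Returns (verdict, reason) where verdict is 'deliver' or 'block'."""
    templates = COMPILED.get(sender_id)
    if templates is None:
        # Unregistered sender ID, whether spoofed or simply not yet enrolled.
        return "block", "sender ID not on safelist"
    if any(t.match(body) for t in templates):
        return "deliver", "matches registered template"
    # A genuine sender whose text deviates from its registered template is
    # blocked as well; that is the trade-off the scheme accepts.
    return "block", "registered sender, text deviates from template"


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate OTP, one message that
    # keeps the bank's wording but adds a call-to-action, one unregistered ID.
    samples = [
        ("EXBANK", "Your one-time password is 482913. Do not share it with anyone."),
        ("EXBANK", "Your one-time password is 482913. Call us now to confirm."),
        ("EXBNK", "Your one-time password is 482913. Do not share it with anyone."),
    ]
    for sid, text in samples:
        print(sid, filter_a2p(sid, text))
```

The second sample shows why a template match is stricter than a sender-ID check alone: the sender ID is genuine and most of the wording is familiar, yet the message is blocked because it does not match any registered template. It also shows the cost the article mentions: an enrolled organization that changes its wording without re-registering the template is blocked in exactly the same way.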

Circling the Wagons When Reputations Are Threatened

Telcos have suffered a lot of criticism for two kinds of vulnerabilities that lead to the interception of SMS messages and hence compromise the user’s security.

  • There have been multiple reports of high-end hackers exploiting the lack of security for SS7 signaling in order to obtain passwords so they can raid bank accounts or otherwise spy on phone users.
  • At the low end of crime, SIM swapping is often claimed to be too easy, and is usually motivated by a criminal’s desire to receive their victim’s SMS messages in order to take control of other online accounts.

The mix of legitimate and exaggerated criticism has made it difficult for telcos to perform a mea culpa when merited, whilst robustly defending themselves when there are genuine reasons to balance the imposition of controls, as when seeking to place only reasonable burdens on customers replacing a lost SIM. Journalists prefer to write stories that attack well-known mobile operator brands and show less interest in explaining the vulnerabilities of industry suppliers, as illustrated by the reporting of a new form of SMS hijacking made possible by weak controls surrounding the modification of routing data maintained by NetNumber.

Why Not Authenticate Every SMS Message?

The technical progress made in adding cryptographically secure digital certificates to voice calls via the STIR/SHAKEN protocols has raised the question of whether a similar approach could be made to work for SMS messages. This would involve a signature, associated with the specific user, being appended to the message when it is created. Each signature can then be verified by the telco responsible for presenting it to the recipient; the certificate is checked with a centralized coordinating body to ensure the real source is the same as the apparent source. Considerable effort needs to be put into creating the governance bodies and technical infrastructure required to create, transmit and check certificates, but if this is being created for voice calls then there would be less of an overhead when extending the approach to SMS messages. Perhaps the key technical challenge would involve finding a suitable way to transmit a sufficiently condensed certificate from the origin to the destination.
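The flow sketched above, and the size problem it runs into, can be made concrete with a short example. This is an added illustration written for this article, not code from STIR/SHAKEN or from any telco. It deliberately simplifies one part: instead of a certificate and an asymmetric signature, each registered sender shares a key with the coordinating body and the appended "signature" is a truncated HMAC tag, so the whole thing runs on the Python standard library. The registry contents, sender IDs and keys are constructed; the 160-character single-segment budget is the standard GSM-7 figure. What the example shows is the part the article is about: the originating side appends a compact tag, the terminating telco consults the registry for the sender the message claims to be from, and a mismatch in either the sender ID or the text is detected.

```python
import base64
import hashlib
import hmac

GSM7_SINGLE_SEGMENT = 160   # characters available in one single-part GSM-7 message
TAG_BYTES = 16              # truncated tag: 128 bits, 22 characters once base64-encoded
SEPARATOR = " #"            # marks where the appended tag begins

# Constructed registry standing in for the coordinating body. In a
# certificate-based design this would map sender ID -> certificate; here
# it maps sender ID -> shared HMAC key. Sender IDs and keys are hypothetical.
REGISTRY = {
    "EXBANK": hashlib.sha256(b"constructed demo key: EXBANK").digest(),
    "GOVTAX": hashlib.sha256(b"constructed demo key: GOVTAX").digest(),
}


def _tag(key: bytes, sender_id: str, body: str) -> str:
    # Bind the tag to both the sender ID and the text, so neither can be
    # swapped for another without invalidating the tag.
    mac = hmac.new(key, f"{sender_id}\x00{body}".encode("utf-8"), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()[:TAG_BYTES]).decode().rstrip("=")


def sign_message(sender_id: str, body: str) -> str:
    """Originating side: append the tag for sender_id, refusing if the
    result would no longer fit in one message segment."""
    key = REGISTRY[sender_id]
    wire = body + SEPARATOR + _tag(key, sender_id, body)
    if len(wire) > GSM7_SINGLE_SEGMENT:
        raise ValueError(f"signed text is {len(wire)} chars; budget is {GSM7_SINGLE_SEGMENT}")
    return wire


def verify_message(claimed_sender: str, wire: str) -> tuple[bool, str, str]:
    """Terminating side: check the appended tag against the registry entry
    for the sender ID the message claims. Returns (ok, reason, body)."""
    body, sep, tag = wire.rpartition(SEPARATOR)
    if not sep:
        return False, "no tag appended", wire
    key = REGISTRY.get(claimed_sender)
    if key is None:
        return False, "claimed sender not registered", body
    if not hmac.compare_digest(tag, _tag(key, claimed_sender, body)):
        return False, "tag does not match claimed sender", body
    return True, "origin verified", body


if __name__ == "__main__":
    # Constructed sample: a legitimate OTP signed by EXBANK, then the same
    # wire text presented under another sender ID and with altered digits.
    wire = sign_message("EXBANK", "Your one-time password is 482913.")
    print(len(wire), wire)
    print(verify_message("EXBANK", wire))
    print(verify_message("GOVTAX", wire))
    print(verify_message("EXBANK", wire.replace("482913", "111111")))
    try:
        sign_message("EXBANK", "x" * 150)
    except ValueError as exc:
        print("budget:", exc)
```

Even a 128-bit tag costs 24 of the 160 characters once it is encoded as text, and a real certificate chain would not fit at all; that is the "sufficiently condensed certificate" problem the article points to, and why a workable design would more likely carry a short reference to a certificate held by the coordinating body than the certificate itself.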

In the Meantime

Technological solutions to prevent the various abuses of SMS messages are appealing, but it will be some years before they are fully realized and comprehensively implemented. Responsible businesses can voluntarily take action to curtail bad actors by following the advice of the Mobile Ecosystem Forum (MEF). They should adhere to the MEF Business SMS Code of Conduct and implement the recommendations in the MEF Business SMS Fraud Framework.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.