Jez Goldstone, Director of Customer Security Innovation in the Chief Security Office at Barclays Bank, outlines the contents of a new whitepaper which sheds light on the issue of SMiShing, whereby a phone user is tricked into taking unwanted action or downloading malware via SMS.
Smishing is a big problem across a number of industries. Our customers, and yours, are getting tricked into taking actions by fraudsters.
Because recipients can’t verify the origin of an SMS message, they have no way of knowing what’s legitimate and what’s not.
At Barclays, we wanted to introduce a way for mobile phones to be able to verify that a message was sent by the legitimate party.
The whitepaper we’ve just published steps through one way to achieve this – in an open, distributed configuration that can be relied on until SMS becomes intrinsically more robust from a security perspective.
In it, we’ve:
- Defined a number of design principles that we hope make sense across the industry.
- Set out to avoid the need for any single central authority that could gain a monopolistic position on the verification of SMSs.
- Avoided any impact on existing SMS traffic.
In the whitepaper, we explore one way to allow a consumer mobile phone to validate the origin of an SMS. It combines widely implemented existing solutions to raise the bar on today’s configurations.
To make this solution work, we’ll need buy-in from key industry players – no individual organisation can make this work in isolation.
We’ve deliberately not attempted to dot every ‘i’ and cross every ‘t’ in the paper because we wanted to start a discussion early and explore your reactions to it. Where there are known gaps in the solution, they’re highlighted in the document.
It would take very little time to build a proof of concept to explore the solution, and its implementation could be rolled out with a minor update to consumer handsets.
Our hope is that the proposed solution sparks a discussion among this community (and beyond) on how to control smishing so that practical solutions make their way on to mobiles in the near future.
The whitepaper contains more details – please get in touch to share your thoughts.
MEF’s Future of Messaging Programme
Taking a cross-ecosystem approach, MEF’s Future of Messaging Programme provides a unique opportunity to unite all parties within the mobile messaging ecosystem, to achieve a common goal to promote and accelerate best practices in order to limit fraudulent behaviours and identify new opportunities for mobile messaging.
The self-funded initiative supports all stakeholders to advance and protect the Future of Messaging and is part of MEF’s long-term commitment to advocate industry best practice and good regulation across the mobile ecosystem.