At MEF Connects Cyber Security, John Kennedy, Head of Pre-Sales at AdaptiveMobile Security, shared insights gained over his 30 year career. John took viewers on a journey through time, examining the past, present and future of security using his ‘time machine’ to hop through the landscape of mobile technology. Here are his highlights…
What were the top spam texts in 2012?
As we hopped into our ‘Time Machine’ to 10 years ago, we shared top five spam threats back in 2012. In the UK and globally SMS Spammers were plaguing mobile networks with unwanted Spam. Some were scams, some were phishing others were growth hacking. The top spam campaigns were:
Unfortunately, there wasn’t a cohesive response to this by the mobile ecosystem and these spam campaigns continued and undermined public trust in the SMS channel.
Have we solved the curse of mobile spam, phishing and smishing?
Now, back into the ‘time machine’ and we jump to 2021. How much has changed? Technology progress has been huge in 10 years, so we must have solved it right? Wrong. We can swap two digits from 2012 to 2021 and reissue the press release and not much has changed. Spam has persisted and prevailed and possibly got worse and the individual impact and loss has possibly worsened.
SMS Spam has persisted and prevailed
Spam seems to have defeated us with an onslaught of scams including recent: Package Delivery Scams and Banking Scams. It is very much in the public domain, with the recent Royal Mail scams in the UK, we saw operators and law enforcement cooperate and arrests were made of the gangs behind the attacks. However, there many attacks that went undetected!
Delivery Text Scams
The parcel delivery text scams use social engineering to con consumers, there is a word for this type of behavior, called ‘illusory correlation’ where you connect two unrelated events in your mind. You are waiting for a parcel, get the fake notification, relax your caution as you think it is for your actual delivery and click on the malicious link.
What is the mobile ecosystem doing to prevent SPAM and protect consumers?
Operator brands themselves are being targeted and oftentimes the customer feedback loop is not working quickly enough for the operators to shut down the attacks. We have seen successes in certain geographies such as North America and Canada which we will discuss later but overall, the Mobile Ecosystem can do better to stop these attacks.
How has messaging security changed?
The attacks of the 00’s came primarily from SIM banks. That still goes on but now sending messages is even more accessible and programmatic. You can send messages cheaply and in high volumes, using APIs via a cloud service messaging provider. Even more importantly, you can also vary the content being sent, so it’s more personalized. The ‘call-to-action’ URL can vary too, using a URL shortening service and this varied content makes it more difficult from a security point of view to identify malicious campaigns or attacks. Many technologies will miss this and not be able to identify that they are coming from the same source.
Another change is the increasing consumer demand is for a mobile first approach. We see in many regions banking is gone from laptop to mobile. Companies are responding with mobile first strategies. More and more household brands are using mobile messaging to communicate with customers. It’s a profitable business for those involved in the SMS messaging industry. This makes it more important than ever to protect the SMS communications channel and maintain consumer trust.
Who is responsible for messaging security?
Mobile network operators
Currently mobile network operators are not held accountable for providing a security service. The brand that has been ‘hijacked’ normally gets mentioned in the media so the bank or the parcel company, generally it’s not the operator that gets the public blame.
There are many involved in delivery of the message, but the operator is closest contractually to the customer so there is a role there to be explored around spam control to protect customers. That’s why we evangelize to operators about the benefits of putting Spam control into the network.
Communications platform as a service (CPaaS)
The CPaaS sector has been growing rapidly both scaling themselves and enabling enterprises to grow. These cloud-based messaging providers are revolutionizing communications. It’s now cheap and easy to sign up to use APIs to send messages into the ecosystem.
There is an argument that more mobile security advances could be made in this sector, with more due diligence on ‘Know-Your-Customer’ (KYC) processes upon customer sign up.
Government and Communication Regulators
Regulators have been slow to respond and we haven’t seen an effective global move from regulators to improve the situation for consumers. Privacy laws and GDPR are often used as an excuse for inaction on mobile security. This leads to an imbalanced playing field to tackle attackers, fraudsters can use any technology they desire but for operators, once the data is inside the network have their hands tied in many jurisdictions. Their ability to do certain in-depth data analysis to better secure consumers is hampered due to privacy laws in certain jurisdictions. Also, there’s not really a culture of sharing intelligence between operators in the same way it is done in the cyber security industry.
In North America, we do see improvements with the introduction of 10DLC and The Campaign Registry. Both American and Canadian operators take customer satisfaction and the blocking of spam very seriously. The uptake of the 7726 service is strong. However, is more the exception than the norm in the global mobile security landscape.
Are mobile security vendors doing enough to stop Spam?
The issue has been with us so long people get exhausted talking about it and most of the security vendors are a fraction of the size of their customers with limited time to lobby and get involved with regulators. We do continue to educate and share our security insights with the wider mobile community, but as a business there is also a focus on sales and customer satisfaction.
The business case for SMS Protection
What operators and CPaaS want to buy from vendors, ultimately drives the technology agenda and product road map for security vendors. Generally, monetization has been the primary driver and sales focus for the past decade. Monetization is a well-recognized activity; firewalls are installed to block grey routes and maximize A2P revenues.
What is the difference between Spam Protection and Monetization?
Many people think spam filter and monetization filter are the same things and whilst there is a degree of overlap, there is a different feature set for both. SPAM and smishing have a ‘call-to-action’ which is a shortened URL. To secure against SPAM and Smishing, we must take the URL and process it, go to the domain and collect the “who is” information from the data base and come up with a reputation score for that site and feedback into decision making process. It a complex process at scale.
Monetization is less complicated; we generally know what brand messages look like and we can quickly identify that traffic when it comes into operator network from a grey route. Our customers want to get a better idea of the category of messages are they 2FA, invitations from finance or entertainment etc. Once they can be categorized, the messages can be treated differently and operators and CPaaS can decide on how they will route it, when to send it or indeed how to charge for it.
Solving Messaging and Revenue Protection
Messaging protection and Revenue protection are different issues and if you try to solve them both in the same place with the same process, the monetization features and filters will often get prioritized due to the commercial models. If you really want to address SMS Spam, you need to focus on SPAM primarily and not think that it can be dealt with in same place and with same processes as monetization and grey route prevention. Now, we see the consolidation of security vendors with CPaaS, we need to consider if that will improve or dilute their security focus? Economics driving towards monetization and not better technology for preventing SPAM.
Mobile Security Predictions for 2031 and beyond
- SPAM and message security issues are unlikely to vanish 100%, there is too much money to be made.
- It takes effort and focus to stop SPAM, who invests?
- Industry initiatives improve integrity of the delivery chain
- Brands clearly identify themselves and their campaigns in registries
- The Campaign Registry for 10DLC in USA is now live!
- TRAI (India) opt-in preferences using blockchain
- The principles of KYC are applied to senders
- Harmonisation of privacy legislation across regions
- Greater oversight of enterprise mobile devices and threats
- STIX/TAXII model for threat exchange
- Regulators enforce best practice to protect consumers
- And who knows what Apple/Google will do…
And a key takeaway, if we are hopping into the time travel machine; we must also remember NEVER – set the time travel clock to 2020!
This post originally appeared on the AdaptiveMobile Security Blog and is republished with kind permission