Deploying firewalls and Managed Services is often treated purely as a monetisation exercise. But on top of securing revenues, both of these play a critical role in protecting a network’s subscribers, and consequently its reputation. To make the most of this aspect of mobile network protection, MNOs ought to familiarise themselves with existing regulations, legislation and initiatives, and use these as tools with which to guide their filtering and firewall efforts.
Protecting the value of SMS
One core concern in protecting subscribers is preserving the utility of SMS as channel. An unsecured channel will be more susceptible to fraud and abuse (including spam, perceived or real) which reflects badly on the channel as a whole. Subscribers that experience fraud will be less inclined to trust and use SMS messaging in the future.
MEF reported spam becoming a worryingly common phenomenon – 30% of respondents to a recent survey reported receiving spam. Worse still, SMS has been use to try and steal a quarter of subscribers’ data.
But even if we only focus on things that affect the user experience, like spam, it is still important to carefully curate the SMS messaging channel. Text is an incredibly personal means of communication, and the public and regulators alike are increasingly concerned about data sovereignty.
According to the United Nations Conference on Trade and Development, 66% of countries currently have some kind of legislation protecting citizens’ data, with a further 10% considering draft legislation. In some cases operators will be bound by these regulations, in others there will be an expectation that regulations should protect the subscriber from unwanted messaging. At the very least, there will be a perception that their data has been mishandled if users experience spam and misleading or unwanted messaging. (The EU’s GDPR, for example, stipulates that users must opt in to receiving messages.)
At a high level, then, a poor experience risks devaluing SMS as a channel. And if users become more resistant or unreceptive, enterprises will look for other means to communicate – whether than be resorting to tried-and-trusted email newsletters or experimenting with OTT business messaging options.
This is especially true if we return to fraud. A lot of subscriber-oriented fraud causes real harm, from enabling access to bank accounts to full-on identity theft. According to Interpol, there has even been a rise in cyberattacks against corporate targets starting with phishing and other social manipulation tactics leveraged against employees.
SMS phishing (SMiShing) and fake or manipulated messages are common subset of these frauds. This puts MNOs on the front line of fraud prevention. A UK trial initiative has already seen operators, providers, and government and financial institutions team up to vet, register, and protect SenderIDs in an effort to track down and eliminate fraud.
We can hope that more countries and industries explore the possibilities here, but in the meantime operators can greatly improve their subscriber experience simply by reviewing their firewall settings and blocking rules. Ensuring that message metadata and content conform to established service profiles goes a long way to ensuring the integrity of subscriber data.
SIM farms and subscriber data
This same concern is also motivating industry efforts to clamp down on SIM farms and similar routing bypasses. SIM farms are particularly problematic for all players in the mobile messaging ecosystem. They don’t just undercut MNO’s revenue and undermine security, they also raise serious issues for message providers and enterprises regarding consumer data protection.
The typical SIM farm diverts messages to a piece of hardware containing a number of SIM cards, in order to send messages at on-net rates, bypassing the MNO’s international A2P connections. This naturally raises questions about the security of data being handled by the entity that owns the SIM farm hardware.
Even worse are distributed SIM farms, which work via an app that subscribers can download, and which will pay them to let the app send SMS messages from their phone to other subscribers. This potentially puts users’ data into the hands of anyone who has happened to download an app.
Some legislation, for example GDPR, places a responsibility on those handling data to ensure they safeguard personal data and, crucially, that those they subcontract to or to whom they otherwise transmit that data also comply with these safeguards. This is spelled out in a Mobile Ecosystem Forum whitepaper which looks at the duty of care enterprises, providers, and operators are bound by.
“If users become more resistant or unreceptive to SMS, enterprises will look for other means to communicate.”
Making enterprises – and your messaging providers – aware of their responsibilities regarding user data can, in fact, prove a valuable argument in discouraging them from outsourcing some of their traffic to SIM farms. The reduced costs they can get from avoiding your direct connections won’t look so attractive in the face of possible liabilities.
Furthermore, it is so important to ensure your firewall has comprehensive coverage of your connections, and that its blocking rules are kept as up-to-date as possible. This lets you detect and stop SIM farm traffic, and with some sleuthing you can identify the culprits.
While an MNO might not be liable in all these circumstances, the dangers of poor user experience or even data theft make it important to keep the SMS channel clean.
By viewing SMS as a channel that delivers a particular experience, not a commodity, we can ensure a healthy business. By working together to protect traffic and subscribers, that traffic will continue to grow as enterprises and subscribers alike trust as a reliable line of communication. If we let others abuse it, we lose it.