Consumers know all too well that the mobile ecosystem lacks regulation, as many are besieged by daily spam texts imploring them to divulge confidential data, with US consumers receiving 14.1 billion spam texts last month. As a result, the FCC’s efforts are welcomed by every level of the mobile ecosystem, from enterprises to service providers to mobile network operators (MNOs) to consumers. Still, while we all know that the Nigerian prince from the AOL era is not real, SMS fraud is more difficult to prevent than email phishing. So, what do these FCC regulations mean for SMS security?
What FCC Regulations Mean for SMS
The FCC’s regulations focus on preventing consumer-level SMS fraud, setting an important precedent for further regulation that improves consumer trust in SMS. Of course, further SMS regulation would have some monetary benefits at other levels of the mobile ecosystem, such as preventing artificial inflation of traffic, as seen by enterprises like Twitter (totaling $60 million in losses), or helping MNOs improve A2P monetisation. These business benefits are all well and good. But the goal of comprehensive SMS regulations should be to improve consumer trust in SMS.
SMS is ubiquitous due to its utility in A2P business messaging and 2-factor authentication (2FA), whether it’s your Uber Eats order, bank login or a reminder for your dental appointment. Unfortunately, despite their utility, SMS and 2FA remain untrustworthy to most consumers. SMS is the most direct, convenient way for enterprises to reach consumers, yet it’s the least regulated and protected. While the FCC’s regulatory efforts are commendable, there are numerous additional actions the FCC can take to improve consumer trust in SMS. To understand these additional actions, let’s outline some unaddressed problems in the mobile ecosystem today.
Persistent Problems in the Mobile Ecosystem
1. Changing messaging content: Although the FCC is prioritising robocalling regulation, issuing fines totaling $5 million, robotexting is still a big issue. One problem occurs when an aggregator uses different techniques to exploit grey termination. One common approach is to change specific parameters like sender ID, origin global title and content to make SMS firewall detection more difficult. By changing the original content, fraudsters may mislead the SMS firewall and bypass the detection rules, enabling illegal termination and helping them defraud MNOs. When an aggregator does this, they don’t have to pay the mobile operator, meaning the operator loses money. Then, let’s say the aggregator is trashing 25 percent of the message, but the enterprise is paying for 100 percent of the message. That means the enterprise is also suffering financial losses. Even worse, the consumer doesn’t trust the message as it looks altered, yet the consumer will be able to recognise the activation code and use it to unlock their account. This is a common and effective practice that is, unfortunately, affecting the messaging ecosystem.
2. Changing the communication channel: Another method used to achieve grey termination and bypass SMS firewalls is changing the communication channel without consumer consent, negatively impacting consumer trust and data privacy. Consumers requesting security codes over SMS are getting the same codes via different messaging apps like WhatsApp or Messenger. These apps are not regulated and not protected by mobile networks. They use the public Internet instead. Even if they claim to be encrypted end-to-end, there are no guarantees that moving the message content (security code) from the original medium (SMS) to Over-the-Top (OTT) apps (WhatsApp) keeps the data fully protected. Many consumers may not understand that changing the communication channel isn’t just an annoyance; it means their data is compromised.
3. Too many hops between the originator and the consumer: This is a prevalent problem where there are excessive hops between originators and consumers, typically between additional service providers and aggregators. The more hops an SMS message takes from the originator to the consumer, the more likely the message will be altered or exposed because the content generator is further from the MNO. Ideally, we should only have one hop to bring the content generator as close as possible to the MNO. For example, the OTT providers should only use official channels to terminate traffic to MNOs. However, this is unrealistic. So a two-hop rule, similar to international roaming services, could be applied.
What Can the FCC Do?
These FCC regulations constitute important steps toward protecting and regulating the mobile ecosystem. However, these steps are only the beginning. Consumer trust will improve with further regulation of the business messaging landscape, which still feels like the Wild West sometimes. This is where federal bodies can leverage the expertise of international and independent bodies in the telecom space to implement comprehensive regulations. Collaboration is especially crucial, with $3.65 billion lost to SMS fraud in 2021.
Data privacy can be greatly improved by forbidding the changing of content and messaging channels. Additionally, the FCC can reduce the hops between content originators and MNOs by implementing regulations similar to international roaming services. Through these additional steps, the FCC can bolster its efforts to protect the mobile ecosystem to the monetary benefit of mobile operators and enterprises. But, more importantly, these actions will improve consumer trust in one of the most ubiquitous communication channels available, helping enterprises reach consumers safely and directly through a simple text message.