(By the way – it’s not me – it’s actually YOU!)
As a long-time Apple iPhone user, I have found iMessage an invaluable feature, specifically when travelling abroad. Going back a good decade, the original iPhone 3G and its iMessage feature introduced cheap and effective communication between the iPhone and other Apple Mac and iPhone devices at a time when data and SMS charges were so much higher. It was this specific OTP (Over the top) application layer that began to sound the death knell for the humble and quirky SMS by taking advantage of the toll bypass capabilities of iMessage.
Along came a new device called an SMS Gateway – a product whose prime purpose was to interface between the old world of SMS and the increasing digitisation of everything, and to reinvigorate the legacy SMS platforms (cost recovered many times over). This opened up a new era of marketing, where a person could also be reached away from their PC – so it wasn’t just email marketing but also SMS marketing.
Here lies the dilemma. As hackers took advantage of email for malicious purposes, it wasn’t long before they did the same with SMS.
My current Apple device was so smart that I would regularly receive SMS from Apple – the sender would show as “Apple”. The message itself would look just like the screen capture on the left – a small message with a URL that took me to a phishing page.
I decided to turn off the iMessage feature recently – after all, with unlimited SMS within my home country, and the use of Skype or WhatsApp for overseas personal and business use, it became irrelevant.
Coincidentally I received this fake SMS, otherwise known as Smishing. The glee for me was that it didn’t show “Apple” as the sender, but an actual number!
There’s nothing to say that the number itself isn’t fake, but herein lie the possibilities – just as DMARC and dmarcian were able to identify the fake emails from the real ones, so we can now begin to validate all SMS originators based on basic credentials of the SMS sender ID. SMS spoofing, the use of hijacked numbers, has been a hot topic for the last decade – it’s now time to take action!
The sender ID has been extended over the last few years to allow the more efficient functioning of the OTP apps, allowing not just the long telephone number but also a short code such as 12345 or an alphanumeric code such as “Dentists R US”. Not all jurisdictions have applied the standard equally. In Australia, SMS marketing falls within the Spam Act that requires all carriers to have controls in place or authorised senders to some degree.
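The sender ID validation idea above, sketched as an added example that is not part of the original post: a gateway-side check that classifies the three sender ID types and accepts a submission only when the submitting account is registered for that ID. The registry, account names, length ranges and sample number are all assumptions constructed for illustration.

```python
import re

# Hypothetical sender ID registry: sender ID -> accounts allowed to submit with it.
# Every entry here is constructed for this example.
REGISTRY = {
    "apple": {"acct-1001"},
    "dentists r us": {"acct-2002"},
    "12345": {"acct-2002"},
}

SHORT_CODE = re.compile(r"\d{3,8}")        # assumed length range; varies by country
LONG_NUMBER = re.compile(r"\+?\d{9,15}")   # assumed E.164-style long number


def classify_sender(sender_id):
    """Return which of the three sender ID types a value is, or 'invalid'."""
    s = sender_id.strip()
    if SHORT_CODE.fullmatch(s):
        return "short_code"
    if LONG_NUMBER.fullmatch(s):
        return "long_number"
    if any(c.isalpha() for c in s):
        return "alphanumeric"
    return "invalid"


def check_submission(account, sender_id, registry=REGISTRY):
    """Decide at the gateway whether `account` may send as `sender_id`."""
    kind = classify_sender(sender_id)
    if kind == "invalid":
        return ("reject", kind)
    allowed = registry.get(sender_id.strip().lower())
    if allowed is None:
        # Long numbers are not in this registry; number ownership would need
        # a separate check, so they pass but stay marked as unverified.
        return ("pass_unverified", kind) if kind == "long_number" else ("reject", kind)
    return ("accept" if account in allowed else "reject", kind)


if __name__ == "__main__":
    # Constructed submissions: (submitting account, sender ID)
    samples = [
        ("acct-1001", "Apple"),          # registered owner of the ID
        ("acct-9999", "Apple"),          # someone else claiming the same ID
        ("acct-2002", "12345"),
        ("acct-9999", "+61491570006"),   # plain long number
        ("acct-9999", "Free Prize"),     # unregistered alphanumeric ID
    ]
    for account, sender in samples:
        print(account, repr(sender), check_submission(account, sender))
```

The check keys on the pair of submitting account and sender ID because the ID string alone, as displayed on the handset, proves nothing about who sent the message.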
Android’s SMS Manager and open source core make it just as likely to fall victim to smishing and SMS spoofing as any Apple device. We’ll wait to see how successful this is, but I’m hoping that by turning off iMessage, the message is delivered as an actual SMS and not hidden behind some digitally obfuscated code. TBA