A New Urgency: An Open Letter to Mobile Operators on Why Zero Trust is Imperative for SMS Phishing Security

Paul Walsh
7 min read · Oct 17, 2023
A silly image that was directed by Paul Walsh and created by ChatGPT + DALLE3

Dear Esteemed Mobile Operators,

As a mobile operator, you find yourself at the forefront of an emerging security challenge, but it’s not a burden you should bear alone. The cybersecurity industry has been slow in equipping you with tools specialized for SMS phishing defense, leaving you in a vulnerable position.

This open letter aims to shed light on the myths and realities surrounding phishing attacks, notably SMS phishing, and outlines why the onus of solving this problem shouldn’t fall squarely on your shoulders.

2021 — Today

In conversations and analyses during 2021, I foresaw two significant developments in the SMS phishing landscape that have, unfortunately, materialized. Last year witnessed the compromise of over 150 major corporations due to SMS phishing attacks on their employees. This included high-profile security vendors such as Cisco, Microsoft, and Okta. Adding to the irony, Twilio employees were also victims of a targeted SMS phishing attack, and their own 2FA app, Authy, proved ineffective in safeguarding them.

Moreover, regulators are taking decisive action by requiring operators to block SMS messages containing web links, and banks are being forced to run TV commercials explaining that they never send links to customers inside SMS messages. This renewed open letter aims to emphasize the urgency of these issues, delve into why Authy and similar code-based MFA apps are no longer reliable safeguards against phishing, and suggest that adopting a Zero Trust strategy offers a more effective way to implement SMS security.

Shifting the Blame? The Case for Mobile Operators

First, let’s debunk a prevalent myth: the idea that phishing is an ever-changing menace. The core tactics of phishing, which involve deceptive impersonation to fool individuals, have stayed remarkably consistent since their inception in 1996 on the AOL network — where I was personally targeted when hackers impersonated my admin screen name inside emails, chatrooms, and instant messaging. Whether executed through Email, Slack, WhatsApp, RCS, iMessage, Google Search, Twitter, or SMS, the essence of phishing remains the same. The confusion arises not from an evolution in phishing strategies, but rather from the emerging channels that cybercriminals exploit to carry out these deceptive schemes.

For example, as soon as MetaCert’s security service was installed inside virtually every community across the world of crypto in 2017, threat actors moved their attacks to Discord and Telegram, where they remain an ongoing pest because those channels lack basic anti-phishing protection. Phishing is the starting point for 90% of all cyberattacks in the world because it’s faster, cheaper, and easier to exploit a human than it is to find and exploit a computer-based system. In other words, once SMS is addressed, criminals will move to unprotected networks or channels rather than try to circumvent effective SMS security controls.

A significant exception to the rule is reverse-proxy phishing. Here the attacker interposes a server between the end-user and the authentic website: the victim’s requests, including username, password and one-time code, are relayed to the legitimate site in real time, and the legitimate site’s responses are relayed back, so the victim sees a working login and has no reason for suspicion. Because the app-generated code is relayed within its validity window and the resulting session cookie is captured as well, app-based 2FA codes offer no protection against it, which debunks the notion that these apps offer phishing-resistant security (only authenticators that bind the credential to the site’s origin, such as FIDO2 security keys, defeat the relay, because the proxy’s domain does not match). Although more advanced, this technique was first discovered in 2017, making it far from new.

The Current Security Conundrum for Mobile Operators

As an operator, you find yourself in a difficult position when it comes to SMS phishing. Far from being the root cause, you are struggling with an issue that has grown more challenging due to sweeping changes in digital communication behaviors, especially since 2019. The rise in adoption of SMS for parcel-delivery notifications from 2019 to 2020 inadvertently handed cybercriminals a new pretext: subscribers now expect messages with tracking links, and attackers imitate them.

The Shortcomings of Sender ID Verification

The notion that sender ID verification can effectively counter SMS phishing is fundamentally misguided. Cybercriminals are well aware that they can circumvent these checks by using regular, consumer-grade SIM cards, which are not subject to identity verification. They further streamline their operations by using SIM banks, allowing for quicker and more efficient mass-messaging campaigns. It’s worth noting that while A2P (Application-to-Person) SMS messages — like those from corporations — can sometimes be tracked based on transmission patterns, P2P (Person-to-Person) messages from individual SIM cards are virtually impossible to scrutinize in the same way, making them a preferred method for attackers.

The Limits of AI in Detecting SMS Phishing

In a nutshell, a phishing message is crafted to mimic the legitimate message it imitates, often copied word for word, so a content classifier has little to separate the two; what differs is where the link leads. For a more in-depth analysis of the shortcomings of AI in detecting phishing URLs, see my earlier industry analysis.

New Regulations are impacting SMS revenue

In response to rising SMS phishing incidents and mounting consumer complaints since 2019, regulators across the globe are taking decisive action. For instance:

  1. The Philippines’ NTC has directed mobile operators to block web links in SMS messages.
  2. In the United States, the FCC is strengthening rules on SMS phishing in response to a notable increase in consumer complaints.
  3. In Malaysia, telecom companies like Celcom, Digi, Maxis, and U-Mobile are following MCMC guidelines to block SMS messages containing links.
  4. As recently as July 2023, in Australia, Infobip and Sinch were put on formal notice for failing to protect Australian subscribers from SMS phishing threats.

These actions highlight regulators’ dedication to consumer safety, but they also have an unintended consequence. They impact SMS revenue for operators and impose solutions that I have proven to be ineffective and unreliable, especially in a world where “do not send links” and “do not open links” are not a long-term answer.

The intent of regulatory action is commendable. However, a more nuanced and informed approach could significantly improve the effectiveness of these measures. While urgency is understandable, efficacy is equally important. Operators shouldn’t have to shoulder unfair responsibilities for issues that demand a solution from the cybersecurity industry. To arrive at more targeted and effective measures, regulators would do well to engage a wider range of informed perspectives, including cybersecurity experts who specialize in countering social engineering and can offer a well-rounded view of the challenges and possible solutions.

The Limits of Reporting Suspicious SMS for Security

Asking subscribers to report suspicious SMS messages may help operators gauge how bad the problem is, but it does nothing to protect the subscriber who received the message. Classifying a URL as dangerous after it has been used in an attack or campaign is akin to closing the barn door after the horse has bolted.

By the time an SMS is reported as suspicious or dangerous, criminals have already caused maximum harm and have either gone on vacation or swapped their phishing URL for a new one.

The Future of SMS Phishing Security: Zero Trust as a Guiding Principle

While it may seem that the cybersecurity sector has been reluctant to offer solutions for SMS phishing, consider another angle. Any prospective customer can test the efficacy of a vendor’s protection with a single SMS, so a product that lets one link through is exposed immediately, and that may be what deters big players like Palo Alto Networks, Proofpoint, and Cisco from entering the market. Why haven’t they offered a solution yet? The security market for SMS is likely to be bigger than that of Email Security.

Going forward, it’s reasonable to expect the security industry to shift its focus toward creating security protocols inspired by Zero Trust, the gold standard in cybersecurity. Traditional approaches, which rely on threat intelligence (lists of URLs and domains already seen in attacks), are inadequate for handling deceptive URLs or web links in phishing attacks, because a fresh link is by definition not yet on any list.

In the SMS phishing context, the Zero Trust model acts like a kill switch: every message that carries a link is treated as a potential threat and is delivered only after the link is verified as legitimate. Unverified is not the same as known-bad; the default is to hold. If we can’t determine the legitimacy of the sender or the message content, we must focus on the call to action, the link itself.
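To make the default-deny idea concrete, here is an added example of a link gate for an SMS relay. It is illustration code written for this letter, not MetaCert’s product or any operator’s filter. It assumes the operator keeps a registry of verified sender domains (the constructed VERIFIED_DOMAINS set below) and that subdomains of a verified domain are trusted; every link whose host is not in that registry is held rather than delivered, including URL shorteners, which cannot be resolved offline. The sample messages are constructed, and the tricks they carry (a brand name used as a subdomain of a foreign domain, credentials in the URL authority so the visible "host" is not the real one, an IP literal, a homograph hostname) are the ones a verifier has to parse correctly before it can decide anything.

```python
"""Default-deny ("Zero Trust") link gate for SMS bodies.

Added example, not MetaCert's product code. Assumes an operator-maintained
registry of verified sender domains (VERIFIED_DOMAINS, constructed below);
any link whose host is not in it is held instead of delivered.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed registry: domains the operator has verified belong to the brand.
# Subdomains of a verified domain are accepted; everything else is held.
VERIFIED_DOMAINS = {"example-bank.com", "parcel-example.co.uk"}

# Smishing links often omit the scheme, so it is optional. Any "user@" prefix
# is kept so that "https://example-bank.com@evil.tld" is parsed as one URL
# and not cut off at the "@".
URL_RE = re.compile(
    r"(?i)\b(?:https?://)?"                                  # optional scheme
    r"(?:[^\s/?#@]+@)?"                                      # optional userinfo
    r"(?:\d{1,3}(?:\.\d{1,3}){3}|[^\s/?#@]+\.[a-z]{2,63})"   # IPv4 literal or host.tld
    r"(?::\d+)?"                                             # optional port
    r"(?:[/?#]\S*)?"                                         # optional path/query
)


def extract_urls(body: str) -> list[str]:
    """Return every URL-looking token in an SMS body (the calls to action)."""
    return [m.group(0) for m in URL_RE.finditer(body)]


def verdict_for_url(raw: str) -> tuple[bool, str]:
    """Decide whether one link may be delivered. (True, reason) means allow."""
    url = raw if re.match(r"(?i)https?://", raw) else "http://" + raw
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    # "https://example-bank.com@203.0.113.9": the text before "@" is userinfo;
    # the real host is what follows it. Plain email addresses land here too
    # and are held rather than guessed at.
    if parts.username is not None:
        return False, "credentials in URL authority; real host is " + host
    try:
        ipaddress.ip_address(host)
        return False, "IP literal instead of a hostname"
    except ValueError:
        pass
    if not host.isascii():
        return False, "non-ASCII hostname (possible homograph): " + host
    if host in VERIFIED_DOMAINS or any(host.endswith("." + d) for d in VERIFIED_DOMAINS):
        return True, "verified"
    # Covers lookalikes such as example-bank.com.account-verify.top and
    # shorteners such as bit.ly, which cannot be resolved offline.
    return False, "domain not in verified registry: " + host


def gate_message(body: str) -> tuple[str, list[str]]:
    """Return ("allow", []) or ("hold", reasons) for one SMS body.

    A message without links has no call to action to verify and passes;
    sender ID and content checks are out of scope for this gate.
    """
    reasons = []
    for link in extract_urls(body):
        ok, why = verdict_for_url(link)
        if not ok:
            reasons.append(f"{link}: {why}")
    return ("hold", reasons) if reasons else ("allow", [])


SAMPLE_SMS = [  # constructed, not real traffic
    "Your parcel is waiting: https://tracking.parcel-example.co.uk/t/8f2a",
    "Example Bank: reset your password at https://example-bank.com.account-verify.top/login",
    "Example Bank alert, confirm at http://example-bank.com@203.0.113.9/login",
    "Login at https://examp\u0142e-bank.com/secure",  # l-stroke in place of l
    "Reminder: your appointment is tomorrow at 10:00.",
    "Click bit.ly/abc123 to claim your reward",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        action, reasons = gate_message(sms)
        print(f"{action:5} | {sms}")
        for r in reasons:
            print(f"      - {r}")
```

Two design points matter more than the regex. First, the allow decision is made on the parsed hostname, never on the string the subscriber sees, which is why the userinfo and homograph cases are handled before the registry lookup. Second, a held message is not a blocked message: holding buys time for the operator to verify the domain (or for the sender to register it) without letting the first wave of a campaign through, which is the gap a report-and-blocklist approach cannot close.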

In Summary…

It’s been four years since SMS phishing became a significant issue, and SMS firewalls and Sender ID checking haven’t sufficed. It’s time to explore a new avenue. Zero Trust offers a compelling framework to tackle this growing threat. You’re not alone in this journey, but you do have an opportunity to be a part of a transformative solution.

For a practical look at what a Zero Trust strategy could mean for SMS security, take a look at the video demo I recorded below for my first open letter in 2021. Much has evolved since then, so feel free to reach out if you’re interested in implementing protective measures for your subscribers and business customers.

Operators that safeguard businesses and government agencies from targeted phishing attacks aren’t just allies; they are strategic partners essential for securing sensitive data and ensuring operational continuity.

I appreciate you taking the time to read through my letter. Let’s elevate SMS to be the premier and most secure channel for businesses and governments to foster relationships with mobile users. After all, aside from voice, it’s the only service that’s universally accessible on mobile devices.

Best wishes,

Paul 🤓

P.S. If you’d like to continue the conversation, don’t hesitate to reach out directly or through a mutual acquaintance. My lines of communication are always open.


Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.