Thursday 4 October 2012

SMS Fraud, Security and GDPR


SMS Fraud and Security


SMS Delivery presents rich pickings for fraudsters, take care who you choose.

Firstly, this is not a technical posting.  There will be no mention of SCCP, IR 70 (well one), SRI, or MAP.  Hopefully the topic is as inclusive as possible and can stimulate debate.

If you're new SMS Fraud, its worth taking a brief step back in time to appreciate the root causes of the exploits that fraudsters use.  See History of SMS on wikipedia.

Whilst some issues have improved the following exploits still result in SMS Fraud:
  • SMS Spamming - See the post which discusses how HLR Lookup is being abused to generate SPAM.
  • SMS Faking - The SMSC sender of a message can deliberately alter the senders address such that the message can appear to come from someone elses SMSC.
  • SMS Spoofing - The SMSC sender of a message can pretend to be a roaming subscriber and send messages that appear to come from the roaming subscriber. 
  • SMS Flooding - This is a little bit like a denial of service attack.  An SMSC could pretend to be someones SMSC then deliberately flood the recipients network.
  • GT Scanning - Deliberate attempt to scan the network for SMSCs that are open and hence more vulnerable to the above threats.
  • SIM Farms - Using a computer connected simultaneously to hundreds of mobile phones sim cards, an application can send bulk sms and exploit operator consumer tariffs for all you can eat SMS per month.
  • SMS Interworking - Mobile operators don't tend to bother charging each other for Person to Person messages that land on their networks unless there is a significant imbalance.  Some companies exploit this by sending what appears to the operator to be Person to Person traffic but its actually commercial SMS.
  • HLR Faking - A fake HLR is set up and genuine HLR Lookups are made by fraudulent party.  IMSI responses are then altered.  Messages are then sent via intermediaries.  Prior to termination the defrauded aggregator looks up fake HLR which sends back altered responses which directs message to unexpected destination.
The IMSI or HLR Lookup is a key link in many of these exploits.  It reveals the crucial addressing information that could then be used and modified to launch an attack.  The impact of an attack can be significant:
  • Incorrect Billing:  Messages sent are billed to the sending party incorrectly.  If the messages are in their millions this has a big impact.
  • Connection Lost:  Senders can be cut-off. If Mobile Operators spot issues their only response is to cut off the connection.  This is bad news if you are sending good traffic and another provider is pretending to be your network and sending spam.
  • Price/Value Erosion: Wholesale price of SMS is eroded, because too many fraudsters sell cheaply in order to distinguish themselves from established SMS providers.  This results in more spam and erodes the value of the SMS Channel.
  • Lack of stability:  Providing global SMS connectivity is tough, Unpredictable changes to coverage makes it harder to deliver consistent services to customer.
The underlying messages here are:
  • If you sell HLR Lookup services, then take care who you are selling to.  The information they reveal could be used against you.  Customers may claim that it is for legitimate routing purpose only.  If this is the case then there are other safer alternatives to sell them.   Alternatives to HLR Lookup that only reveal MCC/MNC.
  • If you are selecting an SMS Provider, look closely at their background.  Things to look for are: well established (10 years or more is a rough guide), not incorporated in a tax haven, long list of known brand references, valid contact details (not just email only).  Don't discount the smaller/newer suppliers, I'm just trying to point out that many fraudsters will appear and then disappear regularly as they liquidate their ill-gotten gains.
If you are interested in stopping SMS Fraud, and want to keep the SMS channel clean in order to have powerful engagement with your customers then please follow my blog, take part and comment, and follow some of the useful links below.
Return to HLR Lookup home page

Tuesday 2 October 2012

Free SMS and HLR Lookup


Free SMS and HLR Lookup


Why you should care about selecting Free SMS services?

Free and discounted offers are tempting and common in SMS Marketing but there is a catch.  You've probably all seen the adverts:
  1. SMS Free SMS
  2. Free SMS to UK
  3. SMS Free Free SMS
  4. Free SMS Messaging
So what is the catch because nothing is for free right?  To understand the answer, you need to appreciate how the supply chain for Bulk SMS works.  All readers who understand the supply chain may want to skip a few paragraphs because I've attempted to explain the supply chain below:

Mobile Operators and SMS Aggregators

Mobile operators worldwide have a wholesale business unit.  Their job is to work with partners to resell the Mobile Operators' services.  If you are a Marketing Agency or Brand delivering a service via SMS it is likely you will connect to your customers through an SMS Aggregator.  The aggregator is likely to be a resale partner of the Mobile Operator.  Each operator will only have a few resell partners due to the complexity of managing too many commercial relationship.

SMS Network Coverage

Life starts to become complicated as SMS Aggregators expand their coverage.  Direct Connections allow the SMS Aggregator to achieve the best price and quality for their customers but they are not easy obtain.  To achieve global coverage each SMS Aggregator will trade with other aggregators in order to achieve the best price and coverage for their own customers.  Once global coverage is achieved, it becomes difficult to figure out the actual route any SMS travels to reach its final destinations.  At each step, someone takes margin. As well as cost and coverage, quality curiously comes into play, but what does it mean?

SMS Quality

The resulting network derived from aggregators and operators interworking with each other is complex and lurking within are plenty of nasty traps, but they are not always easy to spot.  Some examples are below:
  1. Mobile Number Portability Correction.  To ensure SMS reaches the correct destination you need to know which operator any number belongs.  If you don't correct for number portability, the results can be unpredictable.  Mobile Operators can terminate offnet SMS (SMS sent to numbers not in their network) and charge an extra fee.  Other Mobile Operators and Aggregators will reject the traffic, and some will simply ignore the message.
  2. SMS Anti-Spam Checking. Some aggregators don't check their traffic for SPAM, The following post describes HLR Lookup is abused to generate SMS Spam. In such cases, they risk being cut off by the provider who is handling their outbound traffic.
  3. No Contractual Permission. Some aggregators don't have contractual permission to terminate SMS.  Instead they exploit vulnerabilities in the complex network of connections in order to get traffic delivered in some cases free of charge.  Sounds great doesn't it.  At some point though that vulnerability will be spotted and the loophole closed down.  The following post describes how HLR Lookup is a primary cause of SMS Fraud.

Back to the question, why should you care about Free SMS, or for that matter Low-cost SMS?

I hope you got a feeling for the complexity of the network required to deliver SMS.  The good companies, most have been around for 10 years or more, have lots of experience and tools that enable them to manage cost and quality.  Less mature providers, and dare I say rogue providers, will not have all of the tools and experience and may exploit network vulnerabilities.  The results could be:
  • Your aggregator is cut-off because they are abusing network vulnerabilities.  You've paid your money and the messages never got delivered and the company has then disappeared.
  • Your provider has used your number list to send out their own SPAM.
  • You get a great deal one week from your supplier but the next week they cannot provide you with coverage, so you have to find a more reliable supplier.
  • Your traffic is delivered via a SIM Farm.  These are not direct connections which some providers claim, in most cases the provider is committing fraud.  The post describes other cases of SMS Fraud and Security
No supplier is perfect, and even the best have some issues.  So if you care about your messages make sure that you build a good relationship with your supplier.  SMS is not a commodity, but many think it is.

Survery: is Bulk SMS Marketing a commodity?

If you are interested in keeping SMS as a great marketing and communication tool for business then please follow my blog, get involved and comment, and view the other good internet sources below.





  • GSMA Mobile Spam Code of Practice
  • Mobile Number Portability, alternatives to HLR Lookups with MCC/MNC.

  • Return to HLR Lookup home page


    HLR Lookup, IMSI Lookup and Privacy


    HLR Lookup, IMSI Lookup and Privacy


    IMSI Lookup & HLR Lookup reveals data that needs protecting.

    Firstly, I'm not lawyer, but you don't need to be to understand the issues or consequences of my opinions in this blog.  Hopefully you will have read some of my other posts and got a feel for how companies good and bad are using HLR Lookup, if not please see the links below.
    When you use a HLR Lookup service (or IMSI Lookup Service) , the data returned to you reveals a number of things:
    1. The Mobile Country Code, and Mobile Network (MCC/MNC) of the home operator.
    2. The Master Switching Center (MSC) of network node currently providing a service.
    3. Subscriber Status Code (SSC) of the MSISDN queried.
    This doesn't sound much, but the crucial item is the 2rd and 3rd on the list.  Sometime known as a full IMSI Lookup.  It tells you:
    1. If the user has their phone switched on or off and whether it has been recently activated.
    2. The geographical location of the subscriber to the nearest city, including if the subscriber is roaming abroad.
    There are real applications that are blatant abuses of this data and it is surprising that so many HLR Lookup services are still available today without the full authorisation of the Mobile Operator.

    There are arguably legitimate services that use Subscriber Status and Geo-location, but these services enabled by HLR Lookup are being increasingly restricted by Mobile Operators as they take increasing measures to lock down any Privacy, Security and Fraud issues in their network.  Some examples of these services might be:
    • Mobile Banking - Is the location of the subscribers mobile phone consistent with other status information known about the banks customer?
    • Mobile Vouchers- Encourage your customer to visit your branch when they are nearby. 
    • Managing Mobile Marketing List - does you customer still use the MSISDN provided.
    Please comment on this post if you believe there are other valid use cases or you have any opinions on those used.

    What is good practice?

    It is not easy for the Mobile Operator to provide these services legitimately.  It would require mechanisms to manage the opt-in of subscribers and the organisations authorised to have the information about them.  Until such mechanisms are in place then mobile operators are forced to take a tough stance on the availability of this data.  Consequently, if you use this information for what you think are legitimate services, then work hard with your supplier to maintain the supply.  However, securing the supply of information may be beyond your combined powers and at some point you could get cut off.  Perhaps a more robust approach is to work with your suppliers to find an alternate approach to solving your problem.  

    Mobile Marketing, SPAM, HLR Lookup


    Mobile Marketing, SPAM and HLR Lookup 


    Using HLR Lookup to Improve your SMS Mobile Marketing

    Marketing via SMS email is big business. In 2011, Informa reported that worldwide nearly $12 billion was spent on these initiatives. We've all experienced email spam. SMS spam takes it to a new level being much more intrusive. Lisa Peterson describes in her blog on mobile privacy, for the first time in history many consumers now have a connected device with them nearly 24x7. This always-on connectivity is tempting to charlatans and as a result there is a growing amount of mobile spam. The increasing volume of unwanted text messages risks damaging an otherwise excellent channel for brands to engage with their customers.

    Today, SMS spam is a less common than Internet spam. One factor in this is cost. In general, it costs more money to send an SMS compared to an email. This has kept many spammers at bay. For this same reason, it has also kept many SMS marketing campaigns in the draft folder. There is good and bad news for brands on this front.

    There are ways to significantly reduce the cost of SMS marketing, but some are short term and not necessarily good solutions in the long run.  The bad news is that as cost becomes less of a deterrent the industry has to impose other measures to prevent mobile spamming. I’ll be discussing this more in a future post on SMS Fraud and Security.

    This post focuses on HLR Lookup, sometimes known as an IMSI Lookup, which some SMS Marketing companies use to improve their SMS Mobile Marketing.

    The HLR contains essential details on the mobile subscriber such as the subscriber’s current mobile operator, whether the number active, and the mobile subscriber’s status which says if the subscriber is active or roaming on a foreign network. Performing HLR Lookup for each of your MSISDNs to create a clean telemarketing list can significantly reduce the cost of executing a SMS marketing campaign.

    For example, if a number is not active you wouldn't waste money sending a marketing message. If the subscriber is out of the country, the message is likely to cost you significantly more – an important fact to know.  Making an HLR Lookup standard prior to sending requested SMS messages sounds like a legitimate thing to do, right?  A little upfront intelligence can help you make better business decisions.

    How Spammers Abuse HLR Lookup

    Unfortunately, some spammers have recognised the value of an HLR Lookup. By sending a sequential list of mobile numbers to an HLR Lookup service you are able to remove all the numbers that are not active, and the spammer is able to build a valuable telemarketing list. To avoid raising suspicions, they may split their request across multiple operators and re-order their requests. It is even possible that you might stumble across these lists. Be warned the penalties and damage to your brand are severe for SMS spam.  

    Best Practices for SMS Mobile Marketing  

    The GSMA, CTIA and OMA and many others have introduced guidelines designed to protect operators and consumers from mobile spam. Privacy by design is an industry methodology used to build privacy into any mobile solution. For marketers here are a few key items to consider:
    1. Consumer Opt-in Law: Are the marketing opt-in laws strong enough in your country to keep the SMS marketing channel clean and does the regulator offer services to help you comply?
    2. Double opt-in: Did you receive an affirmative response for both of your opt-in notices to your contact. Remember a non-answer doesn’t mean yes.
    3. Keep it current: If you haven't had a response from your prospect or client for over 12 months, should they be on your marketing list? Check the guidelines from your local industry association to ensure you know how often they recommend requesting updated approval from your SMS subscribers.
    4. Check and Double Check: What checks did you make to ensure the list was built legitimately? Are you sure you have the necessary approvals from the contact? 
    5. Make it simple and clear. Be sure your contacts know how to remove themselves. It should be as easy as replying “unsubscribe”. 
    Remember the reason SMS marketing is so valuable is the same reason an unwanted SMS marketing message can be so damaging.

    HLR Lookup worries Mobile Operators

    Mobile  operators are worried about HLR Lookup for a number of reasons.  I don't go into details in this post, but you can find more details in the other posts listed below:
    Mobile Operators do use filtering techniques to spot abuse and terminate access but the spammers move on to use smarter techniques, and so the war continues.  The problem is that legitimate uses suffer since the operator has to enforce tougher measures to counter the SMS Spam.  Availability of HLR Lookup services is still surprisingly high, but there is also clear evidence of Mobile Operators working hard to close loopholes and protect their networks.


    Stop SMS Spam

    If you are interested in stopping SMS Spam, and want to keep the SMS channel clean in order to have powerful engagement with your customers then please follow my blog, take part and comment.

    You may find the GSMA Spam Reporting Service interesting.  Simply forward your spam message to 7726 (SPAM) or 33700

    You may also find some of the other links useful.
    Return to home page