In the quest to make the internet accessible by mobile devices, it's easy for cellcos to forget that the risks of getting into the internet business aren't limited to new business models and revenue growth. As clichîÅ’µ as it sounds, the internet is populated by bad guys with an arsenal of tricks and tactics to exploit network vulnerabilities for a variety of reasons, and they don't care what device people use to get online.
And if you think SMS is a safer option, think again. SMS spam isn't as cost-prohibitive to spammers as it used to be, as the popularity of SMS has led to messaging charges dropping below $0.001 in markets like China, and even free of charge in others.
'SMS is becoming so inexpensive that attackers now send spam SMSs en masse just by connecting a valid SIM card to a PC,' says Jamie de Guerre, CTO of messaging security outfit Cloudmark. 'You can buy a valid prepaid SIM, spam anonymously and make a profit.'
Consequently, mobile spam has become distressingly commonplace in North and Southeast Asia. According to Cloudmark stats, Chinese users get up to ten mobile spam messages per day. Some operators in India are looking at spam levels around 30%, even after protocol-level filtering. And in Japan, the current spam problem is expected to get worse as operators open their networks to email-to-SMS and MMS services.
Meanwhile, mobile SMS spam isn't just the nuisance of a cluttered SMS inbox. Mobile spam can also trick unsuspecting users into calling back premium rate numbers, texting premium rate short codes or entering personal information into a phishing site. Some attacks even resort to blackmail, says de Guerre.
'For example, in Japan, some mobile users were sent messages threatening to expose their participation in a dating club unless they went to a certain phishing website to 'unsubscribe',' he says.
Pressure on cellcos
The question of where the responsibility lies for dealing with such attacks remains vague. A survey commissioned by F-Secure in March found that the majority of smartphone users surveyed felt it was up to individual users to secure their handsets. On the other hand, 86% of them also said they'd done nothing to secure their own smartphones - this despite three quarters of them admitting they knew that mobile viruses existed.
However, in Asia some regulators are putting pressure on the cellcos to take charge of the problem and mandating measures to get mobile spam under control, from requiring registration of prepaid users to implementing feedback loops that allow consumers to easily report spam via their mobile. In China, for example, both China Mobile and China Unicom have enabled a system where mobile users can forward suspected spam to an SMS shortcode.
Operators can also implement spam filtering in their SMSC or gateway, says de Guerre.
Either way, he says, cellcos should be proactive in coping with spam, especially with customer complaints of mobile spam on the rise that could not only cause them to switch service providers, but distrust the mobile advertising campaigns that many operators are banking on for new service revenue streams.
'A wait-and-see approach for mobile messaging security is simply not an option,' de Guerre says.