Sunday, February 01, 2009
Are cell phone carriers complicit in SMS phishing?
by Larry Geller
Our cell phones are ringing this weekend with multiple phishing messages about our (nonexistent) Aloha Federal Credit Union account. Although they are fake, we still have to pay for incoming SMS messages, and it’s annoying when they arrive in middle of the night.
So I reported them to our cell phone carrier, and learned that the “short code” the messages came from can’t be blocked because they are invalid. They did not say they can do anything about the messages.
Sooner or later, someone with an account at Aloha FCU (or any of the other phishing targets) will respond, and their money will be lost. So it’s reasonable to think that the phone companies would be concerned. On the other hand, they make 15-20 cents per message, and these days, the economy is tough and all that… so they may have no interest in reducing the number of SMS messages they process.
But look how easy it would be to stop these messages, anyway: block any SMS message coming from an invalid short code.
Short codes are expensive-to-set-up abbreviated codes that companies contract for. A legitimate one is traceable. But my point is that the cell phone companies are making it possible for these messages to go through. Unlike Internet spam, the cell phone carriers have more control over the messages they carry, from what I understand of the system.
I’m going to see if I can find someone at the FCC who might know more about this on Monday, when their office is open.
The other possibility is to only charge the sender. Obviously if the sender is being charged and its being charged to an invalid code, its not only electronic theft but I'm sure at some point it would cut into profits that would mysteriously give phone companies an incentive to stop it. In every other third world country, the sender or caller pays for the transaction.