SMS spoofing
Encyclopedia
SMS spoofing is a relatively new technology which uses the short message service
Short message service
Short Message Service is a text messaging service component of phone, web, or mobile communication systems, using standardized communications protocols that allow the exchange of short text messages between fixed line or mobile phone devices...

 (SMS), available on most mobile phone
Mobile phone
A mobile phone is a device which can make and receive telephone calls over a radio link whilst moving around a wide geographic area. It does so by connecting to a cellular network provided by a mobile network operator...

s and personal digital assistant
Personal digital assistant
A personal digital assistant , also known as a palmtop computer, or personal data assistant, is a mobile device that functions as a personal information manager. Current PDAs often have the ability to connect to the Internet...

s, to set who the message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text. Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company, product).

How SMS spoofing is carried out

SMS Spoofing occurs when a sender manipulates address information. Often it is done in order to impersonate a user that has roamed onto a foreign network and is submitting messages to the home network. Frequently, these messages are addressed to destinations outside the home network – with the home SMSC essentially being “hijacked” to send messages into other networks.

The impact of this activity is threefold:
  1. The home network can incur termination charges caused by the delivery of these messages to interconnect partners. This is a quantifiable revenue leakage.
  2. These messages can be of concern to interconnect partners. Their customers may complain about being spammed, or the content of the messages may be politically sensitive. Interconnect partners may threaten to cut off the home network unless a remedy is implemented. Home subscribers will be unable to send messages into these networks.
  3. While fraudsters normally used spoofed-identities to send messages, there is a risk that these identities may match those of real home subscribers. The risk therefore emerges, that genuine subscribers may be billed for roaming messages they did not send. If this situation occurs, the integrity of the home operator’s billing process may be compromised, with potentially huge impact on the brand. This is a major churn risk.


The legitimate use cases for SMS spoofing include:
  1. A sender transmits an SMS message from an online computer network for lower more competitive pricing, and for the ease of data entry from a full size console. They must spoof their own number in order to properly identify themselves.
  2. A sender does not have a mobile phone, and they need to send an SMS from a number that they have provided the receiver in advance as a means to activate an account.
  3. A sender adopts the default network gateway identifier provided by an online service, in order to send an anonymous sms, rather than specifying a number of their own choosing.


An SMS Spoofing attack is often first detected by an increase in the number of SMS errors encountered during a bill-run. These errors are caused by the spoofed subscriber identities. Operators can respond by blocking different source addresses in their Gateway-MSCs, but fraudsters can change addresses easily to by-pass these measures. If fraudsters move to using source addresses at a major interconnect partner, it may become unfeasible to block these addresses, due to the potential impact on normal interconnect services.

Legality

In 2007, The UK premium rate regulator, PhonepayPlus (formerly ICSTIS) concluded a public consultation on anonymous SMS, in which they stated they were not averse to the operation of such services. However, from 2008 PhonePayPlus are introducing new regulation covering anonymous SMS which will require anonymous SMS service providers to send a follow-up message to the recipient stating that a spoofed SMS has been sent to them, and operate a complaints helpline. It is illegal in Australia.

Protecting users from SMS spoofing

If a user can prove that their SMS sessions have been spoofed, they should contact both law enforcement and their cellular provider, who should be able to track where the SMS messages were actually sent from. A user may also modify the phone's settings so that only messages from authorized numbers are allowed. This is not always effective since hackers could be impersonating the user's friends as well.

Examples of SMS spoofing

  • Messages sent from Google are sent with the Sender ID "Google".

  • Skype sends messages from its users with the mobile number they registered with. Note that when a user attempts to "reply" to the SMS, the local system may or may not allow the replying message to be sent through to the spoofed "origin."

  • A user who does not have a mobile phone attempts to sign up for a Foxytag account, which requires an SMS from a phone number that the user registers with. A dynamically assigned number from an anonymous SMS service will not work because the user is not given the dynamic number in advance to register with.


The Asian School of Cyber Laws (Pune) recently conducted experiments in SMS spoofing at the national and international level. They were able to successfully spoof SMS messages and make them appear to come from other people's cellular phones. These people were using GSM
Global System for Mobile Communications
GSM , is a standard set developed by the European Telecommunications Standards Institute to describe technologies for second generation digital cellular networks...

 based cellular phone services in various parts of India and other Asian as well as African countries.

Sammer Mehra discovered a security vulnerability when sending a spoofed SMS message to F
F
F is the sixth letter in the basic modern Latin alphabet.-History:The origin of ⟨f⟩ is the Semitic letter vâv that represented a sound like or . Graphically, it originally probably depicted either a hook or a club...

.Facebook used the SMS originator to authenticate the user. Sammer used hoaxMail to spoof the SMS message and therefore could trick Twitter to post the message on the victim's Twitter page.

At the moment there are many websites offering the service to send spoofed text messages. Examples of capabilities and information about the legal rules can be found in the terms and conditions (eg. SMS Spoofing Terms ). You will find answers to frequently asked questions, whether it is legal, how it works, etc.

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK