December 14, 2009

Rohit Mehra is director of product marketing at Syniverse Technologies
By Rohit Mehra
The holiday season is in full swing, and businesses are leveraging every possible communication channel to attract new customers and retain existing ones.
Growth in one particular channel – the mobile channel – has been so impressive even in today’s tough economic climate that more marketers than ever before are looking to the medium as an incremental component of their customer outreach strategies.
Banks, financial institutions, airlines, retailers and large consumer brands are all exploring how to better reach their customers through mobile messaging.
Unfortunately, because of security concerns, some businesses simply dismiss this significant avenue of customer communication outright.
One common fear pertains to hackers gaining remote access to mobile phones because of what businesses saw or experienced over the last decade when user devices, networks and the Internet were targeted by bad guys attempting fraud, financial gain or other illegal activities. For mobile messaging, this is a minor risk.
The diversity of mobile handsets and operating systems in use today makes it difficult for attackers to target every mobile user, so the chances of major malware and virus attacks are still relatively low.
Another concern voiced by mobile security analysts points to lost or missing mobile devices as the biggest vulnerability. A lost mobile device, though, is a lot less dangerous than a lost wallet or credit card.
The reality is that most consumer-oriented mobile messaging applications today are relatively safe.
Just as they do with any decision, businesses must be aware of possible vulnerabilities and understand what they can do to protect themselves and their customers as they roll out their text message campaigns.
Protection against SMS spoofing
Very similar to the online vulnerability, SMS spoofing is the act of sending a cosmetically valid SMS text message but disguising the sender to hide the true origin of the message and, in some cases, pretending that the message originated from a different source.
An attacker can falsify caller ID information to gain access to confidential information or gain unwanted access.
With no available form of authentication, text message recipients are forced to determine whether or not to trust the source of a message they receive based solely on their own individual judgments.
Although programs are available to help reveal information about spoofed SMS messages and help manage abuse, they are not widely used by the general public.
So how can consumers and marketers protect themselves against these attacks?
A number of approaches are available, including using single-factor authentication such as caller ID or implementing second-factor authentication based on the use case of the transaction involved.
In some mobile marketing use cases, single-factor authentication is adequate. For others, it may not provide enough security.
Marketers should evaluate their SMS programs from a thorough risk and vulnerability perspective. In all cases, they should ensure that applications avoid sending complete account numbers, which could reveal more personal information than necessary.
SMiShing: Phishing via SMS
SMiShing is the abbreviated term for SMS phishing – an attack that uses SMS to facilitate bogus requests for personal information.
As is the case with online phishing, the goal is to trick a victim into disclosing sensitive personal information or downloading malware through a text message.
To help protect customers against these kinds of vulnerabilities, marketers, corporations and wireless carriers should implement consumer education programs.
Banks have set an excellent example of how to educate their account holders about email phishing attacks.
In most cases, these programs repeatedly reinforce that the banking institution will not be asking them for personal information via email. The same programs and messages now need to extend to mobile and SMS communications.
Transaction and fraud protection
Another way to protect customers is by implementing a text alert program. These have emerged as a popular notification and confirmation tool for all types of transactions and status updates.
Unlike email alerts that are delivered to smartphones and other data-enabled devices, SMS alerts can be delivered to virtually all mobile phones.
Two-way actionable alerts using SMS are also becoming popular in marketing and advertising, as they are delivered to enrolled customers and can include embedded links for customer responses and actions.
Suggested best practice
The key to best practice in mobile messaging security is simple: balance user experience and security protection.
For example, using caller ID for authentication may be adequate for some use cases and applications. For others, it may not provide adequate security.
Security-related initiatives for mobile messaging include:
• Deploying a layered security framework to protect online and mobile messaging applications
• Ensuring third-party application providers for mobile marketing use a software development lifecycle process that includes security at each stage of development
• Matching the use case with the security requirements
• Continuing to focus on educating the mobile user on security dos and don’ts
• Using SMS alerts as a tool for fraud protection
Driven by Generations X and Y as well as the power and popularity of social networking, mobile messaging has seen tremendous volume growth over the last few years. This is especially true during the holiday season, as text messaging volumes typically see significant increases.
Once you examine how your customers use their mobile services, educate them about potential security vulnerabilities and use SMS alerts for fraud protection, it is the perfect time of the year to launch a message-based mobile marketing campaign.
Rohit Mehra is director of product marketing at Syniverse Technologies, Tampa, FL. Reach him at .