Opinion

How can we stop scammers slipping fake texts into legitimate SMS threads?

23 March 2023

The federal government announced a new plan to fight SMS scams, but is it too late?

Dr Suranga Seneviratne from the Faculty of Engineering and Professor Carol Hsu from the Business School analyse how the proposed registry will help prevent these scams.

Are you tired of receiving SMS scams pretending to be from Australia Post, the tax office, MyGov and banks? You’re not alone. Each year, thousands of Australians fall victim. And losses in recent years.

In 2022 SMS scam losses exceeded A$28 million, which is nearly triple the amount from 2021. This year they’ve already reached A$4 million – more than the 2020 total. These figures are probably much higher if you include unreported losses, as victims often won’t speak up due to shame and social stigma.

Last month, the federal government announced plans to fight SMS-based scams by implementing an SMS sender ID registry. Under this system, organisations that want to SMS customers will first have to register their sender ID with a government body.

What kinds of scams would the proposed registry help prevent? And is it too little, too late?

Sender ID manipulation

One of the more concerning types of SMS scams is when fraudulent messages creep into legitimate message threads, making it difficult to differentiate between a.

SMS is an older technology that lacks many modern security features, including end-to-end encryption and origin authentication (which lets you verify whether a message is sent by the claimed sender). The absence of the latter is the reason we see highly believable scams like the one below.

An example of a scam SMS message ending up in a legitimate message thread. Image Credit: Luu Y Nhi Nguyen.

There are two main types of SMS:

  • peer-to-peer (P2P) is what most people use to send messages to friends and family

  • application-to-person (A2P) is a way for companies to send messages in bulk through the use of a web portal or application.

The problem with A2P messaging is that applications can be used to enter any text or number (or combination) in the sender ID field – and the recipient’s phone uses this sender ID to group messages into threads.

In the example above, the scammer would have simply needed to write “ANZ” in the sender ID field for their fraudulent message to show up in the real message thread with ANZ. And, of course, they could still impersonate ANZ even if no previous legitimate thread existed, in which case it would show up in a new thread.

Web portals and apps offering A2P services generally don’t do their due diligence and check whether a sender is the actual owner of the sender ID they’re using. There are also no requirements for telecom companies to verify this.

Moreover, telecom providers generally can’t block scam SMS messages due to how difficult it is to distinguish them from genuine messages.

How would sender ID registration help?

Last year the Australian Communications and Media Authority introduced for the telecom industry to combat SMS scams by tracing and blocking them. The Reducing Scam Calls and Scam Short Messages Industry Code required providers to share threat intelligence about scams and report them to authorities.

In January, A2P texting solutions company Modica for failing to comply with the rules. Modica didn’t have proper procedures to verify the legitimacy of text-based SMS sender IDs, which allowed scammers to reach many mobile users in Australia.

Although ACMA’s code is useful, it’s challenging to identify all A2P providers who aren’t following it. More action was needed.

In February, the ACMA to explore establishing an SMS sender ID registry. This would essentially be a whitelist of all alphanumeric sender IDs that can be legitimately used in Australia (such as “ANZ”, “T20WorldCup” or “Uber”).

Any company wanting to use a sender ID would have to provide identification and register it. This way, telecom providers could refer to the registry and block suspicious messages at the network level – allowing an extra defence in case A2P providers don’t do their due diligence (or become compromised).

In 2022 SMS scam losses exceeded $28 million in Australia. Image Credit: Adobe Stock.

It’s not yet decided what identification details an Australian registry would collect, but these could include sender numbers associated with an organisation, and/or a list of A2P providers they use.

So, if there are messages being sent by “ANZ” from a number that ANZ hasn’t registered, or through an A2P provider ANZ hasn’t nominated, the telecom provider could then flag these as scams.
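A sketch of the network-level check described above, as an added example that is not part of the original article or any ACMA specification. The registry fields (`numbers`, `providers`), the verdict strings, case-insensitive matching and all sample values are assumptions, since the registry's details are not yet decided.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RegistryEntry:
    owner: str
    numbers: frozenset = frozenset()    # sender numbers the owner registered
    providers: frozenset = frozenset()  # A2P providers the owner nominated

# Constructed sample registry (hypothetical schema and values).
REGISTRY = {
    "ANZ": RegistryEntry("sample bank", frozenset({"+61400000001"}),
                         frozenset({"provider-a"})),
    "UBER": RegistryEntry("sample rideshare", providers=frozenset({"provider-b"})),
}

def is_alphanumeric_id(sender_id: str) -> bool:
    """The registry is a whitelist of alphanumeric IDs; plain numbers are out of scope."""
    return bool(re.search(r"[A-Za-z]", sender_id))

def classify(sender_id: str, origin_number: str, provider: str) -> str:
    """Return the verdict a telecom provider could reach from the registry alone."""
    if not is_alphanumeric_id(sender_id):
        return "not_covered"              # regular sender number, registry cannot help
    # Assumption: IDs are matched case-insensitively after trimming whitespace.
    entry = REGISTRY.get(sender_id.strip().upper())
    if entry is None:
        return "block_unregistered_id"    # nobody registered this sender ID
    # The article says the registry may hold numbers "and/or" providers,
    # so each check applies only if the owner registered that detail.
    if entry.numbers and origin_number not in entry.numbers:
        return "flag_unregistered_number"
    if entry.providers and provider not in entry.providers:
        return "flag_unnominated_provider"
    return "allow"

# Constructed sample traffic: (sender ID, originating number, A2P provider).
SAMPLES = [
    ("ANZ", "+61400000001", "provider-a"),
    ("ANZ", "+61499999999", "provider-a"),
    ("anz", "+61400000001", "provider-z"),
    ("MyParcel", "+61400000002", "provider-a"),
    ("+61412345678", "+61412345678", "none"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(*sample))
```

The last sample shows the limit the article raises later: a scam sent from an ordinary phone number never reaches the registry check.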

An SMS sender ID registry would be a positive step, but arguably long overdue and sluggishly taken. The and have had similar systems in place since 2018 and last year, respectively. But there’s no clear timeline for Australia. Decision makers must act quickly, bearing in mind that adoption by telecom providers will take time.

Remaining alert

An SMS sender ID registry will reduce company impersonation, but it won’t prevent all SMS scams. Scammers can still use regular sender numbers for scams such as the “” scam.

Also, as SMS security comes under increased scrutiny, bad actors may shift to messaging apps such as WhatsApp or Viber, in which case regulatory control will be challenging.

These apps are often end-to-end encrypted, which makes it very difficult for regulators and service providers to detect and block scams sent through them. So even once a registry is established, whenever that may be, users will need to remain alert.

This article was originally published in The Conversation. Dr Suranga Seneviratne is a lecturer in security and privacy in mobile systems, and Professor Carol Hsu researches security management and programs.
