The use of Short Message Services (SMS) for enterprise messaging has grown in popularity in recent years. While the most common instance of sending an SMS message is a message between two mobile devices (or person-to-person), businesses have also begun to integrate SMS into their customer and employee communication systems. These application-to-person messages are generally run through shortcodes where high volume and throughput SMS messaging is possible. We are often asked questions regarding the security of SMS messaging in an enterprise environment for example:

  • How do I prevent my systems from sending messages which users may mistake as SPAM?
  • Can an SMS be ‘spoofed’ so that the FROM appears from a false entity?
  • Can an SMSC or SMS Gateway suffer from a DDoS attack?
  • Can trojans or viruses be delivered over SMS?
  • Can information sent in an SMS be intercepted in the airwaves before it reaches the mobile device?

SMS Security Concerns Answered:

How do I prevent my systems or employees from sending messages users may consider SPAM?

There are both federal laws and industry guidelines that must be followed in order to communicate over the SMS channel. These regulations and guidelines, along with a set of best practices, create a framework for providing users with choice, consent and the ability to opt-out. These behavioral deterrents protect against bad actors abusing the communication channel and infringing the privacy of a user. There are many knowledgeable people in the industry who can guide a company through the intricacies of SMS regulations. Connecting an enterprise system directly to an SMS aggregator will require that you learn these regulations and apply them in practice.

There are risks to connecting directly to an aggregator or carrier. You may wonder if you received accurate information regarding staying compliant with the law? Did that information get applied in practice? Do your developers or subcontractors have access to your shortcode or aggregation credentials? Do you have restrictions on access to your subscriber data? Do you have restrictions on what internal systems can trigger messages?  Do you have protections against system errors? There are a handful of SMS platforms that were developed to ensure compliance with these regulations and coordinate communication between different enterprise systems. These SMS platforms act as a buffer between your internal systems, developers or users and the aggregators. Therefore the two ways to ensure compliance is by either investing in enough resources to build your own internal solution or by leveraging an SMS platform specializing in this type of expertise.

Can an SMS be ‘spoofed’ so that the FROM appears from a false entity?

SMS spoofing and SMS phishing is when someone sends an SMS where the SMS is altered to look like it’s from a false origin. This can mislead people into giving up sensitive information. Although difficult, it is possible to spoof the ‘From’ field if you are using a longcode. However if the customer replies to your SMS, their message will not be sent back to the spoofer. If you are using a shortcode, it is extremely rare to find spoofing or phishing. Shortcodes are registered and highly regulated. Any message can be tracked either back to the owner of the shortcode or to the connection which the message came from.  Ways to protect your customers from spoofed SMS messages is to have some form of authentication such as two way SMS, PIN reply, or a web link to a password protected page. By doing any of these methods you can ensure that your customers do not release information to spoofers.

Can an SMSC or SMS Gateway suffer from a DDoS attack?

A Denial of Service attack (DOS) is an attack that tries to make a machine or a network resource unavailable by overloading it with requests.  These attacks are most likely to happen to machines with public IP addresses, not private messaging networks. If the DDOS attack is successful it can significantly slow down systems and applications. Most short message service centers (SMSC) are programmed to ignore such public HTTP requests and some even have extra security implemented to stop these attacks from affecting their servers. Since much of the SMS communication network happens behind VPNs there is little risk for disruption or breach.

Can trojans or viruses be delivered over SMS?

A trojan or a virus is a third party application that is installed on a device and will steal information or trigger communications which are not authorized. Today the popular mobile OSes require programmers to digitally sign certificates to compile and install their applications. This steps ensure authenticity. Additionally, many devices will only install applications from a particular app store (ie. Apple). Many device platforms will ask a users permission during installation to access certain device resources and data. Since an SMS message can contain only 160 characters, it is also impossible to deliver a Virus within the SMS message but it is possible to deliver a link to a virus application. It has been shown that an MMS can deliver a virus but it will not automatically be installed without user action. Most MMS messaging platform and carrier networks will check for certain file types and will not allow application files that can contain a virus. It is important that you distribute your applications over legitimate channels such as Play Store, Blackberry World, Amazon and Apple’s App Store so your customers do not get fooled into thinking it may be available outside of legitimate channels.

Can information sent in an SMS be intercepted in the airwaves before it reaches the mobile device?

Once an SMS is sent it does not leave the carriers network until it is delivered to the intended handset. The servers sending the messages require the incoming and outgoing messages to be sent over a dedicated VPN or through HTTPS over SSH and require the messages to be encrypted. Messages traveling between the cell tower and the mobile handset are encrypted. That said, the encryption used in GSM has been cracked and a sophisticated hacker could obtain sensitive or confidential data. It safe, but not 100% secure. MMS on the other hand leverages can use an additional layer of HTTPS encryption so when the data is transmitted to the device it would not be able to be decrypted if it was sniffed. It is unknown whether all carriers utilize HTTPS for MMS.