3rd March 2020
By Neil Downing
Recently, a couple of announcements have come into the market that give some hope for the future of SMS, specifically with regard to its continued role with the evolution of newer technologies such as Rich Communication Services (RCS).
Interestingly, both of them come from titans in our industry, who have historically slightly different takes on the rollout of RCS, namely Apple and Google. Let’s look at them one at a time:
Google who are by far the most public exponent of RCS, have recently launched a verified SMS product to add to their range. It is intended to combat one of the most common types of SMS-related fraud, widely known as phishing. A phishing attack normally means that as a consumer, you receive a message that at first glance appears to be from a genuine institution but is actually a fake wanting you to typically click on a link and supply information to a bogus website. Verified SMS works by asking the real Enterprise companies to register with Google, and then when your Google Messages app on your phone receives an SMS message it is able to check and give a guarantee that the message has indeed come from who you think it has. Clearly, with an operating system as widespread as Android this is a significant step to making SMS more secure for a large percentage of the World’s Smartphone users, but it also says to us that even RCS’s most vocal patron can also see the role that SMS is still to play.
Apple have also made an announcement that is very interesting in this space, which is a proposal to standardise the format of SMS messages that contain One-Time Passwords (OTPs). Again this is designed to reduce or eliminate Phishing as an attack vector, by embedding a URL in all messages, that can be easily checked by the device to determine that the website the user is being directed to belongs to the organisation who claims to have sent the message. What makes this interesting is that for some time now the industry have been speculating whether Apple are going to announce support for RCS in their iPhone platform, and whilst this makes no statement on that one way or another, clearly in Apple we see another tech giant that does not see SMS dying out any time soon, and believes that investing in solving one of the main security weaknesses of it to be a good thing.
It’s always useful and welcome when we see these types of organisation leading the charge to improve security, which from a TMT Analysis perspective we are always striving to do, but it also contains a note of caution. Whilst both of these approaches help to stop the phishing style of attack, users of SMS as a 2-factor authentication mechanism are still vulnerable so so-called Account Takeover fraud, where fraudsters assume control of a victims mobile telephone and therefore intercept the legitimate messages as they come to you. For this reason, we continue to push forward and expand our Verify ATP product set, that helps organisation spot Account Takeover in all of its forms, whether it’s so-called SIM Swap, device swap or malicious call forwarding.
When you combine the two, there is real potential that SMS can continue to provide an easy-to-use, cost-effective and ubiquitous platform for years to come.
Neil Downing is the VP of Products at TMT Analysis.
Google Verified SMS: https://developers.google.com/business-communications/verified-sms
Apple standard SMS OTP format: https://github.com/WebKit/explainers/tree/master/sms-one-time-code-format