What steps can you take to fend off fraudsters using faking to avoid SMS charges?
Global title faking in SMS is still a massive headache for mobile network operators (MNOs). Our last blog explained how this kind of international revenue share fraud costs large MNOs millions of dollars each month.
How can MNOs stop these losses? Don’t worry. There are ways to disrupt SMS faking, and we’ll get into them in this blog post. The first step is to look at how this kind of fraud works. Join us as we get technical on the details and highlight possible solutions!
How does global title faking in SMS work?
SMS faking takes advantage of the multiple steps needed to send an SMS:
On the first leg (known as the SRI_SM), fraudsters use the international C7 network to send a message to the victim MNO’s home location register (HLR) asking: Does this MSISDN (the mobile number) exist and, if so, is it your customer? During this leg, the originator must include their actual sending address to get the information needed. This real sender address is held in the SCCP layer of the SRI_SM.
On the second leg, the recipient MNO replies, flagging where the customer is so the message can be routed correctly.
On the third leg (the Forward_SM), the fraudster replaces their sending address with a faked or third party’s address. Now it looks like the SMS is sent from someone else via a different carrier.
Because SMS is billed on this third leg and their actual address isn’t attached to the SMS anymore, the fraudster avoids paying for the traffic and gets a third party to pick up the tab.
Let's assume the fraudster uses an unsuspecting MNO’s sender address: the MNO terminating the SMS will then invoice an MNO who had no part in delivering that SMS. The innocent MNO then refuses to pay the bill, leaving the MNO terminating the SMS with the check.
How to spot signs of SMS faking
The most efficient (and popular) way to spot SMS faking is to monitor incoming SMS traffic patterns and routes, then investigate any suspicious activity. For example, a spike in the number of SRI_SM received from a specific origin could point to a faking attack.
Operators should compare the number of SRI_SM messages received with the number of Forward_SM messages received from each SMS center or network. The ratio shouldn’t be more than 2.5 SRI_SM for every Forward_SM. If it is, this could mean the SMS center or network is being used for SMS faking.
On the other hand, if there are far fewer SRI_SM messages than Forward_SM messages, it could point to the network or center being manipulated by a fraudster to hide where the SMS traffic began.
If an MNO finds a suspicious pattern, they’ll need to manually check if the sender address information in the SCCP layer of the SRI_SM matches what’s in the related Forward_SM.
If there are differences, the MNO should block the Forward_SM associated with the suspect SRI_SM and urgently contact the actual SMS originator to investigate the address held in the SRI_SM and identify the fraudster.
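Here is how the ratio check and the address comparison above could look in Python. This is an added example, not code from Sinch or the GSMA guide. The record layout, the correlation key linking an SRI_SM to its Forward_SM, the sample addresses, and the MIN_RATIO and MIN_EVENTS thresholds are assumptions; only the 2.5 ratio comes from this post.

```python
from collections import Counter

MAX_RATIO = 2.5   # from the article: at most 2.5 SRI_SM per Forward_SM
MIN_RATIO = 0.5   # assumed cut-off for "far fewer SRI_SM than Forward_SM"
MIN_EVENTS = 3    # assumed minimum volume before a ratio is meaningful

# Constructed records: (operation, SCCP calling address, correlation key).
# The key is a hypothetical field linking an SRI_SM to its Forward_SM.
SAMPLE = (
    [("SRI_SM", "GT-A", k) for k in ("k1", "k2", "k3")]
    + [("Forward_SM", "GT-A", k) for k in ("k1", "k2")]
    + [("SRI_SM", "GT-X", k) for k in ("k4", "k5", "k6", "k7")]
    + [("Forward_SM", "GT-V", k) for k in ("k4", "k5", "k6", "k7")]
)

def ratio_alerts(records):
    """Flag origins whose SRI_SM : Forward_SM ratio is outside the expected band."""
    sri, fwd = Counter(), Counter()
    for op, gt, _ in records:
        (sri if op == "SRI_SM" else fwd)[gt] += 1
    alerts = {}
    for gt in sorted(set(sri) | set(fwd)):
        if sri[gt] + fwd[gt] < MIN_EVENTS:
            continue
        if fwd[gt] == 0 or sri[gt] / fwd[gt] > MAX_RATIO:
            alerts[gt] = "excess SRI_SM"
        elif sri[gt] / fwd[gt] < MIN_RATIO:
            alerts[gt] = "excess Forward_SM"
    return alerts

def address_mismatches(records):
    """List Forward_SM whose SCCP address differs from the related SRI_SM."""
    sri_origin = {key: gt for op, gt, key in records if op == "SRI_SM"}
    mismatches = []
    for op, gt, key in records:
        if op == "Forward_SM" and sri_origin.get(key) != gt:
            # None as the SRI_SM address means no SRI_SM was seen for this key
            mismatches.append((key, sri_origin.get(key), gt))
    return mismatches

if __name__ == "__main__":
    for gt, reason in ratio_alerts(SAMPLE).items():
        print(f"investigate {gt}: {reason}")
    for key, sri_gt, fwd_gt in address_mismatches(SAMPLE):
        print(f"block Forward_SM {key}: SRI_SM from {sri_gt}, Forward_SM from {fwd_gt}")
```

In the sample, GT-X sends SRI_SM but no Forward_SM, while GT-V appears only on Forward_SM: the two sides of one faking pattern, which the per-message comparison then confirms.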
Other parties in the chain won’t know about the fraud until they get a massive bill. So it’s up to the recipient MNO terminating the fake traffic to step in.
Spotting SMS faking and dealing with it takes a long time and uses precious resources. In fact, the GSM Association offers more than 10 recommendations in its “SMS SS7 Fraud Prevention” guide.
Unfortunately, even today, many MNOs don't have an automated solution to deal with SMS faking. Because it comes to light after an invoice is generated, it’s almost impossible to find the culprit - traces often disappear after a few days or weeks because of data retention policies.
Luckily MNOs can rely on vendor solutions to identify and block faking efficiently.
At Sinch, we help combat many types of faking, including global title faking, in real-time with the Sinch SMS Firewall. Our fully-fledged SMS protection software solution helps defend P2P traffic links from a broad range of fraud and spam.
Sinch also helps MNOs tackle global title faking with our Suspect Faking Alerts service. Sinch's P2P hub monitors Forward_SM responses without associated SRI_SM, and when a spike is detected, we alert the MNO's Network Operation Center so they can investigate, identify, and stop the fraud.
If you’d like to learn more about how networks can be exposed to SMS fraud and how Sinch can help, get in touch to speak to one of our experts.