OpenMarket – May 8, 2020
If people are going to use mobile messaging to interact with their bank, they have to have total confidence in its security.
So it’s essential that banks and other financial services companies know they can make those assurances.
That’s what this post is about: the potential security threats in the mobile messaging world and how to defend against them.
Security of (and through) mobile messaging
CX leaders at banks – and their customers – are probably familiar with what you might call security through mobile messaging.
Two-factor authentication, for example, is a means of proving a customer’s identity and securing their data.
Likewise, SMS messaging can be used to authenticate payments and prevent fraud. Many of us have replied Y (or N) to a text message from the bank after making a purchase.
But what about the security of mobile messaging itself?
Mobile messaging is a world with its own quirks, rules, and plenty of players – the operators, the solutions providers and aggregators, the brands, consumers, support services and more.
There are a few risk factors that are particular to this world.
SIM Swap fraud
When identity thieves call a carrier claiming to be one of your customers, and have their number ported to a new SIM – so the criminal can receive all the customer’s messages.
Fortunately, the carriers have clamped down on this in recent years and put processes in place to minimize risk.
Attacks on the SS7 system
SS7 is the set of protocols that lets phone networks communicate with each other. If an attacker pulls one off, they can potentially reroute text messages. These types of attacks are rare and difficult to pull off. Attackers have to find a way to enter the SMS network AND get hold of usernames and passwords.
Unless the target is extremely high value, they’re unlikely to go to this trouble.
What’s more, operators across the world have awakened to the SS7 threat and have been installing firewalls to protect the network. Illicit messages and suspect patterns can be blocked immediately.
More familiar threats
Many of the biggest threats in the mobile messaging security world are similar to the ones we know from online: things like phishing (or smishing in SMS), spamming, spoofing, identity theft, data theft and virus distribution.
But in general, SMS is a tightly controlled, clean and secure channel.
Richer messaging, stronger security
Something that’s helping brands improve their security is their increased use of rich messaging. In fact it’s one of the reasons for its growing popularity.
Rich messaging formats like Apple Business Chat and RCS messaging for Android are the future of mobile messaging.
They deliver multi-media, app-like experiences straight to your customers’ inboxes. Crucially, they give you a trustworthy way to prove your brand’s identity. Registration of RCS channels are strictly controlled by mobile operators. So it’s almost impossible for fraudsters to ‘spoof’ or imitate messages. Another bit of good news: grey route traffic won’t be possible on rich messaging channels.
The critical role of a secure messaging provider
The truth is, when it comes to mobile messaging, your most important move is to ensure you choose a provider with outstanding security credentials.
You have to know that the protection of your customers and your brand is their priority – and that they can deliver on it.
That means looking for some specific things in a potential messaging provider.
There are more factors to consider than we can fit in this post, so check out our guide to mobile messaging security.
Find out if the provider has ever had a security breach before – and why. A breach shouldn’t necessarily rule that partner out but knowing the context of any breaches could give you useful insights.
Look for certification and standards including:
- PSD2, FINRA
- ISO 27001 (2013) standard
- Certified by BSI (British Standards Institute)
- GDPR addressed and multiple data center locations
Availability, integrity and reliance
To protect your customers from data loss, check that the provider’s platform has high availability. You’ll want to see geographically distributed data centers, so local outages or natural disasters won’t knock out the whole network. The network architecture should be scalable, with no single points of failure or bottlenecks. Look for uptime SLAs of at least 99.99%.
Safeguards to protect personal or sensitive information
Providers should have an effective information security management system (ISMS) that provides clear direction on measures like:
– Identity and access management
– Awareness and training
– Audit and accountability
– Configuration management
– Information security governance
– Incident response
– Security operations
– Media protection
– Personnel security
– Physical and environmental protection
– Risk management
– Security development and acquisition
– Network security
– System and information integrity
Data should be encrypted in transit on external public networks – including the internet – using common industry-accepted encryption ciphers and strengths. It should also be protected at rest, by one or more encryption mechanisms. When connecting to mobile operators, they should use encryption technologies appropriate to the sensitivity of the information they’re transmitting.
Dig a little deeper
Mobile messaging security is a huge topic. If you’d like to do more research, start with The complete guide to mobile messaging security.
Or get in touch – we’d be happy to talk about our own approach to security.