The purpose of this CXTech Week 19 2022 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech? The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.
You can sign up here to receive the CXTech News and Analysis by email. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.
Following advice, I’m including a small pitch for my consulting services in this newsletter, many readers are unaware I consult. If your need is in telecoms / communications, particularly programmable telecoms / communications; I can help in strategy, marketing, business development, and introductions. I’ve helped companies craft their go-to-market and get to the right people to rapidly enter markets. A common refrain from my clients is, ‘you’re one of the best consultant we’ve worked with.’ I’m an Engineer who’s been independently consulting for a couple of decades, “I know stuff and people” 😉 Contact me here.
Covered this week:
- MetaCert’s UK Smishing Tests
- Link Mobility Stock Drops from 60 to 12 NOK
- Telnyx and Iterable Partner
- Dunning outside the CX domain can be a disaster for telcos?
- The iPod is finally dead
- People, Gossip, and Frivolous Stuff
MetaCert’s UK Smishing Tests
To better understand how criminals can circumvent SMS security controls, MetaCert ran several simulated attacks to check for vulnerabilities. These tests were undertaken without seeking any explicit permission of the vendors used, to ensure MetaCert experienced exactly what any prospective threat actor would discover during their reconnaissance.
Test 1: Using Twilio
MetaCert created an account with Twilio, purchased a UK sending number, created a Python script to send 193 simulated smishing messages. The destination was an iPhone containing a SIM provided by Sky Mobile under their MVNO relationship with O2 UK.
Around halfway through running the test script, MetaCert’s Twilio account was suspended and all outbound messages were blocked. By this time they had sent approximately 100 smishing messages, all sent messages were received on the target phone.
Test 2: Using LocalText
After sending around 50 messages including smishing links their account was suspended. All sent messages were received on the target phone.
Test 3: Rechecking Twilio
They added a random timer between every message to simulate a SIM being used in a handset by a user (i.e. a person-to-person use pattern) to see whether content type detection was being used to suspend accounts.
After sending 54 messages including smishing links their account was suspended. All were received on the target phone.
Looking into the Twilio logs MetaCert observed that 52 messages were sent successfully but the last 2 messages before account suspension were blocked with a Twilio 30004 ‘Message Blocked’ error code (“The destination number you are trying to reach is blocked from receiving this message.”). The Twilio API documentation gave MetaCert the conclusion that this was due to Twilio blocking rather than the destination operator (Sky/O2) which would be expected to have been accompanied by a Twilio 30007 ‘Message filtered’ error code. Likely the two 30004 error was the trigger for our account suspension.
Test 4: SIM origination
To avoid engaging with a SIM farm, MetaCert decided to replicate that functionality using an iPhone connected via iCloud to an Apple MacBook. Configuring the Messages app on MacOS to send via SMS instead of iMessage, they used a Sky Mobile/O2 SIM as the originator of the 193 simulated smishing messages and sent to a BT/EE prepaid SIM in another handset.
After sending approximately 80 messages, MetaCert’s Sky Mobile/O2 SIM was blocked by the mobile operator, however this block was lifted after 24 hours and was not blocked again. MetaCert suspect this suspension was applied due to the number of messages sent and sending frequency.
Sky Mobile/O2 (originator) and BT/EE (destination) did not block any of the 193 simulated smishing messages, all of which were received using this method. The entire test was repeated two days later with the same results.
There is some consumer protection provided by A2P SMS service providers Twilio and TextLocal. This safeguard is simple and reactive but is sufficiently disruptive to drive bad actors onto other methods of sending malicious SMS messages.
The mobile networks tested (Sky Mobile/O2 outbound, BT/EE inbound) had no protection in place to stop smishing messages. There is some basic protection against annoying spam messages and abuse of fair use policies (account suspension due to high-use) but no content filtering or control for Phishing messages.
MetaCert believes it’s possible to detect SPAM vs Phishing because spam messages contain the same phrases that can be picked up with simple rules and a little AI. Phishing messages however, avoid any form of sender ID checks, and they contain the very same phrases as legitimate messages from banks and brands. This leaves the Phishing URLs – Paul, who led the technical and acceptance testing at O2 UK where he helped to launch SMS and MMS infrastructure and services, says that operators are unable to stop phishing messages because the URLs can’t be detected by security companies, let alone SMS Firewalls that are designed for revenue protection and analytics.
There are two primary methods being used at present to send smishing messages:
- SIMs being used in ‘SIM farms’ or ‘SIM boxes’. Suppliers offering SIM farm connectivity as a service openly advertise on LinkedIn and other platforms.
- SIMs being used in consumer devices which have been compromised with malware such as Flubot.
While the tests are not conclusive, it does appear zero trust is necessary to protect customers. Please contact Paul Walsh to see the full set of results and how MetaCert can help protect customers from smsishing.
We’ve covered some of Link Mobility’s acquisitions in the CXTech newsletters, here you can see how busy they’ve been on the M&A front. They’re sort of a roll-up of roll-ups.
Over he passed 14 months their stock has dropped from 60 to 12 NOK. Of course money is made when stocks go up and down, it’s just a matter of timing. But this is a significant fall from its IPO and all the unicorn claims.
The reason for the drop is analysts realized they’re an SMS aggregator, not Twilio. Plus there’s a load of integration work still to do across the businesses. Hence the consensus is though revenues are meeting expectations, growth in revenue and earnings is unlikely to accelerate, and is seen as below average.
I pointed this out in the Simple Programmable Communications Model the confusion between Applications (Twilio) and Aggregation (Link Mobility).
Iterable is a customer activation platform that helps brands (Zillow, DoorDash, Calm, Box) deliver slick experiences at scale, has seen marketers embrace global messaging—with SMS adoption among their customers increasing 42% in the last year, and MMS adoption growing by 54%. As its customers continue to leverage messaging in new ways, such as time-sensitive alerts and offer campaigns, media-rich loyalty and reactivation programs, and abandoned cart recovery triggers, Iterable selected Telnyx as a preferred messaging provider.
Dunning is the process of communicating with customers about overdue amounts and getting them to pay what’s owed. In the above article a customer nightmare is shared from Australia.
The customer communications experience needs joined up thinking. Check out FICO, which does much in fraud and collections, but delivers an integration solution across the customer lifecycle.
They’re a customer of many aggregators, using voice and SMS, with the communications services and customer insights across many industries, for example healthcare and telecoms. The comms bit is a tiny piece of the overall solution, and there’s much more the programmable communications industry can do to help the likes of FICO across compliance and insights, but more on that soon.
My first MP3 player was a Rio in the late ’90s, it was a bit crap. The last mp3 player I owned was an iPod Touch back in 2008/2009, it was really a cheap iPhone (used VoIP) before the iPhone became available. After that, the mobile phone became my mp3 player and for the passed 5 years its a music streaming service.
On Tuesday of this week, Apple said it would continue selling the seventh-generation iPod touch “while supplies last” — a quiet confirmation that the age of the iPod may finally be over.
That got me looking at this article from 2009, Apple App Store: Don’t Forget the iPod Touch is in the Numbers. Its funny reading my recommendations from 2009, bloody obvious in hindsight!
People, Gossip, and Frivolous Stuff
Congratulations to Jesus Cruz Manjavacas for being promoted to Mobile Services and Applications Manager at PLAY.
Owen Sullivan is now Director Software Engineering at Workday. I’ve known Owen since the on-device portal days of Cibenix, nearly 2 decades ago.
Stefan Ålund is now Product Director at M – Volvo Car Mobility. I’ve know Stefan since his Ericsson days.
Stefan Marti is now Scrum Master VoIP Core & Services at Swisscom.
Jarkko Vehviläinen is now Senior Account Executive at SUSE!
Hashem Sharrab is now Chief Business Development Officer at Innovative Transformation Ltd. I’ve known Hashem since his Mobily days when we’d meet up at one Informa event or another around the world 🙂
Jonathan Grant is now Consultant at KOIOS Master Data.
Yamazaki Takefumi is now Senior Manager at NTT Advanced Technology Corp.