Can you guess which one of these is fake?

Of course not, they’re identical!
How about these?

If you paid close enough attention to the second message, you may have noticed the difference in URL hostname.
But… if one is real and one was spoofed, why are both messages in the same conversation? Aren’t they from different senders?
Thing is, for all your phone knows, they were sent by the same sender.
How is this possible?
SMS has a field called sender ID, which is set by the sender, requires no identity verification, and can be any arbitrary short string. This allows anyone to send messages to any number, identifying themselves as whoever they want to impersonate.
And since there’s no sender phone number in the message, your phone can’t tell real and fake messages apart, so it groups them into the same conversation. Ugh.
And how do we fix it?
1. Sender ID should be a function of the sender phone number.
Assuming the integrity of the sender’s carrier, this would protect recipients from malicious senders. Some countries do this.
2. Phones should warn users of non-verified sender IDs.
If browsers show “not secure” warnings on non-HTTPS sites, and email has spam folders, messaging apps should flag non-verified messages.
3. Companies should stop sending URLs over SMS.
If your company sends links over SMS, expect your users to trust any further links they receive, including spoofed ones.
Vote #1 into policy, add #2 to your backlog if you’re an iOS or Android messaging app developer, and stop doing #3 if you are.
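As an added example of what fix #2 could look like inside a messaging app (this is not code from the original post), here is a small Python check that walks one conversation in arrival order and warns on two things: a sender ID that is a free-form string rather than a phone number, and a link whose hostname has never appeared in that thread before (the lookalike-hostname trick from the second message above). The E.164-style regex, the trusted-host seed and the sample thread are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# A sender ID that is just a phone number can in principle be tied back to a
# carrier account; a free-form alphanumeric sender ID is whatever the sender typed.
E164_RE = re.compile(r"^\+?\d{7,15}$")          # assumed shape for number-style IDs
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def sender_kind(sender_id):
    """'number' for phone-number sender IDs, 'alphanumeric' for free-form ones."""
    return "number" if E164_RE.match(sender_id) else "alphanumeric"


def hostnames(body):
    """Lower-cased hostnames of every http(s) URL in the message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;:!?)")).hostname  # drop trailing punctuation
        if host:
            hosts.add(host)  # urlparse already lower-cases the hostname
    return hosts


def flag_conversation(messages, trusted_hosts=()):
    """Return [(index, reasons)] for messages the app should warn about.
    messages: (sender_id, body) tuples in arrival order, all grouped by the phone
    into one thread. trusted_hosts seeds hostnames already known for this sender."""
    seen = {h.lower() for h in trusted_hosts}
    flagged = []
    for i, (sender_id, body) in enumerate(messages):
        reasons = []
        if sender_kind(sender_id) == "alphanumeric":
            reasons.append("sender ID is a free-form string, not a verified number")
        hosts = hostnames(body)
        new_hosts = hosts - seen
        if seen and new_hosts:
            reasons.append("link hostname never seen in this thread: " + ", ".join(sorted(new_hosts)))
        else:
            seen |= hosts  # only learn hostnames that did not trip the lookalike check
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample thread: the phone shows all three under the sender ID "ExampleBank";
# the second message carries a lookalike hostname (.co instead of .com).
MESSAGES = [
    ("ExampleBank", "Your statement is ready: https://www.example-bank.com/statements"),
    ("ExampleBank", "Unusual login, verify now: https://www.example-bank.co/verify."),
    ("ExampleBank", "Reminder: your branch is closed on Monday."),
]

if __name__ == "__main__":
    for index, reasons in flag_conversation(MESSAGES):
        print(f"message {index}: " + "; ".join(reasons))
```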
