Who’s Calling? Who’s Texting? Assessing Sender ID Validation (Part 2)

Indemnity: Client hereby indemnifies and holds Photographer harmless against any and all liabilities, claims, and expenses, including reasonable attorney's fees, arising from its use of Photographer's work. Client assumes insurer's liability (a) to indemnify Photographer for all loss, damage, or misuse of any photographs. Client understands and accepts that photographs may not have model releases and assumes all liabilty use of photographs.

This post first appeared in D!gitalist on October 3, 2019.

Part 2 of the 3-part “Fighting Robocalls” series presenting a comprehensive assessment of sender ID validation in mobile messaging

In Part 1 of this series, we focused on trends to mitigate robocalls in voice communications and began to look into efforts to cut down on unwanted text messages. Here, we’ll examine sender IDs in text messaging.

We have alphanumeric sender IDs

We should touch on alphanumeric sender IDs for SMS (typically, up to a combination of 11 letters and numbers). These are supported in over 100 countries, but they are challenging. First, a subscriber cannot reply to an alphanumeric sender ID – such as to opt-out. Consequently, many subscribers (and even mobile operators) may blacklist all content from a particular alphanumeric sender ID. Many countries require registration of the alphanumeric sender ID prior to usage, which helps with the unknown sender/spam problems. Still, alphanumeric sender IDs are useful for certain types of use cases whereby a response or even an opt-out may not be required, such as receiving two-factor authentication (2FA) codes or high-value alerts.

But we also have “long-code” sender IDs

Another problematic issue is that businesses can also use regular phone numbers (we call these long codes) as sender IDs in messaging. And that complicates things quite a bit. First, many businesses do make use of long codes, and that makes them harder to identify and verify. Secondly, as in the voice world, long codes can be spoofed. It is well understood that long codes are the favorite of spammers across the world. In fact, many make use of thousands of long codes at a time to deliver unsolicited SMSes. Fortunately, much of the SMS traffic flows through various messaging hubs, and spam control is taken very seriously with hundreds of millions of spam messages blocked by ecosystem players each month. Consequently, very little spam actually reaches consumers.

Not all countries allow commercial or business/brand-originated long codes. Until recently, that was the case in the United States; however, long-code-originated business SMS had been prevalent, albeit unsanctioned, for many years. In early 2017, the new CTIA Messaging Principles and Best Practices guideline was released and put into effect. The primary change is that this will codify the ability to send A2P traffic (e.g., business SMS) using long codes. A more recent version of this document was published in summer 2019, which further differentiates between P2P and A2P traffic. U.S.-based mobile operators have been working with messaging hubs to finally put into place the appropriate guidelines and best practices to manage this traffic. As of this writing, that is certainly not complete, but the latest guidelines provide more visibility.

In other countries, long-code-originated business SMS has been around for a couple of decades. While it has been problematic in the past, many countries and mobile operators are starting to gain the upper hand with spam, utilizing such tools as SMS firewalls, termination fees, and more registration and regulation of business sender IDs.

The key benefits of long codes as a sender ID is that they are inexpensive and enable small and midsize businesses to leverage the SMS messaging channel. It essentially levels the playing field, and that is good for the industry as a whole. Unfortunately, long codes remain a key vector for spam and phishing to propagate through the ecosystem. Additionally, as in the example shown, there is nothing to indicate that this message legitimately came from Uber. Now, it just so happens that I was logging into an Uber website when this code was sent (and Uber indicated it was sending me this code), so I had reasonable assurance that the message I received was from Uber. But from this example you see, in general, the main issue with long codes. What if Uber used other long codes for other types of notifications? Can I be sure it is Uber (or any other legit business)?

In Part 3 of this series, we’ll examine next-generation trends.