Widespread mobile messaging abuse represents a huge headache for operators, but tackling the problem while promoting the free growth of new revenue-generating communications services over their networks could be an even bigger challenge.
Peggy Anne Salz reports.
The advent of text-messaging has already made mobile devices vulnerable to dictionary-type attacks. But the situation threatens to get out of control as mobile devices become more powerful and networks advance to deliver increasingly advanced messaging services. With what is effectively a broadband connection in their pocket, mobile users will likely be inundated with spam and damaging malicious messages.
Indeed, it was this mix of high-speed connectivity and powerful PCs in the fixed Internet space led to a dramatic increase in the spread of spam — unwanted or solicited messages that account for between 80% and 90% of all Internet email — and concerns are growing that the mobile Internet will go the same way.
It’s difficult to calculate the costs of email spam at a global level, but it’s clear that spam is more than a bother. It drains network and computing resources, demands considerable investments in filtering and security software and causes huge productivity losses to companies everywhere.
A June 2003 report from Radicati Group, a US-based technology market research firm, predicts that email spam will cost companies nearly $198 billion by 2007. A more general study of the problem published by the European Union estimates the worldwide cost to subscribers “in the vicinity of EUR10 billion a year” — and that figure is built on a conservative scenario in which users receive only six messages a day. Most users receive far more spam and waste much more time reading and deleting it.
The frequency of mobile spam — and the damage it causes — makes it much harder to pin down. A recent study by British technology firm Empower Interactive revealed that 65% of European mobile phone users receive at least five spam messages a week.
Meanwhile, Central Europe and Southeast Asia — regions that account for the lion’s share of texting activity, are the most troubled by mobile spam, according to a world-first collaborative study of the problem conducted jointly by the University of St. Gallen in Switzerland and Intrado, a provider of emergency communications services. More than 80% of respondents from those regions reported receiving spam messages at least once in 2004.
So far, spam in the mobile space is more a trickle than a flood. The fact that incoming text messages in Europe are free of charge to the receiver make mobile spam appear a softer issue. This is sure to change once subscribers use more mobile Internet-based services, where incoming traffic is billable.
For the moment, scam, a subset of spam messages that includes fraudulent messages from overseas offering prizes and free vacations, is a much bigger concern. A typical scam message asks recipients to urgently call a Premium Rate Service number (PRS) — numbers that in the UK cost up to £1.50 minute. Other scams cause a PRS connection to be generated via a computer dial-in through a spoofed link. This leads to astronomical phone bills that users must pay.
To stem the concern about the misuse of Premium Rate SMS mobile operators in the UK banded together and launched the Stop Initiative in 2004, making it easier for consumers to stop receiving those services they no longer want. If users find they have unwittingly subscribed to a premium rate service, access to any individual who sends more than 120 VGS mails — messages that allow a maximum of 200KB for text and file attachments — in the space of three hours.
In Spain Vodafone is in the “final testing stage” of a network based anti-spam tool developed by the Vodafone Group in 2001 and slated to roll out to other Vodafone markets in Europe. It is capable of “real-time content filtering based on customer specific profiles” — a key tool in suppressing spam.
Vodafone in the UK has also introduced an initiative to reduce spam, allowing users to forward spam they receive to forward it, free of charge, directly to 87726 or VSPAM on their mobile keypad. Since the introduction, Vodafone reports that “customer complaints on spam have been halved.” The operator also delivers the consolidated VSPAM report to ICSTIS on a daily basis so that it can take regulatory action against spammers.
But it may be that the “biggest stick” operators can wield against spammers is an economic one, observes Tina Southall, Vodafone’s Director of Content Standards.
“We are attempting to make bulk unsolicited communications commercially unviable,” Southall says. Vodafone has taken steps to withhold payment for premium SMS services to spammers linked to its network..
“Spam is also covered in our contracts with third party content providers and, if we find an organization is generating spam, we can cancel their contract.”
However, if the party delivering unsolicited content is using another network on another network, then tracing spam back to the source can be a much more difficult task.
“Spammers (in the fixed space) are becoming more inventive and launching attacks from networks in countries such as China where there are no laws to stop it,” explains Richard Cox, chief information officer at Spamhaus.org, an international spam watchdog headquartered in London.
Indeed, spam spreads faster than authorities can stop it. “In almost every case that we’ve found, where we’ve identified what a spammer is doing and shown he is breaking the United States laws, we see the FBI throwing up their hands at the legal red tape,” Cox says.
“If you think how hard it is (for the authorities) to cope with the US-Canada border, (spam originating in) China is an immense problem.”
To provide a more effective enforcement framework the OECD formed a task force on spam in June 2004 and launched an Anti-Spam “Toolkit,” which aims to provide member and non-member countries with policy orientation and support in their fight against spam. The OECD has also begun a dialogue with APEC (Asia-Pacific Economic Cooperation), the premier forum for facilitating economic growth, cooperation, trade and investment in the Asia-Pacific region, to discuss activities to combat spam together.
But the battle against spam is a tough one. There is a pressing need to draw a distinction between malicious code and simply unwanted messages. After all, one user’s spam, might be interpreted as another user’s advertising. To help draw the line, and boost the potential of mobile commerce, mobile advertising companies and agencies have developed codes of conduct. The Mobile Marketing Association, for example, established privacy guidelines for its members in 2001, committing those companies to send wireless advertising only to those mobile phone users who opt-in for it.
However, operators must also tread a fine line between providing their subscribers with the services they ask for, and protecting minors and those who do not wish to subscribe to adult services, for example.
Subscriber opt-in mechanisms are limited in this scenario, notes Vodafone’s Southall. To this end, in the UK Vodafone has introduced a far more complex approach built on age verification solutions and content filtering.
Last year it became the first operator to launch “Content Control,” a barring and filtering mechanism which prevents under age users from access content such as gambling, erotic content, chat and dating services. It is now the default option on all Vodafone phones and those who want to access restricted content must register and provide proof they are over 18. “We have taken responsibility for not just our content, but for conetnt available over the mobile internet and from third party providers,” Southill adds.
Threats and solutions
While the mobile industry searches for solutions to guard against the onslaught on mobile spam many software companies urge operators to keep a more watchful eye on the viruses they can carry.
The connectivity of mobile devices, and their ability to cross pollinate networks with malicious code, in the form of viruses, worms, and Trojans, means that even a little spam in the network can create big problems. For this reason, many security analysts argue that operators should adopt a multi-layered defence strategy to protection from messaging abuse. Protecting the edge of the network first is the most effective and most efficient defence strategy. The second phase is a layer of content filtering applications, protecting for viruses, adult content, spam and other threats that may slip by the edge filters. And lastly, operators must provide end-users with the ability to set personal preferences and utilise tools for the management of spam- or virus-infected content.
McAfee AVERT, the security software company’s Anti-virus and Vulnerability Emergency Response Team, reports that mobile viruses and vulnerabilities are quickly becoming the predominant threat affecting the mobile Internet. It reported more than 1,000 vulnerabilities in the first quarter of 2005, roughly 6% more than the same period the previous year. It’s not that hackers aren’t trying. AVERT logged more than 200,000 reports of various exploits attacking various vulnerabilities.
“We’ve seen a 20% increase of malware-related threats between 2004 and 2005 — and anticipate that these numbers will stay at the higher rate of growth for the immediate future,” observes Vincent Gullotto, vice president of McAfee AVERT. “In the first quarter of 2005, the rise in unwanted programs has greatly surpassed what was noted in the first quarter of 2004.”
In this already charged climate, the emergence last year of the Cabir and Mosquito mobile viruses presents a worrying new threat to mobile consumers, and creates an added burden to operators seeking to profit from messaging and other mobile data services.
“Whilst the real world impact of these viruses was minimal — Cabir was only a ‘proof of concept’ virus, and the Mosquito Trojan gained only limited consumer exposure — the threat they represent is nevertheless real, imminent, and an issue that the mobile communications industry as a whole needs to address in a concerted and structured fashion,” observes David Staas, director of development of Anti-Abuse Technologies, Openwave Systems.
Some clever operators are turning a problem into an opportunity and providing security services as a new kind of value-add. T-Mobile, for example, last spring sealed a deal with F-Secure, a provider of anti-virus software, to make its Mobile Anti-Virus service available through the T-Mobile t-zones portal for download to Symbian Series 60 smartphones. Users can download the antivirus client over the air directly to the phone. After the free trial period users can subscribe to the service directly from the phone at a cost of EUR1.95 for each month of update service.
“Security and a high standard of quality for our applications and services is a key element of our competitiveness,” explains Thomas Breitbach, T-Mobile vice president of Product and Application Security. However, Breitbach concedes that there’s only so much operators can do. “At the end of the day a huge part of the problem and much the solution lies with subscribers,” he says. “They must be aware that the mobile phone is a lot like a PC and they must be equally cautious about downloading content and programs to their devices.”
Indeed, a greater awareness of the potential danger would have stemmed the spread of malware linked to the Mosquito Trojan last year. After all, illegal copies of the game displayed several tell-tale messages of mischief that users should have suspected immediately including a message on start-up, “This version has been cracked by SODDOM BIN LOADER No rights reserved. Pirate copies are illegal and offenders will have lotz of phun!!!”
Future dangers?
So far, the industry has been spared a major mobile virus outbreak — a development that leads many cynics to believe the danger has been over-hyped.
WDSGlobal, a support firm that handles around 100,000 calls every month on behalf of handset makers and operators including Nokia, T-Mobile, Orange and Sony-Ericsson, reports that less than 10 of 275,000 support calls fielded by the firm in the first three months of 2005 were related to security. But other companies warn this could be the calm before a storm that rages across the global mobile market. Granted only four of the 14 known mobile viruses are known to attack data on phones, but the real problem could emerge where users don’t expect it, argues Chris White, Product Management Director at Avalanche Mobile, a global developer of network-based SMS management technologies.
High on his radar are vulnerabilities in technologies such as Bluetooth, Wi-Fi and voice over IP.
In the case of Bluetooth, reports show confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some Bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone’s IMEI.
“Sure, there’s a simple way of dealing with it, just turn off the Bluetooth capability on your phone,” White says.
“But having it turned off all the time sort of defeats the object of having the technology in the first place.”
Another problem looming on the horizon is Evil Twins — identical wireless networks that pretend to be trustworthy Wi-Fi connections to the Internet offered at coffee shops, airports and hotels. These also threaten to corrupt laptops and steal sensitive information. Since fraudsters can set up an evil twin network using only a laptop and an ordinary Wi-Fi card, it’s not yet clear what the scope of the threat or the damage done to data could be.
The advance of mobile VOIP could create a new nuisance: telemarketing. “By using voice systems, there’s a potential there to really reduce costs in terms of tele-marketing,” White adds. “You could end up with banks of tele-marketing people sitting in a third world sweat-shop, churning out calls to mobile phone users around the world.”
Against this backdrop, Mark Sunner, Chief Technology Officer of MessageLabs, a provider of managed email security services for businesses based in the UK, believes operators will need to take more responsibility for the communications resource they provide.
Just as water companies don’t require consumers to boil their water, mobile operators shouldn’t put the burden on users to make sure their content and services are clean and clear of malicious spam and viruses, he says.
“It’s very logical to deal with the problem of sewage, for example, upstream. You wouldn’t expect filtering to be done at the end-point by consumers.” It’s a specialist task for developers and engineers and leaving it to users opens the door to greater problems.
