Thanks to eCommerce, we live in an era of package delivery. Needless to say, all senders want the right degree of security for their parcels. They might wish to keep the contents secret from couriers and potential interceptors. Or they might be dispatching something fragile and want the packaging to be robust. Whatever the basic rule stands: the level of protection must be right for the specific use case.
We can say the same thing about mobile message delivery.
In the last ten years, SMS has emerged as arguably the most important tool for corporate communications. Text is reliable, easily understood, affordable and ubiquitous. So much of our day-to-day lives depend on it.
So how can the industry protect the SMS channel and keep it safe from bad actors?
Who’s looking at your messages?
One obvious answer is to encrypt messages so they cannot be read by fraudsters. But in reality, the dangers that stem from unauthorised reading are mostly theoretical. For the gravest dangers, encryption does not help. Consider, for example, smishing – phishing messages that trick recipients into revealing sensitive data. Since the fraudsters are sending these messages, encryption is no help here.
For enterprise customers, another pressing concern is the risk of exposure to third parties as a message ‘hops’ multiple times en route to the operator.
At every hop the message is logged, processed and stored by various intermediaries, which gives their employees access to the data. This is a particular problem for enterprises sending sensitive information via text in verticals such as banking. So the real risk here is the non-delivery of important messages and fraudsters imitating real messages in order to phish/smish.
But there are good reasons to inspect messages. Operators will deploy firewalls to reduce spam and smishing to protect their subscribers. Also, they need to be sure where the messages come from in order to invoice accurately (e.g. national or international rate).
As for message service providers, their main concern is compliance. They have no real reason to invest in security or protection besides the need to comply with regulation, customer or MNO requirements. Their priority is reliable traffic flow and minimal cost.
Understand the risks
All of the above means that SMS messages are never 100 percent private. Instead, they are logged across several servers – and they might be stored in plain text with no encryption (although the connections between the servers are generally encrypted).
So how should brands approach this risk? Well, they must consider how many hops are involved in message delivery, how long service providers and/or MNOs store their messages and which employees have access to the data. They must also ensure they understand data protection regulations in the countries involved – and abide by the rules at all times.
Once they have a good understanding of the risks, enterprises should then weigh up their desire for security/privacy against ease of setup, cost and data transfer speeds. They have three basic options: plain message, SSL/TLS or VPN.
Let’s go on a deeper dive…
In a plain message scenario, there is no security parameter involved. Due to this lack of security, it’s easy to set up a plain message. Delivery is fast and the chance of unexpected technical trouble is low. This is, therefore, how the A2P SMS industry transmits most of its messages among each other while only the connections to enterprises or MNOs are often VPN or SSL/TLS encrypted.
Messaging via SSL/TLS
SSL (Secure Socket Layers) and TLS (Transport Layer Security) are cryptographic protocols that authenticate the connection and encrypt data when moving data over the Internet. In fact, you are reading this text now that has been sent to you via a secure SSL/TLS connection. In an SMS scenario, the sender side encrypts data and the receiving party decrypts it to access the details. The process requires a certificate, which can be procured from an authenticated source. When the connection is made, the certificate is authenticated. This means the two parties can exchange packets with confidentiality and integrity.
SSL/TLS text transfers are secure, but the increased complexity and, therefore, risk also depends upon the platform – whether it is built in SSL/TLS or done via proxy servers and if it can be self-managed or if an external party is needed to maintain.
In a VPN scenario, servers effectively establish a private network, which exists as a kind of tunnel within a public network. The sender and recipient can communicate securely via this node/tunnel without any risk of access by external intruders.
However, preventing the interception of messages is only one part of the story. VPN also supports anonymity and privacy. This is critical. In many enterprise messaging scenarios, the ability to hide identity, user, IP address and passwords is paramount.
So, what’s the most common suite of protocols used by VPNs? For messaging providers, it’s Internet Protocol Security. IPSec VPN serves to authenticate and encrypt the packets being exchanged between two points. It uses different hashing and encryption algorithms to provide confidentiality and integrity.
IPSec VPN works in two phases:
· Phase 1: Build a secure tunnel.
· Phase 2: Communicate data securely within the tunnel.
The drawbacks? Well, VPN is slower because data transfer goes across extra nodes (for example, WAN and LAN interfaces). Also, if the VPN goes down then all the connections go down with it. There is no redundancy. Building in redundancy, therefore, requires an extra VPN – a complicated and expensive process.
Make sure your security fits the use case
As the above overview shows, message security is a complex issue with many aspects to consider. Clarity helps. The industry can start by thinking about the content of its messages and which channel it is using. SMS is probably one of them. It can then consider the trade-offs between speed, cost, robustness and security. For example, banking traffic probably needs encryption, while other enterprise messages might run without security but have GDPR requirements. Governments meanwhile can limit exposure by imposing the requirements that the messages have to stay within the country at all times.
GTC can be your trusted partner in these decisions. We can advise on SSL/TLS or procuring and renewing certificates from authentic sources. We can also help our customers establish VPN connections with platform providers and third parties. Aside from security issues, we can advise more generally on how to choose the right messaging partner for coverage, commercials and service levels.
Global Telco Consult (GTC) is a trusted independent business messaging consultancy with deep domain knowledge in application-to-person (A2P) services. GTC provides tailor-made messaging strategies to enterprises, messaging service providers, operators and voice carriers. We have expertise in multiple messaging channels such as RCS, Viber, WhatsApp, Telegram and SMS for the wholesale and retail industry.
GTC supports its customers from market strategy through service launch, running the operations and supporting sales and procurement. The company started in 2016 with a mission to guide operators and telcos to embrace new and exciting opportunities and make the most out of business messaging. For more information or industry insights, browse through our blog page or follow us on LinkedIn.