In this series we will expose the reality of what’s happening in A2P SMS. We’ll review how the current situation can and will be solved through mitigations the industry must adopt.
This series is based on extensive research through 2024. It is not a complete exposé; however, the main mechanisms and mitigations are covered.
SIM Farms 2.0, AIT (Artificially Inflated Traffic), Firewalls, Exclusivity, and Beyond (2015 – TODAY)
SIM Farms 2.0 are international SIM farms; see the recent example from Thailand in the previous post in this series. A simple example: thousands of UK SIMs are used in Belgium for traffic into France, with spoofing to make it look like German traffic.
The Thai example was similar: Hong Kong SIMs operating in Thailand for traffic to somewhere the authorities did not discover / disclose. The numbers are spoofed, the content appears valid, the game starts to become too complex for the carriers to follow, and they cede control of SMS to “experts.”
Aggregators present themselves as the experts, with a subjective, one-sided story on the thefts and risks the carrier and their customers are being subjected to. Hence the rise of aggregator firewall deployments and A2P exclusive deals. It’s a protection racket. The aggregator now has open CDR (Call/Communication Detail Record) access to the carrier and can engineer the traffic as required.
Take an example of a small carrier who normally sees $1.2M monthly in A2P traffic. With AIT the aggregator can claim they can more than double the carrier’s revenues from all the web brands (Facebook, Google, Meta, Amazon, etc.), by bringing their traffic to the carrier. Well, we’ve seen the outcome of this: the brands have moved to other forms of transport, such as email (that shows how bad things have become).
We’ve seen cold-contact emails proposing SMS generated traffic partnerships with a list of brands with OTP (One Time Passcode) they can use. It’s AIT as a Service (AITaaS). The knowledge has become widely available.
AIT has been around for quite some time. In 2005 Telenor Pakistan was one of the first applications of AIT, using SIM farms for SMS and calling to quickly ramp up the network and claimed subscribers.
And today carriers are considering aggregators for the Camara Network API aggregation! 5G network availability is 10-15% in many countries. No developer will use Network APIs for such low availability. Private 5G, like private 4G/LTE, can use provisioning and statistical multiplexing for high capacity use cases. It works. I remain saddened by Ericsson, Nokia, Vonage, and all the shills’ and sycophants’ refusal to engage in an open discussion on Network APIs. It’s a repeat of OneAPI.
I would like to give some in the A2P ecosystem a clean bill of health, they try, but because the ecosystem has refused to implement SMS governance / certification, A2P revenue assurance, and published pricing, there will always be fraudulent traffic. It does not need to be this way.
Taking Back Control
A2P Messaging product manager for EE, Kevin Britt, revealed in a LinkedIn post that starting from 10th July 2024, the operator will block all banking and logistics-based SMS unless it’s submitted via a single dedicated A2P Trusted bind.
The move will allow BT to implement more aggressive and robust blocking controls with the comfort of having no false positives.
Britt urged businesses to make sure they speak to their supplier to check they are prepared as a bespoke setup could be required.
He said that Commify, Infobip, Sinch, Stour Marine, Twilio, Vonage, and Webex CPaaS Solutions firms have confirmed they are ready for the change.
The move comes as Britt says BT has seen an 83% reduction in A2P SMS smishing on its network since March 2023.
Britt commended fellow BT employees and partners:
- law enforcement actions supported by colleagues dedicated to investigating and mitigating smishing;
- bespoke firewall developed by BT’s Messaging Operations team; and
- the SMS partners who comply with the Code of Conduct that BT introduced in September 2023.
Some of the key commitments in the anti-smishing code that BT introduced last year include:
- blocking messages where the Sender ID includes one of a series of words often exploited by scammers, such as ‘bank’, ‘caution’ and ‘package’;
- restricting who may use names associated with specific reputable organizations, such as ‘Mastercard’, ‘Student Loans Company’ or ‘Uber’;
- limiting the special characters permitted in a Sender ID to eliminate the risk of criminals using lookalike characters to mimic genuine organizations;
- blocking messages from numeric IDs that do not begin with a UK dial code;
- blocking short codes that do not follow permitted formats; and
- blocking suspected spam or fraudulent URLs included within the body of a message.
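The Sender ID commitments listed above can be expressed as a small policy check. This is an added example, not BT’s firewall logic or code from the original post; the bind names, the permitted character set with its 11-character limit, and the short-code pattern are assumptions, and the URL-blocking rule is left out.

```python
import re

# Constructed policy data. The three blocked words and two organisation names
# are examples quoted in the list above; bind names, the character set and
# the short-code pattern are assumptions made for this illustration.
BLOCKED_WORDS = ("bank", "caution", "package")
PROTECTED_NAMES = {
    "mastercard": {"bind-mc"},
    "uber": {"bind-uber"},
}
ALPHA_ID = re.compile(r"[A-Za-z0-9 ]{1,11}")  # assumed permitted characters
NUMERIC_ID = re.compile(r"\+?[0-9]+")
SHORT_CODE = re.compile(r"[6-8][0-9]{4}")     # assumed short-code format
UK_DIAL_CODE = "44"


def check_sender_id(sender_id, bind):
    """Return (allowed, reason) for a Sender ID submitted over a given bind."""
    if NUMERIC_ID.fullmatch(sender_id):
        if SHORT_CODE.fullmatch(sender_id):
            return True, "short code"
        if sender_id.lstrip("+").startswith(UK_DIAL_CODE):
            return True, "uk number"
        return False, "numeric id without uk dial code"
    # Anything outside the permitted set is refused before name matching, so
    # accented or non-Latin lookalikes never reach the comparisons below.
    if not ALPHA_ID.fullmatch(sender_id):
        return False, "character not permitted"
    folded = sender_id.replace(" ", "").lower()
    for name, binds in PROTECTED_NAMES.items():
        if name in folded:
            if bind in binds:
                return True, "protected name on registered bind"
            return False, "protected name on unregistered bind"
    for word in BLOCKED_WORDS:
        if word in folded:
            return False, "blocked word: " + word
    return True, "ok"


# Constructed submissions: (sender_id, bind). "Ub\u0435r" uses a Cyrillic "е".
SAMPLES = [("Uber", "bind-uber"), ("Uber", "bind-x"), ("Ub\u0435r", "bind-x"),
           ("MyBank", "bind-x"), ("+447700900123", "bind-x"),
           ("+12025550123", "bind-x"), ("60123", "bind-x"), ("Acme Ltd", "bind-x")]

if __name__ == "__main__":
    for sid, bind in SAMPLES:
        print(repr(sid), bind, check_sender_id(sid, bind))
```

Substring matching is deliberately broad here, so a legitimate name that happens to contain a blocked word is refused too; that trade-off is the reason a dedicated trusted bind for banking and logistics traffic matters.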
From my perspective the combination of picking the right partners, creating a traffic light warning system (openness in publishing who is on the naughty list to your partner ecosystem – and yes even some of those listed partners could be in the naughty list), adding liquidated damages clauses to agreements and implementing sender ID registry in combination provide critical protections around BT’s firewall, not a third party’s.
Sending spam to a carrier is a breach of contract. We must find a way to encourage the implementation of SMS governance / certification, and liquidated damages looks as good as any.
A firewall can be good or bad, depending on the situation. In the bad old days firewalls came with revenue targets. Rather, BT owns and operates its firewall for the benefit of their customers.
Kevin is, in my opinion, an impressive ‘poacher turned gamekeeper’. He is creating a template for the carriers, and the industry should celebrate BT’s success.
A2P Revenue Assurance
Over the past ten years carriers have become increasingly reliant on aggregators to help address the problem of A2P fraud, given the complexity of number spoofing across numerous international AA60/63 inter-operator agreements.
This path has not always led to successful outcomes, given the rise of AIT (Artificially Inflated Traffic) to the point brands have moved to other forms of transport, such as email (that shows how bad things have become) and passkeys.
An international group of ‘poachers turned gamekeepers’ will now perform an external, silent evaluation over one month of popular use cases from 30 to 40 brands that are driven by both bots and people. No internal network access is required.
They will deliver a quantified status report across the use cases on the extent of revenue leakage. After which, optionally, a plan can be created to remove those sources, and protect against further leakage. No internal network access is required, and the carrier has full operational control.
This new category of protecting A2P revenues and taking back control is proving A2P revenue assurance meets market needs. It’s not just for carriers; you could use this for evaluating downstream aggregators as well. Imagine if such results were published for the whole industry, like the OpenSignal reports on 5G network performance. Accountability in A2P SMS is essential, not hiding on the SS7 network using gray routes to spam people.
If you’re ignoring this A2P SMS series, or covering up or enabling the spamming of the general public, you must ask yourself one question: “Are we the bad guys?” Spamming the elderly, children, the tired, overworked, or distracted is simply beyond inappropriate behaviour in telecommunications; it should be criminal.
Articles in this series
Truth in A2P SMS, Part 1 of 5, In the Beginning & Foreign SMSCs. https://blog.tadsummit.com/2024/07/29/truth-in-a2p-sms-part-1/
Truth in A2P SMS, Part 2 of 5, Premium SMS. https://blog.tadsummit.com/2024/08/01/truth-in-a2p-sms-part-2-of-5/
Truth in A2P SMS, Part 3 of 5, First phase of SIM farms & Non-interworking Agreements and Gray Routes. https://blog.tadsummit.com/2024/08/05/truth-in-a2p-sms-part-3/
Truth in A2P SMS, Part 4 of 5. SIM Farms 2.0, AIT, Exclusivity, Control, A2P Revenue Assurance. https://blog.tadsummit.com/2024/08/07/truth-in-a2p-sms-4/
Truth in A2P SMS, Part 5 of 5. Mitigations: SMS Governance / Certification and Published Rates, RCS Fraud, Current Situation. https://blog.tadsummit.com/2024/08/09/truth-in-a2p-sms-3/