We had a last minute schedule change, and Bohdan was willing to jump in at the last minute. This session is based on the conversation we were having about RCS security, as the schedule problem arose.

There is a mixed reaction to RCS, and has little to do with the technology, rather the unthinking hype. Vendors that are responsible for the mess we see in SMS/MMS, or at least lack of action in protecting customers, beat the drum of an unthinking RCS revolution. All they care about is more revenue and shirking responsibility for the problems they cause consumers, businesses, and carriers.

It’s the lack of balance in the industry’s discussion make makes some people roll their eyes in frustration.

RCS has strengths, and will exist in a fragmented messaging world across SMS, MMS, WhatsApp, Viber, iMessage, RCS, and a long tail of other IP messaging services, e.g. Line, WeChat, etc.

So let’s look at some of the potential security issues. Bohdan shared how some vendors are attempting to help brands transition to RCS. However, SMS is mature, so for applications like OTP (One Time Password), it remains quite cheap. Bypasses exist that impact RCS as much as SMS.

Recently, Bohdan discovered virtual SIM boxes, enabling access to the US number space using non-US numbers. Think a gateway hacked into the US SS7 network, running virtual SIMs / eSIMs, to bypass security. And using +52 numbers internationally that redirect to +1.

Businesses need to understand the exposure risks of such a bypass. The SKT hack has made available millions of SIMs open to SIM swap, As they can not physically changed SIMs out fast enough.

Smishing has been extended to RCS and hidden in marketing. So the buttons, call back numbers, or tables activate scripts and code that can compromise the user’s security. Fortunately, its very early days, so the breaches are infrequent and are not reaching the headlines.

However, this is no longer a game for script-kiddies, that is school children having fun hacking. The work is profession, and targeting an ROI.

The double check we perform on receiving an SMS is more important with RCS. Were we expecting such a contact? Accessing my account from a different device (laptop) with biometric authentication with RCS may be advised. To check its authenticity.

In Bohdan’s view the potential risks of RCS will keep SMS running for many years. Until RCS includes the protections we take for granted in email.

As a reminder, some of the protections in email include: scanning email content for “spammy” words and phrases, assessing the reputation of the sender’s IP address or domain, and using rule-based filters that analyze email headers and content for suspicious indicators.

This could be applied to SMS today, but it requires investment. Remember the lack of adoption of Augnet to prevent AIT fraud, https://blog.tadsummit.com/2025/03/26/tadsummit-online-conference-26th-march-augnet-is-alive/. The SMS industry does not act to protect citizens, only themselves.

Here is the David Casem Linkedin post I mentioned on scammers breaking through SMS and impersonating him The post is now at 213 likes, and likely coming up to 100k impressions, SMS fraud is of great interest, Imagine the interest RCS fraud will generate!

Bohdan moved onto how fraudsters are using fake enterprise credentials to create fake verified identities in RCS. KYC faked incorporation documents are available on the dark web for $5-10.

I asked about why we’re not seeing reports on RCS fraud. Bohdan’s response is, the numbers are low, it’s mostly experimentation. Understanding the protections per country / market; where they are strong, and also where there are holes. However, by the end of this year we may see a few breaking into the news,

Is Apple protecting RCS as well as Android? History shows Apple has been forced to play catch-up; in basic SMS spam Apple continues to lag Android.

Bohdan raised the importance of the role carriers play in protecting their RCS customers. Most of the aggregators and hubs are too small. One fine, and they are bankrupt. Carriers need to find a solution that operates at the speed of thought, that is how crooks operate, not an international standards body.

Todate the messaging industry has proven inadequate for protect the carriers’ customers. See David Casem’s post on the failure of TCR. MEF covers its sponsors’ backs, grandma gets robbed yet again, and carriers are left holding the bag. The industry is broken.

Given the relative success of email compared to messaging, perhaps Google is the only viable option? Remove the finger-pointing mess of the SMS industry, and have a single thoat that has a better track record on email.