Truth in A2P SMS, Part 3 of 5

In this series we will expose the reality of what’s happening in A2P SMS over the years. We’ll review how the current situation can and will be solved, through mitigations the industry must adopt.

This series is based on extensive research through 2024, it is not a complete exposé. However, the main mechanisms and mitigations are covered.

The First Phase of SIM Farms (2000-2015)

Once carriers sorted out international SMS interconnects, the in-country ‘free’ routes disappeared, the SIM farms were reused for the emerging category of A2P SMS. Farms with 64-128 SIMs could be used, the equipment was available from a number of Chinese vendors. 

The cards used were generally domestic prepaid SIMs. They were bought from many locations, e.g. local supermarkets, in low numbers to avoid suspicion. Once set-up, auto top-up was enabled, and they were used to deliver bulk A2P SMS services.

Operators in some countries noticed this revenue leakage, for example, France and Italy started to require official identities to be presented to buy SIMs. Which is still the case today, in France I recently provided my passport as proof of identity to buy a local SIM.

There were also business post paid SIM card bundles, which required no official ID, just a fake business, this avoided the top-up issue. With greater volumes bulk A2P services were available for free, or at least the first 1000 SMS were free, as they gathered the mobile numbers being used in the campaigns, and sold them onto data brokers. Examples of companies that allegedly provided this type of service in addition to many other SMS services was CardBoardFish, which was bought by Mblox (2014), which was bought by CLX/Sinch (2016).

SIM farms remain in broad use today, many aggregators have an association with SIM farms either with a clandestine division, a group of engineers in a corner somewhere, or a third party special operations group. Exploiting the P2P route remains essential for many aggregators to come close to achieving ‘Twilio-like’ margins.

While carriers have improved their detection of SIM farms, they remain in use today. One interesting technology in use today is SIM applets from Wadaro. The main purpose of SIM QoE (Quality of Experience) is to measure subscribers’ experiences of the networks they are using.

Within the feed is a variety of information that can be analysed to characterise devices, the network and, of course, the subscriber experience. For example, serving cell history, mobile originated SMS & voice call history and prevailing radio received.

When one of Wadaro’s tier-1 customers had a significant problem with SIM Boxes they asked for help. Wadaro delivered a layer of analysis that highlighted patterns in their data that indicated the likelihood that a Subscriber was not a Subscriber but was a card in a SIM Box;

  • Multiple ‘Subscribers’ at a static location connected to the same cell, at the same latitude/longitude and subject to the same prevailing radio.
  • Service consumed was of a single type i.e. mobile terminated calls only throughout a 24 hour period. No mobile originated service.
  • IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity – like a device fingerprint) tumbling to avoid detection by the network, the SIM Box repeatedly swaps IMEIs.
    • Wadaro saw changes in IMEI that did not match the profile of the type of device that would have that IMEI (the Type Allocation Code embedded within the IMEI did not match the handset profile)
    • As the network disabled SIMs thought to be in a SIM Box, the owner (crook) of the box would buy a fresh set of SIMs each day to replace the disabled ones. Wadaro would then disable those SIMs using the ICCID (Integrated Circuit Card Identification number) and IMSI being associated with an already identified IMEI.
    • The only options left is for the crook to reprogram / dump the SIM box or move to an unprotected network.

Check out the TADSummit Innovators podcast with Robert Wakeling of Wadaro.

Non-interworking Agreements and Gray Routes (2005-TODAY)

Early global aggregators brokered deals with small carriers selling them global title leasing, that is an SS7 identity to appear almost like a carrier. Carriers have many unused global titles, this monetized an asset that is part of IR.21 (GSMA Roaming Database). The global titles enabled aggregators to route through smaller carriers. With a few smaller carriers, aggregators could achieve roaming across 200-400 carriers (there were about 650 carriers in those days), which is close enough to global coverage.

Large carriers want to provide excellent global coverage for their customers around the world, and this must include small countries such as Jersey, Channel Islands, Isle of Man, Barbuda in the Caribbean, etc. There is not enough traffic for a bilateral agreement, roaming agreements were put in place, and in some cases AA.19 agreements also put in place to define the pricing for the roaming agreement. But AA.19 agreements took time to roll-out across the industry as the assumption was mutual forgiveness.

When a route did not implement an AA.19 agreement, it is called a non-interworking agreement based on MSUs (Message Signaling Unit) that provides the structure for transporting SMS in an SS7 network. Also known as gray routes because there is no AA.19.

Gray routes remain important to the whole A2P industry, without this mechanism accurate routing would be difficult without API access to routing information. SMS to this day relies on signalling/SS7 based access which is often used for gray routes to ensure the market has accurate routing information

Across the gray routes various commercial models were deployed. For example, Western Europe on the basis of ratio deals: x non interworking SMS = x/10 credit against commercial routes into for example Germany. Various P2A (Person to Application) sources, e.g. sports lines, dating, and betting; generated MO (Mobile Originated) fees were used on a revenue share basis to subsidize international A2P traffic into established commercial routes.

Some of the SMS aggregators know of the existence of routes without an AA.19 agreement and exploit them to send A2P traffic into say Vodafone UK from the small carrier. The traffic is real, its UK banking confirmations. Vodafone UK does not want to block this traffic as it would impact their customers roaming in the remote destination and it appears to be a real banking transaction. So the data is allowed to pass, even though it is outside what would be considered “normal” traffic from the small island nation.

It’s a game of whack-a-mole, the aggregators know the thresholds a carrier operates upon. As long as the leakage is less than say $300k per month, no action is taken. Remember these high risk routes have the most genuine traffic, if the carrier checks with the bank for a transaction confirmation, it will be confirmed as genuine.

SS7 access for aggregators also posed a significant risk as access to such resources exposed critical billing identifiers e.g. Global titles, which could then be manipulated. Resulting in large volumes of traffic that could be billed incorrectly to operators who did not originate the traffic. Access to SS7 connectivity also exposes sensitive subscriber information, such as IMSI (International Mobile Subscriber Identity).

It is claimed some island nation carriers received 20-30% of their revenues through aggregators taking advantage of these non-IW agreements. Normally the revenue share is 10-30%, with 15% being the average. There is complicity with some smaller carriers, or people within the small carrier, and the SMS aggregators.

For some carriers, particularly in Africa, A2P SMS is simply not a concern as the % of revenue is so small, perhaps 2%. The focus is P2P voice/SMS and internet access.

Peak use of this type of situation was 2007/8, over the course of the subsequent decade it’s been in decline as AA.19 agreements have become widely implemented. 

Critically, the aggregators know the thresholds a carrier operates upon. As long as the leakage is less than say $300k per month, no action is taken. Revenue leakage through this method is hundreds of millions each year across carriers, with billions over the past decade.

SIM farms and non-internetworking agreements raises an interesting conundrum, the purchase of these SIMs raises the carrier’s market share in their home market, see example below 27k SIMs from one raid. Which made carrier reaction times slow as the SIM farms raised their market share. We’ve seen recent arrests, for example in Thailand where the Thai Bureau of Narcotics Control Board and the Customs Department found, see CXTech Week 22 2024:

  • 96 SIM boxes
  • 4 STARLINK receivers
  • 27,019 Hong Kong SIM cards
  • 6,770 Thai SIM cards

AA60/63 inter-operator agreements became popular 2011/12 onwards, and remain in operation today.  AA60s and 63s are about MT (Mobile Terminated) and are the first official A2P PRD (permanent reference docs) that the GSMA created specifically so a price could be determined between operators for A2P traffic, or to distinguish between unit charges for P2P and A2P SMS.

Aggregators became more sophisticated in their use of SIM Farms. Using them internationally with spoofing, we’ll explore this in Part 4 of the series.

Articles in this series

Truth in A2P SMS, Part 1 of 5, In the Beginning & Foreign SMSCs. https://blog.tadsummit.com/2024/07/29/truth-in-a2p-sms-part-1/

Truth in A2P SMS, Part 2 of 5, Premium SMS. https://blog.tadsummit.com/2024/08/01/truth-in-a2p-sms-part-2-of-5/

Truth in A2P SMS, Part 3 of 5, First phase of SIM farms & Non-interworking Agreements and Gray Routes. https://blog.tadsummit.com/2024/08/05/truth-in-a2p-sms-part-3/

Truth in A2P SMS, Part 4 of 5. SIM Farms 2.0, AIT, Exclusivity, Control, A2P Revenue Assurance. https://blog.tadsummit.com/2024/08/07/truth-in-a2p-sms-4/

Truth in A2P SMS, Part 5 of 5. Mitigations: SMS Governance / Certification and Published Rates, RCS Fraud, Current Situation. https://blog.tadsummit.com/2024/08/09/truth-in-a2p-sms-3/

6 thoughts on “Truth in A2P SMS, Part 3 of 5”

Leave a Reply

Your email address will not be published. Required fields are marked *