« SMS Scam ( 1 ) Explain this, Maxis | Main | SMS Scam ( 3 ): Let the suffering fools speak »

SMS Scam ( 2 ): It's an organised white-collar crime

READ THIS SERIES if you are a mobile user!

Teaser: 3xxxx short code and SMS scam
SMS Scam ( 1 ): Explain this, Maxis
SMS Scam ( 2 ): It's an organised white-collar crime
SMS Scam ( 3 ): The bad boys... Celcos? CPs? MCMC?

First and foremost, SMS scam is a crime punishable under Malaysia law.

There are precedents of punitive actions taken against rogue SMS-delivered Content Providers evident from industry regulator MCMC's reprimand against fraudulent operators. I will give chronology on this later.

Now, let's try to understand how SMS scams operate, and determine whether the celcos, who allow the scam operators to use their conduits and bill the mobile users 'legitimately', have a sentry to prevent such scams from happening -- technically and business model-wise.

Screenshots was informed that, April 9, 2007, MCMC dispatched a letter to Sandip Das, Morten Lundal and Shazali Ramli -- the CEOs of Maxis (Malaysian Mobile Services Sdn Bhd), DiGi and Celcom, respectively -- in response to consumer complaints on fraudulent SMS Mobile Content Services, particularly on the issues of SMS Spoofing and Short Code Masking.

A copy of the letter was obtained by Screenshots recently.

Modus operandi

Let me share with you a simple diagram to illustrate the modus operandi how multiple parties are involved in the SMS scam.

SMS_spoof.jpg

The modus operandi of the SMS scam is schematically rather simple.

  1. The Celco will allocate a short code, or a group of short codes, to the CP.

  2. Each CP can acquire a number of short codes for various services/brands.

  3. Mobilephone users are charged based on the SMS message received on the handset, or what is generically termed as mobile terminated (MT), where the SMS text landed on your mobile terminal.

  4. There is no way for the mobilephone user to refuse receiving the SMS-delivered content as long as it is sent by the CP through the Celco.

  5. Links via SS7 (Signalling System Number 7) connections is the main methodology to enable Fake MOs or SMS-Spoofing to take place throigh the Celco's network.

It's OK if you don't understand the diagram as I will get industry regulator MCMC's experts to address your ignoramus.

3xxxx short code & MO Spoofing

MCMC stated that, based on the numerous complaints it received, the issue involved mobile users who claimed they are being charged for services/content which they have NEVER subscribed ot purchased.

However, MCMC also added that investigation by the Celcos, or the Public Cellular Service (PCS) providers, revealed that there are mobile-originated (MOs) requested from the consumers' mobilephones to the short code belonging to the Celco's external Content Providers (CPs).

In layman's term, all those mobile users who claimed to have been scammed, and billed, have themselves to blame as the Celcos argued that it was the mobile users themselves who had requested, or purchased, such SMS-delivered content, particularly via the 3xxxx short code. The term MO refers to the operator lingo to mean Mobilephone-Originated request/purchase, The argument from the Celco's is taken to mean that NOBODY can make the decision to buy a CP's content/service except the mobile user who holds the 'scammed' handset.

To this, MCMC stated in April 9 letter that "IT IS POSSIBLE" that some unidentified parties could have generated fake MOs to LEGALLY subscribe subscribers, or initiate FAKE SUBSCRIBER REQUEST for its services via the international gateway -- bypassing the Celco's SMSC and onward to the ECPA/CMP for 'legitimate billing' that is shared between the Celco and the CP.

In the letter to the three CEOs, MCMC also expressed its grave concerns on this act of STEALING as many innocent subscribers as have been affected.

More importantly, MCMC emphasised that it is WORST for PREPAID SUBSCRIBERS who may have not realised that they are being charged since there is no itemised billing for cross-checking. (Screenshots understands that, at the moment, only DiGi provides online itemised billing for prepaid subscribers -- an industry practice for public accountability the Maxis and Celcom have hitherto failed to benchmark themselves against their smallest peer in Malaysia.)

It is understood that, prior to the April 9 letter, MCMC has held investigations and discussions with the Celcos and their CPs.

The immediate solution MCMC proposed is to prevent any Fake MOs and SMS Spoofing from recurring. As such, the Celcos and their CPs are to block incoming MOs from the International gateway to the 3xxxx short codes belonging to the CPs.

3xxxx & Short Code Masking

In the April 9 letter, MCMC also drew the attention of the three Celcos' CEOs to the issue of Short Code Masking.

For those unniitiated to the CPs' lingo, 'Short Code Masking' is a term used to describe the instance where a 5-digit short code such as 3xxxx, or a regular mobile phone number, is NOT displayed when a text message originating from this source is received on the mobilephone. Instead, the actual number is masked, or hidden, and is displayed as a word, or as a different number.

Currently, short code masking is possible where the CP sends the text message to a mobile customer using international gateway, added MCMC.

As such, MCMC said it has evaluated the advantages and disadvantages of allowing the CPs to mask their short codes. MCMC concluded that the potential of abuse is HIGH as it is difficult to detect fraudulent CPs.

How do the rogue CPs fraud the flaws in the Celco's SMS model, you may ask.

Oneof the ways, according to MCMC, is for a CP to abuse the ability to mask a short code, or a mobilephone number, by MASQUERADING AS ANOTHER CP and by sending damaging information in the text of themessage.

For mobile users, they will not be able to reply to a short code masked as a name and thus, you and I -- the mobile users -- will not be able to terminate a service nor will we be able to request the CP to stop sending us the so-called "marketing messages" by typing "STOP" or "OUT" respectively.

Now you see, how potent is the potential abuse by the rogue CPs. And MCMC did see that.

For the record, MCMC has stated in black-and-white to the three CEOs that it "will no longer allow PCS providers (the Celcos) or the CPs to do the short code masking for mobile content service provided by any 5-digit short code, or regular mobilephone number".

However, MCMC has a caveat in that the Celcos are allowed to mask the short code using their company name ONLY in broadcasting messages to theIr OWN SUBSCRIBERS.

Now, those were the MCMC imperatives dated April 9.

Maxis has to explain why 11 days after the MCMC directive to the three CEOs, I was still billed RM4.00 by MT&T for an SMS content dated April 20 that I didn't subscribe to nor receive on my MT?

Does Maxis know that I only have contractual service agreement with the 012 Celco. and not its external CP like MT&T?

Or the entire Celco operators network -- from the biggest to the smallest -- have openly defied MCMC despite the April 9 letter issued to their CEOs? Is MCMC really toothless?

There are accomplices to crime. Watch this space, Mr MCMC!

Posted by Jeff Ooi on May 17, 2007 11:23 AM |

TrackBack

TrackBack URL for this entry:
http://www.jeffooi.com/mt32/mt-tb.cgi/1613

Comments

it is a wide known fact that most unsolicited SMSes hit Maxis lines. While CELCOM lines suffer the least.

Posted by: cicakman [TypeKey Profile Page] | May 17, 2007 01:19 PM

my wife's Digi Prepaid was deducted for >RM90 during the World Cup season in which she received two SMSes everyday, each costing RM4. If not for the drastic drop in her prepaid balance, we would not have noticed the scam. Complaining via Digi hotline proved to be futile as they claimed that my wife has subscribed to such service voluntarily and adviced her to use the 'STOP' sms which of course does not work. Digi claimed they are not responsible for this scam and can only give us the support number of the third party involved. After numerous calls and a formal complain letter to Digi and a threat of bringing them to Consumer Tribunal, we finally got back our money. Not only that, to our surprise, we also got a cheque from the third party company who is involved.

Posted by: draco [TypeKey Profile Page] | May 17, 2007 02:20 PM

Very interesting indeed. Just like burglars who use the backdoor.

On a lighter note, is this our own SMSgate with our own Woodward & Bernstein like investigation ? Is there also a 'Deep Throat' ?

Awaiting further developments.

Posted by: PeterP [TypeKey Profile Page] | May 17, 2007 02:32 PM

recently, i requested Maxis to stop sending me all short code sms ..this somehow impact my maybank2u tac as well ...i called Maxis to unblock only M2U tac and they managed to do that ..
after one months ...maxis called me that they cannot do that ...either block or unblock everything ..i asked why ..no solid asnwer was given ...
it's took few rounds of ding dong between me and 123 and finally they agreed to allow only tac sms to come in ...
but lately ..i started to received junk sms again ...

time to dial 123 again.

Posted by: shay_aaron [TypeKey Profile Page] | May 17, 2007 04:06 PM

For Digi user to register in order to read the itemised billing online, you just need to enter you mobile number and a security answer. The account PIN number will SMS to your phone.

Anyone interested about further followup from the net, just google the those unscrupulous content provider name and the keyword "SMS scam".

And the best part of the search, screenshot story come on top of it.

Posted by: moo_t [TypeKey Profile Page] | May 17, 2007 04:50 PM

I am a Hotlink user and i have been scammed by this Macro K company 3 times in April. First few attempt to resolve it using the Hotlink Helpline was useless as they give me lame excuses such as this is between me and the ECP, the ECP are not under their control, have to make police report etc etc.

Don't give up. Make noise untill they take you seriously. I went to their Maxis Centre in Cheras and gave them hell. After 2 weeks, the money was refunded to me.

Posted by: hokc77 [TypeKey Profile Page] | May 17, 2007 06:41 PM

This is a nice piece, in fact to add further, SMS fraud is its now commonly known is devided to Spoof & Fake where primariyly concentrates on Mobile Oriented SMS and the other Mobile terminated.

GSM Association has actually presented a white paper on this some time back and they are some very good solutions and ironically, i'm currently working with a middle eastern operator to integrate a fraud solution for both Spoof & Fake.

Perhaps in Malaysia, we need a little more push in order to force operators to go for a well establish fraud system. In fact, SMS revenue is soo good, operators usually make up all their cost within just months, given that SMSC costs are anywhere between RM 2 to 4 Mil for a network of the size of Maxis or Celcom.

So it wouldnt cost them much to add a fraud prevention system, which cost a fraction of this cost! But as always, operators tend not to spend money on service that do not generate revenue.

Perhaps with some push from MCMC, they will invest on this.

Posted by: goks [TypeKey Profile Page] | May 17, 2007 06:43 PM

BTW, the celco also benefit from the scam. My friend in the SMS business told me the celco got between 30-50% of the SMS charges collected from the CP. I have to call Maxis (123) at least 5 times and once to MCMC to get the unwanted SMS blocked.

Posted by: mmpng [TypeKey Profile Page] | May 17, 2007 06:43 PM

Any information on these CPs? We need an address and names of owners who are responsible for spam-charging us!

Posted by: mob1900 [TypeKey Profile Page] | May 17, 2007 10:40 PM

Hi Jeff,

You may want to read this and this http://malaysianwireless.blogspot.com/2007/03/mcmc-acts-on-11-mobile-content-services.html

MCMC took action on 11 mobile content services providers 2 months ago.

Note: Macro Kiosk is on the list(Macro Kiosk is listed on BM)

Posted by: scamboy [TypeKey Profile Page] | May 18, 2007 01:38 AM

Reported still doing it ah? Must be really lucrative lah this scam!

MCMC on it or something as they seem so powerless to stop these ppl?

Posted by: mack [TypeKey Profile Page] | May 18, 2007 10:21 AM

Goks,

Just curious, what would it cost the Telco's to implement a fake/spoof MO system? You mentioned a "fraction" of the RM 2-4 Mil.. but how big is the denomintor are we talking here?

Nav

ps: when am i getting that beer you owe me? ;)

Posted by: Nav [TypeKey Profile Page] | May 18, 2007 07:18 PM

Nav,

no commercial's on public domain :) hahaha soon...i should be moving back to Malaysia 1st week of June..ironically the last projects i had to close was for Spoof/Fake :)...so it was funny that Jeff brings this up now!

Goks, let's have teh tarik with Nav. Timing couldn't be more perfect.

Posted by: goks [TypeKey Profile Page] | May 20, 2007 04:39 PM

INTERNET does not operate in a legal vacuum.
Read this before you post a comment in this blog!

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)