Spoof proof: How the new SMS Sender ID Registry prevents phishing
Phishing remains a huge problem in Singapore, with reported incidents jumping from 16 to 5,020 within four years.
It is the end of the line for SMS scammers in Singapore as Infocomm Media Development Authority (IMDA) rolled out a new SMS Sender ID registry (SSIR) that can block spoof messages "upfront and at source" This means that non inclusion in this new ID registry will automatically prevent spam messages that could be used for phishing.
Legal experts from Rajah and Tann and Drew & Napier LLC told Singapore Business Review that the IMDA-developed registry works better in ensuring businesses and organisations in Singapore are spoof proof as it takes a "more proactive" approach towards phishing.
The previous registry was discontinued on 7 March. It had a "blacklist-based" approach, wherein businesses and organisations would register their SMS sender ID, and a blacklist of lookalike SMS sender IDs would be circulated to SMS aggregators for automatic blocking, according to Lim Chong Kin, head of Telecommunications, Media & Technology Practice at Drew & Napier LLC.
This approach, however, did not work efficiently in preventing phishing scams as it was “confirmation-based" and users still received spoof messages, according to Rajesh Sreenivasan, head of Technology, Media and Communications for Rajah & Tann.
Lim explained that the reason why spoof SMSes were still delivered to some users is that, "potentially suspicious messages originating from non-approved aggregators would still have to be investigated before being added to the blacklist."
"This method relied on businesses and organisations' specifying their protected SMS sender IDs, as well as the approved aggregators authorised to send SMSes on their behalf," Lim added.
"Under the new registry, which adopts a ‘whitelist-based’ approach, companies can register their protected SMS sender IDs against their Unique Entity Number (UEN). Telcos and SMS service providers will be required to check SMS senders against the registry, and SMSes sent under a registered sender ID will be blocked when the sender's details do not match the registry's records," Lim explained.
Motivations for registering
If OCBC losing $13.7m due to phishing scams is not enough reason for businesses to be convinced to jump on board the national registry, Lim told them to at least do it to protect consumers.
"Apart from the financial losses which victims of SMS spoofing and phishing scams may suffer, such scams may also result in the unauthorised collection, use, or disclosure of users' personal data without their consent," Lim explained.
Lim added that businesses who will register in the SSIR will also see a boost in consumer confidence and brand reputation, since the registry will provide them credible protection against the likelihood of their sender IDs being misused in SMS scams.
Sreenivasan, for his part, warned that businesses who wish to use SMS but did not conduct "baseline protection" such as registering at the SSIR can face significant liability when a breach comes up.
"It is a baseline corporate governance requirement for companies to have done this, because, without this registration, you're facing potentially maximum liability for not even doing the minimum to protect your users from that number being spoofed," the Rajah & Tann expert reiterated.
As of April, about 25 organisations have registered about 1,000 protected SMS sender IDs in the registry.
When asked about plans to make the SSIR mandatory, Sreenivasan said doing so would be a "welcome move," and a "necessary next step."
"In Singapore, as in many other countries, businesses often cannot justify the budget for such registrations unless they are statutorily mandated because it incurs costs and companies need to be financially prudent," Sreenivasan said.
“There are some arguments that this may increase the cost of doing business. but I think those arguments are misplaced because the cost is not in any way prohibitive when compared with the potential risk of not using the SSIR," he added.
Strengthening SG’s data protection system
More than helping businesses avoid the risk of financial losses due to phishing, the SSIR also ensures that the trust levels of consumers in Singapore's data protection system remain high, Sreenivasan said.
With a high level of trust from consumers, Singapore is already on its way to becoming a model state for digital trade and digital economy.
"This is part of a larger series of steps that [the] government is taking to maintain and ensure the high cybersecurity trust levels for e-commerce and digital trade in Singapore," he added.