The Australian government is considering whether it should give telcos the power to block malicious SMS messages en masse.
The move comes after Australia hits a new phase in the SMS scams affecting users for the last quarter.
Last week, we discussed that criminals behind the prolific FluBot SMS cyberattacks have flipped their scam on its head. They have recently been convincing potential victims that they need to install a security update, which is the bot itself.
Home Affairs boss Mike Pezzullo told senate estimates this week the issue is being “looked at…with some urgency”, with discussions underway with Aussie telcos.
Telcos could help block SMS scams
Under the Telecommunications Act Section 313, there might be a possibility for telcos to act as an “authorised blocking agent” on behalf of the government.
What is not clear is whether the existing definition of the “use of carriage service to cause a criminal offence” will be sufficient to empower telcos to act as “blocking agents” to stop scammers.
The case in which telcos may be allowed to do this is if — by allowing someone to click on malicious links — they may be inadvertently facilitating a “criminal offence”.
The latest developments in the SMS scams plaguing Australia
The latest tricks scammers are using showcase the criminals’ willingness to experiment to increase their impact. Recent scam messages have claimed potential victims have “missed parcels”, only for them to be pernicious and dangerous scam messages.
The continually altered messages make reliable identification tricky. However, the malware they contain can only be installed if victims enable the installation of unknown apps. Most of the time, users end up inadvertently trusting these malicious apps.
To date, all webpages on which the malware is located have carried the same sentence. This requests that “if a window appears preventing the installation, select ‘settings’ and enable the installation of unknown apps”.
What consumers can currently do about scams, and where the challenges lie
When it comes to emails, consumers can send them to the ACCC’s Scamwatch, which can move to block the specific ISP address associated.
But what about SMSs?
The question essentially is whether telcos could help automate the pain by blocking scam SMSs at scale.
The challenges, though, come down to distinguishing scam messages from genuine ones. And this is not necessarily an easy task.
The greatest challenge for telecommunications companies is to be able to define the attributes of the SMS message in a way that block[s] the bad ones.
But cyber threat actors’ work is impactful only because they reverse engineer what is real and then imitate it.
In this respect, telcos being given the power to do so en masse may mean they mass block at times useful and important SMS messages.
Fundamentally, it may raise a question about whether telcos have a place to do this or whether consumers need to be better educated.
Alternatively, purchasable third party software could be the way to go, allowing consumers to make the choice themselves.
Earlier this year, Telstra ran a ‘cleaner pipes’ initiative where it blocked up to a half a million calls on busy days.
The telco also piloted a malicious text message blocking service last year to stop impersonation attempts.
The text messaging pilot was not decisive, at times blocking genuine SMSs. This puts into question the entire strategy, and should lead to careful consideration of whether telcos should play this role.