New changes to Australia’s telecommunications interception laws aim to stop the malicious SMS phishing campaigns that have marked 2021.
We recently wrote about the potential legal changes as the Australian government considered considering whether to give telcos the power to block malicious SMS messages en masse.
The move came after Australia hit a new phase in the SMS scams affecting users for the last quarter.
Now, Home affairs minister Karen Andrews and communications minister Paul Fletcher have joined Telstra CEO Andy Penn and Optus’ regulatory lead Andrew Sheridan to announce a new measure.
The Telecommunications (Interception and Access) Act allows regulations to be made that can give effect to the legislation, as long as they aren’t inconsistent with it.
A change to those regulations allows interception of a communication by a carrier’s employee “for the purposes of identifying and blocking malicious SMS messages”.
This is now a factor that a court must take into account when determining if the action is “reasonably necessary.”
What is a malicious SMS campaign, and why are telcos and the govt keen to “go to war” on it?
A malicious SMS message is defined as one that “contains a link or a telephone number” and is meant to mislead the recipient into using that link or number, with them “likely to suffer detriment as a result.”
The context is the massive proliferation of scam SMS campaigns this year, which the government believes undermines public confidence in communications from businesses and government
In the government’s view:
It is now almost impossible to identify whether a message is a scam or not, especially when scammers can spoof telephone numbers or make them appear to be sent from a legitimate and trusted organisation.
The Explanatory Memorandum to the legislation said that Home Affairs had consulted with “parts of the telecommunications industry” as well as other departments and agencies.
When telcos can block SMS phishing campaigns
The memorandum sets out scenarios when interception can support tackling malicious text messages, including scanning SMS content for URL addresses and matching them against trusted URLs associated with the sender.
If there is a mismatch, the message won’t be delivered. Setting up the system may require sampling of SMS messages or reviewing messages stored on a telco’s equipment after they have been delivered.
At yesterday’s press conference Andrews cited the rise of Flubot malware as a key issue the changes are meant to address.
Fletcher noted other efforts to combat phone-based scams, including the Communications Alliance developed code aimed at reducing scam calls and an earlier effort to block SMS phishing messages that blocked thousands of texts attempting to impersonate the federal government.
Telstra runs pilot to see if SMS phishing can be stopped
Telstra CEO Penn yesterday revealed that Telstra is running a pilot that is using scam messages sent to its employees to train a system to better identify them.
The telco has also stood up a small technical team to review suspect messages, with sender and recipient details removed.
The pilot will be expanded to family and friends of Telstra’s employees over the coming month, with the aim of rolling out the system to customers early next year as part of the telco’s broader ‘Cleaner Pipes’ initiative.
The Telstra CEO said that the changes by the government would allow the telco to get access to a much richer set of data to train its algorithms.
Sheridan said that the changes will give Optus “much greater flexibility to block criminals from targeting Australians” and allow it to “unlock the power and capability of technology such as artificial intelligence to really get on the front foot against these criminal gangs, many of which reside overseas.”
Will the telcos be successful in their anti-SMS phishing efforts?
We’ve mentioned previously that the greatest challenge for telecommunications companies is to be able to define the attributes of the SMS message in a way that block[s] the bad ones.
But cyber threat actors’ work is impactful only because they reverse engineer what is real and then imitate it.
It remains to be seen whether these pilots are successful. In our view, a lot rides on their efficacy, and it is far from a given that this is the right way to tackle this complex phishing issue.