Ofcom Rejected More Effective Method of Blocking UK Messaging Scams | ISPreview UK

Original article ISPreview UK:Read More

Earlier this week Ofcom introduced new measures to help UK mobile operators “block, limit and disrupt scammers” from sending messaging scams (here). The changes, while positive, overlooked the fact that the regulator ended up rejecting an already adopted (in other countries) and UK developed fix that would have been more effective, partly due to BT and others complaining that it would be too “onerous“.

The system we’re talking about above is a mandatory, centralised sender-ID registry (aka – A2P sender ID registration). Ofcom’s announcement, if you dig deep enough, recognised that a mandatory sender ID registration for Application-to-Person Messaging (A2P) messages could be an “effective means to tackle messaging scams“.

NOTE: The industry cost of Australia’s mandatory sender ID registration scheme was said to be below 1% of total annual industry revenue, which given the high cost of fraud to consumers, might not be a bad investment.

In short, when a scammer sends you a text message that says it is from your bank or doctor, the word at the top of the screen is not usually checked by anyone. The sender fills in that field, but some countries have decided to clamp down on this by requiring businesses to register the name they send under, which is more effective at stopping an impersonator’s messages (i.e. they can’t use the same name).

Five countries now mandate registration in this way, including Spain, Ireland, India, Singapore and Australia. The countries differ in how they expect operators to respond to messages from unregistered branded senders (some block it outright, while others flag it as suspicious etc.). Singapore’s regulator reported a 64% fall in SMS scams after it adopted this, and they merely marked messages as “Likely-SCAM” for users to decide.

The Sender ID Protection Registry (SIDPR) actually began in Britain in 2019, as a Proof-of-Concept (PoC) that was backed by the National Cyber Security Centre (NCSC), UK Finance and Mobile UK. The funny thing is that SIDPR still exists and is run by the Mobile Ecosystem Forum (MEF), albeit as a voluntary solution that charges brands a fee to sign up (many brands use this to protect their SMS messages, although impersonated texts carry no warning).

Sadly, Ofcom this week opted not to make this mandatory, which would have imposed new regulator-led set-up and ongoing costs on brands. So, Britain built it, found it worked, saw it adopted by other countries and then declined to require the same system itself.

Why did Ofcom reject mandatory sender ID registration?

As usual, there are issues of cost and complexity to consider. BT (EE) said that a sender ID registry system would be “expensive, burdensome, and would reduce the ability of individual providers to tackle new, emerging threats” (they also suggested that such systems have not necessarily reduced the volume of scams immediately). The MEF said that a regulator-run registry would also “require public funding and be slow to design and deploy“, while TechUK stated that mandatory sender ID registries have “proved to be cumbersome and risk disrupting A2P traffic flows“.

On the flip side, consumer magazine Which?, Twilio, CCUK, XConnect and The Campaign Registry broadly seemed to support the idea of a mandatory registry to address the industry’s inconsistent application of anti-fraud measures and create a more reliable source for verifying sender IDs. Finally, VodafoneThree (Vodafone and Three UK) liked the idea but wanted it to be adopted via an industry-led model, rather than through the government or regulator.

Ofcom’s Statement

We recognise these comments and, in line with our consultation position, we believe that there would be significant up front and ongoing costs associated with both registering IDs and maintaining a registry. Charging models for a registry could vary, such as charging businesses directly when registering IDs, or charging mobile operators and aggregators to register IDs on behalf of their customers.

Where the costs are charged to companies registering IDs, this is likely to increase costs for aggregators and/or the business end-users that use A2P mobile messaging. These costs could particularly affect small and medium sized businesses, which would have to register to use a sender ID even though they are not likely to be spoofed by scammers. Anybody responsible for setting up and maintaining the registry would generate costs in administering a sender ID registry that people and businesses would ultimately bear. We therefore consider that this approach would represent a more significant intervention than our measures to prevent alphanumeric sender IDs from being abused.

At this stage, although we consider such an approach could be an effective way to meet our objective, our view is that we can achieve our objective through the other, less onerous A2P measures set out above. These include requirements for parties onboarding new business senders to check the alphanumeric sender IDs that they intend to use against the legitimate business purposes described in KYC checks, and the maintenance of policies by mobile operators in relation to the use of certain protected or generic alphanumeric IDs and the use of special alphanumeric characters.

Ofcom does clearly recognise that such a registry, even though they’ve rejected the system, could make it “harder for criminals to use alphanumeric sender IDs” by requiring them to be registered centrally before they can be used, with proof that each sender ID is being used for legitimate purposes.

As a result, the regulator has left the door open for them to potentially return to this idea in the future, but for now it’s being left to gather dust on the regulator’s shelf of ideas. Just don’t be surprised if, once scammers adapt to the regulator’s preferred solutions, we end up back here again to consider it once more in the future

However, if Ofcom does ever revive the idea, then we suspect they might end up preferring an industry-led solution to help balance against the cost of implementation by network operators.

What Ofcom has done is more considered than a refusal. It accepts the registry could work — it says so in terms — and judges it can reach the same place by a lighter route. That’s a legitimate call. The open question is whether the lighter route is lighter for everyone, or only for the businesses that would have had to register,” said Peter — founder of Tutela Digitalis (independent fraud education).

Recent Posts