FEATURE
Rich Communications Suite: opportunities and threats
Neil Cook, Cloudmark
There is growing concern within the telecoms industry that network operators might be missing the boat. The announcement last year of Apple’s iMessage has added to this concern, as have other Over The Top (OTT) services such as those launched by major players including Skype and Research In Motion (with the popular BlackBerry Messenger). Mobile operators are starting to feel left out. Rich Communications Suite (RCS) might be their salvation, but is it also an opportunity for phishers, fraudsters and spammers?
April 2012
Changing landscape
The messaging and presence communications landscape is rapidly evolving to include a wider variety of providers than ever before. And there is a growing feeling that operators may be left behind, becoming little more than a bit pipe for other companies’ services. This trend has been portrayed by many as presaging the death of SMS as the primary mobile messaging tool, and if such an extreme scenario were to happen, there can be little doubt that operators would struggle to find a revenue stream to replace it.
This, however, is not by any means a foregone conclusion. Operators still have one significant advantage in their favour: unlike OTT services, which require the user to proactively download and activate the messaging platform or application, SMS capabilities are a standard feature on all mobile phones. This means that, despite the fact that a provider such as Apple can boast many millions of users for its iMessage service, this number still pales in comparison to SMS, which remains the most widely used mobile application in the world and one of the most popular communications tools of all time. Today, there are over five billion active mobile connections globally, all with the capability to leverage the SMS service. That’s quite a contender in the messaging stakes.
“A question remains over how operators can successfully leverage the benefits of owning the network to deliver a next-generation messaging platform”
Furthermore, it is important to place all recent messaging developments into context. While WhatsApp revealed at the end of last year that over one billion messages are being sent per day via the platform, around 15 billion texts are sent on average every day. While the rapid introduction of OTT messaging services has undoubtedly brought innovation in messaging capabilities, and attractive charging models to boot, these services are also fundamentally fragmenting the wider messaging landscape, something that must be resolved before we can even begin to consider the prospect of OTT overtaking SMS.
In addition, a question remains over how operators can successfully leverage the benefits of owning the network to deliver a next-generation messaging platform. Such a platform would need to deliver tangible added benefits to the end user and allow operators to win back market share from the newer players. This question is more important than ever before, as mobile penetration reaches (and even surpasses) 100% in certain markets. Operators today are faced with declining ARPU and their focus must turn to generating profit from other sources if they are to prosper.
A new approach to messaging
RCS has emerged as one potential route for them to do just that. An industry-wide effort, RCS is intended to offer operators a rapidly deployable set of standards-based features they can deliver to subscribers, such as enriched calling (sharing multimedia during a call), enhanced messaging and an enhanced phonebook with presence capabilities. This is an impressive array of functionalities that has the potential to enable mobile owners to communicate and collaborate with greater ease and efficiency than ever before.
The recent news that operators in Spain, including Vodafone, Telefónica and Orange, will be the first in the world to commercially launch RCS services in the summer of 2012 should go a long way towards eradicating the ongoing scepticism around whether RCS will ever come to market. Nonetheless, even with this breakthrough development, question marks will surely remain as to whether operators can effectively compete and match the service delivery – and consumer popularity – of services such as WhatsApp and BlackBerry Messenger. Only time will tell how this will ultimately pan out, but what seems abundantly clear at this point in time is that RCS offers operators a clear route to playing an important role in enabling the evolution of messaging.
Computer Fraud & Security
Threats to RCS
Largely, the success or failure of RCS – as with all consumer services – will depend on the quality of the end-user experience. This will involve ensuring that messages are delivered on time, that coverage is as ubiquitous as possible and that there is no congestion on the network. Importantly, it will also mean ensuring that the communications channel is kept clean from security threats such as phishing, fraud and spam.
The fact of the matter is that, as new technologies have proliferated, the cyberthreat landscape has evolved too. The pilot findings from the GSMA Spam Reporting Service (SRS), powered by Cloudmark, indicated that 70% of subscribers’ reports of messaging threats and misuse are coming from fraudulent financial services, highlighting the growing prevalence of mobile spam and the risks it poses to end users. These findings demonstrate that mobile messaging spam is a pressing issue, especially in Asia, where up to 50% of all SMS traffic is spam, the highest proportion in the world.
For operators, it is clear that allowing SMS spam to proliferate could hamper their long-term revenue streams. In the same way that email spam has impacted the success of online marketing, the wider mobile value chain may also lose out on revenue opportunities as a result of a surge in mobile spam, unless the channel can remain free from annoying and malicious activity.
There is no doubt at all that criminals and rogue companies will look to exploit the mobile channel as a new channel for spam. This will be of most concern during the initial rollout of the service when spammers would look to test it to its limit, seeking out any potential flaws they can use to send their messages. With RCS offering an enhanced messaging platform that allows users to send messages to both individuals and groups at any given time, the ROI and convenience of the service could be exploited by scammers. Operators must acknowledge this threat if they want to offer innovative services without putting their subscribers at risk of messaging abuse and fraud.
“The opportunity to drive revenue streams from new services will only be achieved if the current high level of consumer trust and immediacy in the mobile channel is maintained”
One particular area where RCS could present a strong opportunity to spammers lies in how the service will be initially charged. Operators will no doubt want to launch RCS with a splash and get as many subscribers as possible using the new services from the outset. The tried and tested means of doing this will be to offer mobile subscribers special, reduced-cost tariffs for RCS in order to encourage use. This could easily create a situation where it becomes cheaper for spammers to send messages via RCS than the traditional SMS channel. If operators look to provide a gateway between SMS and RCS services, this could make the situation even worse as spammers could hide within RCS services and use this as a haven for sending messages over SMS.
Perhaps most alarming of all, however, is the fact that RCS works on a one-to-many basis, meaning that spam can be sent to many thousands of handsets at once, as is the case with email. SMS, on the other hand, allows users to send messages to multiple recipients, but the message gets sent multiple times to the network, once for each recipient. The one-to-many approach would make it much more scalable and cost-effective for spammers to send through the RCS channel.
Keeping it clean
As RCS evolves, it is vital that this ubiquitous channel of communications is safeguarded. Only by keeping the SMS channel clean and maintaining its intimate and personal nature will subscribers be willing to migrate to new services such as RCS. For operators, it is also clear that the consequence of allowing mobile threats to proliferate could harm their bottom line. The opportunity to drive revenue streams from new services that capitalise on the growing consumption of content via mobile will only be achieved if the current high level of consumer trust and immediacy in the mobile channel is maintained.
“Network-level solutions are able to block malicious mobile messages before they are sent to the device”
In many respects, 2012 marks the year in which cyber-thieves will truly begin to move away from targeted phishing attacks via email to mobile messaging. In order to cope with such an increase in attacks, initiatives will need to be established, maintained and sustained.
While the techniques used in email security can be applied to a wide range of mobile devices, one fundamental difference is to be noted. Whereas desktop and email systems can be protected by applications that continually run in the background, completely undetected by the end user, mobile technology is incapable of doing the same. In order to effectively defend against mobile messaging attacks, an application would need to continuously run on a mobile device, which would radically impact the battery life of that device. This makes providing such applications extremely challenging, and means that they are unlikely to be widely deployed to consumer devices. In-network security solutions will need to be provided in order to control mobile-based attacks.
Data-driven analysis
The GSMA Spam Reporting Service (SRS) can assist in overcoming such a predicament. Through its provision of data-driven analysis, the GSMA SRS solution can provide operators with greater visibility of their networks and the attack trends affecting them, enabling them to understand the nature and methods of attack and quantify their volume and impact to develop more efficient security strategies. The GSMA SRS solution also enables operators to share this information with their peers within the operator community, helping to build a more collaborative defence against attackers.
In addition, solutions that enable operators to combat ever-evolving messaging threats with advanced mobile anti-virus, subscriber behaviour analysis (eg, anti-bullying and anti-spam) as well as subscriber preference capabilities, will prove vital, particularly when deployed in combination with the analytic information that services such as the GSMA SRS solution provide.
Such solutions work because they provide messaging threat protection in the network infrastructure, rather than on the device. This is much more effective in stopping spam, phishing and messaging attacks from infecting devices than device-based solutions. Network-level solutions are able to block malicious mobile messages before they are sent to the device, preventing the messages from ever arriving at the device in the first place. This has several benefits:
1. The ability to protect multiple device types.
2. The ability to provide protection without user involvement.
3. Having protection provided without device manufacturer or operating system vendor involvement.
4. Immediately protecting all subscribers upon deployment.
This type of protection requires a relatively advanced solution to be in place in the mobile network infrastructure. We will see this become more and more common as a means to protect against attacks of this nature in the coming months and years and it will play a vital role in ensuring that existing mobile messaging services, as well as new services such as RCS, remain clean for end users.
Ultimately, the network insight provided from a combination of mobile malware identification and prevention tools, real-time intelligence on ‘bad’ senders and links, content control for spam detection and prevention and anti-bullying functionalities such as blacklisting, can enable operators to effectively address this issue and help ensure RCS is a success.
Conclusion
RCS has the potential to offer operators a way of maintaining a foothold in the messaging space. It could deliver new and even richer ways for subscribers to communicate and collaborate through their mobile devices, while generating significant revenue streams for the operators that deliver them. For it to be a success, however, operators need to address the security of the channel from the outset, ensuring that spam or malicious emails are stopped before they get to the subscribers. Doing so will allow RCS to generate and maintain trust from end users and to live up to its full potential.
About the author
Neil Cook is the head of technology services for EMEA at Cloudmark, a company that provides a collaborative spam filtration network for stopping abusive messages across email, mobile and social networking infrastructures. Cloudmark currently protects more than 850 million mailboxes for more than 100 service providers around the world. Based in the UK, Cook is a seasoned expert on issues of fixed line and mobile messaging security. He has more than 16 years’ experience in large-scale service provider messaging and directory solutions, with particular expertise in mobile and next-generation converged services.
SCADA: a critical vulnerability
Danny Bradbury, freelance journalist
Are we at risk of a system meltdown of Hollywood proportions? A recent presentation highlighting critical vulnerabilities in some of our most popular industrial control systems suggests so. Project Basecamp, a vulnerability assessment exercise carried out by security firm Digital Bond, assessed levels of security in Supervisory Control And Data Acquisition (SCADA) products. It found them badly wanting.
Researchers scanned Programmable Logic Controllers (PLCs) from General Electric, Schneider Electric, Koyo, A-B Quality and SEL.[1] A sixth company’s controller, Control Systems’ SCADApack, failed early on during testing. GE’s device