OCBC Scam: Exposing the Roles of Third Party SMS Aggregators in SMS Phishing

TLDR: Third Party SMS Aggregators Allow for Scammers to Send Scam SMS Phishing Messages to Singaporeans.
By now, you must have seen many examples of the SMS phishing scams and screenshots of spoof messages.
While we are looking for a solution to stop the SMS phishing scam, it's important to understand in detail how it actually works.
I will show how the scam messages were sent and what exactly is going wrong with our system.
Hopefully, this will allow us to work towards a solution to reduce SMS phishing scams.

How does SMS sending work?

We can understand how SMS works by looking at it from three angles: the perspectives of a normal sender, a company and a scammer.

1. Normal Senders

Normal senders are just you and me. We send SMS from our phones to the telcos en route to end users. Nothing fancy here.

2. Organisations & Companies

Organisations & companies make use of third party SMS aggregator services to send messages through their services.
You might have heard of Twilio. They are one such company that provides these SMS services. These companies are able to tell the telcos to send an SMS to us.
So in general, companies, such as OCBC, don't directly interface with the telcos. They communicate with the third party SMS aggregators, telling them the target phone number and the SMS message they would like to send.
Interestingly enough, it is also at this point that companies provide something called a senderId. It changes the sender name of an SMS, which is how you can receive a text with the name "OCBC" even though you don't have that name in your contacts.

3. Scammers

Lastly, how do scammers send the SMS to us? Well, this is the important part. They make use of the same third party aggregators to send the SMS.
How did the scammers send a text with the name OCBC? Remember the senderId field? Well, scammers make use of that too.
Basically, they just tell the SMS aggregators to send the message with the name OCBC. And what do you know, the SMS aggregators pass it along to the telcos and the scam messages reach our phones without any verification process.
Not only does it show up with the sender name OCBC, the scam messages are also grouped into the same channel as the real OCBC messages.

Was this how the scammers did it?

To be fair, there's no concrete evidence the scammers use them.
But this is exactly how I was able to use the services and send the scam SMS messages to different phone numbers.

This sounds bad

Is it easy enough to send scam messages? Yes, it is very, very simple. Worryingly simple.
Why on earth could these third parties send custom senderIds to telcos without any checks? Well, I'm not sure either. This is an opaque process to outsiders.
Perhaps there is already some regulation in place that is not enforced by the SMS aggregators?
We don't know.
But right now, it looks like we are asking third party SMS providers to check themselves. Insert obligatory meme here.
Ownself Check Ownself

Why didn't Singapore do anything then to patch this?

In a forum letter, IMDA revealed there was a registry protection program that asks companies to register names which can then be restricted from use by the hackers.
This was started in August last year. Singpost, Lazada and DBS were examples of companies which have registered on this program.
Unfortunately, this registry protection just does not work at the moment!
I tried and noticed spoof messages were able to be sent from DBS, DBS Bank, Singpost and Lazada. Notice all these names should by right be on the registry protection.
This was also independently verified by other testers and journalists. Thanks to @ImStillDissin on Twitter for verifying on the 20th Jan 2022.

Registry Details are not Clear

It is also unclear at which stage of the process this registry "blocks" scam messages. Indeed, details of this registry have been weirdly vague.
Continuing to ask companies to join a registry that does not work is not a good look either.
I know many questions have been addressed to IMDA. Hopefully there's some clarity on this soon, so we can regain trust in the SMS services.

So should we blame third party SMS aggregators for the SMS phishing scams?

Yes and no.
Firstly, more should have been done to stop the scammers from sending the messages with the name of OCBC.
But, they could argue that it is not their responsibility, since there was no regulation for them to have oversight.

So what now?

It is tragic that an eye popping $8.5 million was stolen from right under our noses. We must not let this continue.
One possible solution is to regulate these third party SMS aggregators such that registration is required for companies to send messages with a certain name.
For example, Grab has to apply to have their SMS be sent with the name “GRAB”. Upon verification by authorities, the company now has the ability to do it. No one else is allowed to send SMS with that name.
By default, all other sender names are not allowed to be set. Any new SMS sender name must go through a verification process before it can be used.
This also means that the responsibility now lies with the third party SMS aggregators to build an authentication and whitelist service, mapping sender names to authorized companies.
If aggregators do not perform due diligence and allow for the sending of phishing SMSes, then penalties can be introduced.
Indeed, it is not unlike solutions adopted in 51 other countries to regulate this. Mandatory registration is required for third party SMS aggregators to use a custom sender name. Many more countries, in fact, outright ban third party aggregators from changing senderIds.
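
The default-deny sender-name check proposed above, written as an added example (not code from any aggregator, telco or IMDA). The `SenderIdRegistry` class, its method names and the account ids are hypothetical, and the registrations are constructed sample data.

```python
import unicodedata
from dataclasses import dataclass

MAX_ALNUM_SENDER_LEN = 11  # alphanumeric SMS sender IDs hold at most 11 characters


def canonical(sender_id: str) -> str:
    """Fold case, Unicode width and spacing so lookups use one key per name."""
    folded = unicodedata.normalize("NFKC", sender_id).casefold()
    return " ".join(folded.split())


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class SenderIdRegistry:
    """Maps each verified sender name to the accounts allowed to use it."""

    def __init__(self) -> None:
        self._owners = {}  # canonical sender name -> set of verified account ids

    def register(self, sender_id: str, account_id: str) -> None:
        # Called only after the out-of-band verification step has succeeded.
        self._owners.setdefault(canonical(sender_id), set()).add(account_id)

    def authorize(self, account_id: str, sender_id: str) -> Decision:
        key = canonical(sender_id)
        if not key or len(key) > MAX_ALNUM_SENDER_LEN:
            return Decision(False, "malformed sender name")
        owners = self._owners.get(key)
        if owners is None:  # default deny: unregistered names never pass
            return Decision(False, "sender name not registered")
        if account_id not in owners:
            return Decision(False, "registered to another account")
        return Decision(True, "verified owner")


def build_sample_registry() -> SenderIdRegistry:
    # Constructed sample data; account ids are hypothetical.
    registry = SenderIdRegistry()
    registry.register("OCBC", "acct-ocbc")
    registry.register("GRAB", "acct-grab")
    return registry


if __name__ == "__main__":
    reg = build_sample_registry()
    for acct, name in [("acct-ocbc", "OCBC"), ("acct-x", "ocbc"), ("acct-x", "DBS Bank")]:
        print(acct, repr(name), reg.authorize(acct, name))
```

Because the check fails closed, a variant such as "DBS Bank" is rejected simply for being unregistered, with no need to enumerate lookalike names in advance.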

Petition

There is a petition to ask IMDA to exercise greater regulation around this process of authenticating sender names. It's asking for a layer of checks and balances that is enforced by regulatory bodies.
Whether it can be built on top of the "registry protection program" or it must be something new remains to be seen.
It will require significant effort. But of course, the important thing is to stop potential future scams from happening.
If you have read to the end and found the article useful, feel free to share this on social media by copying the shortened link here.
https://cpt-sg.link/3rd-party-sms-exposed
By raising more awareness, we will be able to reduce the number of scams happening in our country.