Phishing SMS/Emails/Calls

The Cyber Security Agency (CSA) posted an advisory about tech support scammers impersonating CSA officers 7 months ago. A few cybersecurity professional, me included, saw the post and immediately commented either directly on the post or on a copy shared by one of the deputy directors that the impersonation was possible because CSA did not properly set up their DMARC policy. Since then, they have set up a DMARC policy and it is now impossible to impersonate emails from csa.gov.sg.

I was reminded of this incident when I observed the response in the aftermath of the OCBC phishing SMS fiasco. As per this Straits Times article on 17 January, IMDA urged all businesses to sign up on the anti-SMS spoofing registry. As per this Straits Times article on 31 January, some members of public managed to show that it is possible to bypass the registry and spoof as businesses that had already signed up. It seems like our regulators, IMDA and CSA, do not have senior engineers who are intimately familiar with the technical aspects of the technologies they are regulating.

CSA is rather fortunate because emails are a widely understood technology. Every major company runs their own email servers so there are plenty of IT engineers out there who are very familiar with all the inner workings of email. They understand details of all the protocols (IMAP/POP3/SMTP) to do with sending and receiving emails as well as all the security mechanisms (SPF/DKIM/DMARC) to safeguard email from spoofing. They can explain everything that happens from the moment you push the send button all the way until the email arrives in the recipient's inbox. This group of professionals can call CSA out when they observe insecure practices.

Unfortunately, SMS and phone calls are poorly understood technologies. In the past, companies used GSM modems or SMS gateways to send SMS. Nowadays, they may a service like Twilio. Regardless of the method, once the SMS leaves the endpoint, it enters a black box and re-emerges on the other side to reach the recipient. Very few people understand what happens inside that black box and can explain step by step how it works. ISPs are doing source IP spoofing and dropping packets, can something similar be done for calls/SMS? Are international calls/SMS from foreign Telcos routed the same way as local calls/SMSes? Do they come through the same pipe? How about local subscribers that are currently roaming and connected to foreign Telcos? Can those calls/SMSes be differentiated from the spoof calls/SMSes?

Coming from someone without a background in telecommunication technology, Telcos must have a way of determining if a number is in use because you get a recorded voice message telling you that the number is not in use otherwise. Telcos must also have a way of determining if the number is currently connected to a local base station, how else would they be able to make the phone ring and route the call. Both these operations should be possible in less than 3 seconds, which is about the time you take to get a response when dialing a number. Given these 2 assumptions, the following logic should be possible to stop these spam calls. Is it really implementable?

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
Scenario: +65 9123 4567 dialling in from overseas

if +65 9123 4567 is currently not in use:
    # confirm to be spoofed since number not in use
    telco will terminate call 
else:
    if +65 9123 4567 is currently connected to a base station in Singapore:
        # handphone cannot be located in Singapore and overseas at the same time
        telco will terminate call 
    else:
        # either handphone is located in Singapore but turned off (unlikely in present day) or handphone is overseas and it is a legitimate call
        route the call to the recipient

Perhaps only senior engineers who have worked in Telcos have the answer to those questions. Given the age of SMS/telephony technology, many of those senior engineers may already be retired. Maintenance may have been outsourced and there may be very few people left with that technical expertise. Without an in-depth understanding of the technology, we will not be able to fully block phishing calls/SMSes and our regulators will have to continue what they do best, sending advisory after advisory telling people not to click on links and not to answer calls starting with +65.