Protecting SMS Used in Critical Business Processes

On November 9th, 2019, the National Cyber Security Centre (NCSC), which draws expertise from the UK's GCHQ and CERT-UK, published advice on the use of SMS in critical business processes. This advice, Protecting SMS Messages used in Critical Business Processes, recommends a number of control measures that can mitigate the risk of attacks on SMS-based processes such as one-time passcode delivery.

Some of the most common and powerful control measures rely on the sharing of mobile network, subscriber, and device information.  For example: 

  • SIM swap and recent port controls require a mobile operator to share a subscriber's IMSI (or whether it has changed), because a replacement SIM carries a new IMSI.
  • Roaming status controls require a mobile operator to share whether a subscriber is currently outside their home country.
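The following is an added example of how a relying party could apply these three controls before sending a high-value SMS. It is not code from the NCSC advice or from XConnect; the `NetworkAttributes` record, the `assess` and `check_number` functions, the 72-hour and 7-day windows, the key and all subscriber records are assumptions constructed for illustration. It stores only a keyed hash of the IMSI seen at enrolment rather than the IMSI itself, and it fails closed when an operator does not share an attribute.

```python
"""Decide whether SMS is safe to use for a critical message (added example).

Hypothetical shapes: an operator lookup returns NetworkAttributes; the relying
party keeps a keyed hash of the IMSI recorded at enrolment, not the IMSI.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
import hashlib
import hmac
from typing import List, Optional, Tuple


class Decision(IntEnum):
    SEND = 0      # deliver by SMS
    STEP_UP = 1   # do not rely on SMS alone; verify by another channel
    BLOCK = 2     # strong SIM-swap indicator; do not send


@dataclass
class NetworkAttributes:
    """Attributes an operator could share about a subscriber (assumed shape)."""
    imsi: Optional[str]                  # None when the operator will not share it
    last_sim_change: Optional[datetime]  # None when unknown
    last_port: Optional[datetime]        # None when never ported / unknown
    roaming: Optional[bool]              # None when unknown


def imsi_fingerprint(imsi: str, key: bytes) -> str:
    """Keyed hash so the relying party stores a fingerprint, not the IMSI."""
    return hmac.new(key, imsi.encode("ascii"), hashlib.sha256).hexdigest()


def assess(attrs: Optional[NetworkAttributes], enrolled_fp: str, key: bytes,
           now: datetime, sim_swap_window: timedelta = timedelta(hours=72),
           port_window: timedelta = timedelta(days=7),
           allow_roaming: bool = False) -> Tuple[Decision, List[str]]:
    """Apply SIM-swap, recent-port and roaming controls; unknowns fail closed."""
    if attrs is None:
        return Decision.STEP_UP, ["no network attributes available"]
    decision, reasons = Decision.SEND, []

    # SIM swap control: the IMSI must match the one recorded at enrolment.
    if attrs.imsi is None:
        decision = max(decision, Decision.STEP_UP)
        reasons.append("IMSI not shared; SIM swap cannot be ruled out")
    elif not hmac.compare_digest(imsi_fingerprint(attrs.imsi, key), enrolled_fp):
        # An unknown change date is treated as recent (fail closed).
        recent = (attrs.last_sim_change is None
                  or now - attrs.last_sim_change <= sim_swap_window)
        if recent:
            decision = max(decision, Decision.BLOCK)
            reasons.append("IMSI changed since enrolment within the SIM-swap window")
        else:
            decision = max(decision, Decision.STEP_UP)
            reasons.append("IMSI changed since enrolment (older replacement SIM)")

    # Recent port control.
    if attrs.last_port is not None and now - attrs.last_port <= port_window:
        decision = max(decision, Decision.STEP_UP)
        reasons.append("number ported recently")

    # Roaming control.
    if attrs.roaming is None:
        decision = max(decision, Decision.STEP_UP)
        reasons.append("roaming status unknown")
    elif attrs.roaming and not allow_roaming:
        decision = max(decision, Decision.STEP_UP)
        reasons.append("subscriber is roaming")

    return decision, reasons


# Constructed sample data (UK 07700 900xxx numbers are reserved for fiction).
KEY = b"example-fingerprint-key-rotate-in-production"
NOW = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
ENROLLED_IMSI = {f"44770090000{n}": f"23415000000000{n}" for n in range(1, 6)}
ENROLLED_FP = {m: imsi_fingerprint(i, KEY) for m, i in ENROLLED_IMSI.items()}
SAMPLE_LOOKUP = {
    "447700900001": NetworkAttributes("234150000000001", None, None, False),
    "447700900002": NetworkAttributes("234150000000099", NOW - timedelta(hours=5), None, False),
    "447700900003": NetworkAttributes("234150000000003", None, NOW - timedelta(days=2), False),
    "447700900004": NetworkAttributes("234150000000004", None, None, True),
    "447700900005": None,  # operator shared nothing
}


def check_number(msisdn: str, now: datetime = NOW) -> Tuple[Decision, List[str]]:
    """Look up the constructed record for msisdn and assess it."""
    return assess(SAMPLE_LOOKUP.get(msisdn), ENROLLED_FP[msisdn], KEY, now)


if __name__ == "__main__":
    for msisdn in SAMPLE_LOOKUP:
        decision, reasons = check_number(msisdn)
        print(msisdn, decision.name, "; ".join(reasons))
```

Note that with the fail-closed defaults every attribute the operator withholds pushes the outcome toward step-up, which is the practical point of the post: the controls are only as good as the data the ecosystem is willing to share.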

In theory, the control measures recommended by the NCSC can significantly reduce these risks. In practice, however, getting access to the underlying data is extremely challenging, for a number of reasons:

  • Parts of the SMS industry are still not trusted by mobile operators, which makes operators reluctant to share information with the wider ecosystem.
  • GDPR requires every business in the supply chain to handle subscribers' personal data responsibly and securely, yet many businesses in the SMS ecosystem are not yet ready to handle attributes such as IMSI or roaming status, which can expose subscribers to risk just as readily as they can protect them.

XConnect's mission is to enable data liquidity for the attributes that implement the control measures recommended by the NCSC. To this end, the supply chain must mature in the following ways:

  • Deliver data platforms that are secure, scalable and ultra-low latency.
  • Adopt a robust approach to data protection, including appointing a Data Protection Officer (DPO).
  • Build ecosystem trust by agreeing an industry standard for data sharing and by supporting the rights of data subjects.

If you are a mobile operator, SMS service provider or enterprise struggling with any of the issues raised here, you can contact XConnect's Market Development Director and Data Protection Officer using the following link: Contact Lee Suker.