http://www.ranetcommons.

net

Authentication of SMS

Weaver Technical and Project Notes from RANET

Author: K. Sponberg, IEPAS Program Manager, UCAR JOSS, sponberg ‘at’ joss.ucar.edu
Date: December 23, 2009

One of the limitations of mobile text messaging, when used for public dissemination of
information, is its inability to easily authenticate the sender of the message. By this I mean it is
possible for someone to spoof a mobile number and message, such that to the recipient the faked
message appears to originate from your organization. It is important to address authentication
issues to prevent falsified information being distributed by a third party, as well as to maintain
the ‘authoritative voice’ / public trust of a forecast office or watch provider. Quite often mobile
systems used by the hydro-meteorological community for dissemination of text messages rely
on a carrier SMSC (SMS Center) or the gateway of a commercial SMS reseller. When routing
information through these centers or gateways, there is not a dedicated short code or series of
mobile numbers from which a message is sent. Or more to the point the dedicated number
is often shared among other groups using the same center and gateway. As a result the end
recipient of the message cannot reliably look at the number from which the message was sent
to verify its authenticity. Even if your mobile system is tied to a unique short code or number,
it is still possible for a third party to spoof the number. This requires a little more technical
acumen to pull off, but it is still entirely possible. Spoofing of phone numbers is illegal in many
countries, but even so, it has to be reasoned that someone wishing to release a false forecast, or
worse yet, a fake warning, will not be terribly concerned about such laws.

For RANET and some country projects authentication has become a concern even though we
do not have an example of a false warning or forecast being sent. There are some examples of rumors about
warnings and disasters spreading via SMS, but these have more often been through ‘gossip’ and not a direct
attempt to impersonate a watch provider or forecasting office. Unfortunately there is no easy solution to the
potential problem. At the end of the day, verifying the authenticity of a message will be the responsibility of the
recipient. However, there are a few actions you can take to make verification of messages easier.

Cross Post Messages To Other Communication Channels

The first and easiest way to support authentication is to ensure the message of the SMS is also publicly posted
to a website, sent in an e-mail, or available through other existing messaging channels. In many cases this
is something most forecast offices and watch providers do as part of existing operations. Forecasts and alert
messages are routinely posted to a website, made available as RSS feeds, and sent out via e-mail. While you
may make these other formats available, it is a good practice to remind subscribers or the public where to go
(online or elsewhere) to see if the message they received has been actually released by your organization.

A variation of this technique is to include a short URL or verification code in your SMS that recipients can use
to directly link to an online copy of the original text. This too, however, can be spoofed if users are not diligent
about examining the URL and/or domain name of the website they are visiting. It would not be difficult for
someone to copy the look and feel of your website and to cross post the faked message. Presumably the faked
SMS would contain a link to the faked web site. But for recipients without without web enabled phones or
general web access, this may be of little value anyway.

This document was prepared by the IEPAS and RANET program lead under award number – NA06OAR4310119 from the National Oceanic and Atmospheric Administration, U.S. Department of Commerce.
The statements, findings, conclusions, and recommendations are those of the author(s) and do not necessarily reflect the views of the National Oceanic and Atmospheric Administration or the Department
of Commerce. Base support for RANET is provided by the USAID Office of US Foreign Disaster Assistance (OFDA) and the NOAA NWS. It is administered by the UCAR Joint Office for Scientific Support.
Significant funding and in-kind support is provided by a number of national weather services, donor agencies, and the communities with which RANET works.
Allow Verification Via SMS Request

Another possibility is to allow SMS recipients to request that your system resend them the latest message. In
this scenario a subscriber receives a forecast, alert, or other message. If she suspects the information is faked,
she can send an SMS request to your system for the most recent message to be resent to her mobile device. If
the messages do not match, then the recipient knows to be suspect of the original SMS. Even if your short
code/number is spoofed, a user can directly poll your servers via text message to get the latest and correct
information. An added benefit of this technique is that over time you can log the typical number of resend
requests. If such requests abnormally peak, then an alert can be set up to help your staff proactively track the
situation and squeltch any potentially falsified information.

Setting up this sort of two-way, on-demand system will require some additional investment, if you do not
already have the capacity. Aside from writing scripts to handle the requests, you will either need to have a
dedicated line to receive requests, and/or you will need to lease a dedicated number through an SMS gateway
or carrier SMSC. Of course your messaging costs will increase as well; particularly if your subscribers are
routinely requesting a verification message.

Assign PINs

When looking at our own system, as well as others, we came to realize that most systems disseminating SMS
are at least loosely subscriber based. Each person receiving a weather forecast or warning has signed up for
the service either directly from their mobile phone, by sending an e-mail request, or by completing an online
registration form. We can take advantage of such subscriber based systems by assigning or allowing users to
select a unique Personal Identification Number (PIN). When sending out messages to the user, the PIN can then
be included at the beginning of the message. If the recipient does not see or receive a message with his PIN,
then the he knows that the message may be faked.

Conceptually this sort of authentication is the most immediate and requires the least alteration in system design.
But of course it is still entirely dependent upon the recipient watching for the PIN. Again, the user is ultimately
responsible for verification.

Use of Unique Coding and Format

A less technical approach is to simply ensure your text messages contain some formatting of consistent headers,
order in which information is presented, punctuation, etc. Similarly, as you are likely to use abbreviations or
codes to squeeze information into a 160 character limit, purposefully use abbreviations, codes, or even unique
terminology; so long as this does not affect the clarity or readability of a message. While a third party could
easily copy your formats and styling, using this technique will add one more barrier, and it will provide a simple
cue to the recipient that the message is potentially faked if the formatting does not follow that from previous
messages.

Caveats

Using a few of these techniques in your messaging systems should greatly improve the ability of your recipients
to authenticate messages. Still, it is not impenetrable, and moreover educating your message recipients on how
to authenticate a message is likely the best defense.

One caveat of importance, however, is that before employing such techniques, make sure your operational
procedures and automation work without fail. For instance if you are cross-posting messages sent out as SMS
to a website and RSS feed, it is imperitative that the automation which sends the SMS also immediately posts
the information to these other communication channels. If an update to a website fails or is delayed, then users
seeking to verify a message or additional information may incorrectly assume a real message they received in an
SMS is faked. Similarly, a script that fails to include a PIN or respond to a user request to resend the message
could also cause confusion. Redundancy is good in public dissemination systems until it causes unmanageable
complexity.

*****