Last week I posted a note about TynTec’s new secure SMS services for the banking and financial services sector. The post received quite a lot of comments questionning the technology, so I contacted TynTec’s Manuela Marques to ask her to read the comments and email me a response.
I’m delighted that she took the time to do so:
First of all, thanks for the comments posted in the blog. Secondly, I have to say that there is no ‘PR bull†in what we are saying: having SS7 connectivity as TynTec has makes a huge difference to the so called ‘aggregatorsâ€Â, tier 1 or not. It is important to know here the clear difference between an SMS provider who operates through aggregation and through SS7.
Aggregators route SMS messages by using the infrastructure and SS7 signaling of mobile operators through several direct connections. These agreements with mobile operators are needed to have access into the SS7 connectivity, what is fundamental to route not only SMS, but several types of mobile data. The connections between aggregators and mobile operators are made on an individual basis, increasing complexity and cost, as well as creating a hassle in terms of control and visibility in message routing.
Aggregators route SMS messages into and out of the operator’s SMS infrastructure (SMS-Centre), and from there only the operator has visibility and control over the message. This means that aggregators can guarantee the delivery of messages only till the operator’s SMS-Centre, not the mobile device. Operator’s SMS-Centres tend to, however, perform delays and/or lose messages, not being able to guarantee delivery of messages nor providing Service Level Agreements (SLA) for a high quality SMS routing. Therefore, aggregators cannot guarantee delivery of messages.
For mission-critical corporate applications, such mobile banking, it is important to combine the flexibility of an independent service provider with SS7 access. TynTec has access to SS7 through its partnerships with Manx Telecom (Isle of Man), Digicel (Jamaica) and Alands Mobiltelefon (Finland), as well as having a proprietary SMS-Centre to route the messages. TynTec is able to keep control and visibility from end-to-end, because it uses no third parties in the delivery process.
SS7 access is mandatory to provide reliability, security and scalability for mobile business applications as it is necessary to route corporate data in a secure way and to ensure its delivery. Therefore, as mobile banking requires a high level of reliability and confidentiality, TynTec provides a high level service, guaranteeing delivery of messages and secure path between sender and recipient.
For more information on our services, please visit our website at www.tyntec.com
Best regards,
Manuela
TynTec Ltd.
—–
Manuela, thanks for taking the time to write this response.
This still doesn’t address my concern. Lets go with an example…
HSBC decide to let people bank via SMS
They sound out emails / news letters / branch billboards, tv ads etc telling customers that they can now do banking via SMS…
I go to textanonymous.com or similar and send out messages to HSBC customers saying “To confirm your banking by SMS system, please send your account number and password to XXXXXX”
I can send this message as though it came from “HSBC BANKING” and I would bet that most customers would buy it straight away.
This opens doors for HUGE phishing scams. Remember that the reply can be forwarded by email to the scammers thus making it quite easy to become un tracable.
I still think that at the moment anyone who got a message like that would go “ooo thats odd, best ring the bank” but once they are told BY THE BANK that it will start happening, they will just accept it “as is” and send their info…
Even the people who are normally more vigilant with emails etc would probably be got by this as its a lot rarer to see a NAME not in your phone book appear on a text….
Anywho.. this is just one of my concerns. I have no issues with how secure their tech is, just how easy it is to fake it and steal using public knowledge.
Having read both the PR release for this piece of news and the comments from this blog I would like to mediate on the matter.
I do feel that it is unfair to comment on TynTec’s delightful news as ‘PR bull’, something more constructive would be more appropriate.
I do wonder if they have something in their connection to the signalling system 7 (SS7) network that may provide this additional quality and security (they do quote “TynTec’s unique technology infrastructure”).
It is not unknown for phreaking of the SS7 connections and IN platforms. Maybe they have some technical architecture that offers more capbility than is used even by the mobile operators. It is also not unheard of for DDOS attacks (denial of service) to be made against both the SMSC (and thus) the SS7 connection, maybe they have enough capability to withstand these as well. From my experience the mobile operators seem to suffer from poor service just related to high levels of SMS activity – probably not enough boxes handling the SMSC function, I digress……
I presume from TynTec’s business their customer is the corporate and financial/banking sector and therefore without getting into the high level technical nuances of the SS7 and intelligent platform architectures, the message (PR) they want to give these prospective customers is that they are focussed on providing a solution to them which gives direct access into this network along with the fringe benefits of security, reliability, audit trails and TynTec costs to match.
I would propose they target this message more directly to the specific market sector they wish to entertain with their commercial service rather than use a general web PR distribution.
I would also hope that more care and attention is paid to the use of such terms as
– Enterprise-quality SMS operator
– Banking grade tool [a finger?]
– Banking Grade [software for numbers that goes wrong just like Windows]
– mission-critical corporate applications [applications regularly abused/broken/avoided by the employees]
These terms are (to paraphrase Ewan) ARSE. They are just as bad as mobile companies using terms ‘Carrier grade’ and ‘zero fault tolerance’.
Ha Haa. If this goes on I will propose we have a BullS–T Bingo quiz every week with a pick of the worst terms used in the PR and giving your own thoughts on what the terms mean.
Mind you, I am mission critical. I am carrier grade (around the waist only), I am internet startup quality (we work more hours, days, years, for zero pay than anybody), but I am not fault tolerant.
And our current mobile platform serves 3 million customers – it’s cosmic sherbet flavoured quality grade platform.
Until we digress again on another urgent matter of mobile centric, 3G mega license funded, IP disruptive, VOIP kicking, walled garden hating SMS related discussion…
Bye for now.
Since when is using an SMS message service – mission critical. If the bank wants to create happy warm feelings in the customer they should call the customer directly and say “hello customer, we have a mission critical issue to discuss with you”.
Just like the mobile operators do…….. Oh, I forgot they don’t. They give you a phone, a SIM card and a telephone number but how many times has your mobile operator called you ever? And if they did, did they know your name?
I think that’s why the mobile operators want to create social networks so they can find out who the customers are. Good idea, maybe then they will stop spending all that money on corporate branding and useless TV advertising.
I’ll take back the comment about PR bull I made as Tyntec are lovely, lovely people really. However, I still stand by the fact that SMS is *not* secure.
Unless you’re paranoid and have automatic keylock and a PIN on your phone, what’s to stop someone picking it up and reading your texts? Nothing. Even if you have all of these, there’s ways around it.
Then we move to the mobile network operators. I can think of a number of cases in the past few years where employees at the networks have got up to mischief and accessed subscribers voicemails, personal records, and all sorts. Those are the ones that make it into the news – I’m sure there’s plenty more that don’t.
There’s one way and one way only to make SMS secure. Encrypt the message, and make sure only the person who receives it could possibly ever decrypt it. However, encryption is reversable – Alan Turing and co managed to crack Enigma using the same processing power as my washing machine, so it’s only a matter of time before the kids can crack any encryption the bank chose to use on your SMS.