Targeting and Eliminating Unlawful Text Messages
CG Docket No. 21-402
In an age where communication technology is advancing rapidly, the Federal Communications Commission (FCC) has been actively working to protect consumers from unwanted and potentially harmful text messages, including robo-texts. Below we will explain the implications and requirements of FCC's Rule and Order 23-21 concerning robo-texts, focusing on common attack vectors, and the methods used to mitigate risk and ensure operator compliance.
Understanding Rule and Order 23-21
The FCC's Rule and Order 23-21was accepted and released on September 27, 2023, to address the rising issue of unsolicited text messages that inundate our mobile devices. These robo-texts are not only annoying but can also be used for malicious purposes, such as scams, phishing attacks, or spreading malware.
Illegal robo-text messages are now causing problems similar to illegal robocalls, including privacy invasion and fraud. The FCC has observed an increase in such texts, with reports from the Consumer Advisory Committee (CAC) highlighting various fraudulent tactics. CTIA (Cellular Telecommunications Industry Association) has also noted a significant rise in the number of spam texts blocked by wireless providers, growing from 1.4 billion in 2015 to 14 billion in 2020. While the App Association has reported a surge in automated text messages, increasing from 1 billion in July 2021 to 12 billion in June 2022.
Under Rule and Order 23-21, the FCC outlines guidelines and regulations that all MNOs (mobile network operators) and service providers must follow to combat this growing problem. Failure to comply may result in hefty fines and legal consequences, making it essential for all stakeholders to take these rules seriously.
Common Attack Vectors
Robo-texts can be sent using a variety of methods, making them a formidable challenge to combat. Some common attack vectors include:
Spoofing
Attackers often impersonate legitimate entities, making it difficult for consumers to distinguish between a legitimate message and a fraudulent one.
Phishing
Robo-texts are frequently used to trick recipients into divulging personal information or clicking on malicious links, leading to identity theft or malware infections.
Spam Campaigns
Mass distribution of unwanted messages can overwhelm consumers and disrupt their daily lives.
Malware Distribution
Attackers may use robo-texts to deliver malware to unsuspecting users, compromising their devices and data.
FCC Sought Comment on 3 Proposed Rulemakings
- Mandatory blocking of texts claiming to be from invalid, unallocated, or unused numbers or those already on the Do-Not-Originate (DNO) list.
- Applying caller ID authentication requirements to text messages.
- Mitigating erroneous blocking.
FCC Adopted 2 of the 3 Proposed Rulemakings
Mandatory blocking of texts claiming to be from invalid, unallocated, or unused numbers or on the DNO list.- A DNO list is defined only as “a reasonable DNO list.”
- The Industry Traceback Group (ITG) is a widely used and accepted list.
- The need for a DNO list depends on the functioning of the MNO network and individual messaging platform. If you can block out erroneous texts without a DNO list, then you are in compliance.
- Mandates that a single point of contact must be identified per operator or contractor for resolution of problems.
- Although this process may be time-consuming, the FCC has eliminated any specific timeline for removing a user from the list, which is beneficial for MNOs
- Those seeking to be removed from blocking must provide “documented, objective evidence of blocking.”
What’s Next: Further Notice of Proposed Rulemaking
Seeking further comment on authentication.- Authorization of messaging is still under review.
- We anticipate an FCC ruling on this within the next 12-18 months once we have established an appropriate methodology.
- The FCC is working on establishing a centralized DNO list to streamline operations and they are seeking suggestions on how to accomplish this. We expect this effort to also take 12-18 months to address the challenges of adding individuals to the DNO list.
- The do not call (DNC) list would be applied to A2P messaging (vs DNO).
- We have minimal concerns about the implementation of this idea, as it is a binary list – so either you receive A2P calls, or you do not. It's important to note that in messaging, services like 2FA which are classified as A2P messaging remain a beneficial and useful tool for subscribers and consumers.
- This affects aggregators more than infrastructure vendors or MNOs.
- The way it works now, an opt-in is for brand communications, not necessarily for the particular channel.
- The FCC is exploring an opt-in by channel instead of one opt-in per brand communication.
In Summary: How can Interop Technologies help?
The FCC's Rule and Order 23-21 represent a significant step forward in protecting consumers from the onslaught of robo-texts. While these rules are relatively manageable, there is a possibility of more demanding regulations in the future. Implementing new features also depends greatly on the type of platform.
“In general, we do not believe that a DNO list is necessary for Interop Technologies’ hosted customers, while our turnkey customers will need to be evaluated on a case-by-case basis," said Steve Zitnik, EVP and CTO for Interop Technologies. “For MNO customers utilizing Interop Technologies messaging platform who need DNO functionality, it will be offered as an add-on option.”
The battle against these intrusive and potentially harmful messages is an ongoing one. Operators, service providers, and consumers must work together to stay ahead of evolving attack vectors, implement robust mitigation strategies, and ensure compliance with FCC regulations. By doing so, we can foster a safer and more secure mobile communication ecosystem for everyone.
Zitnik discussed this topic at the CCA (Competitive Carriers Association) Annual Convention in Atlanta on October 19, 2023. If you would like to view a recording of the keynote presentation, click here.