SMISHING LIKELY NOT FROM AGGREGATORS: SIM card registration to address text scams

- Advertisement -

The National Privacy Commission (NPC), together with the local telecom operators, will push for the passage of the proposed SIM (Subscriber Identity Module) Card Registration Act to help address the proliferation of text scams.

This after the agency has initially determined that data aggregators are unlikely the source of the latest smishing messages that include recipient names.

In a virtual press briefing, Leandro Angelo Aguirre, NPC deputy commissioner, said SIM card registration will help curb the rampant text scamming but it will not completely eradicate the problem as scammers might use other technologies.

- Advertisement -spot_img

Representatives from Smart Communications Inc., Globe Telecom Inc. and Dito Telecommunity Corp. have also expressed support for the passage of the bill as it would be easier to identify the source of smishing messages.

Based on NPC’s initial investigation, the data aggregators are unlikely to be the source of the recent wave of targeted smishing messages that specify the recipient’s name.

The NPC, through its Complaints and Investigation Division, has observed from the smishing reports it received  the smishing messages appear to have been sent using specific mobile numbers registered to certain texting services.

As confirmed with the telecommunications companies, smishing messages which are sent using mobile numbers are possible through a phone-to-phone transmission, which is usually coursed through a telco’s regular network and do not pass through data aggregators.

Based on Smart’s close coordination with the Philippine National Police and the National Bureau of Investigation that ran simulation tests on the scam, the culprits may have used a popular e-wallet and an online messaging platform to harvest the names of subscribers.

“Our initial investigation showed that criminals may have acquired or bought the data from different establishments. Then, they ran the mobile numbers on GCash and Viber to get the names of the subscribers and use them on their messages,” said Christopher Paz, NBI chief cybercrime division.

“To clarify, the infrastructure of GCash or any digital wallet has not been compromised. The criminals simply checked the mobile numbers if they are subscribed to the platform. The scammers seem to have found a way to automate the harvesting of names from different sources. Another possible source also are some mobile loan applications that are designed to extract personal information from smartphones where they have been installed,” Angel Redoble, PLDT and Smart chief information security officer, said in statement.

Nonetheless, NPC has been continuously investigating potential sources and root cause of targeted smishing messages, such as patterns in the use of name formats that prospectively match the names of data subjects registered with popular payment applications, mobile wallets and messaging applications.

Further, the NPC is working closely with the telcos in formulating countermeasures against the recent wave of targeted smishing messages.

As a concrete course of action, telcos have blocked identified mobile numbers that sent smishing messages and are continuously blocking messages with malicious URL links associated with smishing.

The NPC said it shall pursue its investigation to its full extent and within the bounds of its mandate to protect the fundamental human right to privacy. Through relevant issuances, it will be compelling entities involved to take firm action in addressing the possible privacy risk brought about by targeted smishing messages.

Meanwhile, the Senate committee will reopen deliberations on the proposed SIM Card Registration Act, which was vetoed by former President Rodrigo Duterte in the last Congress, on September 8.

In the 18th Congress, the proposed SIM Card Registration Act was passed by both houses of Congress but was vetoed by Duterte, who rejected the provision mandating the registration of all SIM cards and social media accounts for the purpose of deterring electronic communication-aided crimes. – Myla Iglesias

Author

Share post: