Someone is SMS spamming citizens with my Ufone number - Advice Required


Fouad Bajwa

Feb 14, 2010, 8:04:40 AM
to TGP Group, Naveed Ul Haq, Ammar Hussain, Zahid Jamil, aamir attaa
Dear TGP Members,

I am facing a very devastating issue with my Ufone cell number 0333-4661290.

This number was switched off for the past week as I was travelling
in Europe
(my air travel boarding pass stubs and visa are available as evidence
as well as minutes of meetings in Geneva and Barrister Zahid Jamil was
also present).
I have had this cell number from the very beginning in 2004 as
personal basic cell number. Now it is causing me severe trouble on the
UFONE network.

As I arrived last night, this afternoon I received a phone call from
Karachi from an official at Honda Atlas Mr. Rehan Khan who complained
that he was receiving very obnoxious SMS's from my Ufone number
including valentine messages, ghazals and ridiculously outrageous
comments on the current situation of the country. This was a breach of
his privacy and severe disturbance due to the volume of incoming
messages from my number.

After apologizing to him for this unknown inconvenience and sharing
with him my details and that he could reference my information online
as well as visit me in Lahore any time for clarification and
convincing him that it wasn't me who was doing this, I assured him
that this issue will be investigated as soon as possible and I will
keep him up to date of the results.

This is both treachery of the network and illegal misuse by both
spammers and people destroying the reputation of these cell companies
as well as causing severe mental stress to users. What is the solution
to this? How can we get PTA to implement controls on these companies
to protect their consumers? What should I do?

In terms of Ufone, there should be some immediate check and balance by
the company enforcing systems to protect consumer privacy as I will
otherwise approach

In an effort to find a possible solution, I am also requesting Mr.
Naveed (PTA) and Mr. Ammar Jaffery (FIA) to look into this issue in
order to help me. If there are any Ufone managers on this list, kindly
help advise me here to resolve this issue that is causing both pain to
me and other users. If you call in, I can also provide the number of
the person that is affected by this issue.

--
Regards.
--------------------------
Fouad Bajwa
Advisor & Researcher
ICT4D & Internet Governance
Member Multistakeholder Advisory Group (IGF)
Member Civil Society Internet Governance Caucus (IGC)
My Blog: Internet's Governance
http://internetsgovernance.blogspot.com/
Follow my Tweets:
http://twitter.com/fouadbajwa
MAG Interview:
http://www.youtube.com/watch?v=ATVDW1tDZzA

Jamal Shamsi

Feb 14, 2010, 11:01:27 PM
to telecom-gr...@googlegroups.com


nothing will happen unless people are really SERIOUS !

0333...@ufone.com is sender and recipient are x no of people.

so everyone gets the sender number as sometimes their OWN :)


Salman Ansari

Feb 14, 2010, 11:28:41 PM
to telecom-gr...@googlegroups.com

Fouad

 

It is almost impossible that anyone can use your number as this would need them to have your SIM. It is also not possible to spoof your Mobile Number like an e-mail - there are too many checks built into the GSM system. The only possibility is someone making a new SIM – but then you cannot use the one which is there with you.

 

I would urge you to take this up with Ufone and ask for a detailed record of all calls/SMSs (from the Customer Services Center) made from your SIM and you can then check this if calls/SMS related to your SIM were made. In case there were none and the gentleman is mixing up the number, then there is no issue.

 

If there was a very remote possibility of this happening, the PTA and Ufone - and all Cellular providers as well as the Intelligence agencies would be VERY interested to discover how this can be done as it has huge implications!

 

I am bcc’ing the Chairman PTA and the CEO of Ufone in this mail, as this really needs careful investigation.

 

Salman


Rehan Allah Wala

Feb 15, 2010, 3:37:47 PM
to telecom-gr...@googlegroups.com
IF the number was in +92333 format, MAYBE it was sent from outside Pakistan from another
SMSC

Rehan Ahmed AllahWala
President & CEO - Super Technologies Inc.

http://www.supertec.com/ - Internet Telephony Solutions

Don't Remember Me ? Visit http://www.Rehan.com

~~~~~~~~~~~~~~~~~~~
"First they ignore you, then they laugh at you, then they fight you, then you win."
By Gandhi.
"Think Smart, Act Fast, Learn from Others, Be Successfull"

Are you on Facebook ? http://www.youtube.com/watch?v=FI0tmktiLd0

aamir attaa

Feb 15, 2010, 3:02:50 AM
to Ammar Hussain, Fouad Bajwa, TGP Group, Naveed Ul Haq, Zahid Jamil
In my opinion there can be three possible ways of sending such SMS...

Case 1: Message center number of receiver will reveal the real story. If it's local, for instance it's Ufone's message center number, then the problem is at Ufone's end; by the way, there are very little chances for this to happen.

Case 2: If you registered your Ufone number online - with their info service, and by mistake gave this login information to someone, then he/she can send SMS with your number. Hunt him/her down if this is the case.

Case 3: If there is no message center number, or there is a message center number of some other country, then just sit back and pray that the person doesn't do this again.


As mentioned by Rehan, SMS can be sent with any number through SMSC, and there are websites available to do so - let's get familiar with this way of teasing people - where anyone will be sending SMS with your number.

Regards,
Aamir Attaa






On Mon, Feb 15, 2010 at 12:52 PM, Ammar Hussain <am...@brain.net.pk> wrote:
Dear Fouad,

Sorry to hear the trouble caused to you. If you want to book an official
complaint with FIA, kindly let me know, someone from Lahore office would
contact you for the needful.

I am available for any support/assistance in this regard.

Take care

Ammar Jaffri


Fouad Bajwa

Feb 15, 2010, 2:07:02 AM
to telecom-gr...@googlegroups.com
Thank you Salman and TGP members for your continued support.

From my own basic understanding this shouldn't have been possible but
I too have found certain websites and software since last night where
this can be done and the software is extensively available. This
means more trouble for cell phone users and more customer disturbance
opportunity is out there. Does this refer to something we may call as
Mobile Phone Message Spamming?

Now the real issue is the people getting disturbed while the sms from
header has my number in it, what should be done?

Regards.
--------------------------
Fouad Bajwa

M. Umair

Feb 15, 2010, 4:59:18 AM
to telecom-gr...@googlegroups.com
Yes it is possible if sms interconnect passes CLI. I think PTA already has one CVAS registration for SMS aggregators. If all are required to obtain that registration then tracing may be easy.

BR,
M. Umair



Fouad Bajwa

Feb 15, 2010, 7:33:46 AM
to Ammar Hussain, TGP Group, Naveed Ul Haq, Zahid Jamil, aamir attaa
Dear Ammar,

Thank you for your continued kind support as always! I believe it
would be viable to have this complaint in record just in case to
mitigate risk of legal implications and this may be an example that
can be used within the PTA Mobile Antispamming Efforts directive. This
also gives us an important implication that was to some extent raised
by us at the Internet Governance Forum meetings last week in Geneva
(http://www.intgovforum.org).

We need to have a public task force of some kind where we can look
into these existing as well as emerging implications of the use and
abuse of mobile networks and this is necessary for the governance of
our own Internet and Mobile Networks. We can consider this as a call
for comments in this area?

Adding to the issue, Ufone was very kind enough to call me today after
Salman Ansari sahib intimated them of the issue and they too read the
issue on TGP. Ufone have carried out a preliminary technical
investigation into the issue today and has confirmed that they have
recorded from their systems evidence that my phone was powered off
from specific timings when I boarded my flight from Karachi to Geneva
on the morning of the 8th of Feb 2010 to when I switched on my phone
on the morning of the 13th of Feb 2010 arriving in Karachi so at their
end, my number is innocent. They have taken information on the person
that called me and are further investigating the other end of the
network and we cannot leave out the fact that mobile telephony
networks can be attacked from the ends other than it, such as the
example of the Internet generated attack towards the mobile telephony
network connected to it.

Technically, my SIM wasn't cloned, it didn't leave my handset as Ufone
has the wireless signature of the set as well as locations of the set
and finally the Ufone network was not used to carry out the spam
attack. We can therefore conclude separately that this means that the
Mobile networks and in essence the user of mobile services in Pakistan
are also as vulnerable as the Internet users to SPAM and identity
theft. There needs to be some necessary regulation in place to protect
consumers of mobile-telephony-internet services in Pakistan from the
implications of the networks and what damage may occur to them. The
European Union has made some significant reforms to its Telecom
regulation legislation to protect the consumers in a more logical and
trusted manner other than being subjected to pain and concern if it
wasn't their fault.

Thank you once again Ammar sahib and all the members for their
continued valuable support!

-- Best Regards

Fouad Bajwa

On Mon, Feb 15, 2010 at 12:52 PM, Ammar Hussain <am...@brain.net.pk> wrote:

bmug...@gmail.com

Feb 15, 2010, 10:26:39 AM
to telecom-gr...@googlegroups.com
Exactly, it's impossible. I once saw this in a movie, all his identity is stolen, his name gets changed, he can no longer be in touch with his friends and CIA is on the hunt to track him down for inexplicably failing to carry out an officially unsanctioned assassination and then failing to report back in afterwards. Slowly he learns about his past and regains his memories of all the things he did and his past actions suddenly flashback. I think the guy's name was Jason Bourne.

On Mon, Feb 15, 2010 at 9:28 AM, Salman Ansari <sal...@super.net.pk> wrote:

Zarrar Hasham Khan

Feb 15, 2010, 12:39:27 PM
to telecom-gr...@googlegroups.com
Dear Team,

It is NOT impossible to use any number in sending SMS. In fact, if I have access to an SMS client with link to an SMS gateway, I can use any number or any alphanumeric character that I want. This is generally allowed by almost all the operators in the world. This is one of the reasons why when you subscribe to Skype and buy their SMS package you can use any number that you want to be shown as the sender's number when you send SMS from Skype. However, in Skype you need to verify the number, as Skype sends you a code on the number that you want to use as the sender's number.


Fouad, the easiest way to trace the problem is that you contact anyone who has received a spam SMS from your number and ask him to go into the SMS properties and give you the SMS address. For Mobilink I remember the SMSC address was +923000000042 and for others it will be country code-operator code-SMS GT. The country code can give you an idea from where this SMS is coming.

Regards,


Zarrar

Muhammed Nasrullah

Feb 15, 2010, 1:18:34 PM
to telecom-gr...@googlegroups.com
Don't be fooled; anyone can pretend to be you. I can send messages as you right now. This is called sender address spoofing. It's not rocket science and is not new, read about it here: http://en.wikipedia.org/wiki/SMS_spoofing

You can also spoof your calling number to appear to come from any number of your choosing. But limiting discussion to SMS, it is very possible for anyone to pretend to be you much the same way anyone can send an email and pretend to be you. You can't control email address spoofing because there are millions of email relays and email hosts but you can certainly put a cap on SMS spoofing because there are limited ops.

Twitter, which began via SMS, had a similar problem where anyone could use your number and update your status, they 'fixed' it by adding an authentication key with the message http://www.theregister.co.uk/2009/03/06/twitter_sms_spoofing_risk/

If you are a victim of a spoof; ask the recipient to send you the Message-Center-ID and other diagnostic information. You can work with your Operator to identify, isolate and eliminate the source but there are too many services which allow this and there are not enough systems in place to protect against this.

WS
-Nash

On Mon, Feb 15, 2010 at 9:28 AM, Salman Ansari <sal...@super.net.pk> wrote:
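
Added example, not part of any message in this thread: the message-centre check that several replies recommend, done on the raw SMS-DELIVER PDU that a GSM modem returns in PDU mode. It assumes the 3GPP TS 23.040 field layout; `parse_deliver`, `origin_check` and the sample PDUs are constructed for illustration, and only the Mobilink SMSC value is taken from the thread.

```python
# Added example: pull the SMSC and sender out of a raw SMS-DELIVER PDU (hex).
# Field layout follows 3GPP TS 23.040; all sample numbers below are constructed,
# except the Mobilink SMSC quoted in the thread.

def _digits(octets):
    # Digits are stored as swapped nibbles; 0xF pads an odd-length number.
    return "".join("%x%x" % (b & 0x0F, b >> 4) for b in octets).rstrip("f")

def _address(toa, octets):
    # Type-of-number 001 (bits 6..4 of the type-of-address octet) = international.
    num = _digits(octets)
    return "+" + num if (toa >> 4) & 0x07 == 1 else num

def parse_deliver(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    smsc_len = raw[0]                       # octets of SMSC info that follow
    if smsc_len < 2 or len(raw) < smsc_len + 4:
        raise ValueError("PDU too short or carries no SMSC address")
    smsc = _address(raw[1], raw[2:1 + smsc_len])
    pos = 1 + smsc_len
    if raw[pos] & 0x03 != 0:                # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, toa = raw[pos + 1], raw[pos + 2]
    oa = raw[pos + 3:pos + 3 + (oa_digits + 1) // 2]
    if len(oa) < (oa_digits + 1) // 2:
        raise ValueError("truncated sender address")
    if (toa >> 4) & 0x07 == 5:              # alphanumeric sender (brand name)
        return smsc, "<alphanumeric>"
    return smsc, _address(toa, oa)

def origin_check(pdu_hex, home_cc="92"):
    """Heuristic only: flag a domestic-looking sender delivered by a foreign SMSC."""
    smsc, sender = parse_deliver(pdu_hex)
    if sender == "<alphanumeric>":
        verdict = "alphanumeric sender: judge by SMSC alone"
    elif sender.startswith("+" + home_cc) and not smsc.startswith("+" + home_cc):
        verdict = "suspicious: domestic sender, foreign SMSC"
    else:
        verdict = "consistent"
    return {"smsc": smsc, "sender": sender, "verdict": verdict}

_TAIL = "0000" + "01204180400400" + "02E834"   # PID, DCS, timestamp, text "hi"
# Constructed: sender +923330000000 delivered via SMSC +447000000042.
FOREIGN = "0791" + "440700000024" + "04" + "0C91" + "293303000000" + _TAIL
# Constructed: sender +923000000001 via +923000000042 (SMSC quoted in the thread).
LOCAL = "0791" + "290300000024" + "04" + "0C91" + "290300000010" + _TAIL

if __name__ == "__main__":
    for name, pdu in (("foreign", FOREIGN), ("local", LOCAL)):
        print(name, origin_check(pdu))
```

A foreign SMSC is a lead to hand to the operator, not proof of spoofing; a message relayed through a domestic gateway would pass this prefix comparison.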

Salman Ansari

Feb 17, 2010, 8:58:58 PM
to telecom-gr...@googlegroups.com, pakistan...@yahoogroups.com, Chairman PTA, chai...@nadra.gov.pk

I stand corrected. While the spoofed SMS will not come from a cell phone network, it can originate via the way Nasrullah and Wikipedia have explained.

 

I followed the links and actually registered on SMSGang.com, paid and signed in – it took me immediately through an anonymiser (!) site and what I saw that one can do is frightening, to say the least, and a huge headache for any law enforcement agency. This goes beyond spoofing and irritating people and is indeed a huge threat for security, by eliminating footprints of criminal and terrorist activity. I also got to the software that cell phone companies can deploy to get their guards up for this aspect and should do it in order to protect the issue of privacy and reliability of their systems. The common man does not know of this complexity and it just needs Geo or Express news to get onto this….

 

This is a much more important threat for the PTA to consider and should go after its resolution via the IP network rather than blocking some innocent blogs and silly YouTube videos. 

 

Salman Ansari

Muhammed Nasrullah

Feb 18, 2010, 8:46:01 AM
to telecom-gr...@googlegroups.com, pakistan...@yahoogroups.com, Chairman PTA, chai...@nadra.gov.pk
SMS Spoofing has its place as well. For example, setting the from address as an alphanumeric value "Warid" or "Zong" etc. It can also be used by VAS Providers to charge users via LA-2-LA charging (essentially, I send an SMS with your address to a shortcode that deducts 5 rs from your account). But these cases should be looked upon on a case-to-case basis and as a general step, spoofing should not be allowed.

WS
-Nash

Majid Farid

Feb 18, 2010, 2:19:03 PM
to Telecom Grid Pakistan
4 years ago I was in an operator in Pakistan and was responsible
for the information security area. I had a huge fight with our VAS
planning team who wanted to open the SMSC (SMS Server) on Internet for
VAS partners to access. The argument was that the country's biggest GSM
company at the time had the setup like that and it was essential for
them to have it the same here. Their argument was correct, the SMSC was
open to the world. I didn't investigate it further to see if SMPP binding
was allowed or not.

After much argument the SMSC wasn't opened to Internet. All the VAS
partners were asked to make secure VPN connections, no direct SMSC/SMPP
etc. were allowed and the VAS partners were directed to our SDP for
audit purposes apart from SMSC log.

Looking at our security devices' logs we would daily find people trying
to scan port 7777 i.e. SMPP over IP. Apart from that our website would
only allow a web user to send SMS after they log in... we found that
after our launch a few people wrote custom scripts that would log into
the portal automatically and used the CGI/API to send SMS to other
users; however, their messages were throttled due to the security mechanism
we implemented for not overloading the SMSC.

Although this isn't completely in line with what's been discussed it
highlights yet again the security area which is consistently
overlooked in our country. I know that our security agencies are at
war and trying hard to tap as much information from our telecom
networks but if we allow security loops like these to exist it's
criminal on the part of the operators!

/Majid

Babar

Feb 18, 2010, 4:11:19 PM
to Telecom Grid Pakistan
Good points Majid. This thread has provided some useful information. I
hope that operators in Pakistan pay attention to these scenarios and
tighten their security.

Babar
