
The security of NHS Text Messages


Richmond

Sep 15, 2021, 3:34:05 PM
The NHS sends out text messages with a link to book appointments. The
link takes you somewhere and asks your date of birth. The link doesn't
even look like an NHS link, it is florey.accurx.com ...

This seems like an insecure procedure to me. Is it impossible or easy
to make a text message appear to come from the NHS?

David Woolley

Sep 15, 2021, 5:32:47 PM
On 15/09/2021 20:34, Richmond wrote:
> This seems like an insecure procedure to me. Is it impossible or easy
> to make a text message appear to come from the NHS?

Definitely not the case, as the Covid test results come from NHS.

Generally though, marketing people never seem to understand basic
security, and outsourcing is very common. (E.g. people used to iframe
credit card processor forms, to try to make them seem part of the page,
but I trusted the few well known processing services more than the
retailers.)

However, my appointment texts come from a normal number, which is
constant, so I have a directory entry for it. They do have a dodgy,
nhsportal.net domain rather than a sensible, nhs.uk one, and I did quite
a bit of research before trusting the first one I received.

The dodgiest one was the (legitimate) invite to have a Covid
vaccination, which came from the organisation handling them for several
local GPs, but of which I hadn't heard. The latest ones had an nhs.uk
domain (accurx.thirdpary.nhs.uk), but the first one used the, dodgy, and
abusive (me is for individuals) book.nhs.me, which I think actually
redirected to the thirdparty one.

The last minute reminders for my hospital appointments come from MESSAGE!

MB

Sep 17, 2021, 6:02:02 PM
On 15/09/2021 22:32, David Woolley wrote:
> Definitely not the case, as the Covid test results come from NHS.

My ONS test PCR results now come by EMail, they have date of test etc so
unlikely to be faked and hard to see point of faking them. From a
gov.uk address.

My calls for the jab came from my local medical centre / GP by phone and
like all NHS calls displayed the NHS 0800 number.


Martin Nicholas

Sep 18, 2021, 3:59:06 AM
On Fri, 17 Sep 2021 23:02:51 +0100
MB <M...@nospam.net> wrote:

> My ONS test PCR results now come by EMail, they have date of test etc
> so unlikely to be faked and hard to see point of faking them. From a
> gov.uk address.

Your ISP should have added an "Authentication-Results" header to the
mail. It should look a little like this:

    Authentication-Results: mx.isp.co.uk;
        dkim=pass header.d=notifications.service.gov.uk;

It has passed a DKIM cryptographic signature test for the domain in
question and is thus genuine.

It's always been easy to forge the "From" address, but any diligent ISP
should refuse to accept them.

Common knowledge this? Not sure.

--
Regards,

Martin Nicholas.

E-mail: reply-...@mgn.org.uk (Address will be valid throughout
September).

The Usenet: 41 years of social media.

Martin Brown

Sep 18, 2021, 5:34:54 AM
On 15/09/2021 20:34, Richmond wrote:
> The NHS sends out text messages with a link to book appointments. The
> link takes you somewhere and asks your date of birth. The link doesn't
> even look like an NHS link, it is florey.accurx.com ...

NHS IT isn't the greatest. Round here they haven't been able to print
out addresses so that the post code is visible in the windowed envelope.
I consider this a basic fail for computer undergraduates.

It isn't uncommon for genuine bulk mailings to be outsourced to someone
who looks like they are a scammer if you examine the headers.

> This seems like an insecure procedure to me. Is it impossible or easy
> to make a text message appear to come from the NHS?

You can spoof anything if you set out to do it. That is why you have to
view all unsolicited incoming calls and texts as potentially hostile.
The ones that really annoy me demand that I prove to them who *I* am!

I'd use the info in the txt to access the NHS booking website from
another platform. Never trust a link sent in an unsolicited email or txt
even if it looks like it has come from (eg your bank). The scammers have
got very good at mocking up convincing man in the middle attacks.


--
Regards,
Martin Brown

Richmond

Sep 18, 2021, 2:11:02 PM
I was not quite specific enough before in that I said it was from the
NHS. It was, but specifically it was from my GP practice. But it is the
same problem either way. The text message comes from an alphanumeric
source, and I cannot see any number associated with it. It is not in my
contacts either. So this is a special use of SMS I think, where an
alphanumeric source has been inserted. And presumably this is supposed
to make it difficult to spoof. But if it can be done technically by an
organisation it could probably be done by a hacker who hacks the right
system. We know NHS security is weak because they have out of date
systems and they got caught by ransomware a few years ago.

But it is a bad practice because it encourages bad behaviour, i.e. click
on a link, go to an unfamiliar website, give away personal
information. I don't recall any communication from the GP telling me to
check carefully the source of such SMS. In these times when people are
eager to book appointments for a jab they are vulnerable to being hasty
and not checking.

Anyway, I'll moan at the GP about it some day when I get an opportunity.

Martin Brown

Sep 21, 2021, 4:51:48 PM
On 18/09/2021 08:58, Martin Nicholas wrote:
> On Fri, 17 Sep 2021 23:02:51 +0100
> MB <M...@nospam.net> wrote:
>
>> My ONS test PCR results now come by EMail, they have date of test etc
>> so unlikely to be faked and hard to see point of faking them. From a
>> gov.uk address.
>
> Your ISP should have added an "Authentication-Results" header to the
> mail. It should look a little like this:
>
> Authentication-Results: mx.isp.co.uk;
> dkim=pass header.d=notifications.service.gov.uk;
>
> It has passed a DKIM cryptographic signature test for the domain in
> question and is thus genuine.

Way too many are soft fails though.

> It's always been easy to forge the "From" address, but any diligent ISP
> should refuse to accept them.
>
> Common knowledge this? Not sure.

I know of one ISP that regularly allows incoming spear phishing
forgeries as if from sup...@isp.co.uk to be sent on to their customers
despite it having a soft SPF fail (why it isn't a hard one escapes me).
The forgeries are quite good and look like real support msgs apart from
threatening loss of all email service if you fail to follow the link
within 24 hours. Perhaps naming and shaming would be appropriate but I
prefer to believe that they might learn from customer feedback.

WTF they are accepting incoming unsophisticated forgeries from the
internet as if from their own domain is an interesting question too.

SPF offers almost no realistic protection and mainly causes trouble for
genuine but unsophisticated businesses that haven't quite configured
their records right so that more on the ball businesses drop it on the
floor. Rather tough for accountants who are insufficiently tech savvy.

--
Regards,
Martin Brown
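
An added example, not part of either post above and not any ISP's code: reading the `Authentication-Results` header the two preceding posts discuss. It uses only results stamped by your own receiving server (`mx.isp.co.uk` is taken from the quoted header; all other names and the sample messages are constructed) and counts `dkim=pass` only when `header.d` exactly matches the `From` domain (strict alignment, an assumption of this sketch).

```python
import re
from email import message_from_string
from email.utils import parseaddr
TRUSTED_AUTHSERV = "mx.isp.co.uk"  # authserv-id of your own receiving server (assumption)

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)            # strip parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv = parts[0].split()[0].lower() if parts else ""
    results = []
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if m:                                          # a bare "none" has no method; skipped
            props = {k.lower(): v.lower() for k, v in
                     re.findall(r"([a-z]+\.[a-z0-9-]+)\s*=\s*(\S+)", part, re.I)}
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv, results

def verdict(raw_message, trusted=TRUSTED_AUTHSERV):
    """Classify a message using only results recorded by the trusted receiver."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(value)
        if authserv != trusted:
            continue                                   # anyone upstream can add this header
        for method, result, props in results:
            if method == "dkim" and result == "pass":
                if from_domain and props.get("header.d") == from_domain:
                    return "dkim-aligned"              # signed by the domain shown in From
                seen["dkim"] = "pass-unaligned"        # valid signature, but another domain's
            elif method in ("dkim", "spf"):
                seen.setdefault(method, result)
    if seen.get("dkim") == "pass-unaligned":
        return "dkim-pass-unaligned"
    return "spf-" + seen["spf"] if "spf" in seen else "unverified"

# Constructed sample messages (not real mail).
GENUINE = ("Authentication-Results: mx.isp.co.uk;\n"
           " dkim=pass header.d=notifications.service.gov.uk\n"
           "From: Results <results@notifications.service.gov.uk>\n\nbody\n")
SOFTFAIL = ("Authentication-Results: mx.isp.co.uk; spf=softfail smtp.mailfrom=example.net; dkim=none\n"
            "Authentication-Results: mx.example.net; dkim=pass header.d=example.org\n"
            "From: Billing <billing@example.org>\n\nbody\n")
OUTSOURCED = ("Authentication-Results: mx.isp.co.uk;\n"
              " dkim=pass header.d=bulkmailer.example\n"
              "From: Surgery <surgery@example.org>\n\nbody\n")
```

`SOFTFAIL` carries a second header claiming `dkim=pass` under a different authserv-id, which is ignored; `OUTSOURCED` shows a valid signature from a bulk sender's own domain, which says nothing about the address in `From`.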

Chris

Sep 22, 2021, 10:02:22 AM
I just received this one:
"NHS: We've recently checked our systems and can see you are eligible to
apply for a Pass proving you have been vaccinated. You can apply for this
here: https://passapply-digital.com"

Looks very scammy to me.

Andy Burns

Sep 22, 2021, 11:39:29 AM
Chris wrote:

> I just received this one:
> "NHS: We've recently checked our systems and can see you are eligible to
> apply for a Pass proving you have been vaccinated. You can apply for this
> here: https://passapply-digital.com"
>
> Looks very scammy to me.

"This Account has been suspended."

Chris

Sep 22, 2021, 3:14:00 PM
You're braver than I was!

Richmond

Sep 22, 2021, 4:40:13 PM
"Can the sender SMS sender ID be spoofed?

In many countries the sender ID can be set to whatever the sender
wishes. This means that there is a danger that a fraudster could attempt
to impersonate an organisation or individual."

https://thesmsworks.co.uk/sms-sender-id

Chris

Sep 22, 2021, 5:03:59 PM
They didn't even try with my txt. It came from a mobile number.

David Woolley

Sep 22, 2021, 7:43:27 PM
On 22/09/2021 21:40, Richmond wrote:
> "Can the sender SMS sender ID be spoofed?

My understanding is that the use of alphabetic IDs is controlled, in the UK.

Someone Somewhere

Sep 23, 2021, 6:43:47 AM
I'd suggest your understanding is wrong - particularly as unless you
look very carefully any message can be originated from any SMSC in the
world where there are no such controls (and it would be impossible to
e.g. firewall filter them as who would be the arbiter of whether a
message had a legitimate alphanumeric identifier of e.g. the Norwegian
Horticultural Society?)

David Woolley

Sep 23, 2021, 9:49:54 AM
Whilst a quick search failed to confirm the situation for the UK, it did
reveal that a very large number of countries either block such messages
completely at the border, or invalidate the sender ID, by changing the
alphanumeric id to a, dummy, numeric one. For example, see
<https://support.textmagic.com/article/number-filtering-restrictions/>.
There are many similar articles.

Although it looks like the UK is procrastinating on STIR/SHAKEN (I think
it doesn't want to do SHAKEN, so is waiting till everything is IP),
there is a lot of political pressure on it with regard to caller ID
spoofing. From the flood of questions from people confused by SHAKEN
markings on voice caller IDs in the States, the introduction of both
seems to be well underway in there.

Someone Somewhere

Sep 26, 2021, 6:15:07 AM
On 23/09/2021 14:49, David Woolley wrote:
> On 23/09/2021 11:43, Someone Somewhere wrote:
>> On 23/09/2021 00:43, David Woolley wrote:
>>> On 22/09/2021 21:40, Richmond wrote:
>>>> "Can the sender SMS sender ID be spoofed?
>>>
>>> My understanding is that the use of alphabetic IDs is controlled, in
>>> the UK.
>>
>> I'd suggest your understanding is wrong - particularly as unless you
>> look very carefully any message can be originated from any SMSC in the
>> world where there are no such controls (and it would be impossible to
>> e.g. firewall filter them as who would be the arbiter of whether a
>> message had a legitimate alphanumeric identifier of e.g. the Norwegian
>> Horticultural Society?)
>
> Whilst a quick search failed to confirm the situation for the UK, it did
> reveal that a very large number of countries either block such messages
> completely at the border, or invalidate the sender ID, by changing the
> alphanumeric id to a, dummy, numeric one.  For example, see
> <https://support.textmagic.com/article/number-filtering-restrictions/>.
>  There are many similar articles.
>
And this is UK.telecom.mobile, so I was talking from that perspective.
Any one operator can decide to start filtering anything they like, but
there just isn't the data in the messages to tell whether it is faked or
not, and I'd argue that some filtering which gives a level of false
trust is worse than no filtering at all (when at least you can tell
people to not trust anything). For example, even with alphanumeric
filtering, how do you know that the number provided is the real one and
not some nefarious individual putting in the number of the local
hospital or whatever? There are also the contracts that e.g. textmagic
have signed up to vs what someone with true unfettered access can achieve.

> Although it looks like the UK is procrastinating on STIR/SHAKEN (I think
> it doesn't want to do SHAKEN, so is waiting till everything is IP),
> there is a lot of political pressure on it with regard to caller ID
> spoofing.  From the flood of questions from people confused by SHAKEN
> markings on voice caller IDs in the States, the introduction of both
> seems to  be well underway in there.

And that's because we still have POTS and I'm not sure even on mobile
whether VOLTE is in the majority yet and even if it was 90%+ you still
have the long tail legacy of those using SS7 (although I suspect no one
is using true SS7 anymore) type connections.

David Woolley

Sep 26, 2021, 6:57:53 AM
On 26/09/2021 11:15, Someone Somewhere wrote:
> there just isn't the data in the messages to tell whether it is faked or not

They just need to know the layer 2 information which will tell them
whether the immediate upstream source is trusted for alphanumeric IDs.
I presume those countries blocking them assume that every out of country
source is untrusted.

I suppose you could have a rogue licenced network operator, in the UK,
but I presume most spoofing is done through operators that wouldn't get
a licence if they were in the UK.

> For example, even with alphanumeric filtering, how do you know that the number provided is the real one and not some nefarious individual putting in the number of the local hospital or whatever

I'm not really sure what you are getting at here. Alphanumerics are
alternatives to numbers, and the idea is that you ensure that
alphanumerics are trustworthy, by a mixture of legal and technical
measures. The numbers substituted for alphanumerics are not valid
numbers, but just placeholders.

David Woolley

Sep 26, 2021, 12:27:53 PM
On 26/09/2021 11:15, Someone Somewhere wrote:
>
>> Although it looks like the UK is procrastinating on STIR/SHAKEN (I
>> think it doesn't want to do SHAKEN, so is waiting till everything is
>> IP), there is a lot of political pressure on it with regard to caller
>> ID spoofing.  From the flood of questions from people confused by
>> SHAKEN markings on voice caller IDs in the States, the introduction of
>> both seems to  be well underway in there.
>
> And that's because we still have POTS and I'm not sure even on mobile
> whether VOLTE is in the majority yet and even if it was 90%+ you still
> have the long tail legacy of those using SS7 (although I suspect no one
> is using true SS7 anymore) type connections.

The SHAKEN part of STIR/SHAKEN is about signalling trust over POTS.
There are a lot of reports of people suddenly starting to see "[V]" in
front of caller IDs in the US, which is because they have been verified
by the calling network. Although the reports I've seen tend to be from
Asterisk users, and likely to mean they are getting final delivery by
SIP, I believe that is the POTS version of the system. (Asterisk is a
circuit switched PABX with VoIP added on, but most users asking
questions are using it just for VoIP.)

I think the SS7 thing is actually an excuse for not retrofitting, rather
than a real blocker.

Someone Somewhere

Sep 27, 2021, 6:37:35 AM
On 26/09/2021 17:27, David Woolley wrote:
>
> I think the SS7 thing is actually an excuse for not retrofitting, rather
> than a real blocker.
>
The vast majority of the underlying network, particularly for SMS, is
based on SS7 which, due to history, has strict structure and no spare
space for additional data.

Yes, it could be replaced, but there's little appetite or funding to do so.