Ericsson White Paper GFTL-25:000136
February 2025
ERICSSON
AIT - The root cause, the Solution and the Implication on RCS and Network APIs
Content
Executive Summary
Demystifying artificially inflated SMS traffic
Why MNOs are not at fault?
What is the root cause of AIT?
Exclusive agreements
A handful of trusted partners
Termination revenue share incentives
What is the solution?
What about RCS business messaging?
What about network APIs?
Conclusion
Authors
Executive Summary
Artificially inflated SMS traffic, or SMS pumping, has been a longstanding concern that has surged exponentially in recent times. Large international brands have been significantly affected, with some directly accusing mobile network operators (MNOs) of benefitting from this specific type of fraud. We firmly believe that MNOs are not the perpetrators of these fraudulent activities for several reasons, which will be discussed later. However, we acknowledge that certain business models adopted by MNOs create an environment that incentivizes some actors to engage in SMS pumping.
Additionally, while rich communication services (RCS) are more secure and transparent than SMS, they are not immune to similar types of fraud. If SMS business models are directly applied to the RCS business messaging ecosystem, we might encounter the same issues.
Although network APIs can disrupt the fraud chain for specific use cases, such as one-time passwords (OTPs), they unfortunately cannot address the entire problem. Consequently, MNOs must reconsider their business and partnership models to maintain their native technologies within the value chain, preventing brands from migrating to non-MNO channels and avoiding potential regulatory implications.
Demystifying artificially inflated SMS traffic
Artificially inflated traffic (AIT) as defined by the GSMA, refers to SMS traffic that is generated for the fraudulent purpose of generating revenue associated with its delivery for certain parties in the SMS traffic chain. SMS AIT traffic is typically disproportionate to the overall amount of traffic that would be expected from legitimate usage or acceptable and reasonable commercial practices. Victims of AIT are typically large brands in the consumer space subjected to ‘bot attacks’ against their applications, such as one-time password login flows, notifications, or SMS links to download mobile applications during a user sign-up flow. Large enterprises are not the sole victims of such attacks; aggregators and MNOs can also encounter significant liabilities in the event of fraud disputes.
There are multiple strategies for exploiting AIT for financial gain depending on the position of the bad actor in the ecosystem and the specific attack vector. AIT can be broadly categorized into two main categories based on the attack vector: Supply chain attacks or revenue share-based attacks.
Supply chain attacks involve a bad actor, either within the supply chain or collaborating with a supply chain partner. An attack is launched against the victim, which routes traffic via the bad actor within the supply chain. Depending on the level of sophistication, traffic may be forwarded to unsuspecting users, dropped locally, or in more advanced cases, terminated locally and converted into a legitimate user action within the victim’s application. For example, a bot may enter a one-time password to mimic a legitimate end-user and evade detection.
Revenue share-based attacks target legitimate services offered by MNOs such as number leasing and termination-based revenue share. In such cases, the bad actor obtains access to numbers or number ranges before launching an attack against the victim. Attackers are then paid a revenue share of termination revenues from their service provider, typically a reseller of services provided by an MNO or national operator.
Why MNOs are not at fault?
Although there have been direct accusations claiming that MNOs are responsible for this type of AIT fraud, this is a misconception. There are four reasons for this:
First, it is often assumed that brands directly engage with MNOs to send SMS messages. However, this is not accurate. In most instances, there are multiple intermediaries, such as aggregators, between the MNO and the brand.
Second, the additional revenue generated by sporadic AIT has an insignificant impact on the overall revenues of MNOs, making it highly unlikely that they would deliberately engage in fraud with virtually no financial benefit.
Third, it is not in the best interest of MNOs to devalue their products and drive brands to explore alternative channels, such as WhatsApp, from which MNOs would not derive any revenue. However, MNOs and reputable supply chain partners, who indirectly derive marginal profits from the termination of fraudulent traffic have been accused of "willful blindness"—the act of avoiding liability through intentional ignorance of the facts.
Finally, there is heightened scrutiny from regulators and legislators who seek to protect consumers and enterprises from harm. This trend is moving toward establishing a duty of care with financial and criminal liability for MNOs, in an effort to break the fraudulent money chain.
What is the root cause of AIT?
The root cause of the issue lies in the complex supply chain model involving multiple actors, along with certain MNO business models that create an environment where some participants in the value chain feel incentivized to engage in AIT. It is rare for an MNO to be directly connected to a brand. Typically, an MNO works with a select group of partners or SMS aggregators, selling SMS traffic to them on a wholesale basis. These aggregators often are not directly connected to the brands and may further sell SMS traffic to other aggregators. As a result, there can often be three or four aggregators between an MNO and the brand. Attackers often depend on this lack of transparency to avoid detection and evade law enforcement.
Exclusive agreements
Recently, MNOs have increasingly adopted shorter exclusivity agreements for A2P SMS, reducing the duration from the initial three-year period to just one year. MNOs typically auction these exclusivities through a request for proposal (RFP) process to aggregators, where those who win the RFP become the sole SMS termination provider for the specific MNO. Being exclusive, these deals often include substantial minimum commitments, and the winning aggregator is usually the one who offers the highest commitment to the MNO.
Once an aggregator commits to a significant upfront commitment, they may feel incentivized to dramatically increase SMS termination prices—sometimes by as much as tenfold—to fulfill the commitment. This drastic shift in price-volume economics pushes many brands away from SMS to cheaper but less ubiquitous OTT channels. If the exodus is too swift and significant, the exclusive aggregators could find themselves in a difficult position and might resort to fraudulent means to replace traffic and prevent losses.
Furthermore, this issue cascades down the supply chain. No single aggregator connects directly with all the brands worldwide to sell SMS traffic, so the exclusive aggregator resells SMS termination rights to other aggregators, imposing minimum commitments on them as well. Any aggregator in the value chain facing increased prices and the threat of incurring losses might also engage in fraudulent activities to stay in business.
Importantly, there are long-term consequences to the strategy of using sole exclusive aggregators. The increased prices, combined with AIT, erode the market and push brands toward OTT channels. Once brands leave, it becomes challenging to lure them back, even if prices are later reduced, as stability and trust in the SMS channel have been compromised in their eyes.
A handful of trusted partners
When MNOs choose to interact with a handful of partners, instead of exclusivities, similar issues might occur (albeit to a lesser extent). An MNO often has upfront commitments to its trusted partners. Since these partners cannot represent all brands globally, they need to resell SMS termination to other aggregators down the supply chain, often placing revenue commitments on them as well. The issue becomes more evident when an MNO selects trusted partners, as the aggregators that don't have direct relationships with brands depend entirely on resellers. AIT fraud in this scenario becomes harder for MNOs to pinpoint, as often fraudulent traffic is mixed with legitimate traffic.
Termination revenue share incentives
In addition to supply chain factors in AIT, fraudsters also exploit legitimate revenue-sharing agreements such as number range leasing, and micro–mobile virtual network operator (MVNO) or mobile virtual network enabler (MVNE) deals. Like supply chain fraud scenarios, MNOs must exercise caution in vetting and working with trusted partners who are directly using their valuable numbering and interconnect assets, as this directly exposes them to regulatory and legislative risks.
The simple approach for an attacker would be to register with an online reseller who offers virtual numbers capable of receiving calls or SMS for which the attacker is paid a share of any associated wholesale termination revenue. The reseller has in turn leased number ranges from a licensed operator under a terminating revenue share agreement.
At a more industrial scale, attacks often span extensive number ranges where an attacker has either entered into a direct agreement with an MNO or has used an MVNE, which offers the ability to set up a white-labeled MVNO within weeks using pre-existing MNO agreements. In such cases, the MNO or MVNE often become direct victims of fraud, as bad actors use fake or stolen credentials to access services.
In either case, responsible service providers have a duty of care to take reasonable measures to detect and prevent fraud, including strong vetting of revenue share use cases and traffic monitoring to detect suspicious patterns of abuse. The significance of trust between an MNO and a partner or reseller offering access to the MNO’s licensed assets cannot be overstated, as the MNO’s risk exposure is much higher in such cases.
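The traffic monitoring mentioned above can be sketched as follows. This is an added example, not part of the Ericsson paper; the prefix length, thresholds and sample numbers are assumptions constructed for illustration. It flags number ranges whose OTP SMS volume is disproportionate to the expected baseline and treats the verification rate only as a secondary signal, because a bot that enters the OTP keeps that rate looking normal.

```python
from collections import defaultdict

PREFIX_LEN = 7          # assumption: leading digits that identify a leased number range
VOLUME_FACTOR = 5.0     # assumption: "disproportionate" means 5x the expected volume
MIN_VERIFY_RATE = 0.2   # assumption: legitimate OTP flows convert well above this
MIN_SAMPLE = 20         # do not judge the verification rate on a handful of sends

def score_ranges(events, baseline, default_expected=5):
    """events: iterable of (msisdn, otp_verified) for one time window.
    baseline: expected OTP sends per range prefix for the same window.
    Returns {prefix: [reasons]} for ranges that look artificially inflated."""
    sent = defaultdict(int)
    verified = defaultdict(int)
    for msisdn, ok in events:
        prefix = msisdn.lstrip("+")[:PREFIX_LEN]
        sent[prefix] += 1
        verified[prefix] += bool(ok)
    flagged = {}
    for prefix, count in sent.items():
        reasons = []
        expected = baseline.get(prefix, default_expected)
        # Volume is checked on its own: traffic that is terminated locally and
        # converted into a valid OTP entry would pass a conversion-only check.
        if count > VOLUME_FACTOR * expected:
            reasons.append("volume")
        if count >= MIN_SAMPLE and verified[prefix] / count < MIN_VERIFY_RATE:
            reasons.append("low_verification")
        if reasons:
            flagged[prefix] = reasons
    return flagged

def constructed_window():
    """Constructed sample data; every number and prefix here is made up."""
    events = []
    # Ordinary range: 12 sends, 10 of them verified.
    events += [(f"+1555010{i:04d}", i < 10) for i in range(12)]
    # Range hit by a simple bot: 80 sends, none verified.
    events += [(f"+9990001{i:04d}", False) for i in range(80)]
    # Range hit by a bot that also submits the OTP: 90 sends, all verified.
    events += [(f"+9990002{i:04d}", True) for i in range(90)]
    baseline = {"1555010": 15, "9990001": 4, "9990002": 4}
    return events, baseline

if __name__ == "__main__":
    for prefix, reasons in sorted(score_ranges(*constructed_window()).items()):
        print(prefix, reasons)
```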
What is the solution?
Trust and integrity in the MNO and its supply chain partners are essential to ensuring safe, durable business revenues for all. The industry has witnessed an erosion of trust in mobile communications due to the growth of spoofing, phishing, and AIT attacks as technology evolved into IP-based communications, enabling wider network access with global interconnectedness. Despite this, our industry has an opportunity to rebuild trust through solutions such as RCS and network APIs which increase supply chain transparency and break the fraud chain.
However, to enable this we must learn from history. Exclusivity deals have distorted markets and obscured supply chains through reselling, enabling bad actors to go undetected. Such deals incentivize fraud and increase compliance risk. Prioritization of short-term gains from high initial commitments over long-term market resilience combined with increased compliance risk due to weak know your customer (KYC) controls, creates a toxic risk environment for an MNO operating valuable licensed assets.
To minimize AIT fraud and ensure the long-term sustainability of CSP assets in the value chain we recommend the following:
1. Avoid exclusive agreements
2. Choose partners with strong connections to brands, avoiding resellers
3. Recognize that unsustainable high initial commitments incentivize fraud
4. Impose stringent KYC and ethical standards on supply chain providers
What about RCS business messaging?
As all major device vendors start supporting RCS and RCS business messaging, the impact on A2P messaging will be significant. RCS offers richer content, such as interactive carousels, combined with trusted brand registration. It offers better monetization opportunities, such as charging based on conversation or time, unlike SMS's per-message model. Additionally, RCS has a clear path for evolution by potentially supporting new features like document signing and screen sharing. As global networks evolve towards full IMS architectures, RCS will displace SMS messaging within mobile networks as the ubiquitous secure messaging solution.
RCS business messaging represents a significant step forward in reducing spam and mitigating grey routes and introduces greater transparency in supply chain routing between brands and terminating MNOs. However, it is vulnerable to the same pitfalls and market conditions as SMS A2P, due to the risks associated with exclusivity deals, price-volume economics, and the prevalence of resellers lacking direct connections with brands.
RCS structurally mitigates AIT risks through its MaaP (messaging as a platform) framework, which centralizes agent provisioning under GSMA-backed certification processes. Unlike SMS’s fragmented supply chain (with opaque aggregators and resellers), RCS requires all agents to undergo identity verification and compliance checks to ensure legitimacy before integration. This creates traceability; every message is tied to a certified entity, enabling MNOs to monitor traffic sources. Additionally, MaaP’s standardized APIs and centralized hubs reduce uncontrolled intermediaries, limiting avenues for traffic manipulation. However, if MNOs bypass these safeguards through exclusivity deals, lax certification enforcement, or poor monitoring, the system’s transparency benefits diminish, bringing back vulnerabilities similar to those found in SMS AIT fraud. Thus, while RCS’s architecture inherently provides a significant step forward in security and transparency compared to SMS, its efficacy still hinges on the MNO’s diligence in monitoring the chain of trust.
Brands have high expectations for RCS, hoping that this type of fraud will be significantly reduced. If RCS develops a reputation similar to that of SMS, brands may find themselves left with only OTT channels as viable options. Therefore, MNOs must be highly vigilant to maintain the brand value of RCS by addressing the pitfalls of the ecosystem where AIT-type fraud can occur.
What about network APIs?
In the realm of CAMARA-based network APIs, the mechanisms differ significantly from those of SMS and RCS. AIT is often found in two-factor authentication (2FA) use cases. Fraudsters find 2FA journeys in mobile applications with a global user base and artificially inflate SMS and voice traffic in the form of OTPs around the world.
Network APIs like number verification and enhanced number verification eliminate any incentive for AIT by removing the requirement for OTPs during the 2FA use case. Number verification is a new 2FA solution that leverages the SIM card of a mobile device as the possession factor. Enhanced number verification elevates the security and availability of number verification using an integrated token-based system.
Moreover, these network APIs will incorporate consent capture mechanisms for explicit end-user consent, further deterring fraudsters from using bots to artificially inflate CAMARA API traffic.
Even as new technologies like RCS and network APIs emerge and gain traction, traditional OTP solutions like SMS and voice will continue to be deployed. Developers and enterprises will transition and adopt new two-factor authentication (2FA) solutions at different times, depending on their individual risk tolerance and local market availability. Therefore, MNOs still need to reassess their business model practices to eliminate AIT fraud, even as new technologies help to address the problem.