SMS spam is out of control, but why is this even an issue?

A couple of months ago my wife and I had a rash of text/SMS spam sent to our phones.  I decided to see what facilities my provider had to mitigate the problem.  Unfortunately AT&T recommends sending the code “STOP” as a response to unwanted messages.  Having experience dealing with other forms of spam over the years, I knew responding to spam was never a good idea.  I discovered that my provider has a short code 7726 (SPAM) to which you can forward the offending messages.  Once you forward the message, AT&T then sends an automated response asking you to send them the number that sent you the offending message.  (seriously AT&T??)  This is fine if the spammer is using a real phone number, but many of them don’t.  Like the mobile providers themselves, many spammers use short codes which AT&T claims are untraceable.  (seriously, this is utter BS…)  Later, I got a message from another spammer thanking me for signing up for their service and immediately got one of their message-of-the-day texts.  This got me worried.  Was someone out there signing me up for this stuff as a prank, or was the system really this broken?  Either way, I wasn’t going to have any of that.  I scoured AT&T’s website looking for ways to block charges.  I did eventually find it, but it wasn’t particularly easy.  If you find yourself in this situation, your best bet is to do what I did and just call customer support.  Tell them you want to block any 3rd party charges to your account.  What they’ll do is add a feature to your account that requires an authorization code to approve any charges to the account.  So, now we’re protected, but why is this even necessary?

The problem with the phone companies is that they just don’t care.  Building better facilities to prevent fraud isn’t necessarily profitable.  They’re in the business of getting you to spend money on features, not save it.  The problem is that there’s no transparency and no way to opt out other than blocking all charges.  SMS is a wireless industry cash cow.  (this blog post has a good explanation)  It’s a huge business and one the carriers want to keep.  If you’ve ever wondered how phone companies can afford to subsidize expensive devices like the iPhone, this is how.  Unfortunately, I don’t think anything is going to change unless the federal government steps in and does something, but honestly they’ve got bigger fish to fry.  If you have a wireless phone with text/SMS capability (basically every cellphone on the planet) you need to set up a block on 3rd party charges to your account.  It’s the only way to protect yourself.

Apple & Security; It’s time to man-up

While I have become more of a fan of Apple’s products in recent years, I have never been a fan of their security disclosure policy.  Apple has traditionally been very secretive, sometimes out of necessity.  Back when Steve Jobs retook the company, Apple was near death.  The company had run into a brick wall with its legacy operating system.  The latest version, OS 8, had been so long in development that it was now technologically far behind its competitors.  When Jobs shook things up with OS X (10) he had a reason to be secretive.  Apple had been successful with their new products, but was still fragile.  If any of their competitors could peek inside what was going on, they might be able to stop Apple’s progress before the company could become healthy again.

Today, Jobs’ legacy is an Apple with a $98B war chest made largely on the success of the iPod, iPhone and iPad.  These are all beneficiaries of the technology Jobs brought over from NeXT that helped to form what we now know as OS X.  The problem is that with all that success, Apple’s share of the desktop PC market has grown.  Apple is now big enough that it’s clearly visible on the radar of a lot of people, including potential attackers.

To Apple’s credit, OS X was designed with security in mind from day one.  Most of the vulnerabilities that have affected the OS over the years have required a social engineering element to get users to unwittingly install malware.  For a long time, Apple’s policy (of withholding details about security flaws until a patch is available) worked for them.  However, a recent vulnerability in Java managed to scratch a large unsightly gash in that previously pristine, brushed aluminum finish.

The component that most recently exposed this weakness in Apple’s approach is ironically a third party product, Oracle’s Java platform.  It’s a little more complicated in Apple’s case because the company repackages and builds their own custom version of Java.  Because of this, it always takes longer to get Java on Macs because the software has to be separately modified, tested and blessed by Apple.  The people behind the Flashback trojan saw this opportunity and modified their malware to take advantage of the Java vulnerability.  In the 2 months it took for Apple to produce their version and publicly acknowledge the flaw, over 600,000 Apple computers were infected.  The fact that most Apple customers think they’re immune to viruses didn’t help the problem either.

This should be a wake-up call to Tim Cook and the OS X security team.  Apple may not agree with full disclosure, but they can’t continue to put their collective heads in the sand and think nothing will happen.  Had even limited disclosure been made to Apple customers earlier, it would have been possible to mitigate much of the threat posed by this vulnerability.  Instead, Apple customers were exposed to this vulnerability for 2 months.