Mobile Data Theft: why it’s a problem for marketing

Most people would have missed it, but at the end of October the Government’s Justice Committee published a report called Referral Fees and The Theft of Personal Data. It mostly looked at how referral fees for accident claims are fuelling a range of illegal and criminal activities. Many people are aware of spam accident claims texts, which are part of this ‘industry’. Although the spam messages were a smaller part of the report, there could be some important repercussions for the mobile marketing sector.

The report recommended the ending of referral fees, better investigation powers for the Information Commissioner’s Office and harsher penalties, including custodial sentences for data breaches. All of those are good things. Anything that can help clean up the mobile channel for legitimate marketers has to be of benefit. However, it is the age-old problem with many regulations: it’s not lack of powers but lack of enforcement that is at issue. The ICO has never prosecuted anyone for sending an unsolicited SMS. There has been plenty of opportunity to do so, but it would appear that lack of evidence or investigation resources has meant that nothing has happened.

Whilst the need to clean up messaging is obvious for brand marketers, there is a less obvious worry about increasing government legislation. History shows that when governments try to legislate for technology they never do a good job. This year’s PECR update to include an opt-in for cookies is a good example. Everyone (brands, consumers and even the regulators) is confused as to how it works or how it should be implemented. In these cases, industry self-regulation is always a more effective option.

Although this report isn’t largely concerned with spam, the Justice Committee called for legislation to look beyond just the accident claims sector. Although nothing specific has been suggested yet, you only have to look at recent legislation in India limiting messages to 100 per day per person to see how draconian (and ineffective) it can get. Whilst that’s unlikely to happen in the UK, some people have already called for proof of ID when buying PAYG SIM cards. Both of these examples hurt individuals but do very little to combat the spam problem.

SMS spam is not simply a moral issue though. Whilst many brand marketers and ad agencies are thinking up whizzy apps and social media campaigns, spam messaging is damaging the whole channel. As mobile users we consume across all channels and the perception of spam will affect all brand campaigns. Poor legislation may actually make that worse.

In the end, the best solution is the introduction of better consumer spam reporting (as we have in email) and better filtering by the mobile operators.

How to stop mobile spammers


A couple of days ago, two friends of mine received the same spam SMS. It read:

‘FREE MSG: Our records indicate u maybe entitled to £5000 in compensation for your recent Accident, To claim just reply with CLAIM to this msg, 2 stop txt STOP’

Poor grammar aside, my friends were (unsurprisingly) quite upset by the message, as neither had had an accident, nor had opted in to any kind of marketing on their phone. Although there was no premium rate SMS attached to the messages it looked like a crude attempt at fraud.

I decided that it would be an interesting exercise to see if I could find the spammers/fraudsters.

The first thing was to identify the network that supplied the reply number. The spammers had used a standard long number (like a mobile phone number), which meant that it could not be a premium rate SMS. All PSMS are connected to a 4-, 5- or 6-digit shortcode.
For those of us in the business, there is a simple way to identify the network using something called an HLR Lookup. This gives the number, a unique ID, the current network (even if the number has been ported) and its approximate location.

Checking the number gave me the following information:

Number: 447797800425
IMSI: 234507100200425
MCC: 234
MNC: 50
Operator Name: Jersey
Operator Country: United Kingdom
MSC: 447797706004
MSC Location: null

There are two particularly useful bits of information: the operator and the MSC Location. The mobile operator was Jersey Telecom. The MSC Location was ‘null’. This means that the number was not attached to any mobile phone handset, and therefore would have been used in conjunction with a messaging platform. Messaging platforms are systems for sending bulk SMS and receiving replies. Typically they are web-based but include a connection to the mobile operator. These are used by companies and individuals for legitimate purposes, such as sending service updates or opted-in mobile marketing. I know about these, because that’s what my company does! It would appear that the spammers had access to one of these platforms.
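The reading of the HLR result described above can be turned into a repeatable triage step for spam reports. The following Python sketch is an added example, not part of the original post: the function names are hypothetical, the input is the lookup output exactly as shown on this page, and the "null MSC location means platform-hosted" rule is the post's own interpretation.

```python
import re

# HLR lookup output as shown in the post (copied verbatim from the page).
HLR_TEXT = """\
Number: 447797800425
IMSI: 234507100200425
MCC: 234
MNC: 50
Operator Name: Jersey
Operator Country: United Kingdom
MSC: 447797706004
MSC Location: null
"""

def parse_hlr(text):
    """Parse 'Key: value' lines into a dict; the literal 'null' becomes None."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        value = value.strip()
        record[key.strip()] = None if value.lower() in ("", "null") else value
    return record

def reply_number_type(number):
    """Per the post: premium-rate SMS uses a 4-, 5- or 6-digit shortcode."""
    digits = re.sub(r"\D", "", number)
    return "shortcode" if 4 <= len(digits) <= 6 else "long number"

def triage(record):
    """Return findings that a spam report to the operator can cite."""
    findings = {"reply_type": reply_number_type(record["Number"])}
    imsi, prefix = record["IMSI"], record["MCC"] + record["MNC"]
    # An IMSI is MCC + MNC + subscriber id (MSIN), so the reported
    # MCC/MNC should match its leading digits.
    findings["imsi_consistent"] = imsi.startswith(prefix)
    findings["msin"] = imsi[len(prefix):] if findings["imsi_consistent"] else None
    findings["operator"] = record["Operator Name"]
    # The post reads a null MSC location as "no handset attached",
    # i.e. the number is hosted on a bulk messaging platform.
    findings["platform_hosted"] = record["MSC Location"] is None
    return findings

if __name__ == "__main__":
    for key, value in triage(parse_hlr(HLR_TEXT)).items():
        print(f"{key}: {value}")
```

An inconsistent IMSI prefix would suggest a stale or mismatched lookup result, in which case the operator named in the record should be re-checked before a complaint is sent.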

Next thing was to contact Jersey Telecom with all of the HLR and message information. They responded within a few hours (good going for a mobile network) with the following:

‘I have now received confirmation from our client that your request has been forwarded on to their ‘opt-out’ department in order to have the number provided removed from any mailing list.’

Now this is not what I wanted to hear. The spammers are probably involved with fraud, so I wanted to find the company. I emailed Jersey Telecom back asking for the name of the platform provider. They responded with:

‘I am not in a position whereby I can simply divulge our clients’ information or identity. I also work within certain ‘data protection’ restrictions.’

That really got my back up. The Data Protection Act and PEC Regulations are there to protect individuals, and not to allow companies to hide their identity, especially dishonest companies. In fact, the regulations are the opposite. Companies must make their identity explicitly clear in their communications.
Jersey Telecom received an irate response from me, explaining why they were totally in the wrong. The next day, much to my surprise, I got the following reply:

‘we have conducted an investigation into this incidence & have stopped this provider from sending these messages through our network’

Not only that, but they gave me the name of the platform provider. A company called Mblox.

Result!

To be clear, Mblox are an entirely honest and reputable company. They are not responsible for the spam, but rather have provided their messaging system to the company (or individuals) who then misused it for spam.

I then emailed Mblox asking for the details of the company who sent the messages, so I can pursue the matter further. That was a day ago, and so far I haven’t had a reply from them. But watch this space, as soon as I find out who they are, I will update the blog.