Mobile terminated SMS billing Exploits and security analysis

This paper analyses mobile terminated (MT) SMS billing, an area of mobile commerce which has undergone massive growth with the maturation of mobile content delivery on 2.5G mobile networks. Although the short message service for GSM devices was never designed to be a facilitator for micropayments, premium SMS services have been embraced by many network operators worldwide. We investigate its inherent insecurity as a payment solution and show how existing systems can be used for fraud or to deceive users. From a UK perspective, we see how the standardisation of mobile platforms with J2ME combined with WAP delivery have enabled the rise of the mobile content industry, with premium SMS as the most method common of billing. Threats to the established business models are addressed, with particular attention paid to the potential for severe disruption from mobile (SMS) spam. Furthermore, we present attacks on MT SMS systems, showing how a malicious attacker could damage the mobile content industry by undermining consumer confidence in premium rate SMS payment solutions.