The world leader in mobile network security Enea AdaptiveMobile Security,  partnered with The Campaign Registry, the central hub for registering 10DLC messaging campaigns in the US,  to address A2P messaging in North America and the benefits of using 10DLC.

At a recent MEF (Mobile Ecosystem Forum) Connects Cyber Security event our CSO (Chief Strategy Officer), Simeon Coney was joined by Stefan Heller, VP for Business Development and Strategic Partnerships at The Campaign Registry to discuss behaviours in the messaging ecosystem. Looking specifically at A2P (Application-to-Person messaging) in North America. They explored the recent changes in A2P messaging sending behaviours and looked to the future of A2P messaging.

Some highlights from the session below.

Examination of the North American A2P system

When brands and enterprises are looking to communicate with customers over mobile messaging in the US there are a few options.

One option is using Short Code services, originated by the carriers. Which is a fully sanctioned product that you can use to send A2P messaging. However, there is limited availability, it is expensive and unsuitable for certain scenarios. Another option is using Long Codes, which are people’s personal phone numbers which are not the ideal way of sending A2P messaging. A2P messaging going over Long Codes is deemed unsanctioned content by US carriers. Text Enabled Toll free is another product that is supported and sanctioned by carriers but managed by 3rd party organisations not directly by the US carriers, it is an expensive option for businesses.

Then comes 10 DLC (Digit Long Code) which is fully supported and sanctioned originator to carry A2P content.

What is A2P 10DLC? (Ten Digit Long Code)

10 DLC stands for “10-digit long code.” It looks like a normal telephone number may already be in your address book from engaging with the business. You can take an existing long code that you are using today and turn it into a 10 DLC by registering it in the US.

Benefits of 10DLC

There is a great brand benefit of using 10DLC for businesses with existing voice identities with enhanced consumer trust and brand recognition. Another consideration is that if you need to identify yourself to your users from a regional perspective, you can have a specific area code number, from a brand perspective it can be regionally important to have a number associated with a city or state. Also, potentially better throughput for good campaigns using 10DLC, which leads us to the security aspects of 10DLC.

Challenges from a security perspective before adoption of 10 DLC

Before 10DLC, it was difficult  to differentiate between what was  a consumer/individual vs. an Application/Business mobile number. A formalisation of a business 10 DLC, gives a separation of identity. Knowing who and what is happening on an originator is important to the carriers, they need to know who is accessing the network to reach their end users. It is important for mobile network to know their end users are being looked after and not getting messages that are unwarranted.

Myth-busting: Are paid channels cleaner?

There is a perception out there that paid messaging channels are cleaner. However, in the Enea AdaptiveMobile Security experience, we know that is not true. A person looking to defraud intentionally can operate on slim margins and if costs go up, they can still have a profitable business.

Campaign Registry terminology in the 10DLC ecosystem

• At The Campaign Registry they have produced terminology so there are clear identifiers of players in the ecosystem:
• The brand is the company that the end users believe is sending them the message.
• Normally there is a CSP (campaign service providers) in front which acts as a messaging platform to help the brand send messages.
• Then, a DCA (direct connect aggregator) connects the CSP with the mobile network operator (MNO). A Gateway then connects the DCA to the MNO and finally end user.

Diagram below illustrates all these players and shows the different terminology to describe each. The terms are often used interchangeably and even misused so it is careful to have a common frame of reference.

Best Practices for A2P messaging

Everyone in the chain needs to be responsible for better messaging. Enea AdaptiveMobile Security and The Campaign registry have a significant role to play to ensure compliant messaging is coming from very inception from the brands all the way through the chain.

More Secure Messaging Security with Campaign Registration

As we mentioned earlier, without a campaign registration there is no straightforward way for identifying A2P vs P2P. The consequences of this, impacted how brands communicated with customers and there were inconsistencies on reputation and risk management. Understanding the chain is essential, so they can play their part and apply controls at their point.

Enea AdaptiveMobile Security’s ability to work with The Campaign Registry, allows rewarding good messaging behaviour. People do not realise the extent of spam and the effect of negative brand association from consumers to brands. The brands affected are both the MNOs (Mobile Network Operators), for allowing spam to reach phones and the brands being mentioned in spam campaigns. Brands, customers, and the communications channel for the conversation need to be protected.

SMS Spam is Persistent
Unfortunately, spammers are always looking for new techniques to get their bad messaging through and once you stop one behaviour, they find other loops holes as is can be a lucrative business for some companies. With 10DLC, instead of just penalising bad brands, you can start incentivising good messaging behaviour by being able to identify and reward, properly executed A2P campaigns.

What is an A2P campaign?
From the registry perspective, an A2P campaign consists of a brand and a use case, delivered by a CSP. Campaign service providers that represent their brands put transparent information into the registry, the brand is validated and verified, and the registration gives transparency to the MNOs to give back to the brands and CSPs (Communications Service Providers) that improve quality and predictability or delivery. The creation of a shared database of intelligence, enables every party in the chain to understand the campaign from start to finish. This map is important to identify where things are working and not working for campaign delivery perspective.

Is 10DLC Live?
Each MNO has their own code of conduct, and each network has their own limitations and processes so there are technical complexities. The Campaign Registry is live and all the carriers are there in some form or another. Whilst, there are still some use cases still being ironed out, you can register campaigns today and facilitate complete delivery chain management.

Top SMS spam trends and poor sending behaviours

We shared some of the most persistent SMS spam that we have seen in recent times active in the network:

Messaging Abuses we have seen

• Bulk sending without consent
• Harassment / Social Engineering
• Unauthorised Transfer of consent
• Leveraging recognized brands / services
• Snowshoe, Identity Sharing
• URL Call to Actions
  • Disposable URLs
  • Credential
  • Country TLD’s & Class C addressed
  • Page Pre-rendering & Brand Association
• Phishing & Spear-phishing
• Malware generated account take-over fraud

How to enable positive re-enforcement offerings rewarding good behaviour

Brand’s sometimes use bad messaging behaviour in error. In the US it is worth looking at the CTIA’s best practices and guidelines to make sure you avoid these behaviours and being penalised for bad messaging. Whilst there are people out there to deliberately defraud and harass but for the vast majority it is a case that the sending practices are not as good as they should be.

There are effective and approved ways of contacting customer and now we have a feedback loop so we can offer guidance and advice on how to improve sending behaviour to get their traffic through. Yes, we want to stop harmful traffic, but we do want to facilitate and enable legitimate businesses communicating with customers.

Opportunities for brands with better messaging

Campaign registration and monitoring enables identification of sources complying with codes of conduct / regulation. When we can tell that there are good sending practices, there are opportunities for improved sending rates for brands. This allows brands to communicate with their customer more effectively and hopefully accelerate business growth.

There is opportunity for the reduction and removal of restrictions, for e.g., the use of services like URL shorteners which would allow more space for message content. Finally, there are many enhanced services that can deliver more value to brands and their customer conversations in the future.

What does the future hold for A2P messaging?

There is a wave of formalisation of best practices spread across the world. With harmonised concepts of consent and choice and the opportunity for all those in the messaging ecosystem to earn clean reputations and improve sending rates.

The combination of Enea AdaptiveMobile Security and The Campaign Registry gives a 360-degree view of messaging, we can finally identify and associate good behaviours with an identity and reward those with good sending practices. We will see expanded business insights as we get a clearer view of the ecosystem and track the identities, content, and behaviours of senders. This will enable new A2P SMS revenue and charging models for messaging in the future.

If you are interested in watching the full MEF Connects Cyber Security presentation, you can view it here: https://www.youtube.com/watch?v=N3miNTgo4eo