Comreg SMS "likely scam" texts

Same for me Denist reminder in NI as well.

My appointment reminder from St James Hospital in Dublin 8 was flagged as 'likely scam'

My VHI authentication code was flagged as "Likely Scam". And 3 appointment confirmations from a beauty place I attend. None of them contained links or anything else that could lead to losing money. I'm all for them trying to cut down on things but maybe if they could target those messages that contain links rather than just the word messages. Not one person I talked to knew about this until the day it came into effect and that includes in work where we would send out messages to customers.

No excuse. This has been well documented for months and ComReg were very clear what needed to be done. This was first mooted back in June 2023 so anyone caught out at this stage just didn't bother doing anything until now.

Not necessarily surprising - in the era of outsourcing, most companies contract our bulk SMS to a provider and assume their provider looks after it all. In a lot of cases these providers are offshore and have absolutely no idea where Ireland is, never mind any of the specifics of our communications network.

I know of two customer facing systems where we worked with our SMS providers (at their request, not ours - so there are providers being proactive) earlier this year to ensure our outbound SMS that uses our name in the FROM will continue to work - which they still do as of today. Another system used for alerting and monitoring is being flagged, but that doesn't matter as it isn't customer facing so we never took much heed of it until now - the provider had absolutely no idea what I was talking about when I raised it with them.

Well, they have until October before their messages get blocked entirely! 😄

This has already happened with voice calls (hence the drastic reduction in spam calls with spoofed Irish numbers) which similarly knocked out a number of offshore-based VoIP providers which were presenting Irish geographic numbers and who didn't take action in time to verify themselves or their number ranges as legitimate.

To be honest it is badly overdue - the whole caller line identification system is beyond antiquated. There is absolutely no authentication at any stage that the number you present as the outbound caller ID belongs to you.

Once you have access to an SMS or voice gateway you could literally fire out calls and messages to anyone in the world and present whatever you like as the caller ID and the recipient network just accepts it as is (let's just say I have had great craic over the years with this in the days of having an onsite phonesystem!)

The regulators around the world are beginning to clamp down on that due to the abuse - which is what this is.

You need to register the message sender ID AND the gateway ("aggregator") that will be used to send messages with it, as a pair on the ComReg database.

If I have a dodgy gateway and I start sending out SMS as PLODDERBANK then the mobile operators will see that my gateway is not registered on the database to send messages as PLODDERBANK and will mark it as Likely Spam (and from October, block it outright).

Similarly, for number spoofing, the mobile operators know which operator an Irish mobile number is registered to at any given time, and if a message comes in with my number as the ID but the message is not coming from my mobile network, then it's not valid.

It's says these texts will be blocked outright from October

Is there any way to opt out?

Except that is not what is happening at all. This measure has nothing to do with 2fa directly nor is it confined to Ireland.

What this is about is to stop the rampant spam calls and texts of recent years that were spoofing names and numbers, mainly from dodgy providers.

Any provider who actually bothered to stay on top of matters will have had absolutely no difference to their SMS delivery once this change came into place.

@nullObjects there is no opt-out, it's all being done at a network interconnect level. Frankly, there is no need to opt-out - any legitimate provider of bulk SMS has zero reason for their SMS to be blocked once they follow the protocol.

I don't see why we should be holding off securing our public networks just because a company can't be bothered to do a relatively straightforward registration process. If anything it is in the interests of the companies involved to avoid being spoofed themselves and then having their support channels clogged up with hacked customer accounts.

Most companies are actually moving away from SMS 2FA themselves anyway - EpicGames, eBay and PayPal to name but a few - because SMS 2FA is at risk of SIM swap fraud.

Given that no messages are being blocked until October, something else went wrong here.