Comreg SMS "likely scam" texts

archfi · 14-08-2025 12:05PM

Paypal codes via SMS are no longer 'Likely Scam', for me anyway.

plodder · 14-08-2025 06:34PM

https://www.boards.ie/discussion/comment/123721534#Comment_123721534

This is one of the scenarios that bothered me. I think they are basically saying you should "find a completely new platform" - ie one based in this country which knows about this system, which may be more expensive etc etc. I suspect the effect (whether it was intended or not) will be to increase costs and reduce competition. It reminds me a bit when they made it illegal to pay to have a burglar alarm installed by someone not registered with the Private Security Authority - another absurd restriction that grinds the gears of commerce in the name of "security".

At least you have the possibility to do something about it. The other scenario that has no workaround is the user of a service based outside of Ireland using SMS texts for 2FA and like the platform you mentioned, does not care about Ireland and isn't going to sign up to this system. Their users based here could end up high and dry if there is no alternative authentication mechanism. Longer term, this kind of mess is only hastening the end of non IP based messaging imo.

expectationlost · 17-08-2025 10:40PM

https://www.boards.ie/discussion/comment/123721534#Comment_123721534

Tell comreg that.

Charles Babbage · 20-08-2025 03:16PM

https://www.boards.ie/discussion/comment/123721472#Comment_123721472

Is there a particular feedback mechanism to Comreg about this that I should use? I am happy to complain, but don't want my complaint to disappear into the system

Alun · 21-08-2025 01:14PM

There's a page for complaints here…

https://www.comreg.ie/advice-information/consumer-care/contact-our-consumer-care-team/

I got a reasonably prompt reply from the consumer line email on that page.

plodder · 19-09-2025 07:01AM

I don't think they ever had a handle on the big picture and how it was going to be enforced.

https://www.rte.ie/news/business/2025/0916/1533822-scam-texts-delay/

Neowise · 19-09-2025 09:43AM

"Therefore, and out of an abundance of caution, ComReg will defer the commencement of the blocking phase, thereby maintaining the 'Likely Scam' modification requirement, until it can be satisfied that the outstanding matters are addressed," ComReg said.

Stripe payment system multi factor messages still being marked as likely scam. If they were to be blocked as of now, I can't make purchases with my credit card using stripe, as i won't recieve the 6 digit code to authorize that i'm not to share with anybody.

plodder · 19-09-2025 10:29AM

It looks like part of the system is going to implemented anyway on Oct 3, which will result in some SMS texts being blocked.

(4) Relevant Undertakings that are MSPs but are not Participating MSPs, or that do not have a Network MSP applying Decision 1, 2 and 3 on their SMS traffic on their behalf, shall not deliver any SMS bearing a Sender ID to an Irish number.
and
(9) Undertakings that are MSPs must block any SMS bearing an originating number in the Irish number range, fixed, mobile or a short code, when presented for delivery from an SMSC which is not operated by or on behalf of an Irish MSP.

These measures might fix the fake DHL texts illustrated earlier in this thread. There could be some legitimate users of foreign based services affected by (9) though.

Hotblack Desiato · 19-09-2025 12:21PM

Legitimate foreign based services should not be faking Irish phone numbers in the sender field

plodder · 19-09-2025 01:12PM

https://www.boards.ie/discussion/comment/123830896#Comment_123830896

Not sure if this actually happens, but what if the user of the (foreign based) service is the owner of the number and they have confirmed they own it through some offline mechanism? They still want replies to go to their number.

Hotblack Desiato · 19-09-2025 01:58PM

If they want to send messages which appear as if they're coming from an Irish number, then they'll have to send them from an Irish number. If they don't like that, tough.

plodder · 19-09-2025 02:51PM

https://www.boards.ie/discussion/comment/123831283#Comment_123831283

If by "from an Irish number" you mean from a mobile device, registered on an Irish network with an Irish number, over the air, then fair enough.

But, if they are going to allow Irish SMSC's to effectively fake Irish sender addresses, through other channels, but not allow foreign SMSC's to do it, then that would be discriminatory.

plodder · 25-09-2025 09:02AM

For what it's worth, my OH got a fairly sophisticated phishing email this morning purportedly from Revenue. The site it directs you to is also an exact copy of the ROS login site. Worth pointing out that the 2FA authenticator apps that Revenue use, don't protect you against this at all. If you generate a valid code on the app and enter it on the fake web page, you've just handed over a one time login code to the fake site, and they are in your ROS account. I believe revenue use client certificates for access by tax professionals/accountants, but these are not used by the average taxpayer afaik.

Hotblack Desiato · 25-09-2025 09:05AM

There's no way to stop people entering valid credentials into fake sites 😕

plodder · 25-09-2025 09:51AM

https://www.boards.ie/discussion/comment/123848977#Comment_123848977

True. Until recently I thought people could be educated, and it definitely helps. But, there was an incident a couple of weeks ago, where a software developer who maintains a pile of Javascript packages was phished to get access to his github account (including 2FA). The consequences could have been very serious (for the world not just this guy) except that it was detected by a third party. So, if this kind of sophisticated developer can be phished, anyone can. And while 2FA protects against simple password guessing (or loss) attacks, it doesn't protect against phishing at all. That could be news to some people.

Comreg SMS "likely scam" texts

Comments