Hi,

As an academic project, I am tackling the problem of SMSishing. SMSishing can be defined in the same way as phishing, except that the fraudulent link is sent by SMS.

The goal of the project is to create awareness about SMSishing. Many approaches might have been used. I'm working with the Google Safe Browsing API in order to download the list of (hashed) fraudulent addresses to the mobile phone. Then I extract the http links in the SMS inbox to compare them with the database created on the phone.

There are some disadvantages to doing it this way:
- we need an internet connection
- the list provided is LONG, so it takes time to write the database and make comparisons

Other methods to fight SMSishing would be:
- the mobile operator checks the validity of each SMS before sending it to its destination
- a Google Safe Browsing API which allows us to send the address we want to check and run the test online (it avoids heavy computations)
- the security level is implemented inside the mobile browser and not in the SMS/MMS application

The code and more details about my project can be found here: http://code.google.com/p/anti-smsishing/

Another SMSishing-related topic is vishing: a fraudulent SMS asks you to call a number you trust (for example, your bank), and most of the time the called number will be an automatic voice responder asking you for personal information (such as a credit card number). Both problems might be approached in the same way, because we could store a database of fraudulent numbers.

What do you think about these problems? What would be the best solution? The most realistic implementation? Should this problem be handled by operators? By the browser? By the SMS application?

Deniz.
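
The lookup described in the post above (extract links from the SMS inbox, hash them, compare against a local list of hashed addresses), as an added example that is not part of the original post or the anti-smsishing project's code. It assumes a simplified scheme, SHA-256 over lowercase host plus path, not the actual Safe Browsing list format; all function names and sample messages are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Matches http/https links inside an SMS body (stops at whitespace, quotes, brackets).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING = ".,;:!?)"  # sentence punctuation that often sticks to a link in a text

def canonical_forms(url):
    """Lookup strings for a URL: host+path, plus the bare host (assumed scheme)."""
    parts = urlsplit(url.rstrip(TRAILING))
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return []
    path = parts.path or "/"
    forms = [host + path]
    if path != "/":
        forms.append(host + "/")  # lets a host-wide entry match any path
    return forms

def digest(expr):
    return hashlib.sha256(expr.encode("utf-8")).hexdigest()

def build_blocklist(bad_exprs):
    """Stand-in for the downloaded list: only hashes are kept on the phone."""
    return {digest(e) for e in bad_exprs}

def scan_inbox(messages, blocklist):
    """Return (message_index, url) for every link whose hash is in the blocklist."""
    hits = []
    for i, body in enumerate(messages):
        for url in URL_RE.findall(body):
            if any(digest(f) in blocklist for f in canonical_forms(url)):
                hits.append((i, url.rstrip(TRAILING)))
    return hits

# Constructed sample data (.example names are reserved, not real indicators).
BLOCKLIST = build_blocklist(["login.bank.example/", "promo.example/win"])
INBOX = [
    "Your account is locked. Verify at http://LOGIN.bank.example/verify?id=1 now.",
    "Lunch at 12? Menu: https://cafe.example/menu",
    "You won! Claim: http://promo.example/win.",
]

if __name__ == "__main__":
    for idx, url in scan_inbox(INBOX, BLOCKLIST):
        print(f"message {idx}: suspicious link {url}")
```

Keeping the hashes in a set makes each comparison a constant-time lookup, so the cost the post mentions is dominated by downloading and writing the list, not by matching.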
