Security

Just sending an SMS does not protect your users

This sponsored post is produced by  Stacy Stubblefield, the VP of product strategy for TeleSign Corporation.

Spam, hacking, phishing, malware, and social fraud aren’t going away any time soon. With Internet fraud costing U.S. consumers over $560 million per year, it’s no surprise that most of the biggest web properties are investing considerable resources in protecting their users.

SMS-based two-factor authentication is one of the most popular and effective methods of increasing account security. You may have experienced this type of authentication when logging into your bank or email account from a computer you don’t regularly use. When you do this, to verify that you’re the person trying to access your account (rather than a fraudster who’s obtained your username/password), the online company will send a short, temporary PIN code to your mobile number. You then enter this code to prove your identity and are allowed account access.

Pretty easy, right? In concept, yes. However, many companies don’t anticipate the complexity of successfully delivering SMS globally on a consistent basis.

It’s just SMS: What’s the big deal?

We know what you’re thinking: SMS is simple. You just type up a short message on your phone, press Send, and voila! The message arrives on your friend’s handset in a matter of seconds. What could be easier than that, right??

Delivering an SMS is actually a bit more complicated than it appears. In fact, it’s a tiny miracle every time an SMS show up on your phone. Why? Well, here are just a few of the challenges you might face as you try to deliver SMS messages around the world.

Many points of failure

Have you ever thought about what takes place behind the scenes to get a text message from Point A (your phone) to Point B (your friend’s phone)? If you’re like most people, the answer is definitely no. So let’s peel back the curtain and take a look inside the life of an SMS message:

  1. You type up an SMS message on your phone, choose who you want to send it to, and press Send. The SMS is born.
  2. Your SMS message travels through the air to a mobile tower located somewhere near you, where it sits and waits to start the next part of its journey.
  3. The mobile tower contacts your carrier’s Short Message Service Center (SMSC) and says, “Hey! I have an SMS waiting for you! Come get it!!”
  4. Your carrier’s SMSC takes the SMS from the mobile tower, says “Thanks – I got the message!” to the mobile tower, and drops the message into a queue for processing.
  5. Now, the SMSC must determine where to deliver your SMS, so it takes a look at your friend’s phone number to see which carrier it currently belongs to.
  6. Your carrier then passes the SMS message to your friend’s carrier. If your carrier is directly connected with your friend’s carrier, this might be a very short journey. However, it’s more likely that your SMS message must travel through at least one third party that is responsible for connecting the carrier networks together.
  7. Now that your SMS has made it to your friend’s carrier, that carrier must determine whether your friend’s phone is currently able to receive your SMS (Is the phone on? Has your friend paid his bill?). It must also figure out where your friend’s phone is currently located.
  8. If everything looks OK, the SMS will be sent to a mobile tower near your friend.
  9. The mobile tower will then send the SMS to your friend’s phone, and the device will acknowledge that it received the SMS.

This is a simplified version of your SMS’s journey, but you can see that there are many potential points of failure along the way.

Spam SMS Traffic

Unfortunately, you’re not the only person trying to send an SMS at any given time. In fact, it’s likely that your SMS is competing with thousands of other SMS messages for delivery. Many of these, especially outside the U.S., are spam messages. What does this mean to you? A couple of things:

  • Spam messages are often sent in huge volumes over a short period of time. If your message happens to be sent at the same time as a burst of spam SMS and travels along the same route, there’s a chance your SMS message will be delayed or fail due to an overload in some element of the delivery system.
  • Many mobile phone companies try to limit the volume of marketing messages reaching their subscribers. To do this, the companies filter out messages they think are spam. If these mobile operators think your message is spam, it won’t get delivered.

Phone-numbering plans

People who live in the U.S. often take the simplicity of our phone number formats for granted. All of our phone numbers start with a 3-digit area code and are a total of 10 digits in length. This basic format hasn’t changed for decades.

However, in other countries, mobile phone use is growing so fast that there aren’t enough numbers in the country’s numbering plan to accommodate the growth. When this happens, a country generally undergoes a numbering-plan change, which usually involves adding another digit somewhere in the original phone number. As an example, Brazil added the digit “9” to mobile numbers in many (but not all) of its cities in 2013. When this type of change takes place, the mobile numbers you have on file for many Brazilians are no longer valid and must be updated according to the new rules to be reachable.

In addition, there are some countries where phone numbers must be formatted differently depending on whether the number is being dialed from within the country or outside the country. An example of this is Argentina, where local mobile numbers are reached by adding the prefix “15” to the subscriber phone number. To reach the same mobile number from abroad, the prefix “15” must be dropped, the local area code must be added, and a “9” must be prefixed to the beginning of the phone number. If this is not done, your SMS will not reach your intended recipient.

Character encoding

If you’re reading this, you probably speak English. And luckily for you, sending SMS messages in English is pretty easy. The challenge begins when you need to send special characters, such as those with accents or characters from non-Latin languages (Chinese, Russian, Arabic, etc.). To do this successfully, you must:

  • Determine which character set should be used: Check whether the country/mobile operator you’re sending the message to supports those characters (not every operator supports every type of character).
  • Figure out how many characters are allowed in each SMS when using that character set: Encode each character in the message properly.
  • Set the encoding in the header of your SMS correctly. If any of this goes wrong, your message will not get delivered or will appear garbled.

Local rules/regulations/capabilities

Every country has its own rules. You probably know this in theory, but many times it’s hard to understand what this means in practice, especially when it comes to sending an SMS. Here’s a quick breakdown:

  • Do Not Call Lists: Several countries have implemented Do Not Call lists. SMS delivery to phone numbers on these lists can incur major financial penalties, or messages to these phones may be dropped altogether. There are strategies for managing this, but they are specific to each country.
  • Short codes versus long codes: Some countries require that all enterprise SMS traffic be delivered via a short code (i.e., a short numeric or alphanumeric code that identifies each SMS “campaign”). Other countries don’t support short codes at all, and messages are instead sent with a long code (i.e., a standard phone number) or an ad-hoc alphanumeric word/phrase set as the Sender ID (i.e., the “from” number shown on the receiver’s phone).
  • Number portability: Some countries let you port your mobile number from carrier to carrier. Others don’t. To deliver your messages successfully, you need to know which countries offer number portability and which carrier currently controls the phone number you’re trying to reach.

Keeping up with each regulation/capability introduced or modified in 200-plus countries around the world can be a challenge, but it’s necessary to send SMS successfully.

Unreliable delivery reports

In theory, you should receive a Delivery Report (DLR) for every SMS you send indicating whether delivery of the SMS succeeded or failed. Unfortunately, this is not realistic for various reasons:

  • DLR delays/failures: DLRs can be delayed or fail due to large volumes of outbound SMS, failure of some piece of the reporting system, or for other reasons.. When this happens, it can be difficult to know whether you are experiencing an actual SMS delivery problem or a DLR problem.
  • DLR faking: Operators and aggregators have both been known to send fake DLR reports indicating successful SMS delivery. These fake DLRs muddy any delivery monitoring that is based on DLR reports.
  • DLRs not supported: Some mobile operators simply don’t support delivery reports. For these operators, you will never know whether your messages are successful or not based on DLRs.

These issues all make monitoring SMS delivery success on a global scale challenging.

Failure is not an option

SMS messages sent for security purposes are often part of a user’s login experience, so delay or failure can be catastrophic. These messages must be encoded properly, sent to a correctly-formatted phone number, and arrive quickly and reliably.

Even with the challenges of reliably delivering SMS at a global scale, SMS technology it is still the most effective and simple method of verifying, authenticating, and alerting your users. Just make sure you’re familiar with the challenges and work with a partner who prioritizes successful delivery above all else.


Sponsored posts are content that has been produced by a company, which is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.


0 comments