Authentication of SMS
One of the limitations of mobile text messaging, when used for public dissemination of information, is its inability to easily authenticate the sender of the message. By this I mean it is possible for someone to spoof a mobile number and message, such that to the recipient the faked message appears to originate from your organization. It is important to address authentication issues to prevent falsified information being distributed by a third party, as well as to maintain the 'authoritative voice' / public trust of a forecast office or watch provider.
Quite often mobile systems used by the hydro-meteorological community for dissemination of text messages rely on a carrier SMSC (SMS Center) or the gateway of a commercial SMS reseller. When routing information through these centers or gateways, there is not a dedicated short code or series of mobile numbers from which a message is sent. Or, more to the point, the dedicated number is often shared among other groups using the same center and gateway. As a result the end recipient of the message cannot reliably look at the number from which the message was sent to verify its authenticity. Even if your mobile system is tied to a unique short code or number, it is still possible for a third party to spoof the number. This requires a little more technical acumen to pull off, but it is still entirely possible. Spoofing of phone numbers is illegal in many countries, but even so, it has to be reasoned that someone wishing to release a false forecast, or worse yet, a fake warning, will not be terribly concerned about such laws.
For RANET and some country projects authentication has become a concern even though we do not have an example of a false warning or forecast being sent. There are some examples of rumors about warnings and disasters spreading via SMS, but these have more often been through 'gossip' and not a direct attempt to impersonate a watch provider or forecasting office. Unfortunately there is no easy solution to the potential problem. At the end of the day, verifying the authenticity of a message will be the responsibility of the recipient. However, there are a few actions you can take to make verification of messages easier.
Cross Post Messages To Other Communication Channels
The first and easiest way to support authentication is to ensure the message of the SMS is also publicly posted to a website, sent in an e-mail, or available through other existing messaging channels. In many cases this is something most forecast offices and watch providers do as part of existing operations. Forecasts and alert messages are routinely posted to a website, made available as RSS feeds, and sent out via e-mail. While you may make these other formats available, it is a good practice to remind subscribers or the public where to go (online or elsewhere) to see if the message they received has actually been released by your organization.
A variation of this technique is to include a short URL or verification code in your SMS that recipients can use to directly link to an online copy of the original text. This too, however, can be spoofed if users are not diligent about examining the URL and/or domain name of the website they are visiting. It would not be difficult for someone to copy the look and feel of your website and to cross post the faked message. Presumably the faked SMS would contain a link to the faked website. But for recipients without web-enabled phones or general web access, this may be of little value anyway.
Allow Verification Via SMS Request
Another possibility is to allow SMS recipients to request that your system resend them the latest message. In this scenario a subscriber receives a forecast, alert, or other message. If she suspects the information is faked, she can send an SMS request to your system for the most recent message to be resent to her mobile device. If the messages do not match, then the recipient knows to be suspicious of the original SMS. Even if your short code/number is spoofed, a user can directly poll your servers via text message to get the latest and correct information. An added benefit of this technique is that over time you can log the typical number of resend requests. If such requests abnormally peak, then an alert can be set up to help your staff proactively track the situation and squelch any potentially falsified information.
Setting up this sort of two-way, on-demand system will require some additional investment, if you do not already have the capacity. Aside from writing scripts to handle the requests, you will either need to have a dedicated line to receive requests, and/or you will need to lease a dedicated number through an SMS gateway or carrier SMSC. Of course your messaging costs will increase as well, particularly if your subscribers are routinely requesting a verification message.
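The resend logging and peak alert described in this section could be scripted along the following lines. This is an added example, not code from the original article or from RANET; the function names, the sample message, and the `k` and `floor` thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample text; a real system would read the latest issued message.
LATEST_MESSAGE = "WX ADVISORY 0600Z: Heavy rain expected, coastal districts."

def handle_resend(sender, received_at, log):
    """Record an inbound resend request and return the latest official message."""
    log.append((received_at, sender))
    return LATEST_MESSAGE

def hourly_counts(log, start, hours):
    """Requests per hour for `hours` consecutive hours from `start`, zero-filled."""
    buckets = Counter((ts - start) // timedelta(hours=1) for ts, _ in log)
    return [buckets.get(h, 0) for h in range(hours)]

def is_abnormal_peak(counts, k=3.0, floor=5):
    """True when the last hour exceeds the earlier hours' mean + k*stddev.

    `floor` stops a very quiet baseline from alerting on a handful of requests.
    k and floor are assumed tuning values, not figures from the article.
    """
    *baseline, current = counts
    if len(baseline) < 2:
        return False  # too little history to call anything abnormal
    return current > max(floor, mean(baseline) + k * pstdev(baseline))

def sample_log(spike):
    """Constructed data: 24 quiet hours (1-3 requests each), then an optional spike."""
    start, log = datetime(2024, 1, 1), []
    for h in range(24):
        for i in range(1 + h % 3):
            handle_resend(f"sub-{i}", start + timedelta(hours=h, minutes=i), log)
    for i in range(spike):
        handle_resend(f"sub-{i}", start + timedelta(hours=24, seconds=i), log)
    return start, log

if __name__ == "__main__":
    start, log = sample_log(spike=40)
    counts = hourly_counts(log, start, 25)
    print(counts[-1], is_abnormal_peak(counts))
```

A flagged hour is a prompt for staff to check what subscribers are receiving; it does not by itself show that a forged message is in circulation.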
Assign PINs
When looking at our own system, as well as others, we came to realize that most systems disseminating SMS are at least loosely subscriber based. Each person receiving a weather forecast or warning has signed up for the service either directly from their mobile phone, by sending an e-mail request, or by completing an online registration form. We can take advantage of such subscriber-based systems by assigning or allowing users to select a unique Personal Identification Number (PIN). When sending out messages to the user, the PIN can then be included at the beginning of the message. If the recipient does not see or receive a message with his PIN, then he knows that the message may be faked.
Conceptually this sort of authentication is the most immediate and requires the least alteration in system design. But of course it is still entirely dependent upon the recipient watching for the PIN. Again, the user is ultimately responsible for verification.
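A send-side sketch of the PIN prefix, added here as an example and not taken from the original article: it holds back any subscriber whose PIN is missing or whose message would exceed 160 characters instead of sending a text the recipient would read as faked. The 4 to 6 digit PIN format, the function names, and the phone numbers are assumptions.

```python
import re

SMS_LIMIT = 160  # single-message character limit cited in the article

class PinError(ValueError):
    """Raised when a message cannot be sent with a valid PIN prefix."""

def compose(pin, body):
    """Put the subscriber's PIN at the start of the message, or refuse."""
    # Assumed PIN format: 4 to 6 digits. Adjust to your own registration rules.
    if not re.fullmatch(r"\d{4,6}", pin or ""):
        raise PinError("missing or malformed PIN")
    text = f"{pin} {body}"
    if len(text) > SMS_LIMIT:
        # Truncating silently could cut the forecast; make the operator shorten it.
        raise PinError(f"message is {len(text)} chars, limit is {SMS_LIMIT}")
    return text

def build_batch(subscribers, body):
    """Return (outgoing, held). Held entries need operator attention:
    a PIN-less message would look forged to a subscriber watching for the PIN."""
    outgoing, held = [], []
    for number, pin in subscribers.items():
        try:
            outgoing.append((number, compose(pin, body)))
        except PinError as exc:
            held.append((number, str(exc)))
    return outgoing, held

# Constructed subscriber records (number -> PIN); none are real numbers.
SAMPLE_SUBSCRIBERS = {"+10000000001": "4821", "+10000000002": "", "+10000000003": "77"}
SAMPLE_BODY = "WX ADVISORY 0600Z: Heavy rain expected, coastal districts."

if __name__ == "__main__":
    sent, held = build_batch(SAMPLE_SUBSCRIBERS, SAMPLE_BODY)
    print(sent)
    print(held)
```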
Use of Unique Coding and Format
A less technical approach is to simply ensure your text messages contain some formatting of consistent headers, order in which information is presented, punctuation, etc. Similarly, as you are likely to use abbreviations or codes to squeeze information into a 160 character limit, purposefully use abbreviations, codes, or even unique terminology, so long as this does not affect the clarity or readability of a message. While a third party could easily copy your formats and styling, using this technique will add one more barrier, and it will provide a simple cue to the recipient that the message is potentially faked if the formatting does not follow that from previous messages.
Caveats
Using a few of these techniques in your messaging systems should greatly improve the ability of your recipients to authenticate messages. Still, it is not impenetrable, and moreover educating your message recipients on how to authenticate a message is likely the best defense.
One caveat of importance, however, is that before employing such techniques, make sure your operational procedures and automation work without fail. For instance, if you are cross-posting messages sent out as SMS to a website and RSS feed, it is imperative that the automation which sends the SMS also immediately posts the information to these other communication channels. If an update to a website fails or is delayed, then users seeking to verify a message or additional information may incorrectly assume a real message they received in an SMS is faked. Similarly, a script that fails to include a PIN or respond to a user request to resend the message could also cause confusion. Redundancy is good in public dissemination systems until it causes unmanageable complexity.
