Recently, I crossed some sort of connectivity line with my Blackberry, setting it up to alert me whenever I receive an e-mail from any of the several Web-based services I use. I also downloaded applications that alert me whenever I get messages on the social networking sites with which I have accounts. Between that and my text messages, my phone is now guaranteed to be buzzing, beeping and blinking pretty much 24 hours a day. I consider this an experiment in connectivity. It may become the case that my Blackberry occupies entirely too much of my time from minute to minute, in which case I will have to remove some of the applications in order to keep the device’s role in my life to a reasonable one.
One thing I do enjoy is sending and receiving text and multimedia messages. I have several long-distance friends with whom I stay in touch by trading these messages. One of my friends, a truck driver, regularly sends me photos from his travels, which are often bizarre and come from all over the country. A picture message of that type is referred to as an MMS (Multimedia Messaging Service) message, while a text message is an SMS (Short Message Service) message. The latter term, SMS, has been used in coining a name for a new security threat: “SMiShing.” The term is a combination of “SMS” and “phishing.”
A “phishing” attack is generally defined as any attempt to get your personal information via e-mail or through a website. If you’re at all familiar with the spam in your inbox, you know that you frequently receive messages that purport to be from your bank, from eBay, or from some other institution with which you may or may not do business. Phishers count on the fact that for every thousand e-mails they send to random addresses, claiming to alert the reader to a security problem with their accounts at, say, Chase Bank, there will be a certain percentage of readers who do indeed use that bank and who will log in with their usernames and passwords (or worse, provide personal data like Social Security numbers) out of concern to check their accounts. This is one of the reasons certain sites and services repeatedly warn you that they will never ask for your password information via e-mail or instant messaging. They’re trying to prevent you from falling for these phishing attacks, in the hope that you will recognize such a request as automatically invalid and illegitimate.
Early this week, I attempted to log into my Gmail account to check my mail, after my Blackberry alerted me to the presence of new messages. I was mildly annoyed to discover that the service was not working. I closed the window and made a mental note to check later, when Gmail was up and running again. It was only later, when I discovered that the widespread outage had made international news and that people were genuinely up in arms over this failure of the “bedrock of the Internet,” that I realized fully the significance of this means of personal and business connectivity. You see, people depend on the Gmail service so much that they are more vulnerable to security exploits generated through it. Case in point? Immediately following the Gmail outage, a phishing attack launched through the Google Talk instant messaging service solicited Google users’ password information.
In what is apparently a demonstration of synchronicity, irony, or just blind luck, I also recently received my first-ever spam message via SMS text messaging. I was a little surprised, in much the same way I was surprised the first time I ever received a “wrong number” call on my wireless phone. There’s really no reason you wouldn’t get a wrong number on your cell phone, just as there’s really no reason you can’t get spam text messaged to the same phone. Telemarketers have been targeting wireless phones for some time, especially because an increasing number of Americans don’t even have landlines. All it takes is somebody willing to send the spam and use the service, whatever that service may be. But every time spam or malicious security exploits rear their ugly heads in some new venue, it takes us by surprise. If it occurs in a venue we take for granted, generated by technology we’ve not previously had reason to suspect, we may well fall for it. We will then suffer accordingly.
SMiShing is, therefore, as reported in CNET News, the act of using your SMS text message service to solicit your personal data. That data could be a username and password for some website or Web-based service, including your e-mail. It could also be a request for your birth date, Social Security number and other information used to perpetrate identity theft. Regardless of the specific information solicited, nothing good will come of providing it.
Never, ever provide information about yourself or anyone else to someone who calls you on the phone, for you have no way of verifying who that individual truly represents. The same rule should apply to giving your personal information (or anyone else’s) to anyone through e-mail, through a website, or via any other technological means. Unless you can verify the recipient and unless giving the information is your idea (meaning it was not solicited, such as through an e-mail claiming to represent a service you use), don’t do it. Don’t ever do it. Only by adhering to this rule ruthlessly can you guard against the majority of phishing and SMiShing attacks.
In our technologically advanced times, with interconnectivity ever-increasing, the price of our innovation and our convenience is eternal vigilance. Security threats are all around us. We cannot afford to become complacent and, more importantly, we cannot afford to be trusting. It is unfortunate that technological advancement requires us to become ever more suspicious of our fellow human beings – but when those human beings are reduced to text on a screen, they can be anything and anyone, and we dare not assume.