
The American Red Cross had a tremendously positive response when it announced a mobile phone giving campaign in the wake of the January 12, 2010 earthquake in Haiti. The campaign was announced at 9pm on Tuesday, Jan 12; by 10am Thursday, Jan 14, the group had collected $3.4 million through mobile donations alone. Each text of the word ‘HAITI’ to the number 90999 was a $10 donation. 340,000 people gave $10 each in just over 36 hours.

I didn’t give a dime via my cell phone. The whole thing smelled like a scam to me, but 340,000 of my fellow Americans did not agree. I was wrong on this one. But given the ubiquity of scams surrounding the Haiti disaster, it would be good to know how we can tell when to trust these campaigns, or when not to trust them, down the road.

So what are those five-digit (and in fact, now six-digit) numbers that you text to? They’re called common short codes, or just “short codes” colloquially, and they’re administered by the Common Short Code Association (CSCA). The CSCA even maintains a helpful little directory on their site, in case you are looking to register a short code of your own. The CSCA maintains agreements with various wireless carriers, who in turn bill their customers the amount that each short code’s agreement specifies per message. As I mentioned, a text of ‘Haiti’ to 90999 would result in a $10 charge on the sender’s next bill under this agreement.

Searching their directory turns up the code 90999 as registered to Mobile Accord, which was mentioned alongside mGive in the American Red Cross news release about the Haiti text donations campaign. Mobile Accord claims to have revolutionized text-based giving back in February 2008, with a campaign designed to help the United Way.

There is no doubt that the American Red Cross was able to generate great revenue in a short period, when it was desperately needed. Hopefully, with more information about the CSCA, organizations and consumers can continue to make good decisions about how to use this technology appropriately. Thanks to forward-thinking groups like Mobile Accord and mGive, and the pervasive use of cell phones, similar disasters and emergency responses should be able to find support quickly and from a wide audience of willing donors. Organizations could adopt this kind of giving and prepare to respond in a way that instantly enables others to help out.

But if the American Red Cross, or any other organization for that matter, doesn’t own the rights to use a specific short code, then what happens to typos or even nearby name collisions? These kinds of things are something to watch out for. Just as URL-based scams have relied on misspellings such as “www.eaxmple.com” for “example.com”, or on lookalike names such as “www.example.com.site.bad”, to lure people to the wrong location, who’s to say that short codes won’t suffer the same fate? One would hope that an organization leasing short codes would have some controls in place to prevent these kinds of near misses.

Some security exists with confirmation replies. Users can receive a confirmation message to ensure that they are aware of a donation to their charity. But how can a user know the recipient of their donation is their intended charity? They might confirm the amount at $5 or $10, but if there are no strong controls on who the donation goes to, it is still a potentially dangerous mechanism.

There is potential, just like with malicious domain name squatting, to grab up short codes that could be used repeatedly (43571 for “HELP!”, for example). If there aren’t controls in place now to stop this kind of illicit use of the common short code system, a miscreant could quickly benefit from the right combination of short codes or text triggers sent to those short codes. It will be important for organizations to understand who else is using the same short codes they have decided to use, how to inform the public that their short codes are legitimate, and for users to know how to find the same kind of information about the services they use as well.
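One way a lessee could check who sits next to its short code, as an added example that is not code from the original post or from the CSCA: it derives the keypad digits for a keyword (the post's 43571 for “HELP!”) and lists directory entries that are one keying slip away from a leased code. The directory export, the holder names other than Mobile Accord, the placement of '!' on the 1 key and all function names are assumptions made for illustration.

```python
ROWS = ["123", "456", "789", "*0#"]  # physical keypad layout
LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
           "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
           "1": "!"}  # assumption: '!' on the 1 key, matching 43571 = "HELP!"
TO_DIGIT = {ch: d for d, chars in LETTERS.items() for ch in chars}

def vanity_code(word):
    """Digits a user presses to spell `word` on a phone keypad."""
    return "".join(TO_DIGIT[ch] for ch in word.upper())

def neighbours(digit):
    """Digit keys directly left, right, above or below `digit`."""
    r = next(i for i, row in enumerate(ROWS) if digit in row)
    c = ROWS[r].index(digit)
    cells = [(r, c - 1), (r, c + 1), (r - 1, c), (r + 1, c)]
    return [ROWS[y][x] for y, x in cells
            if 0 <= y < 4 and 0 <= x < 3 and ROWS[y][x].isdigit()]

def near_misses(code):
    """Map every code one keying slip away from `code` to the slip type."""
    out = {}
    for i, d in enumerate(code):
        for n in neighbours(d):
            out.setdefault(code[:i] + n + code[i + 1:], "adjacent key")
        if len(code) < 6:  # short codes are five or six digits
            out.setdefault(code[:i] + d + code[i:], "doubled key")
    for i in range(len(code) - 1):
        swapped = code[:i] + code[i + 1] + code[i] + code[i + 2:]
        out.setdefault(swapped, "transposed digits")
    out.pop(code, None)  # swapping two equal digits reproduces the original
    return out

def audit(own_code, directory):
    """List directory entries that sit one slip away from `own_code`."""
    slips = near_misses(own_code)
    return sorted((code, slips[code], holder)
                  for code, holder in directory.items() if code in slips)

# Constructed directory export; only the 90999 entry comes from the post.
DIRECTORY = {"90999": "Mobile Accord", "90998": "Holder A (constructed)",
             "99099": "Holder B (constructed)", "55512": "Holder C (constructed)"}

if __name__ == "__main__":
    for row in audit("90999", DIRECTORY):
        print(row)
    print(vanity_code("HELP!"))
```

The same `audit` call can be run on the output of `vanity_code` for each keyword an organization advertises, so that look-alikes of vanity codes are reviewed along with look-alikes of the leased number.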


2 Comments.


  1. SMS spoofing is trivial. I wonder what implications this will have on the longevity of this donation method. It's a good cause… so hope it survives.


  2. The criminals always follow the money trail. Good security awareness is still the most important element in preventing these sorts of attacks.

