Text messages — Is it them… or someone else?

According to reports by the U.S. Census Bureau and the CTIA, the use of text messaging among adults is growing at an explosive rate.  In the United States, it is estimated that at least 3 billion text messages are sent every day.

One of the conveniences offered by texting is the succinctness with which information is conveyed from one person to another.  The 160-character limit forces people to be more direct and to the point.  But in our eagerness to communicate with as few words as possible, we often overlook the issue of sender authentication.

How can you be certain the person you are exchanging texts with is who you think it is?  The caller ID and that cute little contact picture only tell you whose phone sent the message!  Unlike phone calls, there is no heuristic method by which you can be sure of who is on the other side of the keypad.

There can be many situations in which the person you are exchanging text messages with may not be the person you wanted to communicate with.  Pretexting is a common technique used by law enforcement, government agencies, private investigators and suspicious family members to gather intelligence, admissions of guilt and dirt, by pretending to be the owner of a confiscated or otherwise unattended text messaging device (cell phone or computer).

Unless you can claim attorney-client privilege, you should never use text messages to discuss confidential or otherwise private information.  If you must discuss such matters using text messages, take steps to verify the identity of the person you are exchanging messages with.

The most obvious way is to directly communicate with the other person by voice, and just ask if they are indeed the person you will be exchanging text messages with.  If that is not practical, then try texting them a “challenge question,” that only the real person would know the answer to.

“Mary ru there?” is a lousy choice for a text message challenge question.  Mary might be asleep and her husband Joe might be the one answering the question.  It’s fine to ask that over the phone, because you can usually tell from experience if the person answering the question is Mary, and not Joe.

Challenge questions can be either prearranged or knowledge-based.  Prearranged challenges are similar to passwords and “secret handshakes.”  Knowledge-based challenges rely on heuristic information that only you and the other person are privy to.

Prearranged challenges, of course, require that both parties agree ahead of time on a challenge question and response.  The advantage of prearranged challenges is that multiple answers can be agreed upon for the same question, allowing the answering party to secretly convey situational information.  We call this a covert information channel, because it secretly communicates information without alerting other parties.  Alarm monitoring companies routinely use prearranged challenges to authenticate a homeowner’s identity and to determine their level of duress.

But like passwords and secret handshakes, prearranged challenges can be defeated, because they are too hard to remember or are easily discovered.  Sarah Palin’s e-mail account was easily hacked because of poor choices she made for prearranged challenge questions.

Knowledge-based challenges do not require prearrangement, only that the person answering the question has knowledge that was previously shared between both parties.  It should also be knowledge that only the answering party is willing to give.

For instance, let us suppose you previously helped Mary with her eBay account, and that she willingly shared her password with you.  Even if Joe also knows her eBay password, only Mary would be willing to repeat that information to you three weeks later, with little or no hesitation.  Whereas Joe would most likely answer “WTF4?” if you asked for the password and he was pretending to be Mary.

Knowledge-based challenges get the job done, but can suffer from transparency problems.  Joe would now be suspicious about why someone asked for Mary’s eBay password.  The best challenges are ones in which you obfuscate the manner in which the challenge is given.  You are not trying to deceive Mary about the challenge; you are trying to make sure that Joe doesn’t know how important it is that you are texting Mary instead of him.

Let us suppose that you told Mary you’re allergic to nuts, and that she knows it in no uncertain terms.  Joe doesn’t even know who you are, let alone anything about your food allergies.  Texting “I 8 2 Snickers bars 4 lunch!” to Mary should give you a response similar to “Ur not supposed 2b eatn dat!”  Any reply less alarming should suggest that either it isn’t Mary answering, or that she wasn’t paying attention to what you said about your food allergies.

For more information about text and instant message security issues, please read the post on how to create and use A Personal Security Classification Taxonomy (PSCT).

If you have any questions or concerns about your own personal information needs, or requirements, please contact The Assurer for a consultation.
