

On the flip side, SMS spoofing can be used to bait criminals into police traps. But with growing usage of SMS in India, those who are above board are at higher risk. In 2003, outbound SMS volumes in India surged by 200.8 per cent year-on-year to touch 7.39 billion messages, and even as wireless data services accounted for a meagre 5.4 per cent of cellular service revenues in India, the bulk of it was from SMS. Gartner expects cellular data services to account for 20.5 per cent of total cellular service revenues in 2008. While the number of mobile phones is set to cross the 50-million mark this year, SMS traffic for the leading cellular operators is already soaring at 15-20 per cent per month. According to Merrill Lynch, SMS could bring in as much as $75.6 million of revenues for Indian GSM operators by 2005. Corporate India is increasingly lapping up mobile phones, PDAs, wireless intranet connectivity, and customised SMS-based ERP-enabling (software to support and automate business processes). And there's no reason why spoofers won't evolve along with the advent of mobile image messaging, or MMS, to find ways to abuse the new technology.
Mobile service providers let messages through without authenticating the senders, a task made increasingly difficult by swelling SMS volumes. "SMS messages aren't stored by the mobile telephony service provider, making it impossible to ascertain their origin," says Duggal. While there could be remote hope for messages staying within one SMSC (Short Message Service Centre) or operator, roaming capabilities rob the operators of opportunities to filter messages. Sophisticated features open up ever-greater holes.
Ideally, cellular companies should cooperate with investigating agencies in tracking down spoofers, as website owners and administrators of messaging servers do. But spoofers are often too well informed to fall into the net, and the law is helpless in the case of intercontinental crimes.
This could well be a conundrum for next-generation law-enforcers, telecom players and cellphone users. But while the Indian Penal Code (1860) equates SMS spoofing with forgery punishable with hefty fines or two to seven years behind bars or both, there are no immediate fixes for the inability to nab the perpetrators and get a successful prosecution under the law. "Law agencies in India aren't properly oriented," says Duggal. "The lack of awareness and latest tools complicates the situation." Although SMS is an electronic record admissible in a court of law as evidence under the Information Technology Act (2000), provided it fulfils some mandatory requirements, the courts can merely trust the message contents. "Agencies would generally believe the mobile number to be genuine unless they have a cause to think otherwise," says Duggal. But, adds Nayak: "Any party claiming that an SMS originated from a particular number has to prove so. In the absence of proof, the courts reject the claim."
Duggal says the right training to give sharper teeth to the legal machinery is very important. "The FBI has successfully implemented regulations that direct service providers to instal infrastructure for providing law enforcers wire tap capability," he says. But, say the CCRC experts, "there's no silver bullet solution yet." So until that happens, the only defence is to look beyond the "face value" of the SMS. "Ascertain the real sender before acting on an SMS," Nayak advises. After all, people aren't always who they seem to be—much less in the 150 characters of an SMS.