SMS Sender ID Register Rollout Underway
Introduction
The Australian Government under the Australian Media and Communications Authority (ACMA) is commencing the rollout of a new SenderID Register. The changes take full effect from .
The new system requires registration of proposed SenderIDs and controls which organisations may use them. Further, attempts to use unregistered SenderIDs will be mitigated by changing the unregistered SenderID to "UNVERIFIED".
What is a SenderID?
A SenderID is an alphanumeric identifier attached to the sender of a text message (SMS or MMS) — similar to the "From" name in an email.
A SenderID is used in place of a telephone number, to provide greater recognition, familiarity and convenience to recipients. For example, an SMS notification sent by an organisation may use the organisation's name as the SenderID instead of using a phone number.
Security Issues with the Original Messaging System
A lack of security in the original messaging system's design meant that SenderIDs were not regulated — the system simply accepted whatever SenderID was supplied by the sender, and there was no way to verify the legitimacy of the sender of a given message.
This meant that scammers could generate SenderIDs to impersonate well-known brands and government agencies, such as the ATO and other prominent companies.
On modern mobile phones, messages sent with a spoofed SenderID could appear in the same messaging thread as legitimate messages.
This increased the risk of consumer confusion and the potential for malicious attacks. For example: an attacker could abuse the SenderID system to send scam texts that contain a link to a fake website or invoice, but appear to have originated from a legitimate business.
The new SenderID Register aims to reduce those risks by regulating the use of SenderIDs within the messaging system.
Advantages of the SenderID Register
The primary advantage of the SenderID Register is that it will enhance security by restricting unauthorised access to SenderIDs.
Once implemented, Telcos and Providers must replace unregistered SenderIDs with the word "UNVERIFIED". This will increase protection for registered organisations that use SenderIDs, as it will reduce the ability for a malicious actor to spoof the organisation's name or SenderID.
Key Milestones for the Rollout
Date | Milestone |
Telco & Provider Registrations Open Providers who wish to offer SenderID services must register with ACMA. Only registered providers will be allowed to send SMS or MMS using SenderIDs. | |
Business Registration of proposed SenderIDs Open Businesses and organisations who wish to use SenderIDs must regsiter the proposed SenderIDs with their chosen provider. The proposed SenderIDs must comply with the relevant SenderID Rules to be accepted for registration — see below. | |
SenderID Register commences operation Once the SenderID Register commences operation, it will not be possible to send an SMS or MMS within Australia using a SenderID unless that SenderID is registered to the relevant business or organisation. Providers must replace an unregistered SenderID with the word "UNVERIFIED" |
Eligibility Requirements
The following eligibility requirements must be met for an organisation to register a proposed SenderID:
- for organisations with an ABN — the proposed SenderID must match the organisation's:
- registered business name
- registered company name
- trade mark
- domain name
- for organisations without an ABN — the proposed SenderID must match the organisation's:
- trade mark
- officially-registered name in the country in which the organisation is based
- A "match" includes an abbreviation or initilaism of the organisation's name (eg "Australian Taxation Office" could be shortened to "ATO")
- The organisation may append additional words to the SenderID that relate to the organisation's role or location, or the purpose of the message (eg "Alert")
Importantly, the SenderID register is non-exclusive. This means that multiple organisations can register to use the same SenderID, so long as they meet the eligibility requirements. Potentially, this may lead to conflicts between organisations that share similar trade marks, domain names or business names.
Technical Requirements
The following technical requirements must also be met for a valid SenderID:
- length must be between 2 and 11 characters
- must only consist of letters, numbers or acceptable symbols (Characters within the ASCII Code range of 32-126 are accepted, which includes most characters found on a standard US keyboard)
- case insensitive (ie "
ABC" is the same as "Abc", "abc", etc) - cannot only consist of numbers
- cannot contain a space or underscore at the beginning or end of the SenderID
- cannot contain the word "UNVERIFIED" (this is a word reserved for use with unverified SenderIDs)
- cannot contain words that are offensive, misleading or deceptive - ordinary meaning test applied
- cannot consist solely of prescribed restricted words
How to register a SenderID
Once registration opens, businesses should sign-up with a Telco or messaging Provider that is certified under the SenderID Regime. Only certified providers will be authorised to generate and send messages with SenderIDs.
Businesses also have the option to continue using a regular telephone number to send messages. However, telephone numbers are not regulated under the SenderID Register, and will not have the protections of the new Register.
Other Important Considerations
Businesses should also remember that other legislation and rules may apply to the use of messaging services for commercial purposes. These include adhereing to any applicable requirements and restrictions under the:
- Spam Act 2003 (Cth)
- Privacy Act 1988 (Cth)
- Do Not Call Register
Further Information
Connect
Mt Gravatt East Queensland 4122
Closed Public Holidays.
Meetings by appointment only.