Huge problem we see at my current company, Stytch (https://stytch.com/). Toll fraud/traffic pumping can result in huge costs, mid thousands to millions per year.
One thing that surprised me a lot to learn, and is covered in the article, is that the primary bad actor is the telecom provider! I had no idea that the telecoms were sharing revenue with hackers that found unprotected SMS channels and exploited them. A really wild thing.
We have a bunch of built in protection against SMS toll fraud for our OTP product as well as more in-depth fingerprinting tools if your app ever runs into this problem. When you get that first surprise bill from Twilio, give us a shout and we can help!
The wild thing about this is that this isn't just a B2B fraud, but regular joes are hit with it as well and regular operators don't care.
My phone got stolen in Naples last year, just as I was about to board my plane. It was 11PM, so when I called my boss from my gf's phone he decided to block the number the next morning as he was in bed already. By the time the SIM was blocked, 10 hours had passed, and thieves had managed to place over 100 hours of very expensive toll calls to numbers in Algeria. It cost the company over 10k, and our operator was not willing to accept any responsibility over it. Admittedly, I turned off the PIN lock because my phone at the time would overheat and restart multiple times a day, but operators really should have lockouts on foreign payphone numbers, especially once they're being placed faster than a human can dial them.
The Prophet years ago wrote in 2600 telecom informer that there were solutions to telemarketing calls/spam but the phone network operators liked the profit and don’t want to solve this problem for their customers
Happened to us as well a while back. We tracked originating IPs to the same telco that was sending SMS to their own numbers through our platform. I couldn't believe it.
This article is a little dated, since then we’ve released Fraud Guard. Our model can detect and block 98% of pumping traffic with only .1% false positive. It’s working really well to deter these fraudsters. If you’re interested, you can learn more here [1].
We're also rolling out a version for all Programmable SMS customers with a higher false positive rate due to the wider variety of use cases supported.
Taking a wild guess – but is there a chance that people using Twilio as their personal phone provider are not their target customer group?
Sounds a bit like opening a merchant account and using credit card payments as a way to split bills and rent with friends, and then being annoyed about being treated like a business (i.e. getting tax forms, having to declare a business model etc.)
Don't get me wrong, I also use a Twilio account for my home automation setup, but I can kind of see how that's pushing the boundaries of the product a bit.
I'm actually in this exact same boat (I ported my US number to twilio when I had a long travel stint abroad to retain access, have since built a forwarding system to keep using it).
I registered with the IRS to get an EIN for my "sole proprietorship" (i.e. me), and that seemed to satisfy twilio for the brand registration requirements. Still waiting on a final A2P review for my use case (sending messages to family and friends) so not out of the woods yet, but hopefully that's the last step.
Please use secure channels for authentication. SMS is antiquatedly insecure (Any way it's sent: SS7, SMPP, etc.).
More traffic benefits the industry (since some sucker pays for it). There's no incentive for any of the entities that profit from this to stop it (unless it's to sell you a premium protection service).
Sure, but it seems a bit short-sighted to assume that SMS brings no benefit. If a customer somehow loses access, SMS is far cheaper and more available for all involved than any other alternative. Most people don't want to carry any dongles (especially not institution-specific ones) and many don't really want to install apps or have phones that will wipe app data for infrequently-used apps.
Meanwhile, there are countries whose entire banking, tax filing, CC processing and various public service systems rely on SMS as the only second factor.
Just want to flag that Twilio’s 2FA service, Authy, is tightly tied to SMS. For example, if you want to login to iwantmyname.com, it asks you for your Authy totp, but if you don’t remember it, they’ll settle for an SMS code instead. And that’s a ‘feature’ of the Authy integration.
SMS is the only second factor that works for people without smartphones. Having a smartphone means signing your life (your location 24/7, your messages, your contacts, your everything) over to either Google or Apple.
I understand the security aspect and realistically most people will have smartphones anyway, but forcing everyone into this surveillance duopoly, especially as Apple is overpriced and Google is an ad company with a stated mission of removing privacy, makes me pretty salty.
Before my bank supported smartphones, they used a smartcard reader that you'd put your debit card into (a vasco digipass). The earlier model required you to type in a numerical challenge, a later model used a digipass that can scan a QR like code (that uses colors for higher data density).
Another bank's employees used a physical RSA securid TOTP token (which was a bad idea since RSA hung onto the seeds and got hacked).
(TOTP can also be added to feature phones, it's fairly straightforward. There's open source java ME projects.)
Corporate clients with their competitor had been using MSDOS based banking software that came with a hardware token that ingested a challenge as flashes of light from the screen, which was pretty neat! It didn't read a debit card, the seed was just baked in.
Before banks started shipping physical tokens or card readers, they would send you a list of one time codes to approve transactions.
Note that Google also has the option to generate such codes (although you get 6, not 50 at a time), so you can get into your account even if your phone is stolen.
All of those worked in the age before smartphones.
Now, there's also passkey/U2F/FIDO2 based hardware keys you can provision yourself and buy from several vendors, like Yubikey or Token2.
There's plenty of reasons to be salty about the smartphone duopoly and surveillance economy, but for 2FA there's plenty of alternatives. And if you do use a smartphone, you could always use an open source authenticator app.
There is a better way. There are plenty of non-phone-based totp authenticators, and many of the password managers provide one. I’m using 1Password for example and I do not use phones for second factor.
Why would I want to buy a smartphone, just to log in to some service? Why would I want to install some crappy auth app on my computer (That most likely does not have a Flatpak for it even)?
Most places do not support Yubikey... so getting SMS on my Nokia 3310 is the best option for me.
It's the way to go for you since it is convenient for you? Doesn't really help against the security problems with SMS. Someone can for example socially engineer a phone company operator to steal your phone number.
This is just a new variant of an old attack. I was working for a VOIP provider 10 years ago and the attack was similar: the attackers compromise a VOIP PBX (default passwords, extensions opened on the WAN, etc.) and then use it to call a very expensive value added service that they owned (like one special number in Tristan da Cunha or Nauru that costs 50€ on answer and 10€ per minute).
Here's the missing bit of advice, which you won't get, because Twilio makes money from you sending SMS messages:
Do not use SMS for 2FA.
Seriously — just don't. It is not secure, it is susceptible to fraud, it is not a good second factor.
Yes, I do realize there are other uses for SMS, but this is the prevalent one, and I'd like people to consider seriously if they really want to use it before they blindly follow what others do.
Remember that there are companies that use SMS 2FA not to make anything more secure, but to get your unique tracking identifier (your phone number) and tie it to online targeted advertising.
Need to yell this as loud as possible in the goddamn banking and healthcare industry's face then. Cause those dinosaurs don't even let you have an online account without an SMS (and only SMS in most cases) as a 2FA mechanism.
Just to shame a few out there right now: Chase, Fidelity, Bank of America, American Express, United Healthcare, Signa and many more.
Ally Bank used to allow 2FA through SMS or email, if I recall both were optional. But they eventually required everyone to use 2FA, and it had to be SMS -- email 2FA doesn't work anymore
I think that depends on how it's implemented and how their account recovery process is done. If they give SMS special status and use it with few or no other data to recover accounts when you're locked out, then adding SMS 2FA might actually significantly decrease your security for that account by allowing someone to gain access with just the SMS capability.
That's hopefully very rare, but of the companies that would do so, I imagine the ones that only support SMS 2FA are likely to have a higher occurrence.
India has been enacting regulation enshrining SMS as 2FA for their entire Digital payments infrastructure. They even require storing all biometrics (FaceID etc.) on gov servers and not on-device. We are in for a decade+ of this at minimum.
SMS also comes with no deliverability or latency guarantees, and hard to scale globally as rules and regulations are different in every country. Acquiring IDs is slow and you need multiple for backup routes and different use cases.
We all here live in a tech bubble. None of my friends and family have a 2FA app, or know what one is. They understand SMS, and it's better than no 2FA at all.
At worst it's no worse than SMS, but at best it's at least secure in transport and effectively free.
The downside to email is primarily that data is not a roaming perk for many. But if it's to access an app then a reasonable assumption of internet access, even if not on the mobile, is valid.
For literally years Google Authenticator had no means to move between phones. Of course people who were told to use it decided never to use OTP apps again after getting screwed.
Yubikeys (and google's keys) have had issues where the keys were extractable and needed to be replaced.
and so on.
SMS has just worked. Yes, it has reliability issues, but it's almost like people can't model even the most basic ways that the non-SMS tech is basically terrible. Even Apple doesn't work well because of the broadcast behavior of the confirmations.
I don't know about Android but Apple users can literally start adopting TOTP without changing a single thing.
Providers should simply add instructions telling people that if they have an Apple device they can just go to the keychain and add the code displayed on the screen or use the QR with the camera
2FA is not the main target here, it’s SMS one time password flows. Where you never go through a traditional account setup, you just enter your phone number, it sends you a text with a one time password (generally embedded in a URL you can click), and you’re logged in.
With 2FA, you at least have to log in successfully without the cell phone first, so it's harder to exploit. You can pretty easily rate limit 2FA prompts per account, auto-ban malicious accounts, etc. While SMS OTP flows are extremely easy to exploit - the text is sent before any sort of association with an account occurs, making rate limiting, banning, etc. much more difficult.
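The point above is that a passwordless SMS OTP endpoint has no account to rate limit on, so the guard has to key on what is known at send time. The following is an added example (not code from the thread or from any provider mentioned in it) of a pre-send guard with sliding-window limits per destination number, per source IP and per destination country prefix, plus a rolling spend cap; all thresholds, prefixes and per-message prices are constructed values.

```python
"""Pre-send guard for an SMS OTP endpoint (added example, constructed values)."""
from collections import defaultdict, deque

# Constructed per-message prices by country prefix (USD); real rates vary by route.
PRICE_BY_PREFIX = {"+34": 0.02, "+39": 0.03, "+49": 0.06}
DEFAULT_PRICE = 0.10


class OtpSendGuard:
    def __init__(self, per_number=3, per_ip=20, per_country=200,
                 window_s=3600, spend_cap=50.0):
        self.per_number = per_number      # retries one phone may request per window
        self.per_ip = per_ip              # sends one client address may trigger
        self.per_country = per_country    # sends into one country prefix
        self.window_s = window_s
        self.spend_cap = spend_cap        # billing cap per window (USD)
        self.events = defaultdict(deque)  # (kind, key) -> send timestamps in window
        self.spend = deque()              # (timestamp, cost) pairs in window

    @staticmethod
    def _prune(dq, cutoff, ts_of=lambda e: e):
        # Drop entries that fell out of the sliding window.
        while dq and ts_of(dq[0]) < cutoff:
            dq.popleft()

    @staticmethod
    def _prefix(number):
        for p in PRICE_BY_PREFIX:
            if number.startswith(p):
                return p
        return "other"

    def check(self, number, src_ip, now):
        """Return (allowed, reason); the send is recorded only when allowed."""
        cutoff = now - self.window_s
        prefix = self._prefix(number)
        dims = [("num", number, self.per_number),
                ("ip", src_ip, self.per_ip),
                ("cc", prefix, self.per_country)]
        for kind, key, limit in dims:
            dq = self.events[(kind, key)]
            self._prune(dq, cutoff)
            if len(dq) >= limit:
                return False, f"{kind} limit"
        self._prune(self.spend, cutoff, ts_of=lambda e: e[0])
        cost = PRICE_BY_PREFIX.get(prefix, DEFAULT_PRICE)
        if sum(c for _, c in self.spend) + cost > self.spend_cap:
            return False, "spend cap"
        for kind, key, _ in dims:
            self.events[(kind, key)].append(now)
        self.spend.append((now, cost))
        return True, "ok"


def simulate_pumping_burst(n=50, per_ip=20):
    """Constructed burst: sequential numbers in one country from one client IP.
    Returns how many sends got through; the per-IP limit stops the rest."""
    guard = OtpSendGuard(per_ip=per_ip)
    allowed = 0
    for i in range(n):
        ok, _ = guard.check(f"+4915100000{i:03d}", "203.0.113.7", now=1000.0 + i)
        allowed += ok
    return allowed


if __name__ == "__main__":
    print("sends allowed from pumping burst:", simulate_pumping_burst())
```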
I used to work on a related problem (call traffic pumping) for a large VOIP provider, for domestic & international calls. It was a very interesting problem which has two distinct patterns of abuse.
First is just basic account takeover/hijacking, where a criminal will login to your account and receive a cut for calling expensive numbers (or in this case, sending SMS's to them). This is basically the web version of the pre-existing PBX hijacking issue.
The second, more interesting version, is people abusing free quotas to send calls (or SMS), such as in the verification case. This is novel (relative to the pre-web era) because historically it would have been hard to make free calls/texts.
As an aside, PBX hijacking was how certain Fido BBS operators in the early 90s Hungary got their feed from abroad: a friendly installer left an extension in the PBX of the largest consumer bank which gave you a dial tone so very expensive calls abroad were billed to the bank. This went on for a few years.
We faced the same problem at Zenly and had to build our own anti-spam strategies to prevent it. We used multiple providers to improve our conversion rate and reduce cost. We are now building this as a service https://www.ding.live/ and are seeing huge improvements for our first customers in terms of cost savings and conversion rate. Feel free to reach out if it could be of any interest to you: hello@ding.live.
We use a combination of routes that are evaluated in real-time for their cost to conversion ratio.
Our customers have the option to choose only « direct routes » if needed, but those strategies are used at scale by players like Facebook, TikTok or Google; we're just making sure our customers have all the options, visibility and control on their conversion rate/price tradeoff.
Another strategy that lowers cost significantly is the use of alternative channels when available and competitive: Google RBM, WhatsApp, Viber, Line...
Last but not least, we don't take any margin on the SMS price, so we bill back exactly what we pay for and negotiate with aggregated volumes.
Rate limits and billing limits should definitely be included, even on personal numbers.
You gave the operator an out. While this shouldn’t prevent remedy, in some cases it will.
[1] https://www.twilio.com/docs/verify/preventing-toll-fraud/sms...
What kind of business entity should I incorporate to continue texting my friends?
How would you define my current “campaigns” and what kind of opt-out language should I give to my children who receive my texts?
Can you show me example unsubscribe language that I can give to my wife ?
Instead of "just" blocking it... have you considered referring the origination for prosecution?
I'd that would work better to deter fraud.
I’d say 7 years is plenty of time that folks really shouldn’t be using it.
https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...
There should be a better way.
That's not correct. Many password managers have TOTP authentication features built in.
There's also increasing support for security keys (e.g. yubikey) with many websites.
Passkeys are also on the rise.
True – but using SMS-OTP signs over your life to your phone provider.
SMS is the way to go.
https://en.wikipedia.org/wiki/Time-based_one-time_password
edit: here's a cli tool for doing this: https://www.nongnu.org/oath-toolkit/oathtool.1.html
SMS is the way to go until you need to sign in from somewhere you don't have cellular coverage.
TOTP is superior in almost every way. Failing that, sending a login link (or code) to the user's email address is more secure than SMS.
You cannot install a barebones TOTP app on your Nokia 3310 because it is closed source.
Most services don't offer third party TOTP because they are pressured into pushing their shitty proprietary apps.
But TOTP is not only more secure, it's completely offline. It's close to the best solution and totally exists right now.
but it is better than not having a second factor. If your only choice is a password or a password & SMS, use SMS.
For 2FA apps I need to securely store backup keys, and take them with me when travelling.
In my company we set up Duo, so at least IT Admin can bypass 2FA for me. But it doesn't work with all services, regular type-in OTP are still lost.
Spain 0.0094, Italy 0.0159, Germany 0.0198
Most likely, your upstream providers are using SIM farms
High quality routes - either direct operator connections or 1-hop - will have approximately these prices:
Spain ~0.021-0.023, Italy ~0.026-0.030, Germany ~0.06-0.07
[1] https://dinglive.notion.site/SMS-e03051265199429cb36aed17bac...