> They argue that SIM card regulation could help “disincentivise” online manipulation, and say their tool can be used to test policy interventions the world over.
In Germany, you have to give ISP customer providers (help centers) a copy of your passport ID in a live video stream to authenticate. That was introduced since 2013, for all SIM registrations.
So explain to me, again, how did this help reduce botnet traffic from Russia that uses proxy services of third parties that installed their proxy backdoors in free apps on the PlayStore under the disguise of marketing and advertisement?
I don't understand why Google does not get any critique for allowing so much malware to be officially deployed via their PlayStore? They don't give a damn, have a history of not caring, and are the only point in the supply chain that is the problem. Every service provider that offers residential proxies is using those backdoors, and bought access for it from the advertisement companies.
If you report their Malware or Spamware, they ignore it. Try it, you will be disappointed. Because AdMob and other agencies are their customers. It's the same problem with Microsoft hosting Azure tenants that do spamming, sorry, "marketing campaigns".
Source: I track these companies and their rotating ASNs with zero tolerance for spam. [1]
I don't think anyone made the claim that requiring identification while providing German phone numbers would do anything about abuse from Russian botnets or abuse from non-German phone numbers.
How does blocking ASNs solve the problem you described, with proxy backdoors in apps? These will use residential/mobile IPs, right? That’s the point.
btw, may as well name and shame: the biggest culprit is Bright Data, formerly known as Luminati, also known as HolaVPN (the Chrome extension where they got their start, promising a VPN, routing traffic through a few DigitalOcean boxes, while selling each of their millions of users as a residential proxy endpoint to industrial scrapers). Nowadays they do the same but without the SPOF: they license their “SDK” to app developers, who launder the liability on their behalf.
I'm currently working again on my eBPF firewall, where I'm integrating an active DDoS kind of analysis across the network, so that other backends using that firewall can synchronize their blocklists more efficiently and contribute their traffic data.
I want the firewall to be some kind of middleware(?) for Go backends, so you can plug it in and can stop worrying. At least that's the idea.
It's similar probably to what Cloudflare's DDoS protection is built like, but I'm focusing on Go backends first (my own use case) and am trying to make this as decentralizable as possible.
Is gonna take a bit until I'm confident that this approach will work, but I highly recommend eBPF for blocking and traffic analysis. It's insane what you can offload to the NIC, even when it's only partial support and not fully supporting XDP. The blocks are just so much faster to do than in userspace.
> They argue that SIM card regulation could help “disincentivise” online manipulation, and say their tool can be used to test policy interventions the world over.
Their solution is to deanonymize communication, which you're probably familiar with. That's not a tool for social good, but for government power. We could give government virtually any power, if we assume it will be used only for good.
What's a solution to online manipulation that is actually a social good or cannot be misused? What's a freedom-promoting technology that can replace the disaster that is current social media?
It's done little to nothing to stop phone-based scams in European countries. It's unbelievable how many calls and SMS we get with scams, supposedly for SIM cards that require ID (Belgium and France).
We have to solve universal beauty somehow. People like to take part in beauty, so it isn’t fair to admonish it outright as pure vanity. If you stared at the most beautiful people all day what need do you have to survey the world like Quasimodo from the social media bell tower?
The Hunchback struggled with an apparent vacancy of physical beauty and the burden of exclusion. He constantly doom scrolled from the tower above looking down. The solution required everyone in town to have a literal fucking epiphany.
> or people could just start to realize that [A] is [B] and stop [C] it.
Possible values for A = heroin, alcohol, tobacco, weed, porn, TV…
B = addictive, causes cancer, has an effect on brain health, spreads HIV…
C = using, consuming, eating, injecting…
Seems that this “people realizing” does not seem to work with other highly addictive chemicals or electronic media, since healing oneself from addiction requires far more than just “realizing” it is bad for you and the society. Perhaps there is a reason why we limit by law the sale of tobacco, drugs, alcohol and other highly addictive substances.
We are in a situation where it's a choice between unchecked corporate/oligarchic power or government power, at least the latter is nominally accountable in a democracy.
These services are a good because sometimes you need to access some information in social networks, which is available only after registration. So what other choices do you have? And they often do not even allow registration from desktop:
- Google requires to scan QR code with a phone to create an account
- Facebook requires a 3D face scan
- VK requires to use mobile application
- Telegram requires to use mobile application
Desktop now feels like an untrusted, shady device, used mostly by cybercriminals. Especially if you use Linux and enable the "fingerprinting resistance" option.
> To register a new account, online platforms require SMS (Short Message Service) verification
Incorrect, see above.
> A fake Facebook account registered in Russia can post about the US elections
Facebook is blocked in Russia though.
As for spam problems, require payment to add new contacts above the limit, and disable messaging to non-contacts. Or restrict messaging based on country/city (so that messaging to a different country is paid).
> The average price of SMS verification for an online platform during the year-long study period running to July 2025 was ... just a fraction of that in the US ($0.26), UK ($0.10) and Russia ($0.08).
That's outdated. With new Russian legislation, most platforms removed support for Russian phone numbers, so now you cannot even find a service that allows you to receive SMS to a Russian number. Furthermore, if you Google such services, it seems that they use the same provider because all of them do not have any working Russian numbers.
> As for spam problems, require payment to add new contacts above the limit, and disable messaging to non-contacts. Or restrict messaging based on country/city (so that messaging to a different country is paid).
This just a) increases the costs for attackers, which doesn't actually stop them; and b) means the poor amongst a population will be limited in who they can talk to. Very convenient, that. Don't want your peasants talking to citizens from other countries.
> And they often do not even allow registration from desktop:
You probably have a super suspicious browser fingerprint and/or IP reputation and they're using those measures as a mitigation without denying outright. Use a normie browser and a normal internet connection and account creation works fine.
Since I do not have a smartphone or a cell carrier, I only have a voip number, which most sites think is a fake number. As a result I often have to use these shady SMS verification services to get my own personal legitimate accounts open.
If you're in the US you can get a real cell phone number with VoIP and SMS that works without a phone for $20/mo with Google Fi. You'd need a phone to set it up but after that you could just turn it off and still use VoIP and SMS from any web browser.
There are BYOD prepaid providers that are even cheaper than that. The lowest you can get is Ultra Mobile's $3.50/month plan, but you need to jump through some hoops to get it working, like getting a physical SIM in person. Tello is $5/month and you can activate online.
Instead of using risky SMS verification services, consider a trusted VoIP platform such as CallHippo. Its virtual numbers are issued through legitimate telecom partners, which improves acceptance across websites while keeping your communication secure and professional.
I went about six months without cell service a few years ago. The only deal breaker is this one - that lots of services require SMS authentication and won't accept Google Voice/similar. GPS navigation is a bit worse, because you have to pre-download the maps and don't get realtime traffic. You also can't be contacted when you're away from wifi; this wasn't a problem for me but I can imagine if you had kids or something it would probably be another deal breaker.
Never been happier, and does not get in my way of doing anything as an owner of two tech companies that frequently travels. Phones are still optional for virtually everything in the US, though it sometimes requires talking to a manager.
Probably, but it would increase my reliance on single point of failure device I have no control of and I would have to pay to support the current corrupt cellular network industry which is not appealing to me.
Not sure if it flags as fake but I'd look into getting a dedicated Twilio number, then just forward incoming texts to your email or something like that. It would at least get the "shady" part out of the equation as Twilio is pretty trustworthy.
This does not work, I've tried this before. Google verification for example would not accept my Twilio number as verification (about 2 years ago). You can look up a phone number for the provider and numbers from Twilio or others tend to not be accepted.
I like this metric for service security. Which service is the most expensive to buy verification on? So far the best one I've found is Telegram at 166/$100, and the worst is Discord at 5044/$100.
Adding on to this one since it was the only link to the map data. There's some other supplemental data available. The supplemental PDF [1] has a bunch of the vendor names and there's a Google Docs sheet that has the list of vendors and availability per area. [2]
Once again I am reminded that "knowing" which accounts are fake is a knowable thing and yet social media companies don't mitigate them "because money" or "because DAU" etc. When I was running operations at Blekko (a search engine) we were busily identifying all the bots that were attempting ad fraud or scouring the web for vulnerabilities or PII to update "people" databases. And we just mitigated them[1], even though it meant that from a 'traffic' perspective we were blocking probably 3 - 4 million searches / day.
[1] My favorite mitigation was a machine that accepted the TCP connection from a bot address and just never responded after that (except to keep alives). I think the longest client we had hung that way had been waiting for over 3 months for a web page that never arrived. :-)
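The tarpit described in the comment above, sketched in Go as an added example that is not part of the original thread or of Blekko's setup: blocklisted peers are accepted and then never answered, everyone else reaches the normal HTTP server. The prefixes, the listen address and the names `isBot`, `tarpit` and `tarpitListener` are assumptions made for illustration.

```go
package main

import (
	"io"
	"log"
	"net"
	"net/http"
	"net/netip"
)

// Constructed sample blocklist: documentation ranges (RFC 5737, RFC 3849).
var botPrefixes = []netip.Prefix{
	netip.MustParsePrefix("203.0.113.0/24"),
	netip.MustParsePrefix("2001:db8::/32"),
}

// isBot reports whether the peer is in a blocklisted prefix (IPv4-mapped IPv6 is unmapped first).
func isBot(remote net.Addr) bool {
	ap, err := netip.ParseAddrPort(remote.String())
	for _, p := range botPrefixes {
		if err == nil && p.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

// tarpit never writes a byte: it discards what the peer sends until the peer gives up.
// Go listeners enable TCP keepalive on accepted connections by default. Returns bytes discarded.
func tarpit(c net.Conn) int64 {
	defer c.Close()
	n, _ := io.Copy(io.Discard, c)
	return n
}

// tarpitListener (hypothetical name) passes only non-blocklisted peers on.
type tarpitListener struct{ net.Listener }

func (l tarpitListener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil || !isBot(c.RemoteAddr()) {
			return c, err
		}
		go tarpit(c) // one goroutine and one fd per held connection
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:8080") // assumed listen address
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(tarpitListener{ln}, http.NotFoundHandler()))
}
```

Each held connection costs the defender a goroutine and a file descriptor, so a production version would cap the number of tarpitted peers.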
The post focuses on SMS verification, which based on the general level of costs makes sense. A KYC-verified Binance account costs a lot more than they list. But if they're only counting the cost for SMS verification, why would it depend on service? Wouldn't only the phone number's country matter?
[1] https://github.com/cookiengineer/antispam
India has also always required buyers to submit their government IDs to buy SIM cards.
I doubt that stops the IRA tbh
You can just get a flip phone clamshell, they still do those and don't need a full smartphone (ironically the clamshell still runs Android).
They boot fast and the battery can be pulled after.
This is how I do all the 2-factor that demands real SMS.
Tell support you’ve lost access to email and they might allow you to change it if you can still verify sms code
how would one "verify sms code" without a phone?
Blissfully tranquil.
as considered by who? do banks accept a Twilio number as a valid number according to their security best practices?
https://cotsi.org/platforms?platform=ds&view=map I wish they showed a graph of services, but it seems like you can only view a graph of countries per service.
[1] https://www.science.org/doi/suppl/10.1126/science.adw8154/su...
[2] https://docs.google.com/spreadsheets/d/1Aialrzkl4kjk2WgQac5f...
The Vendors that actually got included in COTSI are these:
- Vendor1 https://sms-activate.org/price 16,310,000 China
- Vendor3 https://5sim.net/ Vendor 5,137,000 China
- Vendor5 https://smshub.org/en/main 1,871,000 Indonesia
- Vendor7 https://smspva.com/ 1,212,000 Nigeria
Others got Reserved (and I guess maybe they'll be included eventually?)
- Vendor4 https://sms-man.com/ 2,751,000 USA
- Vendor6 https://sms-activation-service.com/en/ 1,778,000 Russia
- Vendor9 https://2ndline.io/ 320,487 Vietnam