SMS Traffic Fraud - SMS Pumping
SMS Traffic Fraud
Operating on a global scale comes with an increased risk of fraud. Phone verification and two-factor authentication (2FA) flows are commonly targeted with two types of attacks:
SMS pumping - Artificially Inflated Traffic
SMS pumping, also known as Artificially Inflated Traffic, is a fraudulent scheme in which attackers exploit a phone number input field to receive a one-time passcode, app download link, or other information via SMS. This attack is executed by sending many SMS messages to a range of numbers controlled by a specific mobile network operator (MNO), which can generate revenue for the attackers. This attack can be successful if the form within your application or your server backend does not have adequate controls to prevent it.
To determine if you are experiencing an SMS pumping attack, you will likely see a sudden and significant increase in messages sent to a block of adjacent numbers (e.g. +1111111110, +1111111111, +1111111112, +1111111113, and so on) controlled by the same MNO. In addition, if you send an SMS for a one-time passcode (OTP) use case or similar authentification flow, you will likely not see a completed verification cycle.
International Revenue Sharing Fraud (IRSF), also known as "Toll Fraud."
Toll fraud is similar to SMS pumping, but instead of sending SMS messages, fraudsters target phone verification or authentification flows to generate voice calls to premium numbers.
These attacks cause inflated traffic to your app to make money rather than to steal information. While the ways attackers monetize these types of fraud may differ, the strategies to reduce fraud are similar.
Mitigating fraud requires customer participation. As a result, your systems have the most up-to-date data on fraud as it is happening and, thus, the best chance to detect and act on fraud in real time.
Some strategies to consider
To prevent sending more than one message per X seconds to the same user, device, IP or mobile number, implement rate limits. You can implement rate limiting using different web servers such as Nginx and Apache, or you can utilize a Content Delivery Network (CDN) like Cloudflare. These solutions offer basic rate limiting functionalities to help you control and limit the amount of traffic to your website or web application. While rate limits may not completely prevent fraud, they can significantly reduce the potential damage an attacker can cause and may even deter them from targeting your app if they feel it is not worth the effort.
Detect Bots and Captcha
To detect and deter bot traffic, consider using libraries like botd or implementing CAPTCHAs. Additionally, making small changes to your user experience, such as requiring users to confirm their email address before enrolling in two-factor authentication (2FA), will introduce another barrier to your customer experience for real users but can deter fraudulent attackers.
Exponential delays between additional authentication requests
By implementing exponential delays between requests to the same phone number, one will slow down the rate of fraud and often deter fraudulent attackers.
Identify and block premium rate phone numbers
A potential solution is using libphonenumber to recognize and obstruct premium rate phone numbers. However, questions arise regarding the reliability of the data and the effectiveness of this particular approach.
Monitor the success of OTP verification
To monitor the effectiveness of your verifications, track the conversion rate of OTPs (i.e., the number of OTPs validated by end users divided by the number of OTPs sent to end users). If you notice this rate starting to decline, especially in an unexpected country, trigger an alert for review. This can help you identify potential issues or fraudulent activity.
For more help please contact our support at firstname.lastname@example.org
Be safe out there!