authenticatecon.com
Protecting your phone verification flow from fraud & abuse
Kelley Robinson
Account Security @ Twilio
2022 TWILIO INC. ALL RIGHTS RESERVED
We're seeing someone signing up…immediately trigger 2FA enrollment…unenroll then re-enroll on a new number. This really has no impact to us, aside from cost for the Twilio service, but we’ve been kinda at a loss what the motivation could be.
Protecting your phone verification flow from fraud and abuse
SMS pumping, toll fraud, and how to stop it
Kelley Robinson
Account Security @ Twilio / Authy
📍 Upstate New York
Find me online
🐦 @kelleyrobinson
💻 github.com/robinske
✉ krobinson@twilio.com
Agenda
📈 What is SMS pumping?
🤑 How bad actors make money off of this
🔐 How you can stop it
What is SMS pumping
SMS pumping causes inflated traffic to your app with the intent to make money and not to steal information
Commonly abuses phone verification forms
Form will trigger an SMS
Attacker can specify destination number
Attacker triggers thousands of messages
To: +12395000001
Your one-time passcode is 092367
To: +12395000002
Your one-time passcode is 681929
To: +12395000003
Your one-time passcode is 344423
To: +12395000004
Your one-time passcode is 110377
To: +12395000005
Your one-time passcode is 874632
To: +12395000006
[Diagram: messages fanned out across Carrier #1, Carrier #2, Carrier #3]
Mobile network operators (MNOs) share revenue from SMS pumping with the attackers
How bad actors monetize SMS pumping
Mobile Network Operator (MNO)
A wireless carrier, AKA service provider or mobile network carrier.
Owns & controls a range of numbers in a country or countries
May resell access to a mobile virtual network operator (MVNO)
See mcc-mnc.com
The 2 ways MNOs enable fraud
1. The MNO is complicit in the scheme and has a revenue sharing agreement with the fraudsters
2. The MNO is unknowingly exploited by the fraudsters through an MVNO
What about toll fraud?
Toll fraud / International revenue sharing fraud (IRSF)
Recommended actions to prevent SMS pumping
BUT FIRST… How to determine if you're experiencing an SMS pumping attack
Spike of messages to a block of adjacent numbers: +1111111110, +1111111111, +1111111112, +1111111113, etc.
Completed phone verification rates drop
OTPs are sent but not checked
Refresh your UX to prevent bots
Use CAPTCHAs or libraries like botd
Verify an email address before allowing 2FA enrollment
Set rate limits
Limit message rates to the same mobile number range or prefix
Add rate limits by user, IP, or device
Add delays between verification retry requests
Implement exponential backoff to prevent rapid re-sending
Delay displaying a "call me instead" option
Add geo-permissions to restrict destination countries
Set an allow or block list based on countries you expect
Set rate limits by geography
Look up the phone number before sending an SMS
Determine country code or MNO
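The following is an added example, not code from the slides or from Twilio, that turns the rate-limit, retry-delay, geo-permission and number-lookup recommendations above into one pre-send check; the limits, the calling-code table (a stand-in for a real lookup service) and the FakeClock are constructed assumptions.

```python
"""Pre-send guard for a phone verification endpoint.

Added example, not code from the slides or from Twilio. Before an OTP is
sent it enforces: a rate limit per mobile number range (prefix), rate limits
per user/IP/device key, exponential backoff between retries to the same
number, and a country allow list derived from the E.164 calling code.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Iterable, Optional, Tuple

# Constructed limits; tune them to your own legitimate traffic.
WINDOW_SECONDS = 600      # sliding window for all counters
PREFIX_DIGITS = 7         # digits after '+' that define a "number range"
PREFIX_LIMIT = 5          # sends per window to one range
PER_KEY_LIMIT = 3         # sends per window per user/IP/device key
BASE_RETRY_DELAY = 30     # seconds before the first retry; doubles each retry

# Constructed subset of calling codes. A real flow would use a lookup
# service or a phone-number library to determine country and carrier.
KNOWN_CALLING_CODES = {"1", "7", "44", "234"}
ALLOWED_CALLING_CODES = {"1", "44"}   # countries this app expects to serve


def calling_code(phone: str) -> Optional[str]:
    """Longest known calling code at the start of an E.164 number."""
    digits = phone.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in KNOWN_CALLING_CODES:
            return digits[:length]
    return None


class FakeClock:
    """Constructed clock so the demo and tests never have to sleep."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class VerificationGuard:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.prefix_sends: Dict[str, Deque[float]] = defaultdict(deque)
        self.key_sends: Dict[str, Deque[float]] = defaultdict(deque)
        self.retries: Dict[str, Tuple[int, float]] = {}   # phone -> (sends, last ts)

    @staticmethod
    def _in_window(bucket: Deque[float], ts: float) -> int:
        """Drop timestamps outside the window and return the remaining count."""
        while bucket and bucket[0] <= ts - WINDOW_SECONDS:
            bucket.popleft()
        return len(bucket)

    def check(self, phone: str, keys: Iterable[str]) -> Tuple[bool, str]:
        """Decide whether to send an OTP to `phone` for the request identified
        by `keys` (e.g. "user:42", "ip:203.0.113.9"). Returns (allowed, reason);
        only allowed sends are counted against the limits."""
        ts = self.now()
        keys = tuple(keys)
        if not (phone.startswith("+") and phone[1:].isdigit()):
            return False, "invalid_e164"
        code = calling_code(phone)
        if code not in ALLOWED_CALLING_CODES:
            return False, f"country_not_allowed:{code}"
        sends, last = self.retries.get(phone, (0, 0.0))
        if sends:
            wait = BASE_RETRY_DELAY * 2 ** (sends - 1)   # 30s, 60s, 120s, ...
            if ts - last < wait:
                return False, f"retry_too_soon:{int(wait - (ts - last))}s"
        prefix = phone[: 1 + PREFIX_DIGITS]
        if self._in_window(self.prefix_sends[prefix], ts) >= PREFIX_LIMIT:
            return False, f"prefix_rate_limited:{prefix}"
        for key in keys:
            if self._in_window(self.key_sends[key], ts) >= PER_KEY_LIMIT:
                return False, f"key_rate_limited:{key}"
        self.prefix_sends[prefix].append(ts)
        for key in keys:
            self.key_sends[key].append(ts)
        self.retries[phone] = (sends + 1, ts)
        return True, "ok"


if __name__ == "__main__":
    clock = FakeClock()
    guard = VerificationGuard(now=clock)
    # A burst to adjacent numbers from many IPs trips the prefix limit on the 6th send.
    for i in range(1, 7):
        print(guard.check(f"+1239500000{i}", [f"ip:10.0.0.{i}"]))
    # Retries to one number must respect the growing delay.
    print(guard.check("+14155550100", ["user:42"]))
    print(guard.check("+14155550100", ["user:42"]))    # too soon
    clock.advance(30)
    print(guard.check("+14155550100", ["user:42"]))    # ok after 30s
```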
Monitor OTP conversion rates and create alerts
Monitor OTPs validated / OTPs sent
Trigger internal alerts if conversion rates drop
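As an added example (not code from the slides or from Twilio), the checks below run over a constructed verification log and raise the signals the slides describe: OTPs validated / OTPs sent dropping within a time window, a spike of sends to a block of adjacent numbers, and OTPs sent but never checked; the sample events, window size and thresholds are assumptions.

```python
"""Detect SMS pumping from verification events.

Added example, not code from the slides or from Twilio. It computes the
conversion rate (OTPs validated / OTPs sent) per time window, finds runs of
sends to adjacent destination numbers, lists OTPs that were sent but never
checked, and turns those signals into alert lines.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str, str]   # (seconds since log start, "sent" | "verified", E.164 number)

# Constructed sample log: two normal users who check their code, and a burst
# of sends to six adjacent numbers that are never verified.
SAMPLE_EVENTS: List[Event] = [
    (0, "sent", "+14155550100"), (20, "verified", "+14155550100"),
    (60, "sent", "+14155550177"), (95, "verified", "+14155550177"),
    (120, "sent", "+12395000001"), (121, "sent", "+12395000002"),
    (122, "sent", "+12395000003"), (123, "sent", "+12395000004"),
    (124, "sent", "+12395000005"), (125, "sent", "+12395000006"),
    (130, "sent", "+447700900123"), (160, "verified", "+447700900123"),
]

MIN_SENDS_PER_WINDOW = 5   # constructed: ignore windows too small to judge


def conversion_by_window(events: List[Event], window: int = 120
                         ) -> Dict[int, Tuple[int, int, Optional[float]]]:
    """Per window: (OTPs sent, OTPs validated, validated/sent or None if nothing sent)."""
    sent: Dict[int, int] = defaultdict(int)
    verified: Dict[int, int] = defaultdict(int)
    for ts, kind, _ in events:
        if kind == "sent":
            sent[ts // window] += 1
        elif kind == "verified":
            verified[ts // window] += 1
    return {
        b: (sent[b], verified[b], verified[b] / sent[b] if sent[b] else None)
        for b in sorted(set(sent) | set(verified))
    }


def adjacent_blocks(events: List[Event], min_run: int = 4) -> List[Tuple[str, str, int]]:
    """Runs of at least `min_run` consecutive destination numbers
    (+1111111110, +1111111111, +1111111112, ...) as (first, last, length)."""
    numbers = sorted({int(phone.lstrip("+")) for _, kind, phone in events if kind == "sent"})
    blocks: List[Tuple[str, str, int]] = []
    start: Optional[int] = None
    prev: Optional[int] = None
    for n in numbers + [None]:          # the trailing None flushes the last run
        if prev is not None and n == prev + 1:
            prev = n
            continue
        if start is not None and prev - start + 1 >= min_run:
            blocks.append((f"+{start}", f"+{prev}", prev - start + 1))
        start = prev = n
    return blocks


def unchecked_numbers(events: List[Event]) -> List[str]:
    """Numbers that received an OTP which was never checked."""
    sent = {phone for _, kind, phone in events if kind == "sent"}
    verified = {phone for _, kind, phone in events if kind == "verified"}
    return sorted(sent - verified)


def pumping_alerts(events: List[Event], window: int = 120,
                   min_rate: float = 0.5, min_run: int = 4) -> List[str]:
    """Alert lines for the signals the slides list; feed these to metrics or paging."""
    alerts: List[str] = []
    for bucket, (s, v, rate) in conversion_by_window(events, window).items():
        if s >= MIN_SENDS_PER_WINDOW and rate is not None and rate < min_rate:
            alerts.append(f"window {bucket}: conversion {v}/{s} = {rate:.2f} is below {min_rate}")
    for first, last, length in adjacent_blocks(events, min_run):
        alerts.append(f"{length} OTPs sent to adjacent block {first}..{last}")
    return alerts


if __name__ == "__main__":
    for line in pumping_alerts(SAMPLE_EVENTS):
        print(line)
    print("sent but never checked:", unchecked_numbers(SAMPLE_EVENTS))
```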
Disable unused channels in your verification service
Block calls to prevent toll fraud
Work with your verification provider
Providers may have automatic blocking for suspicious messages
Menu of recommendations
1. Ask your verification provider what they're doing to stop fraud
2. Refresh your UX to prevent bots
3. Set rate limits
4. Add exponential delays between verification retry requests
5. Implement geo-permissions to restrict destination countries
6. Look up the phone number before sending an SMS to filter bad carriers
7. Monitor OTP conversion rates and create alerts
8. Disable unused channels
slides: twil.io/authenticate22
Thank you.
authenticatecon.com
Resources
● twilio.com/docs/verify/preventing-toll-fraud
● twilio.com/learn/voice-and-video/toll-fraud
● twilio.com/blog/best-practices-retry-logic-sms-2fa
● twilio.com/docs/verify/developer-best-practices
● twilio.com/blog/allow-list-country-code-lookup
● mcc-mnc.com