The document discusses SMS pumping fraud and how to prevent it. SMS pumping involves abusing phone verification systems to trigger a large number of SMS messages to generate revenue from mobile carriers. Attackers enroll phone numbers from different carriers, have one-time passwords sent to each number, and carriers share the resulting SMS revenue with the attackers. The document recommends ways for websites to protect against this fraud, such as adding CAPTCHAs, setting rate limits on messages to numbers, implementing delays between verification attempts, restricting destination countries, and monitoring OTP conversion rates.

1. authenticatecon.com
Protecting your phone verification
flow from fraud & abuse
Kelley Robinson
Account Security @ Twilio

2. 2022 TWILIO INC. ALL RIGHTS RESERVED
We're seeing someone signing up…immediately trigger
2FA enrollment…unenroll then re-enroll on a new
number. This really has no impact to us, aside from
cost for the Twilio service, but we’ve been kinda at a
loss what the motivation could be.

3. 2022 TWILIO INC. ALL RIGHTS RESERVED
��
��
��
��

4. Protecting your phone verification
flow from fraud and abuse
SMS pumping, toll fraud, and how to stop it

5. 󰗞 Kelley Robinson
󰟲 Account Security @ Twilio / Authy
📍 Upstate New York
Find me online
🐦 @kelleyrobinson
💻 github.com/robinske
✉ krobinson@twilio.com

6. 📈 What is SMS pumping?
🤑 How bad actors make money off of this
🔐 How you can stop it
2022 TWILIO INC. ALL RIGHTS RESERVED
Agenda

7. 2022 TWILIO INC. ALL RIGHTS RESERVED
What is
SMS pumping

8. 2022 TWILIO INC. ALL RIGHTS RESERVED
SMS pumping causes inflated traffic
to your app with the intent to make
money and not to steal information

9. 2022 TWILIO INC. ALL RIGHTS RESERVED
Commonly abuses
phone verification forms
Form will trigger an SMS
Attacker can specify destination number

10. Attacker triggers
thousands of messages
To: +12395000001
Your one-time passcode is 092367
To: +12395000002
Your one-time passcode is 681929
To: +12395000003
Your one-time passcode is 344423
To: +12395000004
Your one-time passcode is 110377
To: +12395000005
Your one-time passcode is 874632
To: +12395000006

11. 2022 TWILIO INC. ALL RIGHTS RESERVED
��
��
��
��

12. 2022 TWILIO INC. ALL RIGHTS RESERVED
��
��
��
��
Carrier #1
Carrier #2
Carrier #3

13. 2022 TWILIO INC. ALL RIGHTS RESERVED
Mobile network operators
(MNOs) share revenue
from SMS pumping with
the attackers

14. 2022 TWILIO INC. ALL RIGHTS RESERVED
How bad actors
monetize SMS pumping

15. 2022 TWILIO INC. ALL RIGHTS RESERVED
Owns & controls a range of numbers
in a country or countries
May resell access to a mobile virtual network
operator (MVNO)
A wireless carrier
AKA service provider, mobile network carrier.
See mcc-mnc.com
Mobile Network Operator
(MNO)

16. 2022 TWILIO INC. ALL RIGHTS RESERVED
The 2 ways MNOs enable fraud
1. The MNO is complicit in the scheme and
has a revenue sharing agreement with the
fraudsters
2. The MNO is unknowingly exploited by the
fraudsters through an MVNO

18. What about
toll fraud?
2022 TWILIO INC. ALL RIGHTS RESERVED

19. 2022 TWILIO INC. ALL RIGHTS RESERVED
Toll fraud /
International revenue sharing fraud (IRSF)

20. 2022 TWILIO INC. ALL RIGHTS RESERVED
Recommended actions to
prevent SMS pumping

21. 2022 TWILIO INC. ALL RIGHTS RESERVED
Spike of messages to a block of adjacent numbers
Completed phone verification rates drop
+1111111110, +1111111111, +1111111112, +1111111113, etc.
OTPs are sent but not checked
How to determine if you're
experiencing an SMS pumping attack
BUT FIRST…

22. Refresh your UX to
prevent bots
2022 TWILIO INC. ALL RIGHTS RESERVED
Use CAPTCHAs or libraries like botd
Verify an email address before allowing
2FA enrollment

23. 2022 TWILIO INC. ALL RIGHTS RESERVED
Set rate limits
Limit message rates to the same mobile
number range or prefix
Add rate limits by user, IP, or device

24. Add delays between
verification retry requests
2022 TWILIO INC. ALL RIGHTS RESERVED
Implement exponential backoff to
prevent rapid re-sending
Delay displaying a "call me instead"
option

25. 2022 TWILIO INC. ALL RIGHTS RESERVED
Add geo-permissions to
restrict destination countries
Set an allow or block list based on
countries you expect
Set rate limits by geography

26. 2022 TWILIO INC. ALL RIGHTS RESERVED
Look up the phone number
before sending an SMS
Determine country code or MNO

27. 2022 TWILIO INC. ALL RIGHTS RESERVED
Monitor OTP conversion rates
and create alerts
Monitor OTPs validated / OTPs sent
Trigger internal alerts if conversion rates drop

28. 2022 TWILIO INC. ALL RIGHTS RESERVED
Disable unused channels in
your verification service
Block calls to prevent toll fraud

29. 2022 TWILIO INC. ALL RIGHTS RESERVED
Work with your
verification provider
Providers may have automatic blocking
for suspicious messages

30. 1. Ask your verification provider what they're doing to stop fraud
2. Refresh your UX to prevent bots
3. Set rate limits
4. Add exponential delays between verification retry requests
5. Implement geo-permissions to restrict destination countries
6. Look up the phone number before sending an SMS to filter bad carriers
7. Monitor OTP conversion rates and create alerts
8. Disable unused channels
2022 TWILIO INC. ALL RIGHTS RESERVED
Menu of recommendations

31. slides: twil.io/authenticate22

32. Thank you.
authenticatecon.com

33. ● twilio.com/docs/verify/preventing-toll-fraud
● twilio.com/learn/voice-and-video/toll-fraud
● twilio.com/blog/best-practices-retry-logic-sms-2fa
● twilio.com/docs/verify/developer-best-practices
● twilio.com/blog/allow-list-country-code-lookup
● mcc-mnc.com
2022 TWILIO INC. ALL RIGHTS RESERVED
Resources