Series: Fraud and cyber security in messaging
What is artificially inflated traffic SMS fraud?
Definition: Artificially inflated traffic (AIT) or Artificially Generated Traffic (AGT) is defined as when bad actors take advantage of phone number fields on website forms or other locations to receive, for example, a one-time passcode (OTP) via SMS. If fraudsters can do this thousands or millions of times then they can inflate traffic and generate revenue. The revenue generated by this inflated traffic could be accessed by the fraudsters at any part of the delivery path between the business sending the one-time passcode and the number ‘requesting’ the OTP. This is why it can be so difficult to pin down the perpetrators or complicit organizations involved.
Every time an SMS message is sent someone makes money. Usually it is the mobile network operator that terminates the message but there can be multiple parties in the chain that get revenue from an SMS send. Even though an individual message will only generate a few cents in revenue, if the number of messages being generated can be increased then the amount of revenue generated can grow quickly.
Elon Musk entered the shadowy world of AIT recently to complain about the ridiculous SMS fees Twitter were being charged on one-time passcode (OTP) requests. He claimed they were defrauded over $60 million last year on bot accounts being created which Twitter has to verify with an OTP SMS message. Each bot account generates some revenue for a variety of companies in the delivery chain of that message. If millions of bot accounts are generated then they stand to make millions of dollars. Musk suggested that up to 350 MNOs worldwide were overcharging Twitter as a result of AIT. He did not go so far as to say MNOs were originating the bogus OTP requests, simply that they were profiting from it.
Our recent experience has highlighted similar AIT fraud at, for example, a supermarket chain in Europe where the unwitting business ran up tens of thousands of euros in SMS fees in a very short period of time as a result of OTP messages being generated on their system. In this case fraudsters scammed an online form to sign up for a loyalty program and generated the OTP messages that way.
So, who are the losers here? Firstly, the end-customer, supermarket in this case. They are hit with a huge bill that they have to pay or contest with their MNO or Aggregator. Secondly, the industry as a whole suffers reputational damage from fraud on its systems, ultimately driving customers to alternative methods of doing business.
How can I tell if AIT is an issue on my system?
This will be clear from a spike of messages sent to a group of similar numbers (i.e. +1234567890, +1234567891, +1234567892, +1234567893 etc.). These may be to remote destination countries. If you’re sending SMS for an OTP use case, you will probably not see a completed verification cycle for these OTPs.
How to prevent AIT and SMS Pumping
Disable Permissions for unused countries
Ensuring that countries to which you do not intend messages are disabled will lower the likelihood of SMS AIT fraud.
Set rate limits
Make sure your system will not send more than say 1 message per 10 seconds to the same mobile. Rate limits may not prevent 100% of fraud but can significantly mitigate the damage that an attacker can do and may even deter them if they decide that it’s not worth it to go after your app.
Use AI to distinguish traffic
If possible use a neural network or machine learning to distinguish between traffic types, for example, identify OTP traffic from other SMS message types. Now use your rate limits to apply specifically to that type of traffic and to certain countries. There are currently only a handful of countries where this type of traffic tends to terminate so use the industry knowledge to stamp it out.
Detect bots and refresh your user experience to prevent them
Use CAPTCHAs and botd libraries to deter bot traffic. Simple switches like getting users to confirm their email address before the two factor authentication step is often enough to stop the bots.
Delay retry requests
Install a delay between requests to the same phone. This type of retry logic can increase the time allowed between requests exponentially so bursts of send requests are stopped in their tracks.
Triage numbers
Use the Carrier Lookup API to determine the type of line (mobile or landline) for a given phone number, then only send SMS messages to mobile numbers. Additionally, you can use this API to identify the carrier and block any carriers that may be contributing to excessive traffic.
Monitor traffic and create alerts
Implement internal monitoring for the conversion rate of verifications by tracking the number of OTPs validated by end users versus the number of OTPs sent to end users. If a decrease in this rate is detected, particularly in an unexpected location, set up an alert for further investigation.
Thank you for reading our blog! We hope you found the information provided to be valuable and informative. If you have any further questions or would like to learn more about our services, please don’t hesitate to get in touch with us. Our team of experts would be more than happy to assist you and help you find the best solutions for your needs. You can reach us via email, phone or through our website’s contact form. We look forward to hearing from you and helping you take your business to the next level.
