SMS has become the most common method for verifying user identities on web platforms and mobile applications. Sending one-time verification codes, known as OTPs, can reduce the number of fake accounts able to complete the registration process. However, this protection mechanism can backfire and become costly due to attacks known as "SMS pumping."
SMS pumping is a type of cyber attack strategy where cybercriminals exploit the phone number verification or two-factor authentication (2FA) processes of your application for financial gain.
The concept is straightforward yet highly effective. Picture having a system in place that sends one-time passwords (OTPs) to verify the phone numbers of new users in your application. The attacker will then set up several premium-rate telephone lines with a telecommunications operator. The sender incurs charges for each message sent to these lines, and the revenue is split between the telecom operator and the owner of the lines.
The cybercriminal initiates the attack by deploying bots to create thousands of accounts on your application, entering these premium-rate numbers into the registration form. Consequently, your application sends thousands of premium-rate SMS messages to these lines. By the time you detect the fraud, your SMS budget will already have exploded, causing financial damage to your company.
Twitter's Battle with SMS Pumping
On February 18, 2023, Elon Musk announced that X (formerly Twitter) would remove SMS two-factor authentication for users not paying for a Twitter Blue subscription.
Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages
— Elon Musk (@elonmusk) February 18, 2023
Each year, SMS pumping attacks cost X $60 million. As a radical solution, users without subscriptions are thus stripped of SMS 2FA:
While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.
Beware of Calls Too!
So far, we've discussed SMS attacks, but the same mechanism also applies to telephone calls. Although rarer, some mobile applications or web platforms offer their visually impaired users an alternative to sending SMS by calling them with an automated system that reads the one-time code.
Here too, the premium-rate telephone line opened with a telephone operator can charge the caller by the minute.
How to Detect an Attack?
To detect an attack, the key metric to monitor is the rate of registrations whose phone number verification is never completed. If a majority of new users suddenly stop finishing phone number verification, you are likely the victim of an SMS pumping attack.
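The following is an added example, not code from the original article or from any vendor mentioned in it. It implements the metric just described: the share of OTP sends in a sliding window that were never verified, compared with the preceding window, with a minimum-volume guard so that a quiet hour with two abandoned sign-ups does not raise a false alarm. The registration events, phone numbers and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Registration:
    ts: int          # epoch seconds when the OTP was sent
    phone: str       # number the OTP was sent to (constructed samples below)
    verified: bool   # True if the user later entered a correct OTP


@dataclass(frozen=True)
class Verdict:
    alert: bool
    incomplete_rate: float   # fraction of OTP sends never verified in the current window
    baseline_rate: float     # same fraction in the preceding window, for comparison
    sent: int                # number of OTP sends in the current window


def incomplete_rate(events: Iterable[Registration], start: int, end: int) -> Tuple[float, int]:
    """Fraction of OTP sends with start <= ts < end that were never verified."""
    window = [e for e in events if start <= e.ts < end]
    if not window:
        return 0.0, 0
    unverified = sum(1 for e in window if not e.verified)
    return unverified / len(window), len(window)


def detect_sms_pumping(events: Iterable[Registration], now: int, window: int = 3600,
                       threshold: float = 0.5, min_sends: int = 20) -> Verdict:
    """Alert when a majority of recent OTP sends were never verified.

    threshold=0.5 mirrors the article's "majority of new users" rule (assumed value);
    min_sends suppresses alerts on tiny samples. The previous window's rate is
    reported so the on-call engineer can see the jump, not just the level.
    """
    events = list(events)
    rate, sent = incomplete_rate(events, now - window, now)
    base, _ = incomplete_rate(events, now - 2 * window, now - window)
    return Verdict(alert=sent >= min_sends and rate > threshold,
                   incomplete_rate=rate, baseline_rate=base, sent=sent)


# Constructed sample traffic: a normal hour (1 in 10 abandons verification)
# followed by an hour of bot sign-ups where 9 in 10 never verify.
T0 = 1_700_000_000
NORMAL_HOUR: List[Registration] = [
    Registration(T0 + i * 100, f"+1555000{i:04d}", i % 10 != 0) for i in range(30)]
ATTACK_HOUR: List[Registration] = [
    Registration(T0 + 3600 + i * 60, f"+1555999{i:04d}", i % 10 == 0) for i in range(40)]
SAMPLE_EVENTS = NORMAL_HOUR + ATTACK_HOUR

if __name__ == "__main__":
    print(detect_sms_pumping(SAMPLE_EVENTS, now=T0 + 7200))
```

In production the events would come from your OTP-send and OTP-verify logs; a registration should be counted as unverified only after a grace period long enough for a genuine user to type the code.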
How to Protect Your Business from SMS Pumping?
You don't need to be as radical as X (formerly Twitter) by removing 2FA from your application.
To protect against SMS pumping attacks, NumCheckr provides an API designed to identify premium-rate phone lines. Thanks to our algorithms and connections with telecommunication operators, we're able to ascertain whether a phone number incurs premium charges for SMS or voice calls.
Your developers can integrate our API into your registration process, ensuring every phone number is checked before a one-time password (OTP) is dispatched via SMS.
If our system flags a phone number as premium-rate, you'll have the capability to stop the registration process. This ensures peace of mind, sparing you the shock of receiving an unexpectedly hefty invoice from your SMS service provider.