
Protecting yourself from OTP fraud


A new type of fraud is gaining ground in the use of SMS OTP identity verification, known as "SMS PUMPING" or "Artificially Inflated Traffic". Fraudsters generate large volumes of SMS from mobile applications or websites by triggering massive numbers of verification codes. According to a study by Mobilesquared, this type of fraud will account for over 20% of global business SMS traffic by 2022. Find out how you can protect yourself against this type of fraud, and how smsmode© can help.


How does SMS PUMPING work?


2FA OTP fraud scheme

Fraudsters use various methods, including bots, to generate fake requests that trigger an SMS. For example, they create fake accounts on an application or website, request password updates, click on "forgot password", etc. They take advantage of the presence of a phone number input field to receive a one-time password (OTP), a download link or any other type of content delivered via SMS. If this verification form is not monitored, fraudsters can exploit it to generate fraudulent SMS traffic from your account.

In most cases, attackers use their bot to fill out this form en masse to "validate" these fake accounts, which triggers an SMS to be sent.

The SMS messages are sent to numbers that the fraudsters have "control" over, allowing them to obtain a share of the revenue generated by this Artificially Inflated Traffic.

If you suffer such an attack, as the owner of the application, you will probably be forced to pay the bill for the delivery of messages. The purpose of this fraud is to make money, not to steal information.

There are two ways to make a profit with this type of fraud:

Case 1:

Fraudsters benefit from a complicit operator/aggregator, with whom they have a revenue sharing agreement. They generate mass SMS messages to these operators and share the revenues.

Case 2:

An operator/aggregator is unknowingly exploited by the fraudsters.

In the second case, small operators or aggregators are paid by larger players for the volume of traffic they can allow to pass through. A fraudster can therefore create a fake company and promise a large amount of traffic (which he will generate himself). The small operator/aggregator may not seek to know the source of the traffic and ends up supporting the fraud.

As you can see, in both cases, this type of fraud is more likely to occur among smaller operators. It is also common for these traffic anomalies to originate from distant destinations, as some international destinations have higher delivery costs and are therefore more profitable for the fraudsters (and more costly for the victim companies).

But businesses aren't the only losers in this story. OTP authentication fraud is a problem for the entire messaging ecosystem.

Operators and aggregators can hardly take action without the validation of their customers, which reduces the scope of action against this fraud and leads to a loss of credibility as well as a legitimate frustration for their impacted customers.

How to determine if you are a victim of an attack?

This fraud may go completely unnoticed and only become apparent after comparing the volume of messages delivered to the number of expected authentications.

However, there are several things that can tip you off:

  • A peak of messages sent to adjacent numbers (e.g. +331111110, +331111111, +331111112, +331111113, etc.), which are therefore controlled by the same mobile network operator.
  • A large number of unsuccessful verification cycles (the conversion rate drops sharply).
  • A large volume of SMS sent to destinations where you have little or no presence.
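The three tell-tale signs above can be checked mechanically against your own outbound OTP log. The script below is an added example (it is not smsmode©'s code and does not use their API): it scans a constructed list of sends for runs of adjacent numbers hit within a short window and for destinations outside the countries you serve. The country-code table, the sample numbers and the thresholds (`window_minutes`, `min_run`) are assumptions you would tune to your own traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound OTP log: (ISO timestamp, destination number in E.164).
# The +336111111xx run mimics the adjacent-number pattern described above.
SAMPLE_SENDS = [
    ("2024-05-01T10:00:00", "+33611111110"),
    ("2024-05-01T10:00:02", "+33611111111"),
    ("2024-05-01T10:00:03", "+33611111112"),
    ("2024-05-01T10:00:05", "+33611111113"),
    ("2024-05-01T10:00:06", "+33611111114"),
    ("2024-05-01T10:01:00", "+447700900123"),
    ("2024-05-01T10:02:00", "+911234567890"),
    ("2024-05-01T10:30:00", "+33698765432"),
]

# Partial, constructed table of country calling codes (longest-prefix match).
COUNTRY_CODES = {"1", "33", "34", "39", "44", "49", "91", "234", "880"}


def country_code(phone):
    """Return the calling code of an E.164 number, or None if unknown."""
    digits = phone.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return digits[:length]
    return None


def split_number(phone, suffix_digits=2):
    """Split an E.164 number into (range prefix, numeric suffix)."""
    digits = phone.lstrip("+")
    return digits[:-suffix_digits], int(digits[-suffix_digits:])


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in `values`."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def find_adjacent_bursts(sends, window_minutes=5, min_run=4):
    """Map range prefix -> longest run of adjacent numbers hit in one window.

    Only ranges whose run reaches `min_run` are returned; that is the
    "+331111110, +331111111, ..." pattern pointing at a single operator.
    """
    buckets = defaultdict(list)
    for ts, phone in sends:
        prefix, suffix = split_number(phone)
        slot = int(datetime.fromisoformat(ts).timestamp() // (window_minutes * 60))
        buckets[(prefix, slot)].append(suffix)
    bursts = {}
    for (prefix, _), suffixes in buckets.items():
        run = longest_consecutive_run(suffixes)
        if run >= min_run:
            bursts[prefix] = max(run, bursts.get(prefix, 0))
    return bursts


def unexpected_destinations(sends, expected_codes):
    """Numbers sent to countries where the business has no presence."""
    return [phone for _, phone in sends if country_code(phone) not in expected_codes]


if __name__ == "__main__":
    print("adjacent-number bursts:", find_adjacent_bursts(SAMPLE_SENDS))
    print("unexpected destinations:", unexpected_destinations(SAMPLE_SENDS, {"33", "44"}))
```

Run it daily over the previous day's sends (or on a rolling window) and feed both outputs into the same alert channel you use for the conversion-rate check: a burst on one prefix plus a new destination country is the combination described in the "Case 1" and "Case 2" scenarios above.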

What actions can be taken to protect yourself?

Although there is no miracle protection against this new type of fraud, companies can implement a few good prevention and detection practices that significantly reduce these attacks. Involving customers is key to effectively combating fraud: no vendor-side solution can guarantee 100% effectiveness against these attacks. smsmode© can support you in implementing these best practices, and also provides a range of features to drastically limit fraud.


IP control

Add further checks on the IP address, user or device when a new user creates an account (ISP, proxy, TOR exit node, cloud provider, etc.). This helps identify suspicious behavior and take action before the fraudster requests a message to be sent.

You can also limit the number of SMS request attempts from the same IP address or device, and enforce a minimum delay between requests (e.g. one password reset per hour).

VPN monitoring and detection

While there are legitimate use cases for VPNs, attackers will surely use one, if only to circumvent an IP address block. There are many solutions for VPN detection.

Detecting bots

There is a good chance that fraudsters are using bots to generate a large volume of SMS. Using a feature like CAPTCHA can help detect and prevent bots from repeating requests.

Set up a "pre-audit" system

Avoid making the sending of an SMS your first and only authentication step. This kind of process does add a step to account creation, and therefore a little friction for legitimate users, but it can deter automated scripts and bots. For example, you can require users to confirm their email address before their phone number.

Set server limits and service rates

Ensure that your application will not send more than one message every X seconds to the same mobile number range or prefix. Set up throughput limits per user, IP or device ID.

You can also restrict the number of requests allowed from a specific IP address or user over a given period of time by using the rate-limiting modules available for web servers such as Nginx and Apache.

Set sending limits

You can set several types of limits in collaboration with your smsmode© account manager:

  • Monthly limits to avoid overcharging
  • Daily limits to add a layer of monitoring. smsmode© will send you alerts for each level crossed.
  • A limit on the number of SMS sent per minute, as a preventive measure.

Establish exponential delays between verification attempts

Setting exponential delays between requests made with the same phone number is an effective way to prevent bulk sending. They may not prevent fraud outright, but they can slow attackers down enough that they decide it is not worth their while to go after your application.

Implement geographic permissions to restrict destination countries

Review the geographic areas where authentication on your app is possible and disable any destinations not eligible for your services (most cases occur in countries where brands are not present).

You can also create a list of automatic authorizations or blocks based on the country codes of the phone number.
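The four server-side controls just described (per-IP limits, a minimum interval per number range, exponential delays per phone number, and a country allowlist) fit naturally into one gate that your OTP endpoint consults before calling the SMS provider. The class below is an added example, not smsmode©'s code: the clock is injectable so the backoff schedule can be verified offline, the country-code table is a partial constructed one, and all limits (`ip_limit`, `range_min_interval_s`, `base_backoff_s`, `max_backoff_s`) are placeholder values to be tuned.

```python
import time
from collections import defaultdict, deque

# Partial, constructed table of country calling codes (longest-prefix match).
COUNTRY_CODES = {"1", "33", "34", "39", "44", "49", "91", "234", "880"}


def country_code(phone):
    """Return the calling code of an E.164 number, or None if unknown."""
    digits = phone.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return digits[:length]
    return None


def number_range(phone, drop=2):
    """Bucket a number by its range: everything except the last `drop` digits."""
    return phone.lstrip("+")[:-drop]


class OtpRequestGate:
    """Decide whether an OTP SMS may be sent for a given (ip, phone) request.

    Checks, in order: destination country allowlist, per-IP attempt limit in a
    sliding window, minimum interval per number range, exponential backoff per
    phone number. `now` is injectable so behaviour can be tested offline.
    """

    def __init__(self, allowed_country_codes, ip_limit=5, ip_window_s=3600,
                 range_min_interval_s=2.0, base_backoff_s=30.0,
                 max_backoff_s=3600.0, now=time.time):
        self.allowed = set(allowed_country_codes)
        self.ip_limit = ip_limit
        self.ip_window_s = ip_window_s
        self.range_min_interval_s = range_min_interval_s
        self.base_backoff_s = base_backoff_s
        self.max_backoff_s = max_backoff_s
        self.now = now
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps of attempts
        self._range_last = {}                   # number range -> last send time
        self._phone_state = {}                  # phone -> (sends, next_allowed_at)

    def check(self, ip, phone):
        """Return (allowed, reason); the attempt is counted whatever the outcome."""
        now = self.now()

        # 1. Geographic permissions: refuse destinations you do not serve.
        if country_code(phone) not in self.allowed:
            return False, "country_not_allowed"

        # 2. Per-IP limit over a sliding window. Every attempt is recorded,
        #    including ones rejected further down, so retry floods still trip it.
        attempts = self._ip_attempts[ip]
        while attempts and now - attempts[0] > self.ip_window_s:
            attempts.popleft()
        if len(attempts) >= self.ip_limit:
            return False, "ip_rate_limited"
        attempts.append(now)

        # 3. No more than one message per number range every N seconds.
        rng = number_range(phone)
        last = self._range_last.get(rng)
        if last is not None and now - last < self.range_min_interval_s:
            return False, "range_throttled"

        # 4. Exponential delay between requests for the same phone number.
        sends, next_allowed = self._phone_state.get(phone, (0, 0.0))
        if now < next_allowed:
            return False, "phone_backoff"

        # All checks passed: record the send and schedule the next allowed time.
        sends += 1
        delay = min(self.base_backoff_s * 2 ** (sends - 1), self.max_backoff_s)
        self._phone_state[phone] = (sends, now + delay)
        self._range_last[rng] = now
        return True, "ok"

    def next_allowed_at(self, phone):
        """When the given number may next receive an OTP (0.0 if never sent)."""
        return self._phone_state.get(phone, (0, 0.0))[1]


if __name__ == "__main__":
    gate = OtpRequestGate(allowed_country_codes={"33", "44"})
    print(gate.check("203.0.113.5", "+33611111110"))  # first request: allowed
    print(gate.check("203.0.113.5", "+33611111110"))  # same number again: backoff
```

The order of the checks matters: the cheap country test runs first so that traffic to destinations you never serve is refused without consuming any per-IP budget, while the per-IP counter is incremented before the range and backoff checks so that a bot hammering one number cannot do so for free. In production the three dictionaries would live in a shared store (Redis or similar) rather than in process memory.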

Check phone number before sending with smsmode©

Use our API Lookup to get all available information about the phone number used for authentication (country code, number type, network, etc.). You can also automate this API request. The Lookup can also help you determine which operator(s) are responsible for excessive traffic (knowingly or unknowingly) and block them.

Monitor unique access code (OTP) conversion rates and create alerts

Create an alert in your internal monitoring tool for the authentication conversion rate (i.e., number of OTP validated by end users / number of OTP sent). If you notice that this rate starts to drop abnormally, especially if the OTP requests come from an unexpected country, trigger an alert for a manual review.

An analysis of the DLRs (delivery reports) received from smsmode© can allow you to block the service in case of suspicion on one or several numbers.
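The conversion-rate alert described above can be expressed as a small check over your own authentication records. The code below is an added example (not smsmode©'s code and not based on their DLR format): it computes validated/sent per destination country from a constructed batch of OTP records, ignores countries with too few messages to judge, and raises an alert when a country's rate falls below a fraction of your normal baseline, with a higher severity when that country is one where you are not present. The baseline, the drop factor and the minimum sample size are assumptions to calibrate against your real traffic.

```python
from collections import defaultdict

# Constructed OTP records: (country calling code, validated_by_end_user).
# In a real deployment these come from your own authentication logs.
SAMPLE_OTPS = (
    [("33", True)] * 34 + [("33", False)] * 6     # France: healthy conversion
    + [("44", True)] * 8 + [("44", False)] * 2    # UK: too few messages to judge
    + [("91", True)] * 1 + [("91", False)] * 29   # unexpected country, almost no validations
)

# Countries where the business is actually present (assumption for the example).
EXPECTED_COUNTRIES = {"33", "44"}


def conversion_rates(records):
    """Per-country (sent, validated, rate) from (country, validated) records."""
    sent = defaultdict(int)
    validated = defaultdict(int)
    for country, ok in records:
        sent[country] += 1
        if ok:
            validated[country] += 1
    return {c: (sent[c], validated[c], validated[c] / sent[c]) for c in sent}


def conversion_alerts(records, baseline_rate=0.8, drop_factor=0.5, min_sent=20,
                      expected_countries=EXPECTED_COUNTRIES):
    """Alerts for countries whose OTP conversion rate has dropped abnormally.

    A country is skipped until it has at least `min_sent` messages, so a
    handful of failed logins does not page anyone. Below `baseline_rate *
    drop_factor` an alert is raised; it is "high" severity when the country is
    not one you serve, since that is the pattern SMS pumping produces.
    """
    alerts = []
    for country, (n_sent, n_ok, rate) in sorted(conversion_rates(records).items()):
        if n_sent < min_sent:
            continue
        if rate < baseline_rate * drop_factor:
            alerts.append({
                "country": country,
                "sent": n_sent,
                "validated": n_ok,
                "rate": round(rate, 3),
                "severity": "high" if country not in expected_countries else "medium",
                "action": "manual review: possible SMS pumping",
            })
    return alerts


if __name__ == "__main__":
    for country, stats in sorted(conversion_rates(SAMPLE_OTPS).items()):
        print(country, stats)
    for alert in conversion_alerts(SAMPLE_OTPS):
        print("ALERT", alert)
```

Schedule this over a sliding window (for example the last hour, compared with the same hour on previous days) rather than over all-time totals, so that a sudden burst to a new country shows up while it is still running and the sending limits agreed with your account manager can be lowered in time.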

What should you do if you suspect fraud on your smsmode account?

Send an e-mail to commercial@smsmode.com with the following details:

  • Account ID
  • Channel(s) concerned
  • Date and time range
  • Country of destination of the SMS
  • Business description
