[HN Gopher] Twilio's toll fraud problem
___________________________________________________________________
Twilio's toll fraud problem
Author : billychasen
Score : 234 points
Date : 2023-01-05 19:44 UTC (3 hours ago)
(HTM) web link (billychasen.medium.com)
(TXT) w3m dump (billychasen.medium.com)
| lotsofpulp wrote:
| The idea that you can contact a phone number without any idea how
| much it will cost in 2023 is crazy.
|
| At the least, there should be a list of phone numbers known to
| not result in surprise charges so you can block all others.
| Natsu wrote:
| You'd think they'd have an option simply not to let you connect
| to those toll numbers at all.
| dima_vm wrote:
| They do: https://www.twilio.com/blog/2015/08/introducing-max-price.ht...
| dhritzkiv wrote:
| Thank you. I can't believe I missed this API parameter when
| I was looking to solve our toll fraud issue a few years
| ago.
| dima_vm wrote:
| You can download phone prefixes with prices from them, and also
| set max price for an SMS (won't work if they charge just a
| little amount and you send thousand requests of course).
| EGreg wrote:
| It gets better. An Ethereum address can receive any tokens,
| including NFTs, and has no power to reject them. A famous
| celebrity can have a lot of NFT spam publicly visible in their
| accounts, and people have no idea if they bought them or not!
| TylerE wrote:
| The idea that phone numbers still exist is kinda crazy. It's
| like paper checks... just let it die.
| toast0 wrote:
| When I was working in this space, all of my providers gave me a
| pricing feed which was essentially phone number prefix, price
| (and some text that my system didn't care about, I don't need a
| name, just a price, thanks). It looks like twilio doesn't offer
| that publicly for SMS, but you can see their voice price list
| by clicking "download voice prices (.csv)" on their voice
| pricing page [1]. The SMS page has a similar feed, but it only
| gives you price by carrier name, which isn't very helpful ---
| you'd need to pay to do a carrier lookup before you could use
| the price list; these lists don't feel complete either anyway,
| but it's an idea.
|
| [1] https://www.twilio.com/voice/pricing/us
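The two mitigations mentioned in the comments above (a prefix/price feed from the provider, and a per-message maximum price like Twilio's MaxPrice parameter) combine naturally on the customer's side: resolve the destination to the longest matching prefix in the feed, then refuse to request the send if the price is above a ceiling or the prefix is unknown. The block below is an added example, not code from the post or from Twilio; the CSV column names and every prefix and price in it are constructed for illustration and are not a real rate card.

```python
"""Longest-prefix price lookup over a prefix/price feed, plus a per-message
maximum-price gate. Added example: the feed below is constructed, not a real
provider price list, and the column names are assumptions."""
import csv
import io
from decimal import Decimal

# Constructed sample feed in the "prefix,price" shape the comment describes.
# Prices and ranges are made up for illustration.
SAMPLE_FEED = """prefix,price_usd,description
1,0.0079,North America (constructed)
44,0.0400,United Kingdom landline (constructed)
447,0.0450,United Kingdom mobile (constructed)
359,0.0900,Bulgaria (constructed)
35988,0.4200,Bulgaria high-cost range (constructed)
"""


def load_feed(text):
    """Parse a prefix/price CSV into {prefix: Decimal price}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table[row["prefix"].strip()] = Decimal(row["price_usd"])
    return table


def normalize(number):
    """Reduce an E.164-style number ('+44 7700 900123') to its digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError(f"no digits in destination {number!r}")
    return digits


def lookup_price(table, number):
    """Return (matched_prefix, price) using the longest matching prefix,
    or (None, None) when no prefix in the feed covers the number."""
    digits = normalize(number)
    for length in range(len(digits), 0, -1):
        prefix = digits[:length]
        if prefix in table:
            return prefix, table[prefix]
    return None, None


def send_decision(table, number, max_price):
    """Decide whether an outbound SMS may be requested from the provider.

    Unknown prefixes are blocked (fail closed): an unpriced destination is
    exactly where a surprise charge would come from.
    """
    max_price = Decimal(str(max_price))
    prefix, price = lookup_price(table, number)
    if price is None:
        return "block", "destination prefix not in price feed"
    if price > max_price:
        return "block", f"price {price} exceeds max {max_price} (prefix {prefix})"
    return "send", f"price {price} within max {max_price} (prefix {prefix})"


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for dest in ("+1 555 123 4567", "+447700900123", "+35988123456", "+999123456"):
        print(dest, *send_decision(feed, dest, "0.10"))
```

A price ceiling alone does not stop the variant dima_vm points out, where each message is cheap and the attacker simply sends thousands of them; the ceiling needs a rate limit on the endpoint that triggers the sends beside it.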
| iamleppert wrote:
| Is it not possible to ban pay Toll numbers in 2FA applications?
| Why doesn't Twilio do this by default? I would absolutely dispute
| the charge. Or better yet use only virtual credit cards for these
| services like Twilio that cannot be trusted, with fixed spending
| limits and monitor them closely.
| alberth wrote:
| When you want to grow revenue at all costs, reducing/preventing
| fraud isn't a priority.
|
| E.g. why don't they have KYC controls during account opening?
| Because it would reduce the # of people who open an account.
| from wrote:
| Twilio and their users are the victim here... Twilio having KYC
| would not solve the problem, they do not own the numbers
| the expensive texts are being sent to. Twilio should just
| enable their anti fraud systems by default (by the way this is
| no panacea, like every other anti fraud this is a cat and mouse
| game, there is often no clear way of telling that a number is
| premium rate, and many carriers are in on it too and use normal
| mobile number ranges).
| bbbbb5 wrote:
| Why on earth should _Twilio_ have KYC controls during account
| opening?
| toast0 wrote:
| As a programmatic telephone company, they're a possible (but
| not really probable) base for fraudulent spam calls. With
| KYC, and the fact that Twilio requires you call from a number
| you control, fraudulent calls would be easy to trace back to
| a person who could be charged for the calls. Much better than
| status quo, where it's very difficult to get to the
| originating phone account, and if you could, it's probably
| not really connected to a person.
| gggggg5 wrote:
| Why should Twilio do this when nobody else does?
| toast0 wrote:
| Keeping their traffic clean makes it easier to
| interconnect, and in an ideal world, they want to
| interconnect with everyone
| jameshart wrote:
| There's no way to set up an account such that it isn't permitted
| to text premium numbers? Throttling to prevent the same number
| being messaged more than a certain number of times in a given
| window? Or throttling to prevent charges accumulating faster than
| a set rate?
| jspaetzel wrote:
| Twilio managed to convince everyone that SMS based auth was a
| good idea but it's always been a bad idea. Drop twilio and go
| back to using passwords and use a different 2fa method.
| dima_vm wrote:
| Most users forget/neglect keeping backup codes for proper 2fa,
| unfortunately.
| kylehotchkiss wrote:
| Great reminder to close unused personal twilio account. I'm not
| gonna risk these charges to play with their tech!
| [deleted]
| tobinfekkes wrote:
| I loved Twilio many years ago, but they've become the new
| Google/SendGrid/Shopify/Stripe/Uber/(soon to add CloudFlare).
|
| They retain the right to any/all the upside of any risk/scale,
| and you retain the obligation in any downside. No questions.
|
| It's despicable.
| doodlesdev wrote:
| > SendGrid
|
| Just FYI SendGrid is a Twilio product LOL, so I guess you are
| right.
| mxuribe wrote:
| Same here! So, i wonder then, who would be a viable alternative
| to Twilio?
| STELLANOVA wrote:
| There are some alternatives for example:
|
| https://wavecell.com/sms/
|
| While they are mostly known in Asia, they offer service in
| Europe/North America as well.
| tobinfekkes wrote:
| Thank you for sharing. Haven't heard of this before.
| tobinfekkes wrote:
| Unfortunately, I haven't found any. There are some hacky
| solutions that I've bookmarked over the years, but nothing
| reliable enough for a production service(s). At least that
| I've found.
|
| Most "alternative" SMS services are simply a facade built on
| top of Twilio, with the markup to prove it.
| startledmarmot wrote:
| Hey! I'd naturally recommend SignalWire (as one of the
| founders over there.)
|
| We have full messaging + voice + video APIs, including a
| Twilio-compatible API just for people who need to switch.
| We're backed by companies like Deutsche Telekom, T-Mobile,
| and Samsung so we know how to make telecom infra!
|
| https://signalwire.com/products/cloud-messaging
|
| We're also the folks behind the open-source FreeSWITCH
| framework that powers companies like Bandwidth, Five9,
| Dialpad, Zoom Voice... maybe even your own company's PBX!
|
| https://freeswitch.com
| robbiep wrote:
| How are you preventing the type of attack that is being
| described here?
|
| Thanks
| jpeg_hero wrote:
| I've used these guys: Thinq and they are awesome for sms /
| messaging apis
|
| https://www.thinq.com/sms-mms-text-messaging/
| johndhi wrote:
| Confused, I don't see what's in common with all of the
| companies in your list.
|
| I work with Twilio a lot and kind of agree with your last
| sentence but what do you mean? Are these normal business
| practices?
| tobinfekkes wrote:
| Unfortunately, a cursory glance at the tech landscape betrays
| that these are "normal" business practices.
|
| Or, more accurately, that they have become normal, rather
| than being objectively normal.
| bombcar wrote:
| They start out insanely great when riding high on VC cash,
| but over time they become the gorilla in the room and their
| service and support and quality begins to diminish until
| they're more annoying than they are helpful.
| tobinfekkes wrote:
| Couldn't have said it better myself.
|
| There's a very obvious pattern on the spectrum of | Asset
| -> Liability |, and sadly, time proves they're much closer
| to a liability than an asset.
|
| Over time, tech becomes a tax.
| bee_rider wrote:
| It is surprising that our VC based companies haven't been
| hit with anti-dumping sanctions. I guess if there are
| enough extra steps...
| Rastonbury wrote:
| I use twilio, can anyone suggest alternatives that they've
| migrated to from twilio?
| MTmind wrote:
| I spent a lot of time working on this exact problem at a "Big
| Tech Retailer". 6 different teams had worked on it before we did,
| and all had given up. This is actually a very difficult problem
| that is at the intersection of two other very big and familiar
| problems... spam phone calls and bots on the internet.
|
| Spam phone calls... the global phone system is a network of
| relays. No telecom provider connects everyone on the planet
| together. To call our grandmother in Russia, we may have to go
| through Verizon, Deutsche Telekom, MTS, and ~five different
| smaller, regional telecom providers. The first telecom provider
| will request the second to complete the call, will trust they do
| this, and will accept the price they charge upon which they'll
| add their own costs. This occurs recursively until the phone call
| has been connected and completed. This implicit trust enables
| fraudulent actors to get into the circle of trust. Verizon may
| trust Deutsche, Deutsche may trust MTS, and MTS may trust a
| smaller telecom provider who in turn trusts a spam caller. This
| enables you to get spam calls. Telecom providers themselves don't
| know all the callers on the global telecom network and don't
| really know how much people will be charged. There is no global
| government to legislate across all telecoms.
|
| Bots on the internet... the internet as a whole doesn't have a
| firm sense of identity. It's just a network protocol routing
| packets to ip addresses. In the past, these ip addresses were
| mostly human beings. In the current time, the majority of the
| participants on the internet are bots/computer programs. A
| website like "Big Tech Retailer" has >90% of all traffic from
| computer programs. Elon Musk was probably right that Twitter is
| full of bots, because the entire internet is swimming with bots.
| They can be incredibly difficult to detect because AI blurs
| humans with bots.
|
| This toll fraud problem is that bots we struggle to detect place
| phone messages to phone numbers we struggle to identify. This
| ends up costing a huge and growing amount of money. You cannot
| truly solve the problem without solving the two underlying
| problems of bots on the internet and spam calls. Solutions to
| those problems may require rethinking and rebuilding the entire
| communication system we've built our lives around.
|
| Nonetheless, we can greatly reduce the effect of this problem. At
| "Big Tech Retailer", myself and two others were able to reduce
| the cost to a small percentage of what it was. After that point,
| the business sort of stopped caring because the fraud cost less
| than the staff. There were perhaps five techniques that were most
| helpful, all of which were contemporary fraud fighting/bot
| fighting/security techniques.
|
| If you're a startup facing this problem, I can help give you some
| guidance. Twilio will probably see this post and start working on
| a solution, but that may take a long time. There are easy things
| you can do to mitigate the problem right now. You can contact me
| at manrajt@gmail.com.
| wbharding wrote:
| We were defrauded by Twilio as well:
| https://bill.harding.blog/2019/08/13/twilios-incentives-to-a...
|
| Maybe a class action possibility here?
| olliej wrote:
| The fact the Twilio is allowing toll numbers at all is clearly
| their fault, not that of their customers. Turning around and
| claiming that customers should be paying for twilio's bad choices
| is BS
| [deleted]
| benlivengood wrote:
| Could this stop every random company from asking for my phone
| number to send me SMS? I hope so.
|
| Email works fine, is more reliable, latency is fine, and it works
| across devices and on desktops.
|
| Deduplicate your accounts some other way. Owning a bunch of phone
| numbers is (clearly, from the article) not a hurdle for
| attackers.
| [deleted]
| dahfizz wrote:
| This is the first I'm hearing of this, so I might be missing some
| information, but I don't understand how this is Twilio's fault or
| responsibility.
|
| Your service got hit with a ddos-style attack that translated
| into you using twilio to send lots of texts. This cost you a lot
| of money.
|
| I don't see how this is categorically different than your kid
| "accidentally" buying movies on Amazon prime or something like
| that. No way a credit card company would accept a chargeback in
| that scenario.
|
| Ultimately, you used their product in the intended way. Of course
| you're on the hook for the bill.
| [deleted]
| randyburden wrote:
| We've been hit by this at work as well. We had to add CAPTCHA and
| several other techniques to defend against this.
|
| How it works:
|
| 1. Attacker leases 1 or more premium rate numbers in an
| international country.
| - Attacker can lease a premium rate number for as little as
| $10/month.
| - Typically, the attacker gets to keep 70% of the money
| generated by the premium rate number.
| 2. Attacker then finds companies with OTP (One-Time Passcodes) or
| 2FA (Two-Factor Authentication) endpoints that require no
| validation and writes a script to automate the webpage or call
| the API endpoint.
| - Attacker will typically obtain a new IP address per API call
| using a VPN or a rented botnet from the dark web.
| 3. If the premium rate number costs 10 cents, then each
| successful text message they can send to the number generates
| 7 cents for them.
| 4. The attacker then just needs to send 150 SMS to the premium
| rate number to break even on their $10 investment, not counting
| the cost of the VPN or rented botnet.
|
| There is a lot of money to be made here by an attacker
| unfortunately. :(
| mike_d wrote:
| Which seems like a super easy fix for Twilio to implement.
| Don't allow SMS to premium rate numbers.
|
| If they can identify the premium numbers for billing, they
| should be able to identify them for blocking.
| macinjosh wrote:
| I would imagine there are rules/regulations about a SMS
| provider blocking communications before fraudulent behavior
| is determined? Not saying it shouldn't/couldn't be done, but
| probably one of those things with a simple tech fix but a
| complicating social/business aspect.
| kevincox wrote:
| It could be an option in the API call with a default in
| account settings. I bet most people who are trying to
| reduce spam accounts by requiring a phone number would
| actually prefer to exclude these numbers anyways.
| Natsu wrote:
| Down thread someone pointed out that their API allows you to
| set a max price:
|
| https://www.twilio.com/blog/2015/08/introducing-max-price.ht...
|
| Apparently a lot of people could really use that info.
| eitau_1 wrote:
| > premium rate number costs 10 cents
|
| wut, the absolutely most ordinary (in the realm of single
| telecom) text costs me ~6.5 cents
| ender341341 wrote:
| Can I ask where?
|
| I'm in the US and any of the big carriers offer unlimited
| texting as a baseline, and we have pretty crappy carriers
| compared to a lot of the world.
| TeMPOraL wrote:
| Maybe on prepaid plans? Been a while since I've heard of
| SMS costing anything on subscription plan, outside of
| roaming charges. Mobile Internet effectively cannibalized
| that income stream for the phone companies.
| eitau_1 wrote:
| yea, it's prepaid in Poland. But to be fair, I pay $12 a
| year for 50GB of data and don't call/text much
| EGreg wrote:
| With AI, you won't be able to tell humans and computers apart
| anymore.
|
| Anyone with enough determination can execute a sybil attack on
| any service that doesn't require in-person verification.
| a-r-t wrote:
| Does this still apply if only US and Canada are selected in the
| text messaging geo permissions?
| rcme wrote:
| I'm surprised it's not possible for Twilio to detect premium rate
| numbers. How does Twilio negotiate the payment with the number
| holder?
| from wrote:
| These numbers are usually not premium in the 1-900 sense of the
| word. It's more like they are international numbers and there
| are various intermediaries who work with mobile/landline
| operators in a bunch of countries to set up these kind of
| numbers and split the revenue from incoming calls/texts if they
| can deliver lots of minutes to them. One way of doing so is by
| getting a bunch of 2fa texts sent.
| admn2 wrote:
| Does this Fraud Guard they offer protect against this?
| https://www.twilio.com/docs/verify/preventing-toll-fraud/sms...
| jwcooper wrote:
| As far as I understand, you need to be using their "Verify"
| product in order to use the SMS Fraud Guard.
| nebula8804 wrote:
| Isn't this something Elon Musk brought up a few weeks ago when
| Twitter SMS 2FA stopped working in some countries? (India? I
| think?). On a Twitter spaces he said they were losing millions to
| SMS fraud for years and found out that some Telecom companies
| were complicit so they just cut off all SMS traffic to those
| companies until they re-negotiated terms.
| ridgered4 wrote:
| Last time I tried to sign up for Twitter it demanded I verify
| my account with text messages. Actually, virtually all services
| do this now when creating an account. The worst (Microsoft for
| example) let you sign up and use the account for a bit
| (possibly purchasing some items tied to the account) and then
| extort the phone number out of you later to maintain access.
|
| It is sort of amusing that these companies hitched their wagon
| to the now scam laden telephone network to track users and
| ended up getting scammed themselves.
| mylidlpony wrote:
| TBH I would consider this type of fraud of a more Robin Hood
| variety. Companies that still encourage weak security
| practices like sms 2fa (or even worse, just hoover your PII
| under the guise of it) should be defrauded of their money as
| much as possible.
| Terretta wrote:
| Your only power to encourage them to fix this is to do the thing
| they're begging you not to: _dispute the charges_.
|
| If a threshold of Twilio customers dispute charges, Twilio loses
| the ability to process credit cards at a lower risk rate, then
| with all but high risk processors, then may lose the ability to
| process them at all.
|
| If enough of their customers are getting burned, and enough
| dispute, Twilio would no longer be able to accept credit cards.
| They are terrified of that, so begging you not to dispute charges
| _for their lack of fraud prevention_.
|
| You accepting anything less than full refund of all fraudulent
| use they're cascading back on you is a gift to them. You
| accepting less than a full refund, while not dinging them at all
| with a chargeback is also a gift to them. If they don't want to
| give you the full refund for misuse they should be preventing,
| dispute it, _as is your right_.
|
| The correct course for Twilio is for Twilio to refund these
| charges _no questions asked_ while fixing the problem.
| tomesco wrote:
| Couldn't Twilio also close and cease providing service to any
| accounts that initiate chargebacks?
| toomuchtodo wrote:
| They could, but customers could then file complaints with the
| FTC and their state's attorney general for the fraud Twilio
| is enabling.
|
| I _strongly encourage_ Twilio customers to pursue this route
| if Twilio is charging them for fraudulent charges.
| bredren wrote:
| These filings may add up to change at some later time,
| though are unlikely to provide any kind of near-term
| actionable remedy.
| toomuchtodo wrote:
| Such is America's regulatory landscape ¯\_(ツ)_/¯
| Terretta wrote:
| Further, the customer has the right to dispute credit card
| charges thanks to the agreement between customer and card
| provider _and between card provider and merchant_.
|
| Twilio will get in trouble with Visa/Mastercard if
| customers say Twilio is dropping them for disputes the card
| provider finds in the customers' favor.
| EGreg wrote:
| Customers can do that anyway.
| bragr wrote:
| >Your only power to encourage them to fix this is to do the
| thing they're begging you not to: dispute the charges.
|
| I'd check their TOS to see if they offer some kind of
| arbitration option. As noted in other threads, triggering that
| process can be a surprisingly effective way to make someone
| from the company actually engage with the issue. Disputing the
| charges is always a nuclear option. They may never do business
| with you after that.
| Teever wrote:
| > Disputing the charges is always a nuclear option. They may
| never do business with you after that.
|
| This is something that I think needs to be regulated. I'm not
| saying that this should be the case for a company the size of
| Twilio, but I definitely think that a company the size of
| Apple/Google/Samsung should not be able to ruin your life
| because you had temerity to stand up to them and dispute a
| charge.
| username_my1 wrote:
| Also twilio ... they're the industry standard for
| enterprise communications
| ljm wrote:
| It's a shame that regulation has failed to keep up with
| tech. It's not exactly the first time we've had a gold rush
| or a lawless wild-west situation.
|
| The west still prospered when consumer rights were given
| priority over business.
| Scoundreller wrote:
| Is there anything in the arbitration clauses forbidding them
| from cancelling your account if you invoke arbitration
| (regardless of whether you prevail or fail?).
| RC_ITR wrote:
| Well they have to abide by the arbitration and any good
| arbitrator will put a good faith clause in the agreement.
| idontpost wrote:
| [dead]
| acover wrote:
| That Twilio doesn't protect you is bad. However, would a court
| agree you don't owe them the money? This recommendation seems
| like abuse of disputing a charge and will just get you banned
| from Twilio.
| gghffguhvc wrote:
| You don't even have a viable option for court as they have
| forced arbitration clauses.
| Terretta wrote:
| The court doesn't have to agree, only the card provider does.
|
| The customer has the right to dispute credit card charges
| thanks to the agreements between customer and card provider
| and between card provider and merchant.
|
| Twilio will get in trouble with Visa/Mastercard if customers
| say Twilio is dropping them for disputes the card provider
| finds in the customers' favor.
|
| This is why you _always_ pay for sketchy merchants with a
| card, it's one of the few consumer powers you have.
| charcircuit wrote:
| Why would the card providers be in the customer's favor.
| The customer paid for a text to be delivered to a phone
| number and Twilio did that and then charged the customer
| for it.
|
| If you pay someone to mow your lawn, then they mow your
| lawn and charge you. You can't just chargeback after the
| fact to get that service for free.
| 0x62 wrote:
| In your analogy it would be more like paying someone to
| mow your lawn because your neighbour got it done for $10,
| then being charged $100 because your house number is
| even.
|
| It might be in the terms and conditions, but it's bad
| faith to not give any warnings or controls before the
| services are rendered.
| 8n4vidtmkvmk wrote:
| if they mow your lawn 10 times in a row and bill you 10
| times... you should charge back 9 of them
| dahfizz wrote:
| Is that what's happening? You ask twilio to send one text
| and they send ten?
| helsontaveras18 wrote:
| And then you switch to another SMS provider, which may be
| costly from an engineering perspective, but clearly worth it
| if you're getting slammed with botnets and Twilio doesn't
| care.
|
| Absolutely, dispute the charge.
| acover wrote:
| Which providers don't have this problem? Does AWS prevent
| you sending SMS to premium numbers?
| CaveTech wrote:
| We've been hit by this exact issue, especially over the last
| month.
|
| We tried to mitigate as cleanly as possible for our users, adding
| one-time nonces to signup requests, adding rate-limiting rules,
| locking down regions, but we still faced an onslaught of tens of
| thousands of fraudulent signups per day. On our tier we don't
| have the ability to set block rules ourselves - it requires a
| support request that takes 2-3 days to get a response on. Our
| choices are to eat thousands of dollars per day in toll fraud, or
| disable sign-ups until we can add more fraud prevention on top of
| what Twilio enables. The problem is the fraudsters are using real
| browsers across thousands of IPs located in dozens of different
| countries.
|
| Similar to the OP, Twilio tries to say this is our fault and
| leaves it up to us to both pay for the issue and to try and fix
| it.
| charcircuit wrote:
| If you told Twilio to text a number and they text it, I don't
| see how Twilio is at fault.
|
| It would be valuable if they let you avoid texting premium
| numbers, but that's just a feature on top of the service they
| provide.
| CaveTech wrote:
| They should be better equipped to detect and prevent the
| abuse. It's an order of magnitude higher request volume for
| phone #s located in remote regions of the world. Twilio knows
| full-well where those numbers go, and can see them being
| abused simultaneously across many customers. I don't possess
| the same ability to know this... unless I use Twilio to run a
| reverse-lookup, which would of course still incur a cost.
| csharpminor wrote:
| Just curious because you didn't mention it - have you
| considered putting a captcha in front of your OTP flow? Are the
| fraudsters also defeating that?
| CaveTech wrote:
| We were trying to avoid the use of a captcha; originally
| believing that our API infrastructure was the target. A
| captcha did end up being the solution, but is not
| particularly user friendly, and I was also trying to avoid
| pulling developers out of bed on Christmas to implement - but
| we're protected now!
| hartator wrote:
| > They added a toggle for "fraud guard"
|
| Where do you find this? I've spent 10 minutes on our Twilio
| account and couldn't find the toggle.
| billychasen wrote:
| Their console is very confusing, but if you are using Twilio
| Verify, you select your Service and tab over to SMS.
| yashap wrote:
| We've had the same problems. We use Twilio for SMS based OTP
| login, lost lots of money to toll fraud, and spent lots of time
| putting up various mitigation strategies to reduce it. Now we
| only lose a bit of money to toll fraud, but it was lots of
| engineering effort and $$ down the drain.
|
| My main suggestion would be to avoid any sort of flow, like SMS
| OTP login, that allows triggering SMS messages without being
| logged in. Just do a more traditional login, SMS OTP isn't worth
| the headaches.
|
| Haven't tried Twilio Verify, didn't exist when we were solving
| these problems ourselves. But like most fraud prevention, it's
| probably far from perfect, better to just avoid fraud-prone
| workflows if you can.
| trulyhnh wrote:
| Yep, I remember getting pinged by a coworker asking why is our
| Twilio bill so high all of sudden. It turns out to be Toll Fraud
| through 2FA messages. Malicious actors sign up new accounts and
| set up a 2FA number and just keep requesting 2FA through SMS to
| profit.
| downrightmike wrote:
| Insane
| tersers wrote:
| Nothing would make me dispute a charge faster than being told not
| to dispute a charge
| jjjjjjjjjjjjjjj wrote:
| I spent a lot of time playing cat and mouse with this type of
| toll fraud in 2022.
|
| 1. Rate limited SMS by number/ip: bypassed by large number of
| proxies/vpn.
|
| 2. Added captcha: bypassed by attacker manually signing up
| thousands of accounts (mechanical turks?) over months and then
| iterating over them for login OTP.
|
| 3. Identifying what carriers/operators are involved and blocking
| them asap (usually obscure ones).
|
| 4. Careful monitoring of SMS send rates and alerting of anomalies
| to investigate.
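Points 1 and 4 of the list above (rate limiting the OTP endpoint by number and by IP, and watching send rates for anomalies) are the parts a service can implement itself without any help from the provider. The block below is an added example, not code from the commenter or from Twilio: a sliding-window limiter keyed on both the destination number and the client IP, and a per-prefix anomaly check that flags destination prefixes whose current send count is far above their baseline. The limits, prefixes and counts are constructed; in practice they come from your own traffic history.

```python
"""Per-number and per-IP sliding-window rate limits for an OTP endpoint,
plus a per-prefix send-rate anomaly check. Added example, not from the
thread; limits, prefixes and counts below are constructed."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside a trailing window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def would_allow(self, key, now):
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now):
        self._events[key].append(now)


class OtpSendGate:
    """Both limiters must pass before an SMS is requested from the provider.
    Nothing is recorded on a denied request, so one limiter cannot be
    drained by requests the other limiter rejected."""

    def __init__(self, per_number=3, per_ip=10, window_seconds=600):
        self.by_number = SlidingWindowLimiter(per_number, window_seconds)
        self.by_ip = SlidingWindowLimiter(per_ip, window_seconds)

    def should_send(self, phone, client_ip, now):
        if not (self.by_number.would_allow(phone, now)
                and self.by_ip.would_allow(client_ip, now)):
            return False
        self.by_number.record(phone, now)
        self.by_ip.record(client_ip, now)
        return True


def prefix_anomalies(current, baseline, factor=5, floor=20):
    """Return destination prefixes whose send count in the current window
    exceeds max(factor * baseline, floor). The floor stops a prefix that
    normally sees zero traffic from alerting on a handful of messages."""
    flagged = []
    for prefix, count in current.items():
        expected = baseline.get(prefix, 0)
        if count > max(factor * expected, floor):
            flagged.append(prefix)
    return sorted(flagged)


def demo_gate():
    """Five OTP requests for one number from one IP inside the window:
    the per-number limit (3) trips on the fourth request."""
    gate = OtpSendGate(per_number=3, per_ip=10, window_seconds=600)
    return [gate.should_send("+15550001111", "203.0.113.5", now=1000 + i)
            for i in range(5)]


def demo_anomalies():
    # Constructed hourly counts per destination prefix: two normally
    # quiet prefixes spike while the busy ones stay near baseline.
    baseline = {"1": 500, "44": 40, "359": 2, "961": 0}
    current = {"1": 520, "44": 45, "359": 90, "961": 75}
    return prefix_anomalies(current, baseline)


if __name__ == "__main__":
    print(demo_gate())        # [True, True, True, False, False]
    print(demo_anomalies())   # ['359', '961']
```

As point 1 notes, per-IP limits alone are defeated by large proxy pools, which is why the per-number limit and the prefix-level anomaly check matter: an attacker rotating IPs still has to concentrate traffic on the numbers that pay them, and that concentration shows up per prefix even when no single IP looks unusual.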
| colinclerk wrote:
| If anyone's facing this in their auth flows, we're happy to help
| at https://clerk.dev
|
| We're in the same cat-and-mouse game with the attackers as
| everyone else, but since we're an auth company, we have full-time
| folks monitoring for issues and resolving when they come up.
|
| It's worth mentioning that Twilio is in an understandably tough
| position here. They only receive API requests from your server,
| and real requests look the same as attack requests except for the
| phone number.
|
| Clerk is in a better position to help because our API accepts
| traffic directly from the attacker (e.g. POST /verify-phone-
| number). We know their IP, user agent, whether they're connecting
| from AWS, etc, etc. We very much rely on this data to help stop
| them.
| andrewstuart wrote:
| When I recently wrote Twilio code the first thing I did was add
| in as much stuff as I could to prevent this sort of thing
| happening. I think I put in captcha and also IP address
| throttling and request counting.
|
| At the time I wondered if I was overengineering or gold plating
| but apparently not.
|
| I do seem to recall that Twilio writes about this issue quite
| a lot and includes strategies in its best practices for avoiding
| the issue.
| snake_plissken wrote:
| I've read through a lot of the responses and I am still kind of
| confused how the fraud actually works:
|
| 1) Scammer leases a "premium phone number" from a provider. From
| doing some reading, premium numbers are where the caller/texter
| pays extra for interacting with the service at this number. So
| like a 1-900-phone-sex line from back in the day, where if you
| call, you get charged like $5.00 a minute. The provider leased
| the number to the phone sex operator for $1 per minute. The phone
| sex operator runs the service and charges access via your telco
| at $5 a minute, and ends up netting $4. The telco bills you $5
| for your 1 minute call.
|
| 2) In Twilio's case, they get a request to send a text to a
| premium phone number leased by the scammer. This text is actually
| initiated by the scammer, via something like requesting a new
| one-time password. Twilio sends the text.
|
| 3) Twilio then determines that the destination number is a
| premium phone number. Twilio charges you extra for sending the
| text because of this. Twilio then remits a payment to someone,
| either the scammer or the premium phone number provider.
|
| 4) Scammer repeats step 3 a very large amount of times and
| collects. Twilio bills you for all of those texts they sent, on
| your behalf, to the scammer's premium number.
|
| Step 3 is where I am confused. How do the payment flows work. Is
| Twilio remitting the money to the scammer, who then needs to pay
| for the leased number? Or are they remitting the payment to the
| premium phone number provider, who then pays some portion of that
| to the scammer?
|
| And come to think of it, how does the phone sex line example
| work? Which entity actually contracts with the telco to set the
| cost/toll?
| woofcat wrote:
| https://nitter.kylrth.com/benjaminnetter/status/153085292888...
|
| If you want to read the tweet on how it works.
| yjftsjthsd-h wrote:
| I'm surprised/confused: Why is it hard to detect premium rate
| numbers, or at least set a flag to not allow sending to them?
| Like, I can't think of a time when twillo should _ever_ be
| sending to a premium rate number; why is this even possible?
| rippercushions wrote:
| There are 200+ jurisdictions in the phone network and
| everybody has their own conventions on what a "premium"
| number is.
|
| For comparison, imagine if each domain in the world could set
| its own rates for how much doing a DNS query would cost you, and
| governments regulated this only by designating a few second
| level domains as "premium". That's pretty much the scale of
| the problem.
|
| Edit: To be clear, this is a very well known problem and
| Twilio should be doing much better at it. But it's by no
| means an easy problem, and all the other side needs is one
| (1) number to exploit.
| askvictor wrote:
| Twilio works with phone companies across the globe; this is
| not something that would be that difficult for a company of
| their size to implement (even if it means one employee
| whose job it is to keep this up to date). Consider that the
| timezone database (a similar problem) is administered by
| one person (a volunteer no less)
| purpleblue wrote:
| This is NOT hard. Not at all.
|
| Twilio knows which numbers will charge customers, THEY HAVE
| THE DATA. They can make a list of numbers that charge
| customers, and then have a flag that disallows SMSes to
| those numbers.
|
| They also have relationships with phone providers in every
| market that they are in, and those providers can provide
| that same information and then allow a blacklist to those
| numbers or whatever format the premium numbers occur in.
|
| It's not hard at all. It's a nice value-add feature and I'm
| sure if a competitor like MessageBird implemented something
| like this, it would be an easy differentiator if Twilio
| doesn't want to provide this.
| globalreset wrote:
| > There are 200+ jurisdictions in the phone network and
| everybody has their own conventions on what a "premium"
| number is.
|
| They know how to charge you for these numbers so apparently
| they do have that data, no?
| from wrote:
| Depends what you mean by "premium rate." Every number
| costs money to call in Twilio. Some numbers cost more, in
| lots of these frauds numbers in ordinary ranges are used
| (Is a rural number in Chile that costs $0.20/minute to
| call premium rate/fraud? Because that's what it looks
| like a lot of the time. How about $0.05 a minute in
| Austria?). IRSF, the industry term for this kind of fraud
| causes billions in losses a year and there is no easy
| answer but Twilio should probably have more
| infrastructure in place to reduce massive surprise bills.
| bee_rider wrote:
| That seems like it ought to be a knob provided to the
| user...
| globalreset wrote:
| Block any number that costs more than 25th percentile
| would be a start and so on... I can come up with plenty
| of heuristics that would be better than nothing.
| ricardo81 wrote:
| Yes, or let the user define a max cost
| TeMPOraL wrote:
| Yeah, I mean, with the number of users they have world-
| wide, they probably have good per-country or even per-
| county distributions of call rates...
| rippercushions wrote:
| Telco billing is postpaid, so they actually won't find
| out for at least a month.
| yjftsjthsd-h wrote:
| That's inconsistent with the OP getting 40 emails a day
| about charges, though?
| nfm wrote:
| Solving this is squarely Twilio's business!
|
| They know how much to bill the customer, so they must know
| how much it costs to send to a number.
| techsupporter wrote:
| > They know how much to bill the customer
|
| I don't mean to do Twilio's work of defending them, but
| in my experience it's possible they actually don't know
| how much to bill the customer. What they may know is the
| generalized per-minute or per-session rate they've agreed
| with another operator alongside a general "premium rate
| numbers will be settled at a later date" kind of clause.
|
| My employer got bit by this several years ago, purely on
| calls within the +1 country code. Before this practice
| was largely banned, some small carriers were allowed to
| designate certain rate centers as higher cost. So our
| VoIP carrier would say that a call to a given area code
| was $0.003/minute but the calls would later settle out at
| $0.25/minute because of a 1,000s block of numbers being
| (unknown to us or our carrier) designated as higher cost and
| being settlement billed back at the higher rate.
|
| Twilio could agree to carry some or all of this risk for
| its customers as part of their value-add and fees. That
| way, Twilio has the incentive to make the proper changes
| for its customers and would have the experience of
| looking at all of the return billed rates for all of the
| calls or messages across its entire customer base to help
| prevent toll fraud.
| fencepost wrote:
| Is it banned? Isn't this part of how FreeConferenceCall
| works with IIRC dial in numbers on a little LEC somewhere
| in Iowa?
| techsupporter wrote:
| Yes, the rule became effective in 2019:
| https://www.fcc.gov/document/fcc-adopts-reforms-further-
| redu...
|
| (FreeConferenceCall and similar companies lobbied heavily
| against this rule, but AT&T and Verizon were able to
| lobby it through.)
| rippercushions wrote:
| Fun fact: +1 is not a country, but all of North America.
| For a long time it was entirely possible to dial a
| perfectly ordinary looking +1 258 xxxxxxx number and get
| charged up the wazoo because (258) is Antigua and
| Barbuda, not New Jersey.
| bombcar wrote:
| This is the case, the telephone billing system is perhaps
| the most complicated pile of softwareshit you have ever
| seen in your LIFE - and some of it is insane.
|
| There have been people who got printed bills from their
| cell phone provider for every single kilobyte of data,
| each individually indexed and billed:
| https://en.wikipedia.org/wiki/300-page_iPhone_bill
| Spooky23 wrote:
| * * *
| Scoundreller wrote:
| My favourite was getting charged for an sms my iPhone
| sent which was a phone home to an Apple headquarters
| short code for iMessage. iOS hides these from the user.
| Most providers don't charge for this, but some do.
|
| Really sucks when you carefully load 10 EUR of credit to
| buy a 10 EUR prepaid plan for the month and see 0,05
| deducted despite being _incredibly_ careful to not do
| anything that would incur a charge before buying the
| plan.
| csunbird wrote:
| Apple DOES say that, when you set up FaceTime and
| iMessage!
|
| There is a pop up that says "Your carrier may charge for
| the messages used to activate iMessage and Facetime" You
| can choose to not activate and do it later.
| ThePowerOfFuet wrote:
| That warning did not appear in the early days.
| nfm wrote:
| Surely they can aggregate this across all customers
| though.
|
| If Twilio cops an unexpectedly high settlement for
| sending an SMS to +1234567890 in January, can they assume
| that a separate customer sending an SMS to that number in
| February will end up in the same boat?
|
| I'd be very surprised if the toll fraudsters weren't
| using the same numbers to hit multiple Twilio accounts.
| toast0 wrote:
| Twilio should help their customers with this (and it looks
| like they do have something, but maybe not enough)... but
| it's also something you can do a first pass through
| libphonenumber metadata[1], which was pretty reasonable at my
| last job.
|
| [1] https://github.com/google/libphonenumber/tree/master/meta
| dat...
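| A first-pass pre-send check that combines the ideas raised in this thread
| (a per-message price cap like the MaxPrice parameter, globalreset's
| "block anything above the Nth percentile for that country" heuristic, and
| a per-destination spend budget to cover dima_vm's point that a cap alone
| does not stop thousands of cheap messages). This is an added example, not
| code from the thread, from Twilio, or from libphonenumber. It assumes a
| prefix price feed shaped like the downloadable "prefix, country, price"
| list mentioned above; every row, prefix and price below is constructed
| for illustration and is not a real tariff.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample feed: prefixes, countries and prices are illustrative
# placeholders, not real tariffs (assumed shape: prefix,country,price).
SAMPLE_FEED = """prefix,country,price
1,US,0.0079
1900,US,0.5000
43,AT,0.0200
43900,AT,0.0500
56,CL,0.0300
5664,CL,0.2000
"""


def load_feed(text):
    """Parse a prefix,country,price CSV into {prefix: (country, price)}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table[row["prefix"]] = (row["country"], float(row["price"]))
    return table


def lookup(table, e164):
    """Longest-prefix match of an E.164 number against the feed.

    Returns (prefix, country, price) or None when no prefix covers it.
    An unknown prefix is treated as a hard stop by the guard below, since
    an unpriced destination is exactly where surprise settlements come from.
    """
    digits = e164.lstrip("+")
    if not digits.isdigit():
        raise ValueError(f"not an E.164 number: {e164!r}")
    for n in range(len(digits), 0, -1):
        hit = table.get(digits[:n])
        if hit is not None:
            return (digits[:n],) + hit
    return None


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[idx]


def country_thresholds(table, p=25):
    """Per-country price threshold: the p-th percentile of that country's prefixes."""
    by_country = defaultdict(list)
    for country, price in table.values():
        by_country[country].append(price)
    return {c: percentile(v, p) for c, v in by_country.items()}


class SendGuard:
    """Decide, before handing a message to the carrier API, whether to send it."""

    def __init__(self, table, max_price, percentile_p=25, budget_per_dest=1.0):
        self.table = table
        self.max_price = max_price            # absolute per-message cap
        self.thresholds = country_thresholds(table, percentile_p)
        self.budget = budget_per_dest         # cumulative spend allowed per number
        self.spent = defaultdict(float)       # destination -> spend so far

    def check(self, e164):
        """Return (allowed, reason, price); records spend only when allowed."""
        hit = lookup(self.table, e164)
        if hit is None:
            return False, "unknown prefix", None
        prefix, country, price = hit
        if price > self.max_price:
            return False, f"price {price} exceeds cap {self.max_price}", price
        if price > self.thresholds[country]:
            return False, f"price above {country} percentile threshold", price
        if self.spent[e164] + price > self.budget:
            return False, "per-destination budget exhausted", price
        self.spent[e164] += price
        return True, "ok", price


if __name__ == "__main__":
    guard = SendGuard(load_feed(SAMPLE_FEED), max_price=0.10, budget_per_dest=0.05)
    for number in ["+12125551234", "+19005551234", "+43900123456", "+56641234567", "+441234567"]:
        print(number, guard.check(number))
```

| In practice the feed would be the provider's real price list and the
| thresholds would be recomputed whenever it changes; the per-destination
| budget is deliberately in the same currency as the feed so that the
| three checks compose without unit conversions.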
| Spooky23 wrote:
| Honestly, I can't think of a legitimate use case for toll
| SMS.
| wizwit999 wrote:
| What's in it for the fraudster here?
| woofcat wrote:
| They own the premium number that the victim is texting... and
| thus earning the charged money.
| nipponese wrote:
| Ah, it's like a 900 number, but for sms.
| Scoundreller wrote:
| Has been going on against voip companies since the
| beginning.
|
| Here's a story from 2005:
|
| https://www.forbes.com/forbes/2005/0919/058.html?sh=55311
| 84c...
| [deleted]
___________________________________________________________________
(page generated 2023-01-05 23:00 UTC)