[HN Gopher] How SMS fraud works and how to guard against it
___________________________________________________________________
How SMS fraud works and how to guard against it
Author : apuchitnis
Score : 74 points
Date : 2023-02-28 18:13 UTC (4 hours ago)
(HTM) web link (apuchitnis.substack.com)
(TXT) w3m dump (apuchitnis.substack.com)
| AdamJacobMuller wrote:
| This makes the assumption that Twitter blocked it due to SMS
| fraud. While that's a plausible theory, an equally plausible
| theory is that they were worried about account hijacking and
| security (and allowed Twitter Blue subscribers to continue to use
| it in a "you can pay me to be stupid" context), which seems equally
| plausible.
|
| I take issue with a lot of the assumptions in the article but
| this is funny:
|
| > Identify and block premium rate phone numbers, using
| libphonenumber. Whilst this seems promising, I don't know how
| reliable the data is or how effective this approach is.
|
| Here's this purpose-built and well maintained* library from
| Google which does exactly what I want, but I'm not even going to
| consider it.
|
| * the actual number database has been updated 5x so far this
| year:
| https://github.com/google/libphonenumber/commits/master/meta...
| apuchitnis wrote:
| author here: Hey Adam - Elon has mentioned SMS fraud being the
| reason for blocking it on several occasions. See here:
| https://commsrisk.com/elon-musk-has-radical-solution-
| for-a2p....
|
| Re libphonenumber: I think you misread me? I was definitely
| saying consider it :) I just don't have much personal
| experience with that approach.
| cfn wrote:
| Elon Musk said that they were being fleeced by SMS fraud when
| the change was announced.
| singleshot_ wrote:
| Fraud requires that someone make a misrepresentation. Who makes a
| misrepresentation when SMS fraud is committed? What is the
| misrepresentation?
|
| Is there any chance that this isn't actually fraud and that
| companies who send out tons of text messages to any number a
| person specifies are just paying for their extraordinarily poor
| design?
| Tijdreiziger wrote:
| The attacker misrepresents themselves as a legitimate user who
| just wants to set up 2FA on their account.
| apuchitnis wrote:
| I think the fraud here is that the user isn't an actual,
| legitimate user of the web service. Maybe 'user fraud' is a
| better term to use here.
| robust-cactus wrote:
| It's definitely fraud and it's definitely detectable when a
| 10,000-number block of numbers sends 100x more SMS than every
| other prefix out of the blue.
|
| It's basically a referral marketing campaign where the
| fraudster does revenue share with local sketchy infrastructure
| providers.
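The prefix-volume signal robust-cactus describes, as an added example that is not part of the original thread or the article: a detector run over constructed send-log lines (no real traffic, no real numbers) that groups destinations into 10,000-number blocks (the E.164 number minus its last four digits) and flags any block whose send count is far above the median of the other blocks. The log format, the `to=` field, the 10x ratio and the 20-send floor are assumptions for the example; tune them to your own baseline.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed log lines, not real traffic. Background: one verification
# SMS each to a handful of unrelated destinations.
BACKGROUND = [
    "2023-02-28T18:00:01Z sms.sent to=+14155550101 status=delivered",
    "2023-02-28T18:00:04Z sms.sent to=+14155550172 status=delivered",
    "2023-02-28T18:00:09Z sms.sent to=+447700900123 status=delivered",
    "2023-02-28T18:00:15Z sms.sent to=+4917612345678 status=delivered",
    "2023-02-28T18:00:21Z sms.sent to=+33612345678 status=delivered",
    "2023-02-28T18:00:30Z sms.sent to=+61412345678 status=delivered",
    "2023-02-28T18:00:42Z sms.sent to=+14155550199 status=undelivered",
]
# Burst: 60 sends within two minutes, each to a different number inside
# the same 10,000-number block +7926123xxxx (constructed numbers).
BURST = [
    f"2023-02-28T18:0{1 + i // 30}:{i % 60:02d}Z sms.sent "
    f"to=+7926123{(i * 37) % 10000:04d} status=delivered"
    for i in range(60)
]

# Assumed log format: the destination is carried as to=<E.164 number>.
TO_RE = re.compile(r"\bto=(\+\d{7,15})\b")


def block_of(number: str) -> str:
    """10,000-number block: the E.164 number with its last four digits dropped."""
    return number[:-4]


def count_by_block(lines):
    """Per block: number of sends and the set of distinct destinations."""
    sends = defaultdict(int)
    numbers = defaultdict(set)
    for line in lines:
        m = TO_RE.search(line)
        if not m:
            continue  # not a send record; ignore
        number = m.group(1)
        block = block_of(number)
        sends[block] += 1
        numbers[block].add(number)
    return sends, numbers


def flag_pumping_blocks(lines, ratio=10.0, min_sends=20):
    """Flag blocks whose send count is >= ratio x the median of all other
    blocks, with an absolute floor so a quiet day does not produce false
    positives when the median is 1. Both thresholds are assumed tuning."""
    sends, numbers = count_by_block(lines)
    flagged = {}
    for block, n in sends.items():
        others = [v for k, v in sends.items() if k != block]
        baseline = median(others) if others else 0
        if n >= min_sends and n >= ratio * max(baseline, 1):
            flagged[block] = {"sends": n, "distinct_numbers": len(numbers[block])}
    return flagged


if __name__ == "__main__":
    for block, stats in flag_pumping_blocks(BACKGROUND + BURST).items():
        print(f"suspect block {block}xxxx: {stats}")
```

The `distinct_numbers` figure is the second tell: a pumping run enumerates fresh numbers inside the block (here 60 sends to 60 distinct destinations), whereas a legitimate user retrying verification re-sends to the same number. A block that trips the detector is a candidate for a temporary send block or a lower MaxPrice, not automatic proof on its own.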
| pg_bot wrote:
| If you haven't done this, set the MaxPrice field when sending SMS
| with an API provider such as Twilio. The message will fail to
| send if the cost of the SMS exceeds the price you set.
|
| https://support.twilio.com/hc/en-us/articles/360014170533-Us...
| apuchitnis wrote:
| author here: awesome, thanks for sharing this pg_bot! :)
| kyledrake wrote:
| What would be the reasonable value to set maxprice to?
| ceejayoz wrote:
| That's up to you; Twilio's pricing varies from country to
| country. US is less than a penny per text; Russia is $0.70
| each. Set according to your needs.
| toast0 wrote:
| Depends on where you send SMS. Ten cents should cover most
| of the world, but there will be exceptions.
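One way to wire MaxPrice into a send path, as an added example that is not Twilio's code or the author's: a guard that validates the destination, refuses blocks already flagged for pumping, enforces a per-block hourly quota, and only then builds the form body for Twilio's `Messages.json` endpoint with `MaxPrice` set (Twilio's official Python helper exposes the same field as the `max_price` keyword of `client.messages.create`). The $0.10 default cap and the tighter $0.02 cap for +1 destinations are taken from the figures suggested in this thread and are assumptions, as are the quota, the placeholder phone numbers and the account SID. Nothing is sent; the function returns the request it would make.

```python
import re
from decimal import Decimal
from urllib.parse import urlencode

TWILIO_API = "https://api.twilio.com/2010-04-01"
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Assumed policy for this example; tune to your own traffic and price sheet.
DEFAULT_MAX_PRICE = Decimal("0.10")   # USD per message, "covers most of the world"
PREFIX_MAX_PRICE = {                  # longest matching prefix wins
    "+1": Decimal("0.02"),            # NANP destinations are normally under a cent
}
BLOCK_QUOTA_PER_HOUR = 25             # sends per 10,000-number block per hour


def block_of(number: str) -> str:
    """10,000-number block: the E.164 number minus its last four digits."""
    return number[:-4]


def max_price_for(number: str) -> Decimal:
    """Per-destination cap: try +NNN, +NN, +N against the policy table."""
    for width in (4, 3, 2):
        cap = PREFIX_MAX_PRICE.get(number[:width])
        if cap is not None:
            return cap
    return DEFAULT_MAX_PRICE


def guard_send(to, from_, body, blocked_blocks=frozenset(), sends_this_hour=None):
    """Decide whether to send, and if so return the Twilio form parameters.
    blocked_blocks: blocks flagged by your pumping detector.
    sends_this_hour: {block: count} from your own send log."""
    sends_this_hour = sends_this_hour or {}
    if not E164.match(to):
        return {"allowed": False, "reason": "destination is not E.164"}
    block = block_of(to)
    if block in blocked_blocks:
        return {"allowed": False, "reason": f"block {block}xxxx is flagged for pumping"}
    if sends_this_hour.get(block, 0) >= BLOCK_QUOTA_PER_HOUR:
        return {"allowed": False, "reason": f"hourly quota exhausted for block {block}xxxx"}
    params = {
        "To": to,
        "From": from_,
        "Body": body,
        # Twilio fails the message instead of delivering it above this price.
        "MaxPrice": f"{max_price_for(to):.2f}",
    }
    return {"allowed": True, "params": params}


def twilio_request(account_sid, params):
    """URL and form-encoded body for POST .../Accounts/{sid}/Messages.json."""
    url = f"{TWILIO_API}/Accounts/{account_sid}/Messages.json"
    return url, urlencode(params).encode()


if __name__ == "__main__":
    decision = guard_send("+79261234567", "+15005550006", "Your code is 123456")
    if decision["allowed"]:
        # Placeholder SID; real code would authenticate and POST this body.
        print(twilio_request("ACxxxxxxxx", decision["params"]))
    else:
        print("refused:", decision["reason"])
```

Treat a MaxPrice failure the same way as a flagged block: log it against the destination's block rather than silently retrying, because a cluster of price-capped failures inside one block is itself a pumping signal.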
| grammers wrote:
| Ignore SMS from anyone. Done.
|
| No one sends them anymore.
| jalk wrote:
| You should probably read the article - it's about tricking
| services into sending SMS messages to your premium number so that
| you earn money every time you trick the service into sending a
| text message to you.
| JohnFen wrote:
| > No one sends them anymore.
|
| Except for the overwhelming majority of everyone I know.
| waynesonfire wrote:
| Good, SMS for auth is terrible. Let me use my yubikey or
| authentication app.
| Arch-TK wrote:
| I really want to know, why has everyone moved to SMS 2F"A"?
|
| What was wrong with authenticator applications?
|
| Were they really THAT user unfriendly?
| lotsofpulp wrote:
| Because phone number also provided a universal identifier that
| can make the data worth more when selling it.
| crazygringo wrote:
| People lose their phones and then your authenticator app
| doesn't work anymore, even if you restore from backup. And then
| the recovery mechanism is often a giant pain.
|
| Yes, that's pretty user unfriendly.
|
| It's a lot more common to lose your phone than lose your phone
| number.
| mcherm wrote:
| There are numerous tools, Google Authenticator and Authy for
| example, that protect against this by securely storing the
| keys. In fact, I would venture to say that MOST users of
| authentication apps are using ones that provide a backup in
| case the phone is lost.
| rlpb wrote:
| AIUI, EU regulation requires 2FA in finance now, but the 2FA
| must also confirm details such as a target account and/or
| amount.
|
| Authenticator apps (at least those that use TOTP/HOTP) can't do
| that. SMS can. So can card readers but people hate having to
| carry them around. So we're stuck with SMS.
| velavar wrote:
| I don't think that folks so much "moved" to SMS 2FA as much as
| were with it from the start. SMS 2FA is so ingrained in the
| finance/fintech industry that it's pretty rare for me to see a
| financial company offer the option to set up an Authenticator
| 2FA. Also, there is always some part of the consumer population
| that is still not on a smartphone and even if they are, they
| may not be "app-savvy" where they know how to install or use an
| authenticator app. For this reason, I think most finance
| companies will steer clear of the Authenticator app and go
| directly for SMS 2FA or worse, email 2FA.
| claytongulick wrote:
| I prefer SMS for 2FA because some authenticator apps get tied
| to a device.
|
| I'm worried about losing my phone and being locked out.
|
| With SMS, I can show my ID to the Verizon rep, get a new
| phone, and I'm good to go.
| tester457 wrote:
| Only downside is the verizon rep giving your sim to someone
| who deepfaked your voice.
| ilamont wrote:
| Nobody in my family - parents, kids, spouse - knows what an
| authenticator app is or would know what to do if presented that
| as an option, although my teen could probably figure it out.
|
| For everyone else, it would be a cascading series of
| installation and password and app switching and immediacy
| problems. This would create a great deal of frustration, and
| ultimately a call to family tech support (me) or the service
| provider _if human tech support is an option_ which is not
| the case for many companies such as Google and social media
| firms.
| chatmasta wrote:
| Have they? It seems the trend is to support Authenticator apps
| (i.e. one-time scan a QR code to a TOTP URL that I store on my
| own device). I haven't seen too many products that support TOTP
| 2FA but _require_ SMS 2FA.
|
| Some companies do require a phone number to setup an account
| (because it's the best proxy we have for "one per real person"
| or "expensive for one person to get many of"), but if they're
| competent then you can remove it as a 2FA option if you replace
| it with a TOTP code. [0]
|
| If you ask me, it should be illegal to require SMS 2FA without
| an opt-out to TOTP. Perhaps relatedly, I'm also curious about
| the percentage of Twilio revenue from 2FA messages.
|
| [0] RANT: Google, in typically creepy fashion, makes it
| difficult to enable TOTP without first either providing a phone
| number, or downloading a Google app to "tap to login!" on your
| phone. But they do allow you to setup a hardware token, so I
| found a workaround [1] to configure TOTP without providing a
| phone number, which is (perhaps ironically) to use Chrome
| DevTools to create a virtualized WebAuthn device and add it as
| a hardware token 2FA option. Then it's possible to setup TOTP
| and remove the virtualized device, leaving you with only TOTP
| 2FA and no com.google apps begging you for entitlements on your
| phone.
|
| [1] https://superuser.com/a/1759306
| cultofmetatron wrote:
| My phone recently just died, only two years old. All my
| authenticator stuff is gone. SMS is fine, I just move the SIM
| to a new phone.
| lotsofpulp wrote:
| I use Strongbox to backup TOTP in Keepass databases.
| malfist wrote:
| That's good for you, is grandma going to do that?
| ufmace wrote:
| Yeah that's the problem - TOTP with a basic app is pretty
| easy to use, but making sure you're protected from a phone
| suddenly lost or broken scenario is tougher, and you may not
| know you need to do it until it's too late. How many people
| actually store those backup codes properly or go to the
| trouble to use a third-party app that supports backups and
| actually do backups?
| malfist wrote:
| Because lots of us upgrade phones every couple years, or have
| dropped a phone and had it break, or get water in it or
| something.
|
| It's all too easy to realize after the fact you needed to
| transfer something between the old phone to the new phone to
| keep the authenticator working. Sometimes that's not available
| (phone damaged), or don't realize you need it until after
| you've already sent the phone in for trade in.
|
| So yes, they are user unfriendly.
| molodec wrote:
| The article is describing one type of SMS Fraud, but I think
| Twitter got attacked using SMS Traffic Pumping Fraud. Twilio has
| the explanation https://support.twilio.com/hc/en-
| us/articles/8360406023067-S...
| lgats wrote:
| Where can I get a premium SMS phone number? (for research
| purposes)
___________________________________________________________________
(page generated 2023-02-28 23:00 UTC)