SMS pumping fraud: take care how you configure MFA

Twitter’s recent announcement to end SMS-based MFA as a free service should serve as a warning on the costs of SMS pumping fraud.
24 February 2023

Money making scheme: revenue generating mobile numbers open the door for fraudsters to cash in on SMS-based multifactor authentication. Image credit: Shutterstock Generate.

Getting your Trinity Audio player ready...

Getting inside the head of a CEO and trying to decipher their thoughts can sometimes prove to be a challenge. Even more so when that individual is Elon Musk. But his decision, as head of Twitter, to stop providing SMS multi-factor authentication (MFA) as a free service isn’t as strange as it may appear. At face value, SMS MFA might seem like a good idea. Requesting a randomized code sent to a user’s mobile device would, in theory, stop adversaries who already possessed username and password credentials from carrying out an account takeover. But bad actors have figured out a way to cash in on one-time-passwords (OTPs) through a scheme known as SMS pumping fraud.

If reports are true, Twitter may be losing a whopping $60 million per year to fraudsters who are directing SMS MFA requests made through Twitter to revenue generating numbers, such as premium rate services. And what makes this even more shocking is that Twitter introduced SMS two-factor authentication in 2013. So there could be some very rich fraudsters out there who’ve spent nearly a decade adding to Twitter’s losses via SMS pumping fraud.

Rubbing salt in the wounds is the fact that SMS two-factor authentication is vulnerable to SIM swap attacks. In 2019, Jack Dorsey – who was Twitter CEO at the time – had his Twitter account taken over by bad actors who managed to persuade his mobile phone provider to swap his account to a SIM card under their control. Once the account swap has been made, it’s trivial for the adversary to manipulate SMS MFA functionality and carry out a password reset.

Given the losses due to SMS pumping fraud and the risk of SIM swap attacks, one might question why Twitter has persisted with SMS MFA for so long. The US Federal Trade Commission’s website makes for some interesting reading. But it’s also true to say that SMS-based MFA is popular with users. Entering an SMS code that appears on a user’s mobile device is familiar behaviour. The authentication step doesn’t harm the app experience and requires little in the way of IT skills to implement.

Check your SMS API account settings

But what about the developer community? If you’ve signed up to an SMS API, you might want to double check settings to make sure that you don’t become another victim of SMS pumping fraud. If bad actors didn’t already know about the scam, you can be sure that they do now thanks to coverage of Twitter’s decision to charge for SMS-based MFA.

It’s important to consider security when getting started with SMS API’s and identify features that will help to protect you from SMS pumping. The fact that some SMS API providers such as Soprano Design and Twilio (which has faced some criticism by users who appear to have been caught out by fraudsters) have pages on their websites that raise awareness of the risks of SMS pumping and how to prevent fraud, highlights the growing concern. In Twilio’s case, the SMS API provider now has an awareness raising tool that allows customers to calculate potential hidden fraud costs based on estimated OTP volume.

The SMS Works, a UK-based SMS API provider, is one of a number of firms outlining steps that developers can take to understand whether a web form has been the victim of SMS pumping fraud and, importantly, how to protect services from SMS pumping. Good practice includes setting rate limits and making sure that messages are only being sent to countries where genuine users exist. It’s also possible to set exponentially increasing wait times between requests to reduce the potential rewards for persistent bots.

User interface design needs to be considered too. “If you have a web application, the bots’ scripts will try to register numbers on your login page one after another,” writes Plivo in a recent blog post on how users can combat SMS pumping. “To control this behavior you can add challenge-response systems such as CAPTCHAs to your forms or pages to make sure humans and not bots are using them.”

Also, it goes without saying, check the credit limit on your account. And watch out in case an auto top up box has inadvertently been left checked, something that could cause a nasty surprise on a Monday morning or after returning from a week off. It’s also worth running some checks on your list of customer numbers. For example, are there groups of adjacent numbers? Fraudsters may feed their sign-up scripts with blocks of sequential mobile numbers.

Reviewing your number list is also an opportunity to clean up any bad data. Telgorithm offers its application to person (A2P) customers a lookup API that it dubs Number Verification, which can fish out typos, fake numbers, and even a legitimate number that’s gone out of service. Just like developers don’t want to incur losses due to SMS pumping fraud, they also don’t want to be charged for messages that don’t have intended users.