Hacker News new | past | comments | ask | show | jobs | submit login

https://nitter.kylrth.com/benjaminnetter/status/153085292888...

If you want to read the tweet on how it works.




I'm surprised/confused: Why is it hard to detect premium rate numbers, or at least set a flag to not allow sending to them? Like, I can't think of a time when twillo should ever be sending to a premium rate number; why is this even possible?


There are 200+ jurisdictions in the phone network and everybody has their own conventions on what a "premium" number is.

For comparison, imagine if each domain in the world could set its own rates for much doing a DNS query would cost you, and governments regulated this only by designating a few second level domains as "premium". That's pretty much the scale of the problem.

Edit: To be clear, this is a very well known problem and Twilio should be doing much better at it. But it's by no means an easy problem, and all the other side needs is one (1) number to exploit.


> There are 200+ jurisdictions in the phone network and everybody has their own conventions on what a "premium" number is.

They know how to charge you for these numbers so apparently they do have that data, no?


Depends what you mean by "premium rate." Every number costs money to call in Twilio. Some numbers cost more, in lots of these frauds numbers in ordinary ranges are used (Is a rural number in Chile that costs $0.20/minute to call premium rate/fraud? Because that's what it looks like a lot of the time. How about $0.05 a minute in Austria?). IRSF, the industry term for this kind of fraud causes billions in losses a year and there is no easy answer but Twilio should probably have more infrastructure in place to reduce massive surprise bills.


Block any number that costs more than 25th percentile would be a start and so on... I can come up with plenty of heuristics that would be better than nothing.


Yeah, I mean, with the number of users they have world-wide, they probably have good per-country or even per-county distributions of call rates...


Yes, or let the user define a max cost



Reassuring, thanks for sharing. I've not used Twilio in a number of years.


That seems like it ought to be a knob provided to the user…


Telco billing is postpaid, so they actually won't find out for at least a month.


That's inconsistent with the OP getting 40 emails a day about charges, though?


Solving this is squarely Twilio's business!

They know how much to bill the customer, so they must know how much it costs to send to a number.


> They know how much to bill the customer

I don't mean to do Twilio's work of defending them, but in my experience it's possible they actually don't know how much to bill the customer. What they may know is the generalized per-minute or per-session rate they've agreed with another operator alongside a general "premium rate numbers will be settled at a later date" kind of clause.

My employer got bit by this several years ago, purely on calls within the +1 country code. Before this practice was largely banned, some small carriers were allowed to designate certain rate centers as higher cost. So our VoIP carrier would say that a call to a given area code was $0.003/minute but the calls would later settle out at $0.25/minute because of a 1,000s block of numbers being (unknowing to us our our carrier) as higher cost and being settlement billed back at the higher rate.

Twilio could agree to carry some or all of this risk for its customers as part of their value-add and fees. That way, Twilio has the incentive to make the proper changes for its customers and would have the experience of looking at all of the return billed rates for all of the calls or messages across its entire customer base to help prevent toll fraud.


This is the case, the telephone billing system is perhaps the most complicated pile of softwareshit you have ever seen in your LIFE - and some of it is insane.

There have been people who got printed bills from their cell phone provider for every single kilobyte of data, each individually indexed and billed: https://en.wikipedia.org/wiki/300-page_iPhone_bill


When I was an intern, I was working for a big company on a project to optimize some call center management. Basically put mainframe reports on an intranet.

The company had made a change of some sort where whatever EDI connection between the telco and the company stopped working. I learned this when and angry facilities guy came up looking for my boss’s boss to sign for a delivery. I was the only person there, so I did. 15 minutes later, two pallets of bankers boxes came up - thousands of single sided pages of itemized call details.


My favourite was getting charged for an sms my iPhone sent which was a phone home to an Apple headquarters short code for iMessage. iOS hides these from the user. Most providers don’t charge for this, but some do.

Really sucks when you carefully load 10 EUR of credit to buy a 10 EUR prepaid plan for the month and see 0,05 deducted despite being incredibly careful to not do anything that would incur a charge before buying the plan.


Apple DOES say that, when you set up FaceTime and iMessage!

There is a pop up that says "Your carrier may charge for the messages used to activate iMessage and Facetime" You can choose to not activate and do it later.


That warning did not appear in the early days.


That warning actually depends on the “carrier profile”, a configuration file the phone silently fetches (or has cached in firmware builds) based on certain attributes of the SIM like the ICCID or MCC/MNC.

There’s a field in there that configured whether that warning should be shown.


Correct, and it didn't appear for carriers which were whitelisted (who zero-rated the iMessage activation SMS).

My memory, which may be wrong, is telling me that the first major version of iOS which included iMessage did not include the warning at all, and that it was added for non-whitelisted carriers (aka those which did not sell the iPhone) to prepare the user for the possibility that they will be billed, based on user feedback precisely like the comment to which I was replying.


Fun fact: +1 is not a country, but all of North America. For a long time it was entirely possible to dial a perfectly ordinary looking +1 258 xxxxxxx number and get charged up the wazoo because (258) is Antigua and Barbuda, not New Jersey.


Pissed me off how American Airlines wouldn't send me SMS updates to my Canadian number, even though it should cost only slightly more than than a USA number. I guess they got burned sending updates to some caribbean island number in the past.

Ugh.


Surely they can aggregate this across all customers though.

If Twilio cops an unexpectedly high settlement for sending an SMS to +1234567890 in January, can they assume that a separate customer sending an SMS to that number in February will end up in the same boat?

I'd be very surprised if the toll fraudsters weren't using the same numbers to hit multiple Twilio accounts.


Is it banned? Isn't this part of how FreeConferenceCall works with IIRC dial in numbers on a little LEC somewhere in Iowa?


Yes, the rule became effective in 2019: https://www.fcc.gov/document/fcc-adopts-reforms-further-redu...

(FreeConferenceCall and similar companies lobbied heavily against this rule, but AT&T and Verizon were able to lobby it through.)


Twilio works with phone companies across the globe; this is not something that would be that difficult for a company of their size to implement (even if it means one employee whose job it is to keep this up to date). Consider that the timezone database (a similar problem) is administered by one person (a volunteer no less)


This is NOT hard. Not at all.

Twilio knows which numbers will charge customers, THEY HAVE THE DATA. They can make a list of numbers that charge customers, and then have a flag that disallows SMSes to those numbers.

They also have relationships with phone providers in every market that they are in, and those providers can provide that same information and then allow a blacklist to those numbers or whatever format the premium numbers occur in.

It's not hard at all. It's a nice value-add feature and I'm sure if a competitor like MessageBird implemented something like this, it would be an easy differentiator if Twilio doesn't want to provide this.


Wrapping abstractions around hard problems is pretty much Twilio's value prop.


Twilio should help their customers with this (and it looks like they do have something, but maybe not enough)... but it's also something you can do a first pass through libphonenumber metadata[1], which was pretty reasonable at my last job.

[1] https://github.com/google/libphonenumber/tree/master/metadat...


Honestly, I can’t think of a legitimate use case for toll SMS.


Paying for things?


What's in it for the fraudster here?


They own the premium number that the victim is texting... and thus earning the charged money.


Ah, it's like a 900 number, but for sms.


Has been going on against voip companies since the beginning.

Here’s a story from 2005:

https://www.forbes.com/forbes/2005/0919/058.html?sh=5531184c...


Now if only I could sign one of those premium rate numbers to get robocalled …


Google "international premium rate number" and you can get one in any country for free. Up to $0.7 a minute on some satellite and Albanian numbers if you opt for net 30/45 day payment in some places! This stuff happens everyday - I'm surprised no one has talked about it here till now. It is a very difficult problem to address if you want to accept international users and limit false positives.


I remember reading an article where a guy in the UK set one of these up with a bot like Lenny to make money off the scam calls. It was kind of shocking to me you could just setup any number like that, not just 900 numbers.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: