We've been hit by this at work as well. We had to add CAPTCHA and several other techniques to defend against this.
How it works:
1. Attacker leases 1 or more premium rate numbers in an international country.
- Attacker can lease a premium rate number for as little as $10/month
- Typically, the attacker gets to keep 70% of the money generated by the premium rate number.
2. Attacker then finds companies with OTP (One-Time Passcodes) or 2FA (Two-Factor Authentication) endpoints that require no validation and writes a script to automate the webpage or call the API endpoint
- Attacker will typically obtain a new IP address per API call using a VPN or a rented botnet from the dark web.
3. If the premium rate number costs 10 cents, then each successful text message they can send to the number generates 7 cents for them.
4. The attacker then just needs to send 150 SMS to the premium rate number to break even on their $10 investment, not counting the cost of the VPN or rented botnet.
There is a lot of money to be made here by an attacker unfortunately. :(
I agree with other comments here. $0 is the minimum amount people should be willing to pay if they're not disputing charges or reporting fraud to the credit card networks / regulators.
No idea. I think there's a real problem with the whole design of premium numbers because I'm not sure how one is even supposed to know when payment is required or meaningfully accept it, though at least the API apparently allows this.
FWIW, I do think $0 might make a sane default, but you do understand that the user would have to change it from $0 before they could use the account, right? The whole point of using Twilio to send an SMS is because you wanted the SMS to actually be sent, which means you are going to have to pay for the SMS, and SMS is always stupidly expensive.
I would imagine there are rules/regulations about an SMS provider blocking communications before fraudulent behavior is determined? Not saying it shouldn't/couldn't be done, but probably one of those things with a simple tech fix but a complicating social/business aspect.
It could be an option in the API call with a default in account settings. I bet most people who are trying to reduce spam accounts by requiring a phone number would actually prefer to exclude these numbers anyways.
Surely not if the customer _explicitly requests_ that the communications are blocked? IIRC in Aus it was possible to have your provider block messages to premium rate numbers back in the days when it was popular to buy ringtones.
It isn't just as simple as 'premium rate numbers'.
Some of the criminals behind these attacks will have access to the phone network. They'll pick an expensive route, like a range of phone numbers in Georgia (the country) from the USA, and offer a cheaper route to it. The system will start using their route for those calls. They'll accept all calls to that route, get paid, and never actually connect any calls.
That gives them a range of "normal" phone numbers which helps them avoid throttling on just one number. But they can be just as expensive as premium numbers to call.
At least, this is how it was explained to me as my team fought these attacks a couple years ago. We'd see calls to a large range of a few thousand numbers. Couldn't throttle on a single number.
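The attack steps in the first comment and the "range of a few thousand numbers" point above both come down to the same defensive need: a velocity check on the OTP send path keyed by destination number range and source IP, not by a single number. The guard below is an added example written for this thread, not Twilio's code or anything from the commenters; it assumes E.164-formatted destinations, and all numbers, prefixes and IPs in it are constructed.

```python
import re
from collections import defaultdict, deque

E164 = re.compile(r"\+[1-9]\d{6,14}")  # loose E.164 shape check


class OtpSendGuard:
    """Velocity checks in front of an OTP/2FA SMS send. Keys on the number *range*
    (leading digits), so a burst spread across thousands of adjacent numbers from
    rotating IPs still trips the limit. Example code, not Twilio's."""

    def __init__(self, window_s=600, per_ip=5, per_prefix=20, prefix_len=7,
                 blocked_prefixes=()):
        self.window_s = window_s                  # sliding window, seconds
        self.per_ip = per_ip                      # sends per source IP per window
        self.per_prefix = per_prefix              # sends per number range per window
        self.prefix_len = prefix_len              # digits after '+' defining a range
        self.blocked_prefixes = tuple(blocked_prefixes)  # ranges refused outright
        self._ip_hits = defaultdict(deque)
        self._prefix_hits = defaultdict(deque)

    def _recent(self, bucket, key, now):
        q = bucket[key]
        while q and now - q[0] >= self.window_s:   # evict timestamps outside window
            q.popleft()
        return q

    def check(self, number, src_ip, now):
        """Return (allowed, reason) for one send; records it when allowed."""
        if not E164.fullmatch(number):
            return False, "invalid_e164"
        digits = number[1:]
        if digits.startswith(self.blocked_prefixes):
            return False, "blocked_prefix"
        ip_q = self._recent(self._ip_hits, src_ip, now)
        if len(ip_q) >= self.per_ip:
            return False, "ip_velocity"
        pfx_q = self._recent(self._prefix_hits, digits[:self.prefix_len], now)
        if len(pfx_q) >= self.per_prefix:
            return False, "prefix_velocity"
        ip_q.append(now)
        pfx_q.append(now)
        return True, "ok"


def simulate_pumping_burst(guard, count, base="+44700010", now=0.0):
    """Constructed burst: `count` sends to adjacent numbers, one new IP each.
    Returns (allowed_count, list of denial reasons)."""
    results = [guard.check(f"{base}{i:04d}", f"10.0.{i // 256}.{i % 256}", now + i)
               for i in range(count)]
    return sum(ok for ok, _ in results), [r for ok, r in results if not ok]
```

The per-IP limit alone would never fire in the simulated burst, since every send arrives from a fresh address; the per-prefix counter is what stops it after 20 sends.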
I think you're conflating toll bypass fraud with IRSF. A grey route that never delivered any calls or only a fraction of them would have bad ACD numbers and people would not use that route. With hacked Asterisk/FreePBX boxes people usually call the international numbers described in OP and split the termination fee with some corrupt carrier/intermediary. There is a related fraud where people use the hacked Asterisk/FreePBX boxes to terminate calls, which from what I understand these actually have pretty good quality until the unwitting owner gets a $40,000 phone bill and shuts everything off. Traditional toll bypass fraud is when countries are expensive to call internationally but have cheap local calls, so people in those countries buy a bunch of SIM cards, put them in a box with a bunch of GSM modems, and use those to basically "convert" an expensive international call to a cheap local call (and profit the difference between the two rates).
Edit: Oh, you're talking about number hijacking. I think they usually aren't offering termination services though, usually it goes hand in hand with the kind of fraud described in the OP.
> Traditional toll bypass fraud is when countries are expensive to call internationally but have cheap local calls, so people in those countries buy a bunch of SIM cards, put them in a box with a bunch of GSM modems, and use those to basically "convert" an expensive international call to a cheap local call (and profit the difference between the two rates).
Is this really fraud? Is it fraud to offer any VOIP service, or only when it can connect to the phone network, like Skype?
I guess I could see how it might be against the T&C's of the telecom company, to offer a service that undercuts them, but hardly a criminal act of deception.
I consider it to be relatively harmless but how it is classified depends on the country. India is pretty cheap to call even absent simboxes but they still crack down on the practice for “national security reasons” because it makes tracking people more difficult. The UK (Ofcom) banned them outright for some reason a long time ago but that’s being appealed. In some African countries the laws are pretty vague and do not outright ban them, usually they charge people with “unregistered telecommunications business” or something like that.
Fraud is what the government decides it is, the governments have deemed this to be fraud.
Telecom companies don’t necessarily care about this, it’s often the governments who want to tax incoming international calls as an easy revenue source.
How is this a workable system!? Why would anyone pay them. This seems like fraud on the part of the phone networks for billing for service that was never provided or should have been provided cheaper.
While I don't agree with sanctions, this seems like the kind of time where you just block off a country/exchange entirely if you cannot have the confidence of what things cost to send there.
I don't understand why Twilio cannot simply set a flag on their phone company account saying "under no circumstances will we pay for these shenanigans", and why the phone company billing stuff cannot simply block SMS messages to such scam accounts.
In particular, email (SMTP) to SMS gateways exist. Why doesn't Twilio just use one of those (and maybe pre-arrange a flat monthly payment to avoid being blocked for going over quota)?
> I don't understand why Twilio cannot simply set a flag on their phone company account saying "under no circumstances will we pay for these shenanigans", and why the phone company billing stuff cannot simply block SMS messages to such scam accounts.
Everyone has the idea "just don't pay for fraud" but in practice it is difficult because there are many different carriers in the typical international call chain, which means to dispute charges you need everyone to agree. Also carriers have long term agreements with each other about billing and it is not as easy to just dispute the charges like you can with a credit card.
You’re talking about the fee your carrier charges for normal texts. These are “premium” charges, meaning the user is charged an extra fee on their bill regardless of their SMS billing plan.
In Germany the standard price for an SMS is 9 cents, of which somewhere around 2-3 cents are paid to the recipient's carrier. Unlimited plans are common, but only because nobody texts anymore (same applies for phone calls).
Maybe on prepaid plans? Been a while since I've heard of SMS costing anything on a subscription plan, outside of roaming charges. Mobile Internet effectively cannibalized that income stream for the phone companies.