
We've been hit by this at work as well. We had to add CAPTCHA and several other techniques to defend against this.

How it works:

  1. Attacker leases 1 or more premium rate numbers in an international country.
     - Attacker can lease a premium rate number for as little as $10/month.
     - Typically, the attacker gets to keep 70% of the money generated by the premium rate number.

  2. Attacker then finds companies with OTP (One-Time Passcodes) or 2FA (Two-Factor Authentication) endpoints that require no validation and writes a script to automate the webpage or call the API endpoint.
     - Attacker will typically obtain a new IP address per API call using a VPN or a rented botnet from the dark web.

  3. If the premium rate number costs 10 cents, then each successful text message they can send to the number generates 7 cents for them.

  4. The attacker then just needs to send 150 SMS to the premium rate number to break even on their $10 investment, not counting the cost of the VPN or rented botnet.

There is a lot of money to be made here by an attacker unfortunately. :(
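As an added example (not code from the comment above or from any product it mentions), here is a server-side guard for an OTP "send code" endpoint written against the abuse pattern just described. Because the attacker rotates source IPs per request, the limits key on the destination number and on the destination country rather than on the client address. The country allowlist, the known-prefix table and the thresholds are constructed sample values for this example, not recommendations for any particular service.

```python
"""Added example: velocity guard for an OTP/2FA send endpoint.

Per-IP limits do not help against an attacker who rotates IPs, so the two
limits here are keyed on the destination number and the destination country.
All tables and thresholds below are constructed sample values.
"""
from collections import defaultdict, deque
from typing import Optional, Tuple
import re

E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed sample: country calling codes this hypothetical service ships to.
ALLOWED_COUNTRY_CODES = {"1", "44", "49"}

# Constructed sample prefix table used for longest-prefix matching.
KNOWN_COUNTRY_CODES = {"1", "44", "48", "49", "81", "995"}


def country_code(number: str) -> Optional[str]:
    """Return the country calling code of an E.164 number, or None if unknown."""
    if not E164.match(number):
        return None
    digits = number[1:]
    for length in (3, 2, 1):
        if digits[:length] in KNOWN_COUNTRY_CODES:
            return digits[:length]
    return None


class OtpSendGuard:
    """Sliding-window limits per destination number and per destination country."""

    def __init__(self, per_number_limit=3, per_number_window=600,
                 per_country_limit=50, per_country_window=60):
        self.per_number_limit = per_number_limit
        self.per_number_window = per_number_window
        self.per_country_limit = per_country_limit
        self.per_country_window = per_country_window
        self._by_number = defaultdict(deque)
        self._by_country = defaultdict(deque)

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        # Drop timestamps that fell out of the window.
        while q and q[0] <= now - window:
            q.popleft()

    def check(self, number: str, now: float) -> Tuple[bool, str]:
        """Decide whether a send to `number` at time `now` may proceed."""
        cc = country_code(number)
        if cc is None:
            return False, "malformed-number"
        if cc not in ALLOWED_COUNTRY_CODES:
            return False, "country-not-allowed"
        q = self._by_number[number]
        self._prune(q, now, self.per_number_window)
        if len(q) >= self.per_number_limit:
            return False, "per-number-limit"
        c = self._by_country[cc]
        self._prune(c, now, self.per_country_window)
        if len(c) >= self.per_country_limit:
            return False, "per-country-limit"
        q.append(now)
        c.append(now)
        return True, "ok"


def simulate_burst(guard: OtpSendGuard, numbers, start=0.0, step=0.1) -> dict:
    """Replay a constructed burst (one request per number) and tally verdicts."""
    tally = defaultdict(int)
    t = start
    for n in numbers:
        _, reason = guard.check(n, t)
        tally[reason] += 1
        t += step
    return dict(tally)


if __name__ == "__main__":
    guard = OtpSendGuard()
    # Constructed burst: 200 distinct UK numbers in 20 seconds, as a script
    # rotating IPs would produce. The country velocity cap trips after 50.
    burst = [f"+4470000{i:05d}" for i in range(200)]
    print(simulate_burst(guard, burst))
```

The per-number limit stops endless resends to one premium number; the per-country limit catches a script spraying a whole range of fresh numbers, which no per-number rule can see. In a real deployment the country cap should be set from observed legitimate volume for each country rather than one constant.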



Which seems like a super easy fix for Twilio to implement. Don't allow SMS to premium rate numbers.

If they can identify the premium numbers for billing, they should be able to identify them for blocking.


Down thread someone pointed out that their API allows you to set a max price:

https://www.twilio.com/blog/2015/08/introducing-max-price.ht...

Apparently a lot of people could really use that info.
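As an added example (not code from this thread or from Twilio), the following wrapper refuses to submit an SMS without a per-message price ceiling, which is the control the linked post introduces. It assumes the `max_price` keyword that Twilio's message-creation API accepts and simply forwards it to whatever client object it is given; the client here is a stub so the example runs offline, and the per-country rate table is constructed sample data, not Twilio's price list.

```python
"""Added example: never send an SMS without a max_price ceiling.

Assumes the `max_price` keyword on message creation (Twilio's documented
option). The rate table is constructed sample data; the client is a stub.
"""
from decimal import Decimal

# Constructed sample: expected outbound SMS price (USD) per destination
# country code, as a deployment might load from its own configuration.
EXPECTED_RATE_USD = {
    "1": Decimal("0.0079"),
    "44": Decimal("0.04"),
    "49": Decimal("0.0775"),
}


def price_ceiling(number: str, headroom=Decimal("1.25")):
    """max_price for this destination, or None when no rate is known.

    headroom leaves room for ordinary rate fluctuation; a premium-rate
    destination costing several times the normal rate still fails the cap.
    """
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        rate = EXPECTED_RATE_USD.get(digits[:length])
        if rate is not None:
            return (rate * headroom).quantize(Decimal("0.0001"))
    return None


class SendRefused(Exception):
    """Raised when a message would be sent with no price cap."""


def send_otp(client, to: str, from_: str, body: str) -> dict:
    """Submit the message with a ceiling, or refuse if none can be derived."""
    ceiling = price_ceiling(to)
    if ceiling is None:
        raise SendRefused(f"no known rate for {to}; refusing to send uncapped")
    return client.messages.create(to=to, from_=from_, body=body,
                                  max_price=float(ceiling))


class _StubMessages:
    """Stand-in for the client's messages resource (records the call)."""

    def __init__(self):
        self.calls = []

    def create(self, **kwargs):
        self.calls.append(kwargs)
        return {"status": "queued", **kwargs}


class StubClient:
    """Offline stand-in for a real messaging client (constructed for the example)."""

    def __init__(self):
        self.messages = _StubMessages()


if __name__ == "__main__":
    client = StubClient()
    print(send_otp(client, "+15555550123", "+15555550100", "Your code is 123456"))
    try:
        send_otp(client, "+995555000000", "+15555550100", "Your code is 123456")
    except SendRefused as e:
        print("refused:", e)
```

The refusal path is the important one: a destination with no known rate is exactly where an unexpected charge would otherwise land, so the safe default is to not send at all rather than to send without a cap.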


Why is this not set to zero dollars by default?!?

I agree with other comments here. $0 is the minimum amount people should be willing to pay if they're not disputing charges or reporting fraud to the credit card networks / regulators.

Time is money, after all.


No idea. I think there's a real problem with the whole design of premium numbers because I'm not sure how one is even supposed to know when payment is required or meaningfully accept it, though at least the API apparently allows this.


FWIW, I do think $0 might make a sane default, but you do understand that the user would have to change it from $0 before they could use the account, right? The whole point of using Twilio to send an SMS is because you wanted the SMS to actually be sent, which means you are going to have to pay for the SMS, and SMS is always stupidly expensive.


Even normal phone numbers have a (low) price that varies by country and can change over time, so what would the default be?


I wonder if this is why I don't get SMS OTP from some apps when I'm abroad and roaming...


AFAIK the sender shouldn't have to pay more just because you are roaming. That's between you and your provider.


I would imagine there are rules/regulations about a SMS provider blocking communications before fraudulent behavior is determined? Not saying it shouldn't/couldn't be done, but probably one of those things with a simple tech fix but a complicating social/business aspect.


It could be an option in the API call with a default in account settings. I bet most people who are trying to reduce spam accounts by requiring a phone number would actually prefer to exclude these numbers anyways.


Surely not if the customer _explicitly requests_ that the communications are blocked? IIRC in Aus it was possible to have your provider block messages to premium rate numbers back in the days when it was popular to buy ringtones.


It isn't just as simple as 'premium rate numbers'.

Some of the criminals behind these attacks will have access to the phone network. They'll pick an expensive route, like a range of phone numbers in Georgia (the country) from the USA, and offer a cheaper route to it. The system will start using their route for those calls. They'll accept all calls to that route, get paid, and never actually connect any calls.

That gives them a range of "normal" phone numbers which helps them avoid throttling on just one number. But they can be just as expensive as premium numbers to call.

At least, this is how it was explained to me as my team fought these attacks a couple years ago. We'd see calls to a large range of a few thousand numbers. Couldn't throttle on a single number.
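As an added example (not code from the comment above or from that team), here is how the pattern it describes, calls spread over a few thousand numbers under one prefix with none of them ever connecting, can be flagged from a batch of call records. It groups attempts by destination prefix and computes the two standard telecom quality metrics, ASR (answer-seizure ratio) and ACD (average call duration); a prefix with many distinct destinations and almost no answered calls is flagged. The records and their field names are constructed for this example, not any switch's real CDR format.

```python
"""Added example: flag a destination prefix with many distinct numbers and
near-zero answer rate, the shape of the attack described in the comment.

Records and field names are constructed sample data, not a real CDR format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class CallRecord:
    dest: str               # E.164 destination number
    connected_seconds: int  # seconds of connected audio (0 if never answered)
    answered: bool


def prefix_stats(records: Iterable[CallRecord], prefix_len: int = 7) -> dict:
    """Aggregate attempts, distinct destinations, talk time and answers per prefix."""
    stats = defaultdict(lambda: {"attempts": 0, "distinct": set(),
                                 "connected_seconds": 0, "answered": 0})
    for r in records:
        s = stats[r.dest[:prefix_len]]
        s["attempts"] += 1
        s["distinct"].add(r.dest)
        s["connected_seconds"] += r.connected_seconds
        s["answered"] += int(r.answered)
    return stats


def suspicious_prefixes(records: Iterable[CallRecord], prefix_len: int = 7,
                        min_distinct: int = 20,
                        max_asr: float = 0.05) -> List[Tuple[str, int, float, float]]:
    """Return (prefix, distinct_numbers, ASR, ACD) for prefixes that look like
    a range being sprayed rather than real call traffic."""
    flagged = []
    for prefix, s in prefix_stats(records, prefix_len).items():
        distinct = len(s["distinct"])
        asr = s["answered"] / s["attempts"]
        acd = s["connected_seconds"] / s["answered"] if s["answered"] else 0.0
        if distinct >= min_distinct and asr <= max_asr:
            flagged.append((prefix, distinct, round(asr, 3), round(acd, 1)))
    return sorted(flagged)


# Constructed sample: 300 distinct numbers in one foreign range, none answered,
# mixed with ordinary traffic to 40 US numbers that mostly connect.
SAMPLE = (
    [CallRecord(f"+99532{i:06d}", 0, False) for i in range(300)]
    + [CallRecord(f"+1415555{i:04d}", 60 if i % 10 else 0, bool(i % 10))
       for i in range(40)]
)

if __name__ == "__main__":
    for prefix, distinct, asr, acd in suspicious_prefixes(SAMPLE):
        print(f"{prefix}: {distinct} distinct numbers, ASR={asr}, ACD={acd}s")
```

Throttling by prefix, rather than by single number, is what this enables: once a prefix is flagged, outbound attempts to the whole range can be held for review instead of each number getting a fresh allowance.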


I think you're conflating toll bypass fraud with IRSF. A grey route that never delivered any calls or only a fraction of them would have bad ACD numbers and people would not use that route. With hacked Asterisk/FreePBX boxes people usually call the international numbers described in OP and split the termination fee with some corrupt carrier/intermediary. There is a related fraud where people use the hacked Asterisk/FreePBX boxes to terminate calls, which from what I understand these actually have pretty good quality until the unwitting owner gets a $40,000 phone bill and shuts everything off. Traditional toll bypass fraud is when countries are expensive to call internationally but have cheap local calls, so people in those countries buy a bunch of sim cards, put them in a box with a bunch of gsm modems, and use those to basically "convert" an expensive international call to a cheap local call (and profit the difference between the two rates).

Edit: Oh, you're talking about number hijacking. I think they usually aren't offering termination services though, usually it goes hand in hand with the kind of fraud described in the OP.


> Traditional toll bypass fraud is when countries are expensive to call internationally but have cheap local calls, so people in those countries buy a bunch of sim cards, put them in a box with a bunch of gsm modems, and use those to basically "convert" an expensive international call to a cheap local call (and profit the difference between the two rates).

Is this really fraud? Is it fraud to offer any VOIP service, or only when it can connect to the phone network, like Skype?

I guess I could see how it might be against the T&C's of the telecom company, to offer a service that undercuts them, but hardly a criminal act of deception.


I consider it to be relatively harmless but how it is classified depends on the country. India is pretty cheap to call even absent simboxes but they still crack down on the practice for “national security reasons” because it makes tracking people more difficult. The UK (Ofcom) banned them outright for some reason a long time ago but that’s being appealed. In some African countries the laws are pretty vague and do not outright ban them, usually they charge people with “unregistered telecommunications business” or something like that.


Fraud is what the government decides it is, the governments have deemed this to be fraud.

Telecom companies don’t necessarily care about this, it’s often the governments who want to tax incoming international calls as an easy revenue source.


How is this a workable system!? Why would anyone pay them. This seems like fraud on the part of the phone networks for billing for service that was never provided or should have been provided cheaper.


While I don't agree with sanctions, this seems like the kind of time where you just block off a country/exchange entirely if you cannot have the confidence of what things cost to send there.


With AI, you won't be able to tell humans and computers apart anymore.

Anyone with enough determination can execute a sybil attack on any service that doesn't require in-person verification.


Can someone post an example of a premium rate number ?

I am curious if the Twilio 'lookup' API call will identify it as such:

  /usr/local/bin/curl -s -X GET "https://lookups.twilio.com/v1/PhoneNumbers/$number?Type=carrier&Type=caller-name" -u "$accountsid:$authtoken" | /usr/local/bin/jq '.'
... which would be a very fast and simple way to validate a number before you (or your process) use it ...


I don't understand why twilio cannot simply set a flag on their phone company account saying "under no circumstances will we pay for these shenanigans", and why the phone company billing stuff cannot simply block sms messages to such scam accounts.

In particular, email (smtp) to sms gateways exist. Why doesn't twilio just use one of those (and maybe pre-arrange a flat monthly payment to avoid being blocked for going over quota).


> I don't understand why twilio cannot simply set a flag on their phone company account saying "under no circumstances will we pay for these shenanigans", and why the phone company billing stuff cannot simply block sms messages to such scam accounts.

Everyone has the idea "just don't pay for fraud" but in practice it is difficult because there are many different carriers in the typical international call chain, which means to dispute charges you need everyone to agree. Also carriers have long term agreements with each other about billing and it is not as easy to just dispute the charges like you can with a credit card.


> premium rate number costs 10 cents

wut, the absolutely most ordinary (in the realm of single telecom) text costs me ~6.5 cents


You’re talking about the fee your carrier charges for normal texts. These are “premium” charges, meaning the user is charged an extra fee on their bill regardless of their SMS billing plan.


Can I ask where?

I'm in the US and any of the big carriers offer unlimited texting as a baseline, and we have pretty crappy carriers compared to a lot of the world.


In Germany the standard price for an SMS is 9 cents, of which somewhere around 2-3 cents are paid to the recipient's carrier. Unlimited plans are common, but only because nobody texts anymore (same applies for phone calls).


It costs me around 3 cents to send a domestic SMS and 40 cents to send an international one, on an unlimited data 5G plan in Japan.

That said, I don't care, since I literally can not remember the last time I sent an SMS. It must have been years ago.


That makes sense, I guess I forgot that lots of the world effectively moved on from SMS to other messaging/apps.


Maybe on prepaid plans? Been a while since I've heard of SMS costing anything on subscription plan, outside of roaming charges. Mobile Internet effectively cannibalized that income stream for the phone companies.


yea, it's prepaid in Poland. But to be fair, I pay $12 a year for 50GB of data and don't call/text much


> an international country

Hmmmm... haven't encountered that phrase before.



