I spent a lot of time playing cat and mouse with this type of toll fraud in 2022.
1. Rate-limited SMS by number/IP: bypassed by a large number of proxies/VPNs.
2. Added CAPTCHA: bypassed by the attacker manually signing up thousands of accounts (Mechanical Turk?) over months and then iterating over them for login OTP.
3. Identifying what carriers/operators are involved and blocking them ASAP (usually obscure ones).
4. Careful monitoring of SMS send rates and alerting on anomalies to investigate.
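Item 4 in practice, as an added example that is not the commenter's code: a spike-and-concentration check over a constructed SMS OTP send log, flagging a minute in which sends exceed a baseline multiple and cluster on one destination prefix while coming from many distinct IPs (the pattern a per-IP limit misses). The log format, the six-digit "operator prefix" heuristic and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed SMS OTP send log (ISO timestamp, destination in E.164, client IP). Not real traffic.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z +14155550101 203.0.113.10
2022-03-01T10:00:20Z +14155550102 203.0.113.11
2022-03-01T10:00:45Z +442079460001 198.51.100.7
""" + "\n".join(
    # Burst: 12 OTPs in one minute to numbers sharing one prefix, each from a different IP.
    f"2022-03-01T10:05:{i:02d}Z +228900001{i:02d} 192.0.2.{i}" for i in range(12)
)

def parse_log(text):
    """Return (minute_bucket, destination, ip) tuples from whitespace-separated log lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dest, ip = line.split()
        minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H:%M")
        records.append((minute, dest, ip))
    return records

def operator_prefix(dest, digits=6):
    """Rough operator proxy: '+' plus the leading digits (assumption, not a real numbering plan)."""
    return dest[: digits + 1]

def detect_anomalies(records, baseline_per_minute, spike_factor=3, concentration=0.5):
    """Flag minutes whose send count exceeds spike_factor x baseline and report the dominant
    destination prefix plus how many distinct IPs drove the burst."""
    per_minute = defaultdict(list)
    for minute, dest, ip in records:
        per_minute[minute].append((dest, ip))
    alerts = []
    for minute, sends in sorted(per_minute.items()):
        if len(sends) <= baseline_per_minute * spike_factor:
            continue
        prefixes = Counter(operator_prefix(d) for d, _ in sends)
        top_prefix, top_count = prefixes.most_common(1)[0]
        share = top_count / len(sends)
        alerts.append({
            "minute": minute,
            "sends": len(sends),
            "distinct_ips": len({ip for _, ip in sends}),
            "top_prefix": top_prefix,
            "prefix_share": share,
            "concentrated": share >= concentration,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), baseline_per_minute=3):
        print(alert)
```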
Good advice. By the way, the reason CAPTCHA didn't stop it is that reCAPTCHA is $2 per 1000 solves on 2captcha.com (or any other solving service); at $0.02 per SMS, this only lowers their profitability by 10%.