
Huge problem we see at my current company, Stytch (https://stytch.com/). Toll fraud/traffic pumping can result in huge costs, mid thousands to millions per year.

One thing that surprised me a lot to learn, and is covered in the article, is that the primary bad actor is the telecom provider! I had no idea that the telecoms were sharing revenue with hackers that found unprotected SMS channels and exploited them. A really wild thing.

We have a bunch of built-in protection against SMS toll fraud for our OTP product, as well as more in-depth fingerprinting tools if your app ever runs into this problem. When you get that first surprise bill from Twilio, give us a shout and we can help!




The wild thing about this is that this isn't just a B2B fraud, but regular joes are hit with it as well and regular operators don't care.

My phone got stolen in Naples last year, just as I was about to board my plane. It was 11PM, so when I called my boss from my gf's phone he decided to block the number the next morning as he was in bed already. By the time the SIM was blocked, 10 hours had passed, and thieves had managed to place over 100 hours of very expensive toll calls to numbers in Algeria. It cost the company over 10k, and our operator was not willing to accept any responsibility over it. Admittedly, I turned off the PIN lock because my phone at the time would overheat and restart multiple times a day, but operators really should have lockouts on foreign payphone numbers, especially once they're being placed faster than a human can dial them.


That's terrible!

Rate limits and billing limits should definitely be included, even on personal numbers.


I tend to disable premium services in my billing when available, and/or the provider will mention that they're just not available on my service.

Although (fraudulent) CLI overstamping is still a mess here (Australia, and probably everywhere else) despite attempts to fix it with industry code.


> Admittedly, I turned off the PIN lock…

You gave the operator an out. While this shouldn’t prevent remedy, in some cases it will.


The Prophet wrote years ago in 2600's Telecom Informer column that there were solutions to telemarketing calls/spam, but the phone network operators liked the profit and didn't want to solve this problem for their customers.


I'd definitely believe it. My impression is that the problem is tough for providers but the incentive alignment is unfortunately broken.


Happened to us as well a while back. We tracked originating IPs to the same telco that was sending SMS to their own numbers through our platform. I couldn't believe it.
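The rate and billing limits suggested a few comments up, together with the pattern this comment describes (a burst of OTP sends concentrated on one carrier's number block, traced back to one origin), as an added example that is not part of this thread and not code from Stytch, Twilio or any commenter. It guards an outbound SMS OTP endpoint with three checks: a per-source-IP velocity window, a per-destination-block velocity window (sequential numbers in one block are the traffic-pumping signature), and a daily spend cap per destination country. The thresholds, the country-code table and every sample request are constructed for illustration.

```python
"""Velocity and spend caps for an outbound SMS OTP endpoint.

Added example for this thread; not code from Stytch, Twilio or any commenter.
Thresholds, the country-code table and all sample requests are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed country-code table; a real deployment would use a numbering-plan feed.
COUNTRY_CODES = {"+1": "US", "+44": "GB", "+213": "DZ"}


@dataclass(frozen=True)
class SendRequest:
    ts: float        # seconds since epoch
    source_ip: str   # client that requested the OTP
    dest: str        # E.164 destination number
    cost: float      # expected carrier charge (USD) for this destination


@dataclass(frozen=True)
class Limits:
    per_ip_max: int = 5             # allowed sends per source IP within the window
    per_prefix_max: int = 5         # allowed sends per destination number block within the window
    window_s: float = 600.0         # sliding window length (10 minutes)
    prefix_len: int = 8             # "+2135510" style block: country code plus carrier range
    daily_budget_usd: float = 50.0  # spend cap per destination country per UTC day


def country_of(dest):
    """Return the country for an E.164 number via longest-prefix match (constructed table)."""
    for code in sorted(COUNTRY_CODES, key=len, reverse=True):
        if dest.startswith(code):
            return COUNTRY_CODES[code]
    return "UNKNOWN"


class TollFraudGuard:
    """Decides allow/block per request; state is kept in memory for the example."""

    def __init__(self, limits=Limits()):
        self.limits = limits
        self.by_ip = defaultdict(deque)      # source_ip -> timestamps of allowed sends
        self.by_prefix = defaultdict(deque)  # number block -> timestamps of allowed sends
        self.spend = defaultdict(float)      # (country, day) -> USD already committed

    def _trim(self, window, now):
        # Drop timestamps that have fallen out of the sliding window.
        while window and now - window[0] > self.limits.window_s:
            window.popleft()

    def check(self, req):
        """Return (allowed, reason). Only allowed sends consume velocity or budget."""
        lim = self.limits
        ip_window = self.by_ip[req.source_ip]
        prefix_window = self.by_prefix[req.dest[:lim.prefix_len]]
        self._trim(ip_window, req.ts)
        self._trim(prefix_window, req.ts)
        if len(ip_window) >= lim.per_ip_max:
            return False, "ip_velocity"
        if len(prefix_window) >= lim.per_prefix_max:
            return False, "prefix_velocity"
        day_key = (country_of(req.dest), int(req.ts // 86400))
        if self.spend[day_key] + req.cost > lim.daily_budget_usd:
            return False, "country_budget"
        ip_window.append(req.ts)
        prefix_window.append(req.ts)
        self.spend[day_key] += req.cost
        return True, "ok"


def run_scenario(requests, limits=Limits()):
    """Feed requests in order; return a list of (dest, allowed, reason) decisions."""
    guard = TollFraudGuard(limits)
    return [(r.dest,) + guard.check(r) for r in requests]


def summarize(decisions):
    """Count decisions by reason, e.g. {"ok": 8, "ip_velocity": 3}."""
    counts = defaultdict(int)
    for _, _, reason in decisions:
        counts[reason] += 1
    return dict(counts)


# --- Constructed sample traffic ---
T0 = 1_700_000_000.0
# Ordinary users: distinct IPs, distinct numbers, cheap destination.
LEGIT = [SendRequest(T0 + i * 30, f"198.51.100.{i}", f"+1415555{1000 + i:04d}", 0.0075) for i in range(3)]
# One client requesting codes for eight sequential numbers in a single DZ block.
PUMPING = [SendRequest(T0 + 100 + i * 5, "203.0.113.7", f"+2135510000{i:02d}", 0.25) for i in range(8)]
# Distinct clients and distinct blocks in one high-cost country: only the spend cap catches it.
SPREAD = [SendRequest(T0 + 200 + i, f"203.0.113.{50 + i}", f"+21366{i}000000", 0.25) for i in range(6)]

if __name__ == "__main__":
    print(summarize(run_scenario(LEGIT + PUMPING)))
    print(summarize(run_scenario(SPREAD, Limits(daily_budget_usd=1.0))))
```

The spend cap is the only check that fires when the pumping is spread across many origins and many blocks, which is why a per-country daily budget belongs beside the velocity rules rather than instead of them; blocked requests deliberately do not consume budget, so a burst of rejected sends cannot lock out legitimate users for the rest of the day.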


WOW. I haven't ever seen a telco sending to themselves, that is so bold and in such bad faith.



