Two-Factor Authentication (2FA) gained widespread adoption due to its effectiveness in addressing the limitation of traditional password-based security measures. 2FA provides an additional layer of security by requiring users to provide not only a password but also a second, time-sensitive code, often sent via text messages.
However, the very channel intended for bolstering security has itself become susceptible to fraudulent exploitation. In this digital age, one big challenging of operating at a global scale, is the increased exposure to fraud.
In this post, we will address the risk of exposing a phone number input field to receive a one-time passcode (OTP) and what measures you can take to fight back.
SMS Pumping
This attack intends to make money out of vulnerabilities exposed by any mechanism that allows attackers to inflate SMS traffic. In some cases a mobile network operator (MNO) is complicit in the scheme and has a revenue sharing agreement with the fraudsters.
There are also cases where bigger mobile network operators (MNO) pay smaller MNOs for subscribers and traffic. Fraudsters can create fake companies that promise huge amounts of traffic to these smaller operators. They take advantage of this situation and send text messages to a range of numbers controlled by an MNO to get a share of the generated revenue.
You are likely to see this happening with smaller MNOs which may not care where the traffic is coming from nor implement any measures to stop it, ultimately ending up supporting the fraud. Hence, in the absence of adequate controls, malicious actors can artificially amplify traffic by capitalizing on vulnerabilities inherent in a website or application.
To determine if you are being the target of an SMS Pumping attack, you will see an increased number of messages sent to a block of adjacent numbers (eg. +1....0, +1....1, +1....2, +1....3) controlled by the same MNO. If you're using text messages for OTP, you will likely not see a completed verification cycle too.
Let's take a look at some mechanisms you can implement to minimize or even prevent this kind of attack.
Request opt-in
Before start sending messages to a phone number, you should always request permission from the recipient. In Notificare, this can be done by requiring verification when you create a phone number. Recipients should opt-in before being eligible to receive any further messages.
Detect Bots
When you expose a form that is able to collect input like a phone number that ultimately generates a text message, you should implement libraries like botd or CAPTCHA that can help detect and deter bot traffic. Most SMS Pumping attacks are performed by automated scripts that can easily be neutralized by implementing these mechanisms.
Don't make it easy
To start sending OTPs via text messages, you should always require users to verify their account via other channels (eg. email). This introduces a small amount of friction for legitimate users but will make it much harder for attackers.
Geo restrictions
If your business only offers services in certain countries, you should prevent creating phone numbers in countries where you don't operate. In Notificare, you can also make sure you only send messages to a list of countries you choose.
If you do offer services globally, and have data on the number of verifications you'd expect per day in a given country, you can implement rate limits on groups of countries, allowing relaxed rate limits in countries where you expect legitimate traffic, and more restricted limits in all other countries.
Block Carriers
Sometimes you simply just want to block MNOs when you see abuse being done on a mobile number range. You could create a block list of carriers and validate phone numbers before storing them.
With Notificare, you can use our GET /sms/info/number/:number endpoint to get information about a phone number's carrier.
Although this endpoint has additional costs, it can help prevent abuse on a granular level.
Rate Limiting
Rate limiting works by imposing restrictions on the number of requests a user or an application can make within a specific time period. Make sure your forms don't allow more than 1 message per X seconds to the same mobile number range, prefix or IP address.
You can use popular CDNs like Cloudflare and CloudFront or implement modules in your web server like Nginx and Apache for basic rate limiting.
Exponential Delays
Similar to rate limiting, incorporating exponential delays between requests sent to the same phone number represents an effective approach in averting sudden surges in traffic resulting from deceitful activities.
Monitor OTP conversion rates
When you offer 2FA via text messages at a global scale, you should monitor the conversion rate of one-time passcodes (used OTPs / sent OTPs). You can then consider blocking countries or carriers when these conversion rates drop significantly.
IP & VPN detection
Analyze IP location, IP owner (ISP/proxy/TOR/cloud provider), and IP addresses against a bad reputation list (there are many services out there) and block TOR/Cloud Providers/proxies/bad IPs.
Additionally, while there are legitimate use cases for VPNs, attackers will likely use one to bypass simple IP address blocking and this is a signal that something might be awry. There are also a lot of solutions for VPN detection out there to choose from.
Conclusion
It is time to stop attackers on their tracks! Employing such mechanisms has the potential to yield significant cost savings for organizations. While no solution can offer an absolute assurance of 100% effectiveness against highly sophisticated attackers, the onus remains on you to fortify your application in a way that maximally deters their exploitation of vulnerabilities.
And if you suspect of fraud while using our SMS service, don't hesitate and reach out as soon as possible.