Industry experts have warned of a growing risk to corporate profits from so-called SMS pumping scams, which abuse one-time password (OTP) generation to make money for cyber-criminals.
The scale of the threat was highlighted by Elon Musk last month when he claimed that Twitter is getting “scammed” to the tune of $60m per year by fake two-factor authentication (2FA) SMS messages.
While the cybersecurity industry focused on his response – to withdraw text message-based OTPs for non-subscribers – the real issue remains unaddressed, according to Henry Cazalet, director of TheSMSWorks.
“Small businesses and startups are particularly vulnerable to SMS pumping fraud. They are less likely to have the resources required to make their web forms more secure,” he told Infosecurity.
“In the interests of speed and keeping costs down, they are often prepared to cut a few corners, which leaves their service vulnerable to ambush by the fraudsters.”
To carry out an SMS pumping campaign, a fraudster typically signs up to a service or account that requires 2FA, or that otherwise generates an OTP or link for the user for security/authentication. If the web form doesn’t have enough controls built in, the attacker can enter premium-rate numbers, so that each message sent generates funds for them and the relevant mobile network operator (MNO).
Sometimes MNOs are party to the scams and sometimes the fraud is perpetrated without their knowledge. Bots are typically used to generate large profits for the fraudsters.
Also known as “artificially generated traffic” (AGT) or “SMS OTP fraud,” the scams account for as much as 6% of all SMS traffic and 10% of revenue, according to Lanck Telecom.
The firm’s research found that for some major brands, as much as 30-60% of overall mobile traffic may be AGT, and for some networks it can reach 80%.
TheSMSWorks said there are several tell-tale signs that a web form is being abused by scammers:
- A sharp increase in web traffic and auto-generated SMS messages
- Large text volumes being sent to unusual countries
- Texts triggered to batches of numbers in numerical order
- Web forms left partially unfilled by bots
“There are a few relatively simple measures that organizations can take to reduce the risk,” advised Cazalet.
“Disable SMS OTPs from countries where you don’t operate. Set rate limits on the number of SMS that can be sent to any range of mobile numbers, and detect and discourage bots. Also, identify and monitor spikes in SMS OTP traffic levels.”