Today I will be sharing an attack in the SMS area named SMS pumping. So, what is SMS pumping? It is a type of fraud where attackers use a single phone number or a range of phone numbers to flood a service provider with OTP requests (other SMS-triggering scenarios are possible too), which can result in financial losses.
OTP is a common authentication approach in most applications. The OTP is usually sent to the user in an SMS message, but sending SMS is not cheap. If you configure your OTP implementation incorrectly, it can cause financial loss. So how do attackers earn your money via your OTP implementation?
As the diagram shows, an attacker triggers an OTP in the service provider’s app, and the app sends the OTP via its SMS provider. Behind the SMS provider, there is a mobile network carrier. In this fraud, the mobile network carrier has a revenue share agreement with the attacker: the carrier shares its revenue with the attacker if the attacker can get SMS messages sent to a range of numbers that the carrier controls.
This is actually happening in the real world, for example:
Twitter was hit by SMS pumping fraud, which caused financial loss.
https://techhq.com/2023/02/sms-pumping-fraud-take-care-how-you-configure-mfa/
How to mitigate?
Bot detection - Use a bot detection library like CAPTCHA to identify bot traffic.
Rate limit - Set a reasonable rate limit for the OTP API by phone number, IP, and phone number prefix to mitigate bot traffic.
Check phone number type - Only send SMS when the phone number type is a mobile number to avoid sending SMS to a non-mobile number.
Monitoring and alert - Monitor the OTP conversion rate, that is, the number of OTPs sent versus the number of OTPs validated. If the conversion rate is abnormal, trigger an alert for human review.
Exponential delay for Resend OTP - Implement an exponential delay mechanism for resending OTP for the same phone number.
…and more
💡 Leave your comment below to share your thoughts about mitigating SMS pumping.
Wondering content, Roy.
SMS vendors see a lot more SMS traffic around the world across different industries, hence they are also a potential solution provider to SMS pumping fraud by leveraging Machine Learning capabilities with their own network of data. The larger the traffic, the better the detection.
For example, in a solution called Twilio Verify, when Twilio sees a pattern of attack happening at Uber, the same kind of traffic will also get identified and flagged for the other customers to attain a network effect.