Protecting Against The $6.7Bn SMS Pumping Fraud Scam
SMS pump fraud has exploded in recent years thanks to organised crime spotting and exploiting the inherent vulnerabilities of mobile devices. So, if you’re not already familiar with ‘SMS pumping’, it’s worth investigating because the targets are businesses, not end-users.
Also known as ‘Toll Fraud’ and AIT (Artificially Inflated Traffic), this criminal activity takes advantage of businesses who use SMS One-Time Passwords (OTPs) as part of a two-factor authentication (2FA) process for users or employees.
Criminals have been quick to exploit a previously unknown vulnerability in the online account sign-up process. They create hundreds of thousands of fake accounts and insert premium-rate phone numbers into account sign-up forms and send out SMS OTPs, often to remote destinations across the world. The premium rate charges are billed to the business and the fraudsters pocket all the money; the larger the organisation, the higher the traffic and so the harder it is for them to spot this fraudulent activity.
SMS pump fraud is already big business involving a sophisticated network of participants. The Communications Fraud Control Association (CFCA) estimated that, in 2021, its cost was more than $6.7 billion across the world and it’s still growing.
X (Twitter) is one of very few companies to have gone public about this kind of fraud. In January 2023, Elon Musk claimed that Twitter had lost more than $60m to SMS pumping (not including North America) and implicated over 390 different telecoms firms in the fraud.
The involvement of multiple parties highlights just how sophisticated a scam it is. Unscrupulous smaller or virtual mobile network operators are able inflate their traffic, and therefore revenue, on the back of SMS pumping through a revenue share model with the perpetrator.
This kind of fraud is on the rise because legacy technology creates the vulnerabilities that criminals are quick to exploit. Email and SMS are the two most common mediums for identity verification today but they are both fundamentally messaging protocols.
SMS pumping is just another in the line of threats exploiting the shortcomings of a messaging protocol for security.
Neither email and SMS have anything built-into them related to security and identity verification. While an SMS OTP is a convenient way to authenticate a user’s identity, it’s not the best way - the SIM card in our mobile device is a much safer way to do that.
SIM-based verification operates on the basis of something called Silent Network Authentication (SNA). It verifies a mobile phone number directly with the network operator over an encrypted connection. This makes it a secure form of authentication and takes advantage of the ease of a mobile device without risking the vulnerabilities of SMS or email. It’s invisible to the end-user because it happens automatically in the background.
Silent Network Authentication has proven its security credentials; it’s what allows us to make a call on our mobile phone or use it when we switch it on in the morning without needing to identify ourselves. Network carriers use this SIM-based authentication to conduct security checks without interrupting or asking anything of the end-user. Since SNA operates in the background, the vulnerability associated with passwords, pin codes and authenticator app passcodes - and malware - is removed; there’s no room for error and nothing to steal. It can also be used to detect SIM-swaps.
However, SIM-based authentication isn’t the answer to SMS pumping in all situations - it’s ability to protect against this fraud is 100% only in a mobile-first set-up where mobile applications are at play. But in these cases, Silent Network Authentication not only completely removes the threat from scams like SMS pumping, it actually also improves the user experience since the user never leaves the app to be authenticated. And it’s a much cheaper and easier security solution than hardware biometrics.
By accelerating our shift to a ‘mobile-first’ approach we are all better placed to take advantage of newer, smarter approaches to authentication like SNA, helping us to move completely away from the need for passwords and SMS, and our security reliance on messaging protocols. This has an especially big upside in emerging markets like India and Mexico where being mobile-first is already widespread.
While new measures to prevent scams like SMS pump fraud slowly get introduced across the global telecoms industry, Silent Network Authentication presents a simple, secure and quick solution using the existing and secure mobile network infrastructure to bring fraud like this to an end.
This doesn’t mean businesses should be complacent - it’s critical that we scrutinise our network traffic immediately for anomalies and take appropriate action but there is an effective next step for prevention that we can take which is positive for our bottom line and brand.
Paul McGuire is CEO of TruID Image: Andrey Metelev
You Might Also Read:
Mobile Authentication: The Good, The Bad & The Ugly:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible