Including additional layers of security in an application’s authentication process is an important step to secure your users’ accounts. One of the most popular two-factor authentication methods is to use one-time passwords (OTP). Twilio offers multiple products to send OTPs such as Programmable Messaging and Verify.
Fraudsters, however, continue to find novel ways of taking advantage of OTP user flows, resulting in billions of dollars of charges each year at the expense of individual companies. One such method of exploiting OTPs is called SMS Traffic Pumping (otherwise known as SMS Toll Fraud, or Artificially Inflated Traffic). SMS Pumping occurs when fraudsters take advantage of phone number input fields to receive a one-time password, an app download link, or anything else that is used via SMS. The fraudsters send SMS to a set of numbers they control and receive a share of the generated revenue.
There are a few actions that you can take internally to help prevent SMS OTP fraud. For example, you could set rate limits, implement geo-permissions to restrict destination countries, and update your user experience to prevent bots with libraries such as botd or CAPTCHAs.
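The first two of these controls, rate limits and destination-country restrictions, can be applied before a single OTP is sent. The guard below is an added example and not Twilio's code: it allowlists E.164 country prefixes, caps sends per phone number and per source IP over a sliding window, and refuses a source that fans out to many distinct numbers, which is the traffic shape SMS pumping produces. The prefix list, the limits and the request stream are constructed for illustration.

```python
"""Server-side guard for an SMS OTP request endpoint (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical allowlist: E.164 country calling codes this app actually serves.
ALLOWED_PREFIXES = ("+1", "+44", "+49")


@dataclass
class OtpGuard:
    window_s: int = 600               # sliding window length in seconds
    per_number: int = 3               # max OTP sends to one number per window
    per_ip: int = 10                  # max OTP requests from one source IP per window
    distinct_numbers_per_ip: int = 5  # pumping signal: many fresh numbers, one source
    # Each log holds (timestamp, phone) tuples, oldest first.
    _number_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _ip_hits: dict = field(default_factory=lambda: defaultdict(deque))

    def _count(self, log: deque, now: float) -> int:
        """Drop entries older than the window and return what remains."""
        while log and now - log[0][0] > self.window_s:
            log.popleft()
        return len(log)

    def check(self, phone: str, ip: str, now: float) -> str:
        """Return 'allow' or the reason the OTP send was refused."""
        if not phone.startswith(ALLOWED_PREFIXES):
            return "deny:country"
        if self._count(self._number_hits[phone], now) >= self.per_number:
            return "deny:number_rate"
        ip_log = self._ip_hits[ip]
        if self._count(ip_log, now) >= self.per_ip:
            return "deny:ip_rate"
        # A single source requesting codes for many different numbers is the
        # fan-out pattern of pumping, even when each number stays under its cap.
        distinct = {p for _, p in ip_log}
        if phone not in distinct and len(distinct) >= self.distinct_numbers_per_ip:
            return "deny:ip_fanout"
        self._number_hits[phone].append((now, phone))
        ip_log.append((now, phone))
        return "allow"


def replay(events):
    """Run a constructed (timestamp, phone, ip) stream through one guard."""
    guard = OtpGuard()
    return [guard.check(phone, ip, t) for t, phone, ip in events]
```

Denied requests should be logged with their reason so the ratio of `deny:*` to `allow` per country and per source can be charted; a jump in that ratio is an early indicator of a pumping campaign.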
Additionally, you could enable Verify’s SMS Fraud Detection feature. Unlike standard SMS tools, Verify offers built-in fraud detection functionality, an AI-driven solution that leverages our vast network of data to detect and block fraudulent traffic automatically. The unique aspect of Fraud Detection is that it continues to learn as more customers enable the feature: just as fraudsters adapt to circumvent fraud prevention measures, this tool will continue to find and detect new patterns.
Fraud Detection with Twilio
We have seen some recent customers enable the Fraud Detection feature with staggering results – as much as a 35% reduction in daily spend in some cases – and have had conversion rates as much as double for specific countries or regions as a result of blocked traffic.
One question you might have is: will this tool end up blocking SMS OTP traffic to legitimate users in addition to fraudsters?
In statistical parlance, these types of events are known as false positives: when a user is categorized as fraudulent when they are not. The Fraud Detection feature has an extremely low (near zero) tolerance for false-positive events, so the number of real users that are impacted is very small. The end result of this feature is that you get high block rates of fraudulent traffic and minimal impact on your users.
Get started with Verify
If you’re new to Twilio and want to try Verify, it is easy to get started. You can talk to an expert or jump into the code and look at the Verify API documentation. Verify can be used to authenticate users over several different channels with a single API, providing out-of-the-box carrier-approved message templates and locale-specific numbers along with other flexible custom configurations.
If you’re using Twilio’s Programmable Messaging and would like to switch to Verify, learn how to migrate from Programmable Messaging to Verify.
If you’re currently using Authy, learn how to migrate from Authy to Verify.
Michael Piccirilli is a data science leader with a decade of experience in machine learning, statistical methods and software development. He holds a Master’s in Statistics from Columbia University, and has led data science and user experience projects across the traditional finance, crypto, communications, and education industries. You can reach Michael at mpiccirilli [at] twilio.com.