If you haven't done this, set the MaxPrice field when sending SMS with an API provider such as Twilio. The message will fail to send if the cost of the SMS exceeds the price you set.

https://support.twilio.com/hc/en-us/articles/360014170533-Using-MaxPrice-with-Twilio-SMS
The article is describing one type of SMS fraud, but I think Twitter got attacked using SMS Traffic Pumping Fraud. Twilio has the explanation:
https://support.twilio.com/hc/en-us/articles/8360406023067-SMS-Traffic-Pumping-Fraud
I really want to know, why has everyone moved to SMS 2F"A"?

What was wrong with authenticator applications?

Were they really THAT user unfriendly?
Another technology to read up on is Silent Network Auth: https://www.twilio.com/blog/silent-network-authentication-sna-overview#technical-overview

If you operate a mobile app, this allows you to force a data packet over the device’s SIM that the carrier can validate. Platforms like Twilio/Boku have worked with the carriers to provide an API for this.

SMS is completely removed from the process and SMS pumping becomes a non-issue.

Another option that could be mentioned in the article is using WhatsApp for OTP delivery. It’s the de facto messaging app in many countries with sketchy carriers, precisely because people don’t enjoy paying 5 cents per SMS.
I feel like the easiest workaround is to a) not use an email with your name in it for any important login, b) don't use those emails for more than one service, c) use a separate SIM and device for 2FA (Mint Mobile etc.) / banking apps that aren't up to speed with non-SMS 2FA.

It pains me to say this since Bank of America sucks, but their system now supports adding a Yubikey for login, nearly as good as Schwab before they stopped issuing physical TOTP tokens in 2020.
OT: what do people who sign up for a site from their phones or tablets do when the site gives them a QR code to scan to set up TOTP?

I've only ever signed up for such sites from my desktop, so it was easy to use my phone or tablet camera to get the QR code from my desktop's screen.

How do you scan a QR code that is on your phone's screen using your phone?
This makes the assumption that Twitter blocked it due to SMS fraud. While that's a plausible theory, an equally plausible theory is that they were worried about account hijacking and security (and allowed Twitter Blue subscribers to continue to use it in a "you can pay me to be stupid" context), which seems equally plausible.

I take issue with a lot of the assumptions in the article, but this is funny:

> Identify and block premium rate phone numbers, using libphonenumber. Whilst this seems promising, I don’t know how reliable the data and how effective this approach is.

Here's this purpose-built and well maintained* library from Google which does exactly what I want, but I'm not even going to consider it.

* The actual number database has been updated 5x so far this year: https://github.com/google/libphonenumber/commits/master/metadata/metadata.zip
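Putting the MaxPrice cap from the first comment together with the libphonenumber number-type check discussed in this one, here is an added example in Java; it is not code from any commenter, from Twilio or from the libphonenumber project. It assumes the libphonenumber and twilio-java libraries are on the classpath; the 0.05 USD cap, the sender number, the blocked-type list and the two sample recipients are placeholders constructed for the example.

```java
import java.math.BigDecimal;
import java.util.EnumSet;
import com.google.i18n.phonenumbers.NumberParseException;
import com.google.i18n.phonenumbers.PhoneNumberUtil;
import com.google.i18n.phonenumbers.PhoneNumberUtil.PhoneNumberFormat;
import com.google.i18n.phonenumbers.PhoneNumberUtil.PhoneNumberType;
import com.google.i18n.phonenumbers.Phonenumber.PhoneNumber;
import com.twilio.Twilio;
import com.twilio.rest.api.v2010.account.Message;

public class OtpSmsGate {
    private static final PhoneNumberUtil UTIL = PhoneNumberUtil.getInstance();
    // Number types an OTP is never sent to (list chosen for this example): anything
    // billed at a premium, plus numbers the metadata cannot classify at all.
    private static final EnumSet<PhoneNumberType> BLOCKED = EnumSet.of(
            PhoneNumberType.PREMIUM_RATE, PhoneNumberType.SHARED_COST,
            PhoneNumberType.PAGER, PhoneNumberType.UNKNOWN);
    // Per-message price ceiling in USD handed to Twilio as MaxPrice (assumed value).
    private static final BigDecimal MAX_PRICE = new BigDecimal("0.05");

    /** E.164 form of a valid, deliverable recipient, or null if the number must be rejected. */
    static String vetRecipient(String raw, String defaultRegion) {
        try {
            PhoneNumber n = UTIL.parse(raw, defaultRegion);
            if (!UTIL.isValidNumber(n)) return null;                 // malformed or unallocated
            if (BLOCKED.contains(UTIL.getNumberType(n))) return null; // premium-rate style number
            return UTIL.format(n, PhoneNumberFormat.E164);
        } catch (NumberParseException e) {
            return null;                                              // unparseable input
        }
    }

    static void sendOtp(String raw, String defaultRegion, String code) {
        String to = vetRecipient(raw, defaultRegion);
        if (to == null) {
            System.out.println("rejected recipient " + raw);          // count these; spend nothing on them
            return;
        }
        Message.creator(new com.twilio.type.PhoneNumber(to),
                        new com.twilio.type.PhoneNumber("+15005550006"), // placeholder sender number
                        "Your code is " + code)
               .setMaxPrice(MAX_PRICE)   // carrier price above the cap: message fails instead of billing
               .create();
    }

    public static void main(String[] args) {
        Twilio.init(System.getenv("TWILIO_ACCOUNT_SID"), System.getenv("TWILIO_AUTH_TOKEN"));
        sendOtp("+1 900 555 0100", "US", "123456");  // constructed US premium-rate (900) number: rejected
        sendOtp("+1 415 555 0100", "US", "123456");  // constructed ordinary number: sent under the cap
    }
}
```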
How is this even possible? Must be the USA, right?

In Finland, non-standard numbers must start with different numbers, so it's easy to block them as invalid.
Fraud requires that someone make a misrepresentation. Who makes a misrepresentation when SMS fraud is committed? What is the misrepresentation?

Is there any chance that this isn’t actually fraud and that companies who send out tons of text messages to any number a person specifies are just paying for their extraordinarily poor design?