We're experiencing daily Twilio OTP attacks that create accounts. We block IPs and have throttled the rate of account creation. But other than running up our bills (~$10 / day), I don't understand what they gain from this. Why are they doing this? What am I missing?
Most likely this is being abused for SMS pumping fraud where rogue network providers/small providers complicit in fraud use the traffic to generate revenue.

- https://support.twilio.com/hc/en-us/articles/8360406023067-SMS-Traffic-Pumping-Fraud
If your business is local, maybe limit the accepted numbers to a specific area or country.

Otherwise try to understand if they're automating account creation or are they doing it manually? Maybe a captcha/Turnstile during sign-up can slow them down?

Anyway, Twilio really dropped the ball on this problem, but why should they care as long as it keeps making them money?
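
The country restriction and throttling suggested in this thread, sketched as a check that runs before any SMS is sent. This is an added example, not code from the posters or from Twilio; the class name, thresholds, the `+1` allowlist and the choice to throttle per block of adjacent numbers rather than per IP are all assumptions, and the phone numbers are constructed.

```python
import re
import time
from collections import defaultdict, deque

# Assumed policy values for this sketch; tune them to your own traffic.
ALLOWED_PREFIXES = ("+1",)  # calling codes served (note: +1 spans many countries)
BLOCK_DROP = 2              # ignore the last 2 digits: 100 adjacent numbers = 1 block
MAX_PER_BLOCK = 3           # OTP sends allowed per block per window
WINDOW_SECONDS = 3600

E164 = re.compile(r"^\+[1-9]\d{7,14}$")


class OtpGate:
    """Decide whether an OTP SMS may be sent, before calling the SMS provider."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sends = defaultdict(deque)  # number block -> recent send timestamps

    def check(self, raw_number):
        # Normalise common separators, then require strict E.164.
        number = re.sub(r"[\s\-().]", "", raw_number)
        if not E164.match(number):
            return False, "invalid_format"
        if not number.startswith(ALLOWED_PREFIXES):
            return False, "country_not_allowed"
        # Throttle per block of adjacent numbers, so rotating IPs or stepping
        # through sequential numbers does not reset the limit.
        block = number[:-BLOCK_DROP]
        now = self._clock()
        window = self._sends[block]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_PER_BLOCK:
            return False, "block_rate_limited"
        window.append(now)
        return True, "ok"


if __name__ == "__main__":
    gate = OtpGate()
    # Constructed sign-up attempts: one foreign number, then adjacent numbers.
    for n in ["+44 7700 900123", "+1 (202) 555-0101", "+12025550102",
              "+12025550103", "+12025550104"]:
        print(n, gate.check(n))
```

Rejections from `check` are also worth logging with their reason: a burst of `block_rate_limited` or `country_not_allowed` results is a usable signal that pumping traffic is hitting the sign-up form.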