How SMS fraud works and how to guard against it (apuchitnis.substack.com)
206 points by apuchitnis on Feb 28, 2023 | hide | past | favorite | 105 comments


If you haven't done this, set the MaxPrice field when sending SMS with an API provider such as Twilio. The message will fail to send if the cost of the sms exceeds the price you set.

https://support.twilio.com/hc/en-us/articles/360014170533-Us...


Founder of https://www.plivo.com here. We have seen similar patterns of fraud on our customers, primarily in the international markets outside the US & Canada. It typically happens on repeating number ranges that are sometimes not even in service. The MaxPrice approach did not work well in our experience, as it would lead to just blocking certain destinations completely. Alternatively, what we found worked better was to have geo-permission-related options where customers could block destinations that are never used at a network level, and additionally introduce rate limits for those networks, so it's not open to an attack. Plivo's console screenshot here: https://www.dropbox.com/s/kbw3l0oyw7fcjmr/plivo_console_sms_...


You can also use geo-permissions to block delivery to certain countries: https://console.twilio.com/us1/develop/sms/settings/geo-perm...


author here: awesome, thanks for sharing this pg_bot! :)


What would be the reasonable value to set MaxPrice to?


That's up to you; Twilio's pricing varies from country to country. US is less than a penny per text; Russia is $0.70 each. Set according to your needs.


Depends on where you send SMS. Ten cents should cover most of the world, but there will be exceptions.


Does anyone know of a good maximum price cutoff to use for SMS that would allow most non-fraudulent messages while blocking expensive fraudulent ones?


How is this fraud?

If you require me to use SMS (deprecated), you are doing me a disservice and you should pay for the consequences.

Use e-mail. It's free, works across countries, across SIM cards, allows for alphanumeric IDs, and is decentralized and not controlled by telcos.


> Use e-mail. It's free

And the email that my service sends you so that you can complete registration will land straight in spam where you won’t find it.

I’ll stick to SMS for activating accounts.


I don't receive SMS, so I won't find that either. It's dated tech and I deprecated it 10 years ago.

Also, we're SIM-swapping global nomads now, not some potatoes that sit on a couch in one country all year long. Phone numbers don't work anymore.


You may be in the minority here. As you are the only one inconvenienced, it also seems like a reasonable decision.


I think we're talking about all of Gen Z, not just me


Some folks build (or use) telecommunication systems that work for (cell) phones. Believe it or not, but to receive a notification via text message nobody needs to install any apps or even have a smartphone and/or internet access :)


It's still mostly used for malicious tracking. In many countries you have to use your identity to get a phone number, and SMS verification exploits this to track users.


Never heard of getting a convenience store burner phone for cash?


This is not possible in most EU markets; KYC is mandatory and even prepaid SIM cards must be registered and verified with ID before the SIM is used for data or calls. Old SIMs without registration were blocked until they were registered. Some exceptions may exist, but this will get harder and harder in future.


The article is describing one type of SMS Fraud, but I think Twitter got attacked using SMS Traffic Pumping Fraud. Twilio has the explanation https://support.twilio.com/hc/en-us/articles/8360406023067-S...


Ah yep - the one I describe is the same as the one Twilio discuss.


I really want to know, why has everyone moved to SMS 2F"A"?

What was wrong with authenticator applications?

Were they really THAT user unfriendly?


I don't think that folks so much "moved" to SMS 2FA as much as were with it from the start. SMS 2FA is so ingrained in the finance/fintech industry that it's pretty rare for me to see a financial company offer the option to set up an Authenticator 2FA. Also, there is always some part of the consumer population that is still not on a smartphone and even if they are, they may not be "app-savvy" where they know how to install or use an authenticator app. For this reason, I think most finance companies will steer clear of the Authenticator app and go directly for SMS 2FA or worse, email 2FA.


Nobody in my family - parents, kids, spouse - knows what an authenticator app is or would know what to do if presented with that as an option, although my teen could probably figure it out.

For everyone else, it would be a cascading series of installation and password and app switching and immediacy problems. This would create a great deal of frustration, and ultimately a call to family tech support (me) or the service provider if human tech support is an option which is not the case for many companies such as Google and social media firms.


The biggest hurdle to authenticator app adoption for the masses is the one that only bites you a year or more down the road when you get a new phone. If you didn't transfer your seed info over to the new phone before trading in the old one, you are locked out of all your accounts.


For this reason I've kept storage in KeePass and backed it up in more than one place, but admittedly it's possible to lose everything. You need to expose yourself to a little more risk just to mitigate that possibility.

The other issue is that many smartphone owners don't have a computer they would back things up to. Just "cloud".


I finally got my 75-year-old mother to add 2FA/SMS to her online banking account. She calls me (from her landline) every time she tries to login. I have to walk her through the process. We usually have to request a new auth code be sent at least twice. It generally takes 10 or 15 minutes, although, admittedly, half the time is her complaining.

So, yeah, there's no way I could get her to use an Authenticator app. (Also, there's, "...all these apps scare me.", which isn't a bad thing considering the first (and last) app she installed on her Android phone was a malicious 'flashlight' app that kept displaying some sort of crypto ads.)


Have you considered that your mother just uses this as an excuse to talk to you on a regular basis?


Absolutely. And it reminds me of a conversation I had with my grandmother's doctor a few years before she passed:

- How's grandma doing? Is she gonna be okay?

- Well, let me ask you, does she complain much?

- All the time!

- Then grandma's doing fine. It's when she stops complaining - then, it's time to be concerned.


Wait until your mother is 89, like mine! It just gets worse. She is unable to retrieve a text message once it times out off her screen. (She uses a flip-phone.)


> it's pretty rare for me to see a financial company offer the option to set up an Authenticator 2FA

As a data point, USAA (which is not the biggest bank, of course, but it is not tiny either) has supported TOTP for years. There are probably others, but at least some banks support relatively modern security.


My credit union supports TOTP. They also sent me a one time code generator thingy that I can use as a 2nd factor. Trouble is, there's a big link on the login screen that will allow anyone to bypass those options and fallback to SMS or email.


The real meat is in password recovery options.


And the other weak link -- people. My wife had several thousand dollars stolen from her account at USAA because someone called and managed to convince the phone rep to give them the login name and reset the login password. You'd think this kind of request would end up in the security department (where presumably the base level of suspicion is much higher), but nope. Took them six tries to reach a phone rep that would do it. Again, you'd think that multiple consecutive calls and getting denied would cause all future calls to automatically end up in the security department, but nope.

The head security guy at USAA and I had a talk where he explained in some detail how it all went down. He was refreshingly honest, and they didn't balk at getting our funds restored, but still -- humans are often the weakest link when they can defeat all of your security precautions. Probably the bank shouldn't give phone reps that much authority, and always require a dedicated security team response for such unusual situations.


Is email worse? Email for the most part does not require you to enter into an agreement with a predatory or monopolistic phone company, and there are services to generate single use emails that you can segregate between services.


I prefer SMS for 2FA because some authenticator apps get tied to a device.

I'm worried about losing my phone and being locked out.

With SMS, I can show my ID to the Verizon rep, get a new phone, and I'm good to go.


Only downside is the Verizon rep giving your SIM to someone who deepfaked your voice.


Or the T-Mobile rep doing the same for someone who asked nicely with whatever voice and knew a couple relatively-easy-to-find details about you


> With SMS, I can show my ID to the Verizon rep, get a new phone, and I'm good to go.

Which means that anyone else who can fake an ID is good to go with that Verizon rep. Or the rep themselves.

I will always avoid connecting any account to SMS if at all possible, it's the worst of all options.

TOTP is the best, as it is an open standard and doesn't tie you to any device nor any vendor.

> I prefer SMS for 2FA because some authenticator apps get tied to a device.

No need! Just save the TOTP seed in a safe place such as a computer under your control (i.e. not a phone) or even a piece of paper in a safe.


At least for the Apple ecosystem, 2FA is built into the iCloud Keychain so you can access it from multiple devices. While there are security implications, in general it is a good trade-off that Safari or apps will only offer to auto-fill on the matching site. For the general population it is a far nicer, safer, and faster solution than waiting for the matching SMS code to log in.

The biggest downside is if the site isn't set up correctly it is a long trek into Settings to get the code and it makes the site seem less trustworthy.


Obviously custom non-TOTP authenticators are dumb and not much better than SMS 2FA. I was mainly asking why anyone would opt for SMS (or a custom authenticator app) over just a TOTP authenticator.


2FA works well with the geolocation service SS7 [1,2], so when your text message and OTP code arrives, the firm could also be using SS7 to get your location.

[1] https://en.wikipedia.org/wiki/Signalling_System_No._7

[2] https://web.archive.org/web/20201219144441/https://www.thebu...


Have they? It seems the trend is to support Authenticator apps (i.e. one-time scan a QR code to a TOTP URL that I store on my own device). I haven't seen too many products that support TOTP 2FA but require SMS 2FA.

Some companies do require a phone number to setup an account (because it's the best proxy we have for "one per real person" or "expensive for one person to get many of"), but if they're competent then you can remove it as a 2FA option if you replace it with a TOTP code. [0]

If you ask me, it should be illegal to require SMS 2FA without an opt-out to TOTP. Perhaps relatedly, I'm also curious about the percentage of Twilio revenue from 2FA messages.

[0] RANT: Google, in typically creepy fashion, makes it difficult to enable TOTP without first either providing a phone number, or downloading a Google app to "tap to login!" on your phone. But they do allow you to setup a hardware token, so I found a workaround [1] to configure TOTP without providing a phone number, which is (perhaps ironically) to use Chrome DevTools to create a virtualized WebAuthn device and add it as a hardware token 2FA option. Then it's possible to setup TOTP and remove the virtualized device, leaving you with only TOTP 2FA and no com.google apps begging you for entitlements on your phone.

[1] https://superuser.com/a/1759306


> It seems the trend is to support Authenticator apps

Oh, I wish that were true for financial institutions. But for my sample size of 3 credit unions, 1 large bank, and 1 brokerage, only one (small CU) supports TOTP. All the others have SMS as the only, mandatory 2FA. It drives me crazy how backwards that is.


People lose their phones and then your authenticator app doesn't work anymore, even if you restore from backup. And then the recovery mechanism is often a giant pain.

Yes, that's pretty user unfriendly.

It's a lot more common to lose your phone than lose your phone number.


I'd say that upgrades are the pain point. Every time I upgrade my phone the dread of sorting authenticator apps is real.


There are numerous tools, Google Authenticator and Authy for example, that protect against this by securely storing the keys. In fact, I would venture to say that MOST users of authentication apps are using ones that provide a backup in case the phone is lost.


No, Google Authenticator does not securely store keys anywhere but your physical phone. If you lose your phone, they're gone.

The only thing it provides is a way to export from one device to another, but that requires having the first device still with you. [1]

On the other hand, yes fortunately Authy does provide cloud backups. But your average end user generally doesn't have the slightest idea of why they should use one authenticator app over another. Expecting them to do the research to figure out that they should use Authy over Google Authenticator in case they lose their phone is asking way too much. Again, completely user unfriendly.

[1] https://support.google.com/accounts/answer/1066447


Note that the export on the source device doesn't seem to have any way to actually know whether or not you are actually setting up a new phone. It just makes QR codes with the keys for groups of accounts that Google Authenticator on a new device can scan to import those accounts.

I can't see any reason you couldn't start the export process without having a new phone and take screenshots of the QR codes, then back those screenshots up to some secure place.

You should be able to later use those screenshots to restore those accounts to a new phone without needing to have the old phone.

I don't use Google Authenticator so have not tried this.

While the above should work, I'd recommend saving the QR code for each site when you sign up for TOTP at that site. That way you can easily transfer to any other TOTP authenticator. The Google Authenticator export seems to make QR codes that combine multiple accounts and I'm not sure any other authenticators would know what to do with those.


Yes, in theory that all makes sense.

But in practice it's utterly ridiculous. I already do all this work to store passwords in a password manager.

Now I'm supposed to have an entire separate backup strategy for 2FA that depends on screenshotting QR codes or remembering to save their text equivalents? It's just crazy user-hostile.


> People lose their phones and then your authenticator app doesn't work anymore

Don't ever keep your TOTP seed solely on a phone. Yes, that is asking for trouble. But you can save it in a safe place and then you control it.


Everyone with a cell phone has SMS. It's already set up. And it's recoverable, plus someone else's problem to recover. Add that it's a pretty good universal ID.

I hate SMS 2FA but it makes sense.


My phone recently just died. Only two years old. All my authenticator stuff is gone. SMS is fine, I just move the SIM to a new phone.


Yeah that's the problem - TOTP with a basic app is pretty easy to use, but making sure you're protected from a phone suddenly lost or broken scenario is tougher, and you may not know you need to do it until it's too late. How many people actually store those backup codes properly or go to the trouble to use a third-party app that supports backups and actually do backups?


Just store backup codes, using a 2FA app like authy which can be swapped via SMS defeats the entire point of using 2FA authenticators in lieu of SMS.


Wouldn't most people just use Google Authenticator and have it automagically back up to google's nigh unlimited storage space?

Obviously not something anyone who respects their privacy would subject themselves to, but it seems to me like the easy path leads to these things being backed up.

Obviously if google has your 2FA keys and you were using 2FA keys to log into your google account then you would need to recover your account, but you would be stuck in the same situation as if you had damaged/lost your SIM (e.g. if you lose your phone).


Google Authenticator does not back up TOTP state to Google. In fact, AFAIK, the app does not talk to the internet at all, much less is it associated with a Google account.

You can transfer your Google Authenticator state to another phone. This is accomplished through scanning QR codes -- no data is transferred over a network. This is a relatively new feature; for many years, Google Authenticator refused to provide any way to extract the authenticator state from the phone at all. You literally had to root your phone to get the state out.

It's designed this way because if your TOTP state were backed up to your Google account then it would no longer provide any additional security over Chrome's password manager, which is also backed up to Google. The two factors in "two factor" are supposed to be "something you know" (password) and "something you have" (phone, or security key). In order for the authenticator app to really be "something you have", it has to be hard to copy.


> It's designed this way

It's a bad design then :). I dropped gauthenticator years ago because of the ridiculously user-unfriendly inability to transfer/backup auth codes. What a braindead UX assumption. If you pursue security purity too far, people just won't use it.


You can transfer the state between phones now, they relented on that (a good thing, IMO).

Again, if you want auto backup to the cloud then you might as well just not use 2FA and rely on your password manager alone.

Personally I use hard keys wherever possible. Much better UX (and security) than any authenticator app. Just have to buy and register a few of them so you have backups if one breaks.


You would think that. Actually, Google authenticator does NOT backup codes, although there are other apps that do.


I use Strongbox to backup TOTP in Keepass databases.


TOTP is only needed if you use a very weak password, which shouldn't be a thing with KeePass.


What if your password is leaked from some website’s database or you have a keylogger or someone somehow sees it? Wouldn’t it help then?


Keepass shows passwords as a sequence of masked characters https://keepass.info/screenshots/keepass_2x/main_big.png

If you have a keylogger, it will just steal your TOTP.


That's good for you, is grandma going to do that?


I'm a programmer and when I was told to store backup codes, I saw the site still has a "Forgot Password?" button so I dismissed it as a QUICK way to recovery, Not the ONLY way!

The only one who told me losing backup codes means losing your data forever was my bitcoin wallet. (Ironic)


Because lots of us upgrade phones every couple years, or have dropped a phone and had it break, or get water in it or something.

It's all too easy to realize after the fact you needed to transfer something between the old phone to the new phone to keep the authenticator working. Sometimes that's not available (phone damaged), or don't realize you need it until after you've already sent the phone in for trade in.

So yes, they are user unfriendly.


> Because lots of us upgrade phones every couple years, or have dropped a phone and had it break, or get water in it or something.

This is just a matter of using one of the many TOTP authenticators which allow backups of the keys.

If people drop or lose their phones, do they lose all their contacts, photos, passwords? I bet not. I am pretty sure this is a solved problem by now.

Moreover, even if you do lose the keys, that's what account recovery processes are for.


See what happens to your authenticator app after a factory reset. It is extremely risky to use them for 2FA. SMS always works.

If this is work related authentication and they expect you to use your personal property to run an app, then you're just playing a role as a puppet in their useless security theater. If your employer was serious about security then you'd be issued a dedicated device for auth.


With authenticator apps, if you lose your phone, you lose access to everything. Your life is fucked. With SMS, you just get a new sim (free in my country).

Basically authenticator apps create a much bigger problem than getting hacked, and there's a far greater probability of me losing my phone (has happened before) than getting hacked.


AIUI, EU regulation requires 2FA in finance now, but the 2FA must also confirm details such as a target account and/or amount.

Authenticator apps (at least those that use TOTP/HOTP) can't do that. SMS can. So can card readers but people hate having to carry them around. So we're stuck with SMS.


You can use the app as a second factor. But you’ll need to transfer on your pc


Authenticator apps come with privacy concerns. Right now, Microsoft has no means to collect my location data; they don't have any access to my phone, including my phone's camera. The moment I install Microsoft Authenticator that situation changes. No thanks.


SMS has even more privacy concerns. To be able to receive SMS, the network must know your location. You are also forced to use proprietary firmware for most radio components. SMS is also subject to attacks against the telecom, such as by tricking their staff into producing a new sim card with your number.


> To be able to receive SMS, the network must know your location. You are also forced to use proprietary firmware for most radio components.

These are risks you have just by owning a cell phone, having an authenticator app doesn't change that.

> SMS is also subject to attacks against the telecom, such as by tricking their staff into producing a new sim card with your number.

This is absolutely a legitimate concern, and the lack of security in carrier practices in particular honestly makes me want to avoid 2FA entirely. Fortunately, I've never needed it for account recovery. I use a password manager so all accounts get unique logins, and I'm savvy enough not to fall for your typical phishing scams, which helps. There are no guarantees my luck will hold out though, so I'll be looking into privacy-preserving options for the most critical things or for cases where I'm not left with any choice.


TOTP does not require internet or a phone, even though it is commonly available as a phone app. It only requires an accurate system clock to work properly.
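
To make the point above concrete (and the earlier advice to keep the enrolment QR code or seed somewhere you control), here is an added example, not code from the article or from any authenticator app: RFC 6238 TOTP computed from nothing but a seed and a clock, plus a parser for the otpauth:// URI that enrolment QR codes encode. It assumes the common Key URI format (`otpauth://totp/<label>?secret=<base32>&...`) and uses the public RFC 6238 test seed, not a real credential.

```python
"""RFC 6238 TOTP from a seed plus a clock, with otpauth:// URI parsing.

Added example. Assumptions: the Key URI format used by common authenticator
apps ("otpauth://totp/<label>?secret=<base32>&...") and the RFC 6238 test seed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate, keep `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the epoch."""
    if for_time is None:
        for_time = time.time()  # the only runtime dependency: an accurate clock
    return hotp(secret, int(for_time) // period, digits, algorithm)


def verify(secret: bytes, candidate: str, now=None, window: int = 1,
           digits: int = 6, period: int = 30, algorithm: str = "sha1") -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    if now is None:
        now = time.time()
    step = int(now) // period
    matched = False
    for counter in range(step - window, step + window + 1):
        # compare_digest and no early return: same work whichever step matches
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), candidate):
            matched = True
    return matched


def parse_otpauth(uri: str) -> dict:
    """Decode the QR-code contents a site shows at enrolment (Key URI format, assumed)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = params["secret"].replace(" ", "").upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # sites often omit base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri: str, for_time=None) -> str:
    """Current code for an enrolment URI; a saved URI is all a backup needs."""
    p = parse_otpauth(uri)
    return totp(p["secret"], for_time, p["digits"], p["period"], p["algorithm"])


# RFC 6238 Appendix B test seed (public, not a real credential) in a constructed URI.
RFC6238_SEED = b"12345678901234567890"
DEMO_URI = "otpauth://totp/Example:alice?secret={}&issuer=Example&digits=6&period=30".format(
    base64.b32encode(RFC6238_SEED).decode())


if __name__ == "__main__":
    print("code at T=59:", code_from_uri(DEMO_URI, 59))  # RFC vector 94287082 -> 287082
    print("code now:    ", code_from_uri(DEMO_URI))
    print("drift check: ", verify(RFC6238_SEED, code_from_uri(DEMO_URI, 59), now=89))
```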


Most sites that support authenticator apps support the TOTP standard that allows you to use any authenticator app. You don't have to install the app specific to the site, you can find a privacy-respecting one.


If I can find a privacy respecting one that's a good thing! I worked a job that tried to force us to use Microsoft authenticator but we pushed back after looking at the privacy policy and so instead we ended up with perfectly nice key fobs. It's hard to beat that for privacy.


Because phone number also provided a universal identifier that can make the data worth more when selling it.


For the average user, yes, yes they are


Another technology to read up on is Silent Network Auth: https://www.twilio.com/blog/silent-network-authentication-sn...

If you operate a mobile app, this allows you to force a data packet over the device’s SIM that the carrier can validate. Platforms like Twilio/Boku have worked with the carriers to provide an API for this.

SMS is completely removed from the process and SMS pumping becomes a non-issue.

Another option that could be mentioned in the article is using WhatsApp for OTP delivery. It's the de facto messaging app in many countries with sketchy carriers, precisely because people don't enjoy paying 5 cents per SMS.


> using WhatsApp for OTP delivery. It's the de facto messaging app in many countries with sketchy carriers

I don't think that would go over very well in the less sketchy countries - I know many folks (myself included) who would be up in arms if a service requires WhatsApp just to send an OTP - in that (and any) case I'd prefer 2FA via authenticator apps


author here: these are great ideas, thank you!


I feel like the easiest workaround is to a) not use an email with your name in it for any important login b) don't use those emails for more than one service c) use a separate SIM and device for 2FA (mint mobile etc) / banking apps that aren't up to speed with non SMS 2fa.

It pains me to say this since Bank of America sucks, but their system now supports adding a Yubikey for login, nearly as good as Schwab before they stopped issuing physical TOTP tokens in 2020.


> separate SIM and device for 2FA

Are you really suggesting having 5 different devices with separate SIM cards to receive 2FA messages? What exactly is the point here, just having different numbers? In that case some kind of text message forwarding service that gives you multiple virtual numbers would (still not free but much more reasonable than dealing with multiple devices)


Nope, one dedicated device for 2FA. Dedicated email for each account.


OT: what do people who sign up for a site from their phones or tablets do when the site gives them a QR code to scan to set up TOTP?

I've only ever signed up for such sites from my desktop, so it was easy to use my phone or tablet camera to get the QR code from my desktop's screen.

How do you scan a QR code that is on your phone's screen using your phone?


This makes the assumption that Twitter blocked it due to SMS fraud. While that's a plausible theory an equally plausible theory is that they were worried about account hijacking and security (and allowed twitter blue subscribers to continue to use it on a you can pay me to be stupid context) which seems equally plausible.

I take issue with a lot of the assumptions in the article but this is funny:

> Identify and block premium rate phone numbers, using libphonenumber. Whilst this seems promising, I don’t know how reliable the data and how effective this approach is.

Here's this purpose-built and well maintained* library from Google which does exactly what I want, but I'm not even going to consider it.

* the actual number database has been updated 5x so far this year: https://github.com/google/libphonenumber/commits/master/meta...


The numbers are most of the time not premium in the 1-900 sense of the word. They can just appear to be regular mobile or landline numbers in another country and would not be picked up by that library, at least not reliably. There are databases that track some of these numbers but they are usually sold to telcos and are pretty expensive. The only solution is rate limits per number, per IP, and set a max price per SMS of $0.05-$0.10 or so (make your Papua New Guinea users use an Authenticator app instead).


IMO WhatsApp is also a great option for 2FA in many countries. OTP is one of the approved outbound templates that WA will let you deliver without an inbound message.


author here: Hey Adam - Elon has mentioned SMS fraud being the reason for blocking it on several occasions. See here: https://commsrisk.com/elon-musk-has-radical-solution-for-a2p....

Re libphonenumber: I think you misread me? I was definitely saying consider it :) I just don't have much personal experience with that approach.


Elon Musk said that they were being fleeced by SMS fraud when the change was announced.


And not for Blue? It's just a lame excuse for the insane price of also using Twilio.

If he stated the truth (SMS validation is costing millions per week), Twilio would lose quite some customers, because companies would finally realize there's another way that's cheaper.


Blue means they’re spending $10 a month or whatever it is. No fraudster is gonna buy a VCC for Twitter Blue and pay $10 an account when there are a million other sites they could target for $0.


The point is, Elon's rhetoric is that SMS is less secure, but then he only allows it for Twitter Blue. It's utter BS. It's just that he doesn't want to pay 5-10ct per 2FA request for all these users.

And I fully agree with him


Does Elon stating something make it more or less likely to be true?


Good, SMS for auth is terrible. Let me use my yubikey or authentication app.


How is this even possible? Must be USA, right?

In Finland, non-standard numbers must start with different numbers, so it's easy to block them as invalid.


author here: part of the problem is that there are many countries, each with their own complex scheme for identifying premium numbers. It's not a straightforward task, though libphonenumber (I believe) aims to make this easier.


Where can I get a premium SMS phone number? (for research purposes)




You should probably read the article - it's about tricking services into sending SMS to your premium number so that you earn money every time you trick the service into sending a text message to you.


> No one sends them anymore.

Except for the overwhelming majority of everyone I know.


Fraud requires that someone make a misrepresentation. Who makes a misrepresentation when SMS fraud is committed? What is the misrepresentation?

Is there any chance that this isn’t actually fraud and that companies who send out tons of text messages to any number a person specifies are just paying for their extraordinarily poor design?


I think the fraud here is that the user isn't an actual, legitimate user of the web service. Maybe 'user fraud' is a better term to use here.


The attacker misrepresents themselves as a legitimate user who just wants to set up 2FA on their account.


It's definitely fraud and it's definitely detectable when a 10000 block prefix of numbers sends 100x more SMS than every other prefix out of the blue.

It's basically a referral marketing campaign where the fraudster does revenue share with local sketchy infrastructure providers.
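
The two defensive points raised in this thread, rate limits per number and per IP with a max price per SMS (the comment above about libphonenumber) and spotting a 10,000-number prefix block that suddenly sends far more than every other block (this comment), as an added example that is not code from the article or from any provider. The log format, the thresholds ($0.10, 3 sends per number, 5 per IP, 10x the median) and the +888 burst are all constructed for the example; a real deployment would pick windows and thresholds from its own traffic.

```python
"""Detecting SMS pumping after the fact and gating OTP sends before they go out.

Added example with constructed data. Policy knobs below are illustrative
assumptions, not values recommended by any SMS provider.
"""
import re
from collections import Counter
from statistics import median

MAX_PRICE_USD = 0.10   # refuse anything dearer than this per message (cf. MaxPrice)
PER_NUMBER_LIMIT = 3   # OTP sends allowed per destination number per window
PER_IP_LIMIT = 5       # OTP sends allowed per requesting IP per window
PUMP_FACTOR = 10       # a prefix block sending >= this x the median of the others is suspect

LOG_RE = re.compile(r"to=(\+\d+)\s+ip=(\S+)\s+price=(\d+(?:\.\d+)?)")

# Constructed OTP-send log: a little normal traffic (RFC 5737 test IPs, made-up
# numbers) followed by a burst into one synthetic +888 block that is cheap per
# message, so a price cap alone would not catch it.
SAMPLE_LOG = [
    "to=+12125550101 ip=203.0.113.10 price=0.0079",
    "to=+12125550177 ip=203.0.113.11 price=0.0079",
    "to=+447700900123 ip=203.0.113.12 price=0.04",
    "to=+447700900456 ip=203.0.113.13 price=0.04",
    "to=+4915112345678 ip=203.0.113.14 price=0.08",
    "to=+79161234567 ip=203.0.113.15 price=0.70",
] + [f"to=+8885550{i:04d} ip=198.51.100.{i % 3} price=0.08" for i in range(30)]


def parse_log(lines):
    """Return (number, ip, price) tuples for every line that matches the format."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            records.append((m.group(1), m.group(2), float(m.group(3))))
    return records


def prefix_block(number):
    """A 10,000-number block: the E.164 number minus its last four digits."""
    return number[:-4]


def flag_pumped_prefixes(numbers, factor=PUMP_FACTOR):
    """Flag blocks whose send count dwarfs the median of all other blocks."""
    counts = Counter(prefix_block(n) for n in numbers)
    flagged = set()
    for prefix, sent in counts.items():
        others = [v for p, v in counts.items() if p != prefix]
        if others and sent >= factor * max(1, median(others)):
            flagged.add(prefix)
    return flagged


class SendGate:
    """Pre-send checks: price cap, blocked blocks, then per-number and per-IP limits."""

    def __init__(self, blocked_prefixes=(), max_price=MAX_PRICE_USD,
                 per_number=PER_NUMBER_LIMIT, per_ip=PER_IP_LIMIT):
        self.blocked = set(blocked_prefixes)
        self.max_price = max_price
        self.per_number = per_number
        self.per_ip = per_ip
        self.sent_to = Counter()    # sends per destination in the current window
        self.sent_from = Counter()  # sends per requesting IP in the current window

    def decide(self, number, ip, price):
        if price > self.max_price:
            return "blocked:max_price"
        if prefix_block(number) in self.blocked:
            return "blocked:prefix"
        if self.sent_to[number] >= self.per_number:
            return "blocked:number_rate"
        if self.sent_from[ip] >= self.per_ip:
            return "blocked:ip_rate"
        self.sent_to[number] += 1
        self.sent_from[ip] += 1
        return "send"


def decide_sequence(requests, **gate_kwargs):
    """Run a list of (number, ip, price) requests through one gate, in order."""
    gate = SendGate(**gate_kwargs)
    return [gate.decide(*r) for r in requests]


def replay(lines):
    """Offline: flag blocks from the log, then count what a gate would have done."""
    records = parse_log(lines)
    flagged = flag_pumped_prefixes([r[0] for r in records])
    return flagged, Counter(decide_sequence(records, blocked_prefixes=flagged))


if __name__ == "__main__":
    flagged, outcomes = replay(SAMPLE_LOG)
    print("pumped prefix blocks:", sorted(flagged))
    print("gate outcomes:", dict(outcomes))
```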


I mean, it feels like stealing but it would be complicated to build a case around a fraud charge given that no one ever actively told a lie.

Maybe this is taken care of in the user agreement or the terms of services? “User warrants that he is not trying to profit by use of the two factor auth system?” I’ve never read an agreement like this one.



