Bots are killing the SMS one time passcode market. Time to fight back
The text passcode is the world’s most convenient authentication method. Now fraudsters are undermining it with a hack called ‘artificial inflation of traffic’. Lee Suker, head of number intelligence and authentication at Sinch, dives into the problem and looks at potential fixes.
In 1993, the New Yorker ran a cartoon featuring a mutt sitting in front of a computer. The caption read: ‘On the internet no one knows you’re a dog’.
How prescient that light-hearted sketch proved to be. The issue of identity has plagued the online world ever since. When the physical element is removed, how can you be sure who you are talking to? Or, more significantly, transacting with?
This problem of identity is the root cause of the fraud that has skyrocketed in the broadband era. Scammers exploit the flaw in two ways. They either assume the identities of real people – or they invent entirely fictional new ones. And, thanks to bot technology, they can do the latter at scale for virtually no cost.
The scourge of bot fraud has been around for years. It takes many forms. One of the newest is a scam that targets the SMS authentication codes sent by the mobile messaging industry. This is 'artificial inflation of traffic' (AIT).
Here's how it works. A brand hires a messaging specialist to send one time passcodes (OTPs) to every new or existing user that wants to sign up for (or sign into) its service. The dishonest intermediary then uses bot technology to create thousands or millions of fake accounts. It then charges the usual fee to the enterprise to handle the SMS traffic generated by these non-human users.
Elon Musk puts AIT in the public domain
Artificial inflation of traffic has been growing steadily for years. Mobile analyst firm MobileSquared estimates that 20 percent of OTP traffic globally is AIT. This might even be a modest estimate. However, few outside of the messaging space were aware of the issue until recently.
That all changed in December 2022 – thanks to Elon Musk. During a conversation on Twitter’s Spaces channel, Musk claimed that “Twitter was being scammed to the tune of $60 million a year for SMS texts, not counting North America”.
He followed up by withdrawing his business from the worst offending mobile operators. Meanwhile other big buyers of SMS passcodes also re-considered their contracts. This was painful for the business messaging channel (also called the A2P – for application to person – channel). But it was a necessary correction.
Now, the industry leaders are wrestling with how to defend the channel against AIT, and ensure that its most valued customers feel able to trust the SMS channel again.
SMS for OTP: ubiquitous and easy to use
There is every incentive to do so. The truth is: SMS is an extremely powerful channel for authentication. Why? Because it's ubiquitous and easy to use. Virtually every adult in the world is reachable by SMS. Texts arrive – and are responded to – almost instantly. With SMS, there's no learning curve or app to download.
In fact, one time passcodes now form the biggest part of an overall business messaging market that was worth $48 billion in 2022 – and will increase to $78 billion by 2027. Meanwhile consumer research by the trade body MEF says 89 percent of consumers now regularly receive texts from brands – and that most receive two to 20 a week.
Clearly greed is the motivation for the AIT fraudsters. But there are specific reasons why the practice has worsened in recent times. The most impactful is probably the price hikes in some markets. The fees for sending A2P texts vary wildly across the world. They can be as low as 1c. But there are now regions where the price is edging towards 20c. This not only limits demand for legitimate traffic, it also acts as a powerful incentive for fraudsters to create bot accounts.
The fraud fightback begins
So what can be done? Firstly, aggregators can monitor customer conversion rates. Why? Because conversion (the user actually entering the OTP and completing sign-up or sign-in) is the whole purpose of sending a code, and AIT bots don’t convert. So when the conversion rate drops below the expected norm, this can be an indicator of AIT fraud.
Of course enterprise customers can – and should – closely monitor conversions too. Honest actors in the messaging space now offer services to help them. Enterprises can use these tools to establish the true origin of their user authentications. They can look at IP address, browser and other markers, such as conversion rate monitoring, to mitigate fraudulent sign-up attempts. In Q1 this year, a (Sinch) customer identified AIT activity and saved $500K. Moreover, in a recent trial of user-agent fingerprint solutions, we identified as much as 1 in 20 onboarding attempts to be fraudulent.
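A minimal version of the conversion-rate check described above, as an added example rather than Sinch's or the article's own code: it counts OTP sends and successful verifications per delivery route from constructed log lines and flags routes whose conversion falls well below the expected norm. The route names, the 80 percent baseline and the thresholds are assumptions chosen for illustration.

```python
"""Conversion-rate monitoring for SMS OTP traffic (added example, not Sinch code)."""
from collections import defaultdict

# Constructed sample log: one event per line in the form "route,event", where
# route is a hypothetical destination operator/country route and event is
# "sent" (OTP dispatched) or "verified" (user entered the code successfully).
# route-C is skewed on purpose: a burst of sends with almost no conversions.
SAMPLE_LOG = "\n".join(
    ["route-A,sent"] * 100 + ["route-A,verified"] * 82
    + ["route-B,sent"] * 50 + ["route-B,verified"] * 39
    + ["route-C,sent"] * 400 + ["route-C,verified"] * 12
    + ["route-D,sent"] * 5 + ["route-D,verified"] * 1   # too few sends to judge
)

def parse_log(text):
    """Return a list of (route, event) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 2 and parts[1] in ("sent", "verified"):
            events.append((parts[0], parts[1]))
    return events

def conversion_by_route(events):
    """Per route: (sent, verified, conversion rate); rate is None if nothing was sent."""
    sent, verified = defaultdict(int), defaultdict(int)
    for route, event in events:
        (sent if event == "sent" else verified)[route] += 1
    routes = set(sent) | set(verified)
    return {r: (sent[r], verified[r], verified[r] / sent[r] if sent[r] else None)
            for r in routes}

def flag_suspect_routes(stats, baseline_rate, drop_ratio=0.5, min_sent=20):
    """Flag routes whose conversion rate is below drop_ratio * baseline_rate.

    Routes with fewer than min_sent sends are skipped: a handful of abandoned
    logins is noise, while hundreds of unconverted sends look like bot traffic.
    """
    flagged = {}
    for route, (n_sent, _n_verified, rate) in stats.items():
        if n_sent < min_sent or rate is None:
            continue
        if rate < baseline_rate * drop_ratio:
            flagged[route] = rate
    return flagged

if __name__ == "__main__":
    stats = conversion_by_route(parse_log(SAMPLE_LOG))
    for route, rate in flag_suspect_routes(stats, baseline_rate=0.8).items():
        print(f"{route}: conversion {rate:.0%} vs expected 80% -> possible AIT")
```

In practice the baseline would come from each route's own history rather than a fixed number, and the check would run per time window so a sudden burst of sends shows up quickly.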
Enterprise customers might also consider adding more security to their OTP processes. This is tricky since brands are understandably reluctant to load any more steps (and therefore friction) into the sign-up UX. But they should still weigh up the value of captchas, browser fingerprinting and richer forms.
Finally, there's the option to try something else. In the last year or two Flash Calling has been gaining traction. This is a method of authentication that uses voice, rather than text. Here, the messaging company makes a dropped call to the end user. Digits in this dropped call create a one-time passcode, which is verified in seconds with no interaction required.
It's estimated that flash calls can be 25 percent cheaper and 70 percent faster than SMS OTP authentication. Some operators block them, while others see them as a powerful new service to sell. Most importantly, these types of authentication are not as vulnerable to AIT as SMS OTP.
Surely the best outcome is for the industry to have both. In other words, Enterprises should use SMS OTP from trusted providers that offer effective AIT mitigation solutions as well as alternative authentication techniques like Flash Calls. All legal players (messaging providers and customers) need to strive towards a cleaned-up and trustworthy SMS channel for those who want it. And a well-managed flash calling option for those willing to try something new. For all its challenges, nothing can do authentication as well as the mobile phone. Let’s keep it that way.