
What is SMS pumping, and how does it impact your business?

SMS pumping (also known as artificially inflated traffic) abuses the SMS-sending features wired into web apps and forms, such as the flow that lets a user request a one-time passcode (OTP) on their mobile phone for verification. In an SMS pumping attack, bots submit premium-rate phone numbers, which cost more to deliver to, into any online form that triggers a text message.

The mobile network operator (MNO) charges a fee for every SMS it delivers, so the huge volume of numbers fed in by bots translates into a large jump in fee income for the MNOs that own those number ranges. Cybercriminals either exploit unwitting MNOs or collude with them to inflate revenue from premium-rate numbers; either way, the business running the form pays for messages nobody asked for.

In February 2023, Elon Musk cited SMS pumping as the reason Twitter withdrew two-factor authentication (2FA) via text message for users who did not subscribe to Twitter Blue.

How to Detect SMS Pumping Attacks

The main indicators of SMS pumping are a sudden spike in the number of SMS verification messages requested from your web app, or a shift in the kinds of phone numbers requesting them. When you see such a spike, check for these signs that you are dealing with an SMS pumping attack:

  • Web forms are submitted incomplete (typically only the phone-number field is filled in).
  • Phone numbers are from countries your organization rarely or never does business in.
  • Requests arrive in bursts over a very short period of time.
  • Conversion rates fall even as the number of requests rises.
  • Phone numbers in the requests are sequential, for example incrementing by one.
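The five signs above can be computed directly from an SMS-request log. The script below is an added example, not DataDome's code: it turns each sign into a numeric indicator, runs them over a constructed log that mixes a few normal verification requests with a burst that looks like pumping, and flags the log when enough indicators cross a threshold. The log layout, the allow-list of "usual" dial-code prefixes, the 10-second spike window and every threshold are assumptions to be tuned against your own baseline traffic.

```python
"""Heuristic SMS-pumping indicators computed over an SMS-request log.

Added example, not DataDome's code. The log format, the allow-list of
usual dial-code prefixes and every threshold below are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# Constructed sample log, not real traffic:
# (ISO timestamp, destination number in E.164, form fully completed?, user converted?)
SAMPLE_LOG: List[Tuple[str, str, bool, bool]] = [
    ("2023-02-01T10:00:00", "+14155550101", True, True),
    ("2023-02-01T10:04:00", "+14155550182", True, True),
    ("2023-02-01T10:09:00", "+442071230456", True, False),
    ("2023-02-01T10:30:00", "+14155550199", True, True),
    # burst that mimics SMS pumping: one country the business never serves,
    # numbers incrementing by one, only the phone field filled in, no sign-ups
    ("2023-02-01T10:31:00", "+998901234560", False, False),
    ("2023-02-01T10:31:01", "+998901234561", False, False),
    ("2023-02-01T10:31:01", "+998901234562", False, False),
    ("2023-02-01T10:31:02", "+998901234563", False, False),
    ("2023-02-01T10:31:02", "+998901234564", False, False),
    ("2023-02-01T10:31:03", "+998901234565", False, False),
    ("2023-02-01T10:31:03", "+998901234566", False, False),
    ("2023-02-01T10:31:04", "+998901234567", False, False),
]

# Assumed allow-list: dial codes the business normally serves (not a routing table).
USUAL_PREFIXES = ("+1", "+44")


def parse(log: Sequence[Tuple[str, str, bool, bool]]) -> List[Tuple[datetime, str, bool, bool]]:
    return [(datetime.fromisoformat(ts), num, complete, conv) for ts, num, complete, conv in log]


def peak_requests(times: Sequence[datetime], window: timedelta) -> int:
    """Largest number of requests inside any trailing `window` (spike / burst indicator)."""
    ts = sorted(times)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def longest_sequential_run(numbers: Sequence[str]) -> int:
    """Length of the longest run of distinct numbers that differ by exactly one."""
    digits = sorted({int(n.lstrip("+")) for n in numbers})
    if not digits:
        return 0
    best = run = 1
    for prev, cur in zip(digits, digits[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best


def indicators(log: Sequence[Tuple[str, str, bool, bool]],
               usual_prefixes: Sequence[str] = USUAL_PREFIXES,
               window: timedelta = timedelta(seconds=10)) -> Dict[str, float]:
    """Compute the five indicators from the article's checklist."""
    events = parse(log)
    if not events:
        raise ValueError("empty log")
    n = len(events)
    numbers = [e[1] for e in events]
    prefixes = tuple(usual_prefixes)
    return {
        "peak_requests_in_window": peak_requests([e[0] for e in events], window),
        "unusual_country_share": sum(not num.startswith(prefixes) for num in numbers) / n,
        "incomplete_form_share": sum(not e[2] for e in events) / n,
        "conversion_rate": sum(e[3] for e in events) / n,
        "longest_sequential_run": longest_sequential_run(numbers),
    }


def is_pumping(ind: Dict[str, float], min_signals: int = 3) -> bool:
    """Flag when at least `min_signals` indicators cross their (assumed) thresholds."""
    signals = [
        ind["peak_requests_in_window"] >= 5,   # many requests over a very short period
        ind["unusual_country_share"] >= 0.5,   # countries you rarely or never serve
        ind["incomplete_form_share"] >= 0.5,   # only the phone field filled in
        ind["conversion_rate"] <= 0.3,         # more requests, fewer sign-ups
        ind["longest_sequential_run"] >= 4,    # numbers incrementing by one
    ]
    return sum(signals) >= min_signals


if __name__ == "__main__":
    ind = indicators(SAMPLE_LOG)
    for name, value in ind.items():
        print(f"{name:26s} {value:.3f}")
    print("SMS pumping suspected:", is_pumping(ind))
```

Run on the constructed log, all five indicators fire (an 8-request burst inside 10 seconds, two thirds of numbers outside the usual dial codes, two thirds of forms incomplete, conversion down to 25%, and a run of 8 consecutive numbers); the first four benign lines alone trigger none. In production you would compute the same indicators per time bucket and compare them against a rolling baseline rather than fixed constants.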

How do you protect against an SMS pumping attack?

SMS pumping attacks are bot-driven, so several approaches to dealing with bot traffic can also help stop SMS pumping.

CAPTCHA

CAPTCHAs can help weed out bots by adding a layer of security and capturing additional signals for bot detection. By challenging users with suspicious behavior, a CAPTCHA can also slow down the process of inputting phone numbers—which may make bot operators move to another target. Still, traditional CAPTCHAs (like reCAPTCHA) are not adequate solutions on their own, and can severely impact the user experience.

Rate Limiting

You can cap the number of messages sent to any one phone number within a given period, instead of allowing unlimited sends to a single number. But that limit is keyed on the destination number, so a bot that rotates through many different numbers, which is exactly what SMS pumping does, is not slowed by it at all.
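The weakness is easy to demonstrate, and so is the obvious next step of keying the limit on something the attacker cannot change as freely. The code below is an added example, not DataDome's code: a small sliding-window limiter, a policy that limits per destination number only (what the text describes), and a layered policy that adds per-source-IP and per-destination-range budgets. It replays constructed traffic (one real user with a resend, a burst of twenty distinct numbers from one IP, and the same burst spread over twenty IPs). The limits, the ten-minute window and the `phone[:4]` stand-in for a proper country/carrier prefix lookup are all assumptions.

```python
"""Rate-limiting policies for an SMS verification endpoint.

Added example, not DataDome's code. Limits, the window and the crude
phone[:4] destination bucket are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Callable, Deque, Dict, List, Tuple

Request = Dict[str, Any]  # {"ts": datetime, "ip": str, "phone": str}
WINDOW = timedelta(minutes=10)


class SlidingWindowLimiter:
    """At most `limit` recorded hits per key inside a trailing `window`."""

    def __init__(self, limit: int, window: timedelta = WINDOW) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[Any, Deque[datetime]] = defaultdict(deque)

    def _live(self, key: Any, now: datetime) -> Deque[datetime]:
        q = self._hits[key]
        while q and now - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        return q

    def would_allow(self, key: Any, now: datetime) -> bool:
        return len(self._live(key, now)) < self.limit

    def record(self, key: Any, now: datetime) -> None:
        self._live(key, now).append(now)


class LimitPolicy:
    """Allow a request only if every (limiter, key) rule agrees; record on success."""

    def __init__(self, rules: List[Tuple[SlidingWindowLimiter, Callable[[Request], Any]]]) -> None:
        self.rules = rules

    def allow(self, req: Request) -> bool:
        now = req["ts"]
        pairs = [(lim, keyfn(req)) for lim, keyfn in self.rules]
        if not all(lim.would_allow(key, now) for lim, key in pairs):
            return False
        for lim, key in pairs:
            lim.record(key, now)
        return True


def per_number_only() -> LimitPolicy:
    """What the text describes: N messages per destination number per window."""
    return LimitPolicy([(SlidingWindowLimiter(3), lambda r: r["phone"])])


def layered() -> LimitPolicy:
    """Per-number limit plus a per-source-IP budget and a per-destination-range budget.
    phone[:4] is a crude stand-in for a real country/carrier prefix lookup (assumption)."""
    return LimitPolicy([
        (SlidingWindowLimiter(3), lambda r: r["phone"]),
        (SlidingWindowLimiter(5), lambda r: r["ip"]),
        (SlidingWindowLimiter(10), lambda r: r["phone"][:4]),
    ])


def run(policy_factory: Callable[[], LimitPolicy], reqs: List[Request]) -> Tuple[int, int]:
    """Replay requests in time order through a fresh policy; return (allowed, blocked)."""
    policy = policy_factory()
    allowed = sum(policy.allow(r) for r in sorted(reqs, key=lambda r: r["ts"]))
    return allowed, len(reqs) - allowed


T0 = datetime(2023, 2, 1, 10, 0, 0)

# Constructed traffic, not real logs.
LEGIT = [  # one user who asks for a resend after 30 s
    {"ts": T0, "ip": "203.0.113.10", "phone": "+14155550101"},
    {"ts": T0 + timedelta(seconds=30), "ip": "203.0.113.10", "phone": "+14155550101"},
]
SINGLE_IP_BURST = [  # one bot IP, 20 distinct sequential numbers in one range
    {"ts": T0 + timedelta(seconds=60 + i), "ip": "198.51.100.7", "phone": f"+9989012345{60 + i}"}
    for i in range(20)
]
DISTRIBUTED_BURST = [  # same numbers, one request per source IP (proxy pool)
    {"ts": T0 + timedelta(seconds=60 + i), "ip": f"198.51.100.{i + 1}", "phone": f"+9989012345{60 + i}"}
    for i in range(20)
]

if __name__ == "__main__":
    print("per-number only, single IP:", run(per_number_only, LEGIT + SINGLE_IP_BURST))
    print("layered, single IP        :", run(layered, LEGIT + SINGLE_IP_BURST))
    print("layered, distributed      :", run(layered, LEGIT + DISTRIBUTED_BURST))
```

The per-number policy lets all 22 requests through, because no single number ever exceeds three sends. The layered policy cuts the single-IP burst to five messages and, once the bot spreads across a proxy pool, the per-range budget still caps the run at ten. The trade-off is visible in that last rule: a budget on a whole destination range also throttles genuine users in that range, which is why the article goes on to recommend behavioural bot detection rather than ever-tighter limits.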

Gather Additional Data

Asking for more information than a phone number can deter cybercriminals from targeting your organization, because it will make filling in the form more time-consuming. But it could also deter your real users from converting. The more information you request, the more steps you add for your real users to complete before giving them what they want, degrading your user experience (UX).

Use an Authentication App

Instead of SMS authentication codes, you can direct users to a common authenticator app such as Google Authenticator or Authy. These apps come with their own costs, UX impacts, and security limitations; a time-based code, for example, can still be phished from the user in real time.

Bot Protection

Because SMS pumping only pays off at scale, attackers need bots to turn a profit. A capable bot and online fraud detection solution can tell which requests come from malicious bots and stop them before a phone number is ever submitted. Blocking those requests saves the fees you would otherwise pay MNOs for SMS verification, as well as the time and money lost to the fallout from other bot attacks (e.g. scraping) and online fraud.

Stop SMS Pumping Before More Damage is Done

SMS pumping attacks can cost your organization in a big way, as a major online travel booking customer of DataDome can attest. For them, DataDome’s machine learning powered bot and online fraud protection put an end to SMS pumping attacks. Our real-time solution integrates with your tech stack in minutes, and determines at the edge if a request is made by a human or a bot within 3 milliseconds.

To see whether you are facing SMS pumping, or where other attacks on your website, mobile app, and API are coming from, try DataDome for free and get a real-time dashboard of your threats.

*** This is a Security Bloggers Network syndicated blog from DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/what-is-sms-pumping-how-does-it-impact-your-business/