What is the mechanism behind the 'two-factor authentication SMS fraud' that Twitter is said to have suffered from?

On February 15, 2023, Twitter announced a policy change under which two-factor authentication via short message service (SMS) would be limited to subscribers of its paid 'Twitter Blue' service. As the reason for this change, CEO Elon Musk suggested that malicious SMS fraud targeting two-factor authentication was widespread and was costing Twitter money. Technology writer Apurva Chitnis explains what exactly this SMS fraud is and how it works.

How SMS Fraud Works and How to Guard Against It
https://apuchitnis.substack.com/p/how-sms-fraud-works-and-how-to-guard-against-it

Two-factor authentication is an authentication method that requires, in addition to a password, a code delivered by SMS or a one-time password when logging in to an account. It is used not only by Twitter but by many Internet services because it is more secure than requiring a password alone. Under the new policy, two-factor authentication via SMS will be available only to Twitter Blue subscribers, while other accounts can continue to use two-factor authentication with an authenticator app or a physical security key.

According to Chitnis, 'premium-rate phone numbers' are used in SMS two-factor authentication fraud. These are phone numbers that charge the caller an extra fee, and they are commonly used for support lines and adult chat lines. The extra money paid by the caller goes not only to the carrier but also to the operator of the support line or adult chat line.

Fraudsters register such a number as their own and then look for an Internet service that sends SMS messages to it. Here, Twitter, which uses SMS for two-factor authentication, is chosen as the target.

When the fraudster impersonates a user and triggers two-factor authentication, the Internet service sends an SMS to the premium-rate number. The surcharge for that SMS is billed to the Internet service, and the money is paid out to the number's operator, i.e., the fraudster. Using this mechanism, fraudsters create bot accounts to request SMS messages in bulk and drain SMS fees from online services.

Chitnis also offers several ways to prevent SMS fraud. For example, if a third-party service such as Auth0 is used for two-factor authentication, the endpoint used to send SMS can be obfuscated. This does not completely prevent attacks, but it makes them harder to carry out.

Blocking all requests from known-bad IP addresses also helps. 'This should be fairly easy to implement,' says Chitnis, since many services can assess the reputation of an IP address. Sending SMS only to paying accounts, the approach Twitter has adopted, is also effective.
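The following is an added example, not code from the article, from Chitnis or from Twitter. It turns the mechanism described above (bot accounts requesting SMS in bulk to numbers the fraudster profits from) and the countermeasures just listed (IP reputation checks, per-source limits, sending only to paying accounts) into a single gating function that a service could run before handing an OTP message to its SMS provider. The request records, the IP reputation list, the number prefixes and all thresholds are constructed here for illustration and are not values from the article.

```python
"""Gate OTP SMS sends to detect and limit SMS pumping (toll fraud).

Added example: the IP reputation list, thresholds and sample requests below
are constructed assumptions, not data from the article or from Twitter.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed stand-in for an external IP reputation service.
BAD_IPS = {"203.0.113.7", "198.51.100.9"}

# Illustrative thresholds (assumptions, tune per service).
PER_IP_LIMIT = 5        # OTP sends allowed per source IP within the window
PER_PREFIX_LIMIT = 8    # distinct numbers sharing a 6-digit prefix per window
WINDOW_SECONDS = 300


@dataclass
class OtpRequest:
    ts: int             # unix seconds
    ip: str             # client IP that triggered the OTP send
    phone: str          # destination number as E.164 digits, e.g. "15550100001"
    paid_account: bool  # whether the requesting account is a paying subscriber


class Gate:
    """Decides whether an OTP SMS may be sent; only allowed sends are recorded,
    so refused requests do not eat into the budget of legitimate users."""

    def __init__(self, paid_only: bool = False) -> None:
        self.paid_only = paid_only
        self._by_ip: dict[str, deque[int]] = defaultdict(deque)
        self._by_prefix: dict[str, deque[tuple[int, str]]] = defaultdict(deque)

    def decide(self, req: OtpRequest) -> tuple[bool, str]:
        """Return (allow, reason). Checks run cheapest first."""
        if req.ip in BAD_IPS:
            return False, "ip_reputation"
        if self.paid_only and not req.paid_account:
            return False, "paid_only"

        cutoff = req.ts - WINDOW_SECONDS

        # Per-source rate limit: one IP driving many sends is a bot signal.
        ip_hits = self._by_ip[req.ip]
        while ip_hits and ip_hits[0] < cutoff:
            ip_hits.popleft()
        if len(ip_hits) >= PER_IP_LIMIT:
            return False, "ip_rate_limit"

        # Prefix burst: many distinct numbers in one block of a number range
        # within minutes is the classic pumping pattern, even across many IPs.
        prefix = req.phone[:6]
        prefix_hits = self._by_prefix[prefix]
        while prefix_hits and prefix_hits[0][0] < cutoff:
            prefix_hits.popleft()
        distinct = {num for _, num in prefix_hits}
        if req.phone not in distinct and len(distinct) >= PER_PREFIX_LIMIT:
            return False, "prefix_burst"

        ip_hits.append(req.ts)
        prefix_hits.append((req.ts, req.phone))
        return True, "ok"


def run_sample() -> dict[str, int]:
    """Replay constructed traffic through a free-for-all gate; return counts by reason."""
    reqs = [OtpRequest(0, "192.0.2.10", "15550100001", False)]          # one real user
    reqs.append(OtpRequest(5, "203.0.113.7", "15550100002", False))      # listed bad IP
    # Botnet: ten IPs, ten numbers in one constructed premium-style range.
    reqs += [OtpRequest(10 + i, f"198.51.100.{21 + i}", f"8823000000{i:02d}", False)
             for i in range(1, 11)]
    # Single IP hammering seven different numbers.
    reqs += [OtpRequest(100 + i, "198.51.100.40", f"1555010010{i}", False)
             for i in range(7)]
    gate = Gate(paid_only=False)
    counts: dict[str, int] = defaultdict(int)
    for r in reqs:
        _, reason = gate.decide(r)
        counts[reason] += 1
    return dict(counts)


def paid_only_demo() -> tuple[str, str]:
    """Twitter's approach: the same request is refused unless the account pays."""
    gate = Gate(paid_only=True)
    free = gate.decide(OtpRequest(0, "192.0.2.11", "15550100003", False))[1]
    paid = gate.decide(OtpRequest(1, "192.0.2.11", "15550100003", True))[1]
    return free, paid


if __name__ == "__main__":
    print(run_sample())
    print(paid_only_demo())
```

The per-IP limit alone is not enough, because a pumping operation spreads requests across many addresses; the prefix-burst check catches the other half of the pattern, where many distinct destination numbers fall into the same narrow range in a short time. Which ranges to watch and how tight the thresholds should be depend on the service's real traffic, so the constants above are starting points only.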

“Just as bike thieves target bikes that are easy to steal, good hackers take advantage of internet services that are easy to hack,” Chitnis said. “It is important to prioritize in consideration of time and effectiveness.”

in Web Service, Posted by log1p_kr