How to Fight Two-Factor Authentication PIN Code Attacks

Two-factor authentication PIN code attacks, SMS bot attacks, SMS PIN spam fraud, Artificially Inflated Traffic (AIT) – there are several names for this type of fraudulent activity that now affects so many online services and applications.

If you’re thinking, “Why are there random numbers in [random country] requesting PIN codes from us?” the chances are that your application is among those being impacted. SMS PIN code attacks are a costly problem that seems to worsen (and become more widespread) as time goes on.

Why are SMS bot attacks so prevalent?

This is a tricky question. Artificially Inflated Traffic is where a rogue third party uses mobile-originated interconnect revenue share to generate profit, and it usually affects premium phone numbers through voice calls.

However, this type of scam is now seeping over into SMS technology with artificially inflated SMS PIN code requests. It’s one of 11 types of fraud crippling A2P messaging.

Initially, it seemed that fraudulent SMS PIN code requests got sent to a small subset of premium numbers where each SMS message generated income for the hacker. Here at Messente, we became aware of the problem, and as a defence mechanism, we’ve put filters in place that block the same phone number from receiving too many SMS PIN code requests.

Following on from this precaution, we’ve analysed the most common cases of SMS PIN spam fraud. And we discovered that fraudulent SMS PIN code requests are sent to either consecutive phone numbers (e.g., containing 001, 002, 003, etc.) or totally random, yet large, sets of numbers belonging to the same provider’s range. They’re also sent to phone numbers that don’t follow the correct format for a specific country.

These PIN code requests are triggered automatically through ‘bots’, and every now and then, they manage to ‘hit’ an actual phone number and reach a real person, who, of course, is confused to receive a PIN code from a company they’ve never heard of. For businesses affected, this doesn’t convey a great impression.

The fact that most of the phone numbers targeted aren’t actually premium numbers (where an income can be generated) leads us to believe that these hackers aren’t in it for financial gain. Instead, they want to cause financial harm to companies – or they’re simply ‘bored’ and want to exploit businesses for ‘fun’.

What’s the financial impact of two-factor authentication PIN code attacks?

The financial impact is often severe. We’ve seen this problem affect companies across various industries, including logistics, financial services, health tech and so on. The costs can escalate to tens of thousands of euros!

Here’s an example: one health-tech client of ours experienced a sudden hike in SMS traffic to Uzbekistan and neighbouring countries over a two-week period. It cost a total of 13,000 €. The fraud was difficult to spot because the SMS content itself was legitimate. As a quick fix, we disabled SMS traffic to all markets except for the one the business operates in. Meanwhile, the client worked to put a more permanent fix in place through CAPTCHA verification.

A similar case occurred for a ride-hailing app provider very recently. Thousands of SMS requests were triggered to phone numbers in Bangladesh, costing the company over 2,000 € in total. Had we not noticed the unusual traffic hike towards this particular destination, the financial impact could’ve been far more damaging.

What are the top country numbers affected?

SMS PIN code messages are often requested to phone numbers in a wide selection of countries, including France, Denmark, Spain, Russia, Kazakhstan, Georgia, Peru and Iraq… to name a few.

A good approach to help you spot SMS PIN spam fraud is to check whether text messages are being requested to countries where your company doesn’t typically operate.
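As an added example (not code from Messente or from the original post), the following Python script applies the checks described above and in the earlier analysis of spam patterns to a batch of PIN-request records: traffic to countries outside your markets, numbers that don’t match the country’s format, consecutive number runs, and many distinct numbers inside one provider range. The country table, the operating markets and the log records are constructed assumptions for illustration, not real numbering plans or real traffic.

```python
# Added example (not Messente's code): scan a batch of PIN-request records for the
# patterns the post describes. COUNTRY_PLANS, OPERATING_MARKETS and SAMPLE_REQUESTS
# are constructed assumptions, not real numbering plans or real traffic.
from collections import defaultdict

# E.164 country calling code -> (ISO country, expected national-number length).
# Simplified: real numbering plans allow several lengths per country.
COUNTRY_PLANS = {
    "372": ("EE", 7),
    "44": ("GB", 10),
    "998": ("UZ", 9),
    "880": ("BD", 10),
}
OPERATING_MARKETS = {"EE", "GB"}  # where the hypothetical business actually has users

# Constructed PIN-request log: ts = seconds since the start of the window.
SAMPLE_REQUESTS = [
    {"ts": 0, "ip": "203.0.113.5", "to": "+3725551234"},      # genuine EE user
    {"ts": 5, "ip": "198.51.100.9", "to": "+447700900123"},   # genuine GB user
    {"ts": 10, "ip": "192.0.2.77", "to": "+998901234001"},    # consecutive UZ run
    {"ts": 11, "ip": "192.0.2.77", "to": "+998901234002"},
    {"ts": 12, "ip": "192.0.2.77", "to": "+998901234003"},
    {"ts": 13, "ip": "192.0.2.77", "to": "+998901234004"},
    {"ts": 20, "ip": "192.0.2.78", "to": "+88017123"},        # BD number, too short
    {"ts": 21, "ip": "192.0.2.78", "to": "+8801712345678"},   # BD number, well-formed
    {"ts": 30, "ip": "192.0.2.79", "to": "+15551234567"},     # prefix not in our table
]


def split_number(e164):
    """Return (country_code, national_part), or (None, None) for an unknown prefix."""
    digits = e164.lstrip("+")
    for code in sorted(COUNTRY_PLANS, key=len, reverse=True):  # longest prefix wins
        if digits.startswith(code):
            return code, digits[len(code):]
    return None, None


def requests_outside_markets(requests):
    """Requests per destination country that we do not serve ('??' = unknown prefix)."""
    counts = defaultdict(int)
    for req in requests:
        code, _ = split_number(req["to"])
        iso = COUNTRY_PLANS[code][0] if code else "??"
        if iso not in OPERATING_MARKETS:
            counts[iso] += 1
    return dict(counts)


def malformed_numbers(requests):
    """Numbers whose national part has the wrong length or non-digit characters."""
    bad = []
    for req in requests:
        code, national = split_number(req["to"])
        if code is None:
            continue  # unknown country is already reported by requests_outside_markets
        if not national.isdigit() or len(national) != COUNTRY_PLANS[code][1]:
            bad.append(req["to"])
    return bad


def consecutive_runs(requests, min_run=3):
    """Runs of numerically consecutive destinations (...001, ...002, ...003)."""
    values = sorted({int(req["to"].lstrip("+")) for req in requests})
    runs, current = [], values[:1]
    for prev, cur in zip(values, values[1:]):
        if cur == prev + 1:
            current.append(cur)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [cur]
    if len(current) >= min_run:
        runs.append(current)
    return [[f"+{v}" for v in run] for run in runs]


def range_bursts(requests, prefix_len=5, threshold=3):
    """Many distinct numbers inside one provider range (country code plus the first
    prefix_len national digits), whether the numbers are consecutive or random."""
    per_range = defaultdict(set)
    for req in requests:
        code, national = split_number(req["to"])
        if code:
            per_range[f"+{code}{national[:prefix_len]}"].add(req["to"])
    return {rng: len(nums) for rng, nums in per_range.items() if len(nums) >= threshold}


def report(requests):
    """All four checks in one dict, suitable for a periodic job over message statistics."""
    return {
        "outside_markets": requests_outside_markets(requests),
        "malformed": malformed_numbers(requests),
        "consecutive_runs": consecutive_runs(requests),
        "range_bursts": range_bursts(requests),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_REQUESTS).items():
        print(f"{name}: {finding}")
```

Run against the constructed log, the report flags four requests to Uzbekistan and two to Bangladesh as outside your markets, the too-short Bangladeshi number as malformed, and the four Uzbek numbers both as a consecutive run and as a burst within one range. In practice you would feed it the per-hour destination statistics from your SMS provider and raise an alert on any non-empty finding.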


How to avoid SMS bot attacks and Artificially Inflated SMS Traffic

The tried-and-tested measures below will help you avoid costly SMS PIN spam fraud. We recommend you do all three:

1. Set up CAPTCHA verification

Presenting CAPTCHA each time someone requests a PIN code via SMS on your website or application is the best way to avoid two-factor authentication PIN code attacks.

While this is an extra step for real users, it will eliminate the possibility of someone running a spam bot attack and continuously requesting PIN codes for different phone numbers. A single person requesting PIN codes for different numbers and completing a CAPTCHA each time would simply be too time-consuming for a hacker.

2. Limit the number of SMS PIN code requests

Another thing you could try is to set a limit on the number of SMS requests per IP address or per session. So, if a hacker makes more than five SMS PIN code requests from the same IP within, say, 30 minutes, all additional requests could be rejected internally.

While public IP addresses can be spoofed, potential hackers would need to switch IP addresses after a set number of requests – which would be a lot of hassle.

3. Disable SMS delivery to destinations you don’t need

The SMS service is global in its nature but if your clients are based only in selected countries, there isn’t a need to enable worldwide SMS delivery.

Messente can easily disable SMS delivery to all destinations where you don’t want to send SMS messages. Then, whenever someone tries to send an SMS to a ‘disabled’ country via Messente, we reject the request at our end, at no cost to you. While this won’t protect you from SMS bot attacks in your target market, this method will reduce the risk to your business.
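As an added example (not Messente’s code), here is a server-side gate for “send me a PIN” requests that combines measures 2 and 3 with the per-number filter described earlier: a sliding-window limit per IP address, a sliding-window limit per destination number, and a destination allowlist that rejects numbers in countries you don’t serve before they ever reach the SMS provider. The five-requests-per-30-minutes figure is the one used above; the per-number limit of three, the allowed country codes and the simulated traffic are assumptions.

```python
# Added example (not Messente's code): gate PIN-code requests before they become
# SMS messages. ALLOWED_COUNTRY_CODES and NUMBER_LIMIT are assumptions; IP_LIMIT and
# WINDOW_SECONDS use the "five requests in 30 minutes" figure from the post.
from collections import defaultdict, deque

ALLOWED_COUNTRY_CODES = {"372", "44"}  # constructed: the markets we actually serve
IP_LIMIT = 5                           # accepted requests per IP per window
NUMBER_LIMIT = 3                       # accepted requests per destination number per window
WINDOW_SECONDS = 30 * 60


class PinRequestGate:
    """Decides whether one PIN request may be forwarded to the SMS provider.
    Timestamps are passed in (seconds) so the logic is testable without a clock."""

    def __init__(self, allowed_country_codes=ALLOWED_COUNTRY_CODES):
        self.allowed = allowed_country_codes
        self.by_ip = defaultdict(deque)      # ip -> timestamps of accepted requests
        self.by_number = defaultdict(deque)  # number -> timestamps of accepted requests

    @staticmethod
    def _count_recent(history, now):
        """Drop timestamps older than the window, return how many remain."""
        while history and now - history[0] >= WINDOW_SECONDS:
            history.popleft()
        return len(history)

    def _country_allowed(self, e164):
        digits = e164.lstrip("+")
        return any(digits.startswith(code) for code in self.allowed)

    def check(self, ip, number, now):
        """Return (allowed, reason). Only accepted requests count against the limits."""
        if not number.startswith("+") or not number[1:].isdigit():
            return False, "malformed_number"
        if not self._country_allowed(number):
            return False, "destination_disabled"   # rejected at zero SMS cost
        if self._count_recent(self.by_ip[ip], now) >= IP_LIMIT:
            return False, "ip_rate_limited"
        if self._count_recent(self.by_number[number], now) >= NUMBER_LIMIT:
            return False, "number_rate_limited"
        self.by_ip[ip].append(now)
        self.by_number[number].append(now)
        return True, "ok"


def simulate():
    """Replay constructed traffic through the gate and return the decision reasons."""
    gate = PinRequestGate()
    reasons = []
    # One IP asks for PINs to six different Estonian numbers within a minute.
    for i in range(6):
        reasons.append(gate.check("192.0.2.77", f"+3725550{i:03d}", now=i * 10)[1])
    # The same IP 31 minutes later: the window has expired, so it is served again.
    reasons.append(gate.check("192.0.2.77", "+3725550100", now=31 * 60)[1])
    # A request to a country we don't serve never reaches the SMS provider.
    reasons.append(gate.check("198.51.100.9", "+998901234001", now=100)[1])
    # Four PINs to one number from rotating IPs: the per-number limit catches it.
    for j in range(4):
        reasons.append(gate.check(f"203.0.113.{j}", "+447700900123", now=200 + j)[1])
    return reasons


if __name__ == "__main__":
    for reason in simulate():
        print(reason)
```

The destination check runs first because it is the cheapest decision and, as described above, costs nothing when the provider rejects the message anyway. Keying the second limit on the destination number rather than the client IP is what makes IP rotation unhelpful to an attacker: however many addresses the requests come from, one phone number still only receives a handful of PINs per window. In a real deployment the two deques would live in a shared store such as Redis so that every application instance sees the same counters.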


Messente can help you tackle SMS PIN spam fraud

It’s not possible to automatically detect which SMS requests are made by a bot and which come from a real user (because the content is identical and comes from the same source). However, monitoring your account and message statistics is one way to see whether hackers are targeting your company.

Messente’s Key Account Managers always keep a keen eye on your statistics, but if the SMS volume generated by hackers/bot attacks is low, SMS PIN spam fraud might go undetected for a while.

If you think two-factor authentication PIN code attacks are impacting your application or business, reach out to us immediately – we want to help! Rest assured, we’ll do our best to find a solution for your case.

Heimar Lecht
2022-02-25 00:00:00 UTC