Battling SMS pumping fraud: a never-ending story on a million scale
The battle against SMS pumping fraud is endless, with crafty fraudsters always finding new ways to exploit systems. This is where our product, Infobip Signals, enters the scene.
Your login code is 1230815, please do not share your login code with anyone.
We have all been there: a simple and widely used SMS-based system for authentication.
How could this be fraudulent, and what could possibly happen if you receive such an OTP code without requesting it or sharing your code details with anyone? No harm done, right?
What is SMS pumping fraud?
It depends on who you ask, but this type of fraud is also known as artificially inflated traffic (AIT) and is a way malevolent actors try to squeeze extra profit out of the provider that enables you, the end user, to receive the message.
Even though you aren’t financially harmed, the provider of the OTP service, which gives you the option to authenticate through SMS, is.
And who is the Fraudster?
First, let us explain the actors in the process because sending an OTP message is a process that requires a lot of intermediaries in the flow.
The main elements of this flow comprise content providers (like Meta, Google, etc.) who serve their OTP codes and mobile phone number destinations to SMS aggregators. Aggregators offer their expertise to route these OTP codes throughout the world so that in the end they can be terminated. Termination happens through a mobile network provider who has the destination phone number registered on its network and finally sends the SMS to your device.
Sounds simple, but there is one more thing: in reality this flow is complex and involves layers of aggregation where multiple interconnected parties work together to deliver the message to you. A fraudster can be anyone in this process except the content provider who needs to send a message to the end user.
OK, it is a complex thing and there are a lot of parties involved in the process, but there must be a way to stop these fraudsters from causing monetary loss to our clients, right?
There is a way, but by no means is it simple and easily done.
Houston, we have a problem (or two)
The main problem, from a data science and modeling perspective, is generalization.
Can the system be generalized to efficiently cover a wide variety of clients and their OTP use cases? The simple answer from experience is no, so there needs to be a mechanism in place that captures general fraudulent patterns or behavior of OTP messages but is also capable of adapting to specific clients.
A consequent problem that arises from the above-mentioned approach is handling client-specific OTP traffic patterns at scale. Traffic patterns often differ from client to client based on their use case for OTP messages and, of course, user behavior.
For example, a client that requires users to use two-factor authentication (2FA) on every login produces quite a different traffic pattern than a client that triggers 2FA only on specific events. What first comes to mind is to automatically handle each client’s case and tune the system appropriately for effective fraud prevention based on the client’s OTP traffic patterns.
Let’s build a fortress against this fraud
So we need a system that is able to catch fraudulent patterns but is also tailored to each client. These two goals are contradictory, but it had to be done. This is where our product, Infobip Signals, enters the scene.
Two separate parts of the system needed to be set in place for this to happen.
The first part is the analytical one, which can catch fraudulent patterns on different aggregation levels and provide appropriate scoring. The second part is a pipeline that can digest client-specific traffic patterns and serve as a feedback loop to the first part for better detection and prevention.
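As an added illustration (not Infobip Signals code, and not a description of how Signals works internally), the following Python shows one way the two parts could fit together: a scorer that compares hourly OTP counts with each client's own baseline at prefix and client level, and a feedback step that learns only from unflagged traffic. The robust z-score, the thresholds, the client names, the prefix label and all traffic numbers are assumptions constructed for the example.

```python
from statistics import median

THRESHOLD = 6.0   # assumed cut-off on the robust z-score
MIN_HISTORY = 5   # assumed warm-up: hours needed before scoring starts

def robust_z(count, history):
    """Deviation of `count` from the history's median, in MAD-based units."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    # Floor the spread so a flat history cannot blow the score up.
    spread = max(1.4826 * mad, 0.1 * med, 1.0)
    return (count - med) / spread

class ClientBaselines:
    """Per-client baselines kept at two aggregation levels: prefix and client."""

    def __init__(self):
        self.history = {}  # (client, level, key) -> list of hourly counts

    def score_hour(self, client, counts_by_prefix):
        levels = {("prefix", p): c for p, c in counts_by_prefix.items()}
        levels[("client", "*")] = sum(counts_by_prefix.values())
        scores = {}
        for agg, count in levels.items():
            hist = self.history.setdefault((client, *agg), [])
            scores[agg] = robust_z(count, hist) if len(hist) >= MIN_HISTORY else 0.0
        flagged = {agg for agg, s in scores.items() if s > THRESHOLD}
        # Feedback loop: only unflagged traffic updates the baseline, so a
        # pumping burst is not learned as this client's normal pattern.
        for agg, count in levels.items():
            if agg not in flagged:
                self.history[(client, *agg)].append(count)
        return scores, flagged

def demo():
    b = ClientBaselines()
    # Constructed traffic: "every_login" sends ~1000 OTPs/hour (2FA on each
    # login), "event_only" ~20/hour (2FA on specific events).
    for hour in range(24):
        b.score_hour("every_login", {"prefix-A": 1000 + (hour % 5) * 10})
        b.score_hour("event_only", {"prefix-A": 20 + hour % 3})
    # The same 300 extra messages in one hour hit both clients.
    _, big = b.score_hour("every_login", {"prefix-A": 1320})
    _, small = b.score_hour("event_only", {"prefix-A": 321})
    return big, small

if __name__ == "__main__":
    print(demo())
```

The same 300 extra messages stay within the normal range for the high-volume client but are flagged at both levels for the low-volume one, which is why a single global threshold does not generalize across clients.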
Sounds clear, are we done now?
Not quite, because there is one important thing that makes fraudsters want to innovate hard to bypass detection and get the money. In my experience, fraudsters are eager to innovate and find ways to avoid detection based on known fraudulent patterns. Even though the system has a feedback loop based on traffic patterns, we have seen creative tries and new patterns emerging that bypassed our system.
So, the first part of the system also needs to be modular and expandable with additional ways of catching these newly emerged patterns. However, reverse engineering these fraudulent patterns is also a non-trivial task that requires experimentation and often a lot of creativity.
Never-ending story?
And why is battling SMS pumping fraud a never-ending story?
Because the main motivation of fraudsters is money, and if there is motivation they will be coming back with novel approaches and tricks to avoid detection and generate profit.
However, the system that we have created and set in place is made to be adaptable and resilient, and we have many bright minds on our side of the team too. And if you want to have a closer look into Infobip Signals, be our guest.
We don’t necessarily have to stop fraudsters completely; by increasing their operational costs, we can make it unprofitable for them to continue their fraudulent activities.