Securing the messaging ecosystem from artificial inflation of traffic

When Elon Musk says Twitter lost $60 million a year because telcos used bot accounts to pump A2P SMS, heads were bound to turn. And turn they did. This bombshell brought to the fore a type of fraud that has immense consequences for the entire mobile and messaging ecosystem, artificial inflation of traffic (AIT).

Artificial inflation of traffic uses bots to generate one-time PIN requests to generate undue costs and financially benefit the fraudster. Fairly simple, but the impact is much wider than this and has a huge detrimental effect on the overall trust in the digital and mobile ecosystem, affecting reputations of telcos and businesses alike, not to mention the security aspect. It raises the question whether A2P SMS 2-factor authentication can be trusted and could consequently undermine the viability of A2P SMS as a business messaging channel.

The stakes are high, to put it bluntly. Telcos have for a long time seen A2P SMS as a reliable revenue stream, not least because of SMS-based one-time PIN delivery. On the other hand, AIT fraud could drive enterprises to look at other types of authentications which may be unavailable to some, if not most users – the biggest advantage of A2P SMS for 2FA is its ubiquity and ease of use. Cutting it might leave their accounts without protection, and that should not be an option.

The irony of the situation is that despite the cost associated with artificial inflation of traffic, everyone in the ecosystem can be a potential beneficiary. And while enterprises are most commonly the victims of this type of fraud, there are a few who use it to boost their user count and show growth.

However, in the long run this has detrimental effects on the entire messaging ecosystem. Ultimately leading to fake A2P SMS traffic, revenue loss for enterprises, and reputational damage for telcos and tier one communication providers. But more than anything also undermines the usage of SMS as a channel for business messaging.

To combat these rising threats, telcos, communication providers and enterprises must work together to protect their customers and businesses from fraud and abuse, secure the business messaging ecosystem and win back trust.

Artificial inflation of traffic (also known as SMS pumping) is a type of SMS fraud that inflates the number of requests for one-time PINs from businesses. This type of fraud is typically perpetrated by fraudsters who use automated software programs to send out large numbers of PIN requests to generate revenue from businesses. Businesses have challenges distinguishing the “fake” inflated requests from genuine user requests.

The complex ecosystem of messaging could lure various parties to utilize AIT:

Businesses: Brands could misuse AIT to mispresent their customer base, as it could be an indicator of customer base growth. 

Communication providers: CPaaS providers could misuse AIT to inflate the number of OTPs which could directly or indirectly bring them more revenue. 

Mobile Network Operators: MNOs could misuse AIT to inflate the number of OTPs which could directly or indirectly bring them more revenue. 

Conclusion: All involved parties could benefit from AIT, so it is hard to point fingers at anyone expressly. However, if we all work together, we can make the secure channel out of it again. 

Why do Businesses and Telcos fall into the trap of AIT?

We can identify two sources for artificially inflated traffic.

The first one is businesses who are proactively looking for the cheapest rates and provider options on the market, and this leads to them partnering with lower tier aggregators. Like they say if the offer is too good to be true, you could be getting scammed.

The logic here is cheaper routes to deliver traffic will help save costs. However, with these low-costs, aggregators may find it difficult to break even after paying the telco operator for the brands’ traffic usage. And that’s where pumping artificial traffic to the brand with certain user generated messages comes handy. As the lower tier aggregator does not send the traffic to the telco but keeps the profit for that traffic to themselves.

And for the business working with the low-cost aggregator and not with a reputable one with direct connections or the telco directly, there are cases where bots are being created to request for OTP pins and inflating the number of messages being sent.

In the second scenario, at times telcos put high A2P SMS revenue targets, and this leads to intentional or unintentional partnerships with aggregators that are pumping artificial traffic for them. This brings the telco more revenue and businesses inflated bills.

And both these scenarios damage the A2P messaging industry’s reputation.

The main type of messages that are used for artificial inflation of traffic are time-sensitive user generated messages – such as one-time passwords. Or a user getting a message on suspicious activity message triggering them to initiate a conversation.

Why is 2FA and OTPs the main use case for artificial inflation of traffic?

Businesses generally use OTP to onboard new users, login users and reset passwords. With high SMS rates in some markets, all that is required from a bad actor is to create bots to ask to generate fake traffic.

While some may look at artificial inflation of traffic as a revenue stream, it’s not doing the industry any good and raises questions on trust and compliance. Hence, to mitigate the risk of artificial inflation of traffic, telcos, communication providers and businesses should implement a comprehensive fraud prevention strategy. This includes monitoring for suspicious activity, implementing authentication protocols, using advanced analytics to detect anomalies in traffic patterns, and new features for recognizing AIT.

Finally, they should ensure that their systems are regularly updated with the latest security patches to protect against any potential vulnerabilities.

What can businesses do to protect the ecosystem?

As mentioned earlier the onus lies with all three organizations, including businesses. As a business it is important to responsibly choose the communication provider to help fight AIT. While cost is always a factor in choosing a communication provider or aggregator, it shouldn’t be the only one. So, what can a business do?

What can telco operators do to protect the ecosystem?

Telcos or mobile network operators are one of the key stakeholders in the messaging ecosystem.

What can aggregators and communication providers do?

To secure the entire eco-system aggregators and communication providers can add the seal of security by having a zero-tolerance policy towards artificial inflation of traffic and providing consultancy and solutions to help monitor and secure the ecosystem.

Artificial inflation of traffic can be difficult to detect and prevent but there are some best practices and solutions that can help reduce the risk.

SMS firewalls are an effective tool for preventing artificial traffic inflation. Firewalls can detect and block suspicious SMS traffic patterns, such as large volumes of messages sent from and to the same destination. This helps to protect businesses from malicious actors who may be attempting to inflate their traffic numbers by sending out fake messages. Additionally, firewalls can be used to detect and block messages containing malicious content, such as spam or phishing links.

Rate Limits are important safeguards used to stop fraudulent behavior and prevent attackers from targeting applications. Setting a limit on the number of messages that can be sent to certain numbers or prefixes helps keep malicious activity at bay – particularly in regard to financial services, where fraudsters may try to use vulnerabilities to access sensitive data or resources. Setting rate limits needs to be monitored in an intelligent way with the help of AI and machine learning and not by setting a static limit. This way the rate limits can be changed dynamically and in real-time making it difficult for fraudsters to breach.

The prevention of bots from sending artificially generated traffic or requesting OTPs is important to safeguard the ecosystem. Libraries such as BOTd or CAPTCHAs can assist in spotting and frustrating bot traffic by applying minor alterations to the user experience, for instance necessitating users to validate their email address before signing up for 2FA. Even though this results in a minor amount of effort for valid users, it deters automated scripts and bots.

In addition, there are machine learning solutions available that can help identify bots by monitoring the time between OTP request, checking the sequence of numbers and traffic history.

Implementing exponential gaps between authentication retry queries is significant in hindering rapid transmissions. This kind of rate regulation guarantees that the same telephone number is not overwhelmed with an excessive number of messages within a short duration and help spot bot-initiated actions versus human customers. By carrying out exponential delays, the gap between each query rises exponentially, furnishing more control over how often notifications are distributed. A good practice while implementing SMS 2FA is specifying a maximum number of attempts and utilizing back-off algorithms to identify the time span between each attempt.

Examining conversion ratios of single-use codes is an integral part of safeguarding any set up that utilizes OTPs for authentication. To make sure that OTPs are properly utilized, it is essential to monitor the conversion rates and create alarms when utilization breaches a determined limit.

To protect businesses from artificial traffic of inflation, we are developing a solution to detect fraudulent traffic and prevent reputational and monetary damage caused by it without affecting normal traffic. The solution is as simple as plug and play and requires no development effort. Signals uses volumetric and rate-based approaches to detect any suspicious activity, intelligence-led techniques such as analyzing risk profiles, contact ratios, saturation densities, and suspicious account behavior to mitigate attacks, and detects and prevents artificially generated traffic in real time with machine learning and advanced algorithms.

In conclusion, to create a secure messaging ecosystem and win back trust, telcos, businesses, and aggregators need to work together and deploy solutions to prevent artificial inflation of traffic. The communication industry is growing, and the continued tolerance towards artificial inflation of traffic could result in a loss of credibility and messaging use cases being moved to other OTT channels.

Businesses need to be aware about the risks of using low-cost routes, telcos need to align their expectations with their markets organic growth and aggregators mustn’t put their reputation in questions to save a few dollars.

At Infobip, we work directly with telcos and businesses to secure ecosystem. Our 800+ direct carrier connections and firewall solutions helps us, help you limit fraud and ensures no third-parties benefit from artificial traffic.