There’s a terrific short story by the sci-fi writer Ray Bradbury called The Crowd. At the start a man is involved in a car crash. As he comes around, a crowd gathers. He is frightened by this gathering of ghouls. They seem threatening – like circling hyenas. Later in the story, we realise that a crowd assembles after any accident – and they are always the same people.
I think of this story when I hear about some new form of malpractice in the business messaging space. Whenever our industry finds an exciting new market for its services, you can bet that – shortly after – the fraudsters will descend. Quite often, they are the same bad actors as before.
The fraudsters have come up with a new twist on fake traffic. And this time, they’re targeting the authentication messages sent by (mostly) OTT (Over The Top) companies. This is an obvious target since hundreds of billions of these texts are sent every year.
Here’s how it works.
The fraudster develops an emulator that signs up as a new user to an OTT service. For the sake of argument, let’s say Facebook.
The emulator fakes the behavior of a real person. It signs up, and waits to receive its one time passcode. It enters the passcode and is approved as a new user.
Thereafter, it obviously does nothing. No posting. No sharing. However, it might ping Facebook to report a lost password, so that it can go through the entire process again.
Clearly, this user is of no use to Facebook (and its advertisers). It’s not a real person. But unlike other fake traffic, this ‘user’ does at least appear like a real human. It completes the sign-up process after all.
Simple. With this scam, the fraudster – in a collaboration with an unethical aggregator – gets paid by the OTT for traffic it never routes through the MNOs (Mobile Network Operators).
This is how. The OTT signs up with an aggregator to buy authentication messages at extremely low market rates. With the deal signed, the aggregator then uses an emulator to fake sign-ups. The OTT registers its new users and instructs the aggregator to send authentication SMS codes to them. The aggregator enters the codes itself. It doesn’t route any SMSs via the operators, but still reports these transactions as converted.
This way, it gets paid for thousands of transactions that cost nothing. It is pure revenue.
And it’s a difficult scam for the OTTs to detect. To repeat, while these users are not human they do behave like real users to a degree. This makes them tricky to identify and block.
Ultimately, the OTT loses out in a number of ways. There’s the cost of course, but the fake user base also distorts its stats. When there is emulator fraud, how can the affected enterprise know exactly what percentage of their user base is real? And what are the knock-on effects for their advertising models and investor relations?
Regrettably, this type of fraud is not new. It’s really a new twist on the international premium rate services scams we saw a decade ago. Back then, fraudsters used SIM farms or hacked PBXs to generate machine calls. Their aggregator partners would then claim back the premium rev share (this time from the MNOs) for non-existent subscribers.
Cost saving is the obvious answer. When an aggregator is using emulators to bump up its traffic numbers, it can offer fees below the market rate. For the procurement department of an OTT, it’s hard to resist a vendor offering you 7c per SMS when everyone else is offering 8c or more. Meanwhile, departments in charge of boosting sign-ups are also delighted at the rate of conversion.
And, yes, other departments might notice strange traffic patterns and inactive accounts. But these are huge companies. Maybe it’s hard for them to join the dots and take action to stop it.
I speak from experience. About 18 months ago, we started getting complaints from OTTs about our conversion rates and prices. They were getting better rates and higher conversions elsewhere – 95 per 100 rather than the usual 85.
But I knew our stats were as good as could be. That started a bell ringing. We looked at all the traffic running across one of our MNO partners. I could see how messages were being routed and terminated. We did investigations and could still see that a good part of the OTT’s overall traffic was not going through the MNO.
I believe emulators could be faking as much as 10% to 20% of an affected OTT’s user base. We need to do something about this before enterprises lose faith in SMS as an authentication medium and move on to other solutions.
Consider this blog the first action in the battle: raising awareness. In Part 2, I’ll be talking about what solutions. Tune back in to find out how we can beat the vultures, restore trust and ensure SMS remains the best possible option for companies looking to do secure authentication and sign up.
Written by Ehsan Ahmadi, CEO and Founder of Vox Carrier