Ask HN: Daily Twilio OTP attacks, why, just why?
We're experiencing daily Twilio OTP attacks that create accounts. We block IPs and have throttled the rate of account creation. But other than running up our bills (~$10 / day) I don't understand what they gain from this. Why are they doing this? What am I missing?

Most likely this is being abused for SMS pumping fraud, where rogue network providers/small providers complicit in fraud use the traffic to generate revenue. - https://support.twilio.com/hc/en-us/articles/8360406023067-S... They often take a share of the revenue from those attacks through IPRN numbers or other fraud schemes.

Interesting! That would explain motivation. Any insight on how to track if we're on one of those lists and remove ourselves?

Well, a phone number can always be reattributed to a real user, so it’s rare that a deny list is the only indicator used to prevent fraud; at least that’s not how our antispam works at https://ding.live :)

If your business is local, maybe limit the accepted numbers to a specific area or country. Otherwise, try to understand whether they're automating account creation or doing it manually. Maybe a CAPTCHA/Turnstile during sign-up can slow them down? Anyway, Twilio really dropped the ball on this problem, but why should they care as long as it keeps making them money?
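
The country restriction suggested above, combined with a per-number-block send limit, can be sketched as a gate that runs before the SMS provider is called. This is an added example, not code from the thread or from Twilio; the class name, allowed prefixes, thresholds and sample numbers are all constructed, and it assumes pumped traffic clusters in blocks of adjacent numbers.

```python
import time
from collections import defaultdict, deque


class OtpSendGate:
    """Decide whether to send an OTP SMS, before calling the SMS provider."""

    def __init__(self, allowed_prefixes=("+1", "+44"), block_digits=2,
                 max_per_block=3, window_seconds=3600):
        self.allowed = tuple(allowed_prefixes)  # assumed: countries the business serves
        self.block_digits = block_digits        # trailing digits ignored when grouping
        self.max_per_block = max_per_block      # assumed threshold, tune to real traffic
        self.window = window_seconds
        self._sent = defaultdict(deque)         # block -> timestamps of allowed sends

    def check(self, number, now=None):
        now = time.time() if now is None else now
        digits = number[1:]
        # E.164: "+" followed by at most 15 ASCII digits
        if not (number.startswith("+") and digits.isascii()
                and digits.isdigit() and 8 <= len(digits) <= 15):
            return "reject:format"
        if not number.startswith(self.allowed):
            return "reject:country"
        # Adjacent numbers share a block, so rotating the last digits
        # (or the source IP) does not reset the counter.
        block = number[:-self.block_digits]
        recent = self._sent[block]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_per_block:
            return "reject:block_velocity"
        recent.append(now)
        return "send"


def run_sample():
    # Constructed requests: (seconds since start, number submitted at sign-up)
    requests = [
        (0, "+15555550101"), (1, "+15555550102"), (2, "+15555550103"),
        (3, "+15555550104"),     # fourth send to the same block of 100
        (4, "+15555550201"),     # different block, allowed
        (5, "+99912345678"),     # prefix not in the allowed list
        (6, "15555550101"),      # missing "+", not E.164
        (3700, "+15555550105"),  # window has expired, allowed again
    ]
    gate = OtpSendGate()
    return [gate.check(number, now=t) for t, number in requests]
```

Rejections by reason are worth logging and graphing: a rise in `reject:block_velocity` for one prefix shows which number ranges are being targeted.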