We're getting personal in our latest eBook, check it out for insights and stats on how personalization is switching up messaging! Read more
Secure Verification

Preventing Fraud on your Sinch Services using our Verification API

Fraud and Security · 08/12/2017 · 4 min read

by Sinch

Since 1957, when a five-year-old boy with perfect pitch first phreaked AT&T switches and invented phreaking, phones have been a target for different types of fraud that costs customers and phone companies billions of dollars. However, if you’re using the Sinch Verification API, we’ve got your back! We watch systems using Artificial Intelligence (AI) and actual live employees 24/7, 365 days a year to detect fraud and block fraudulent activity.

In this blog post, we wanted to share the most common fraud scenarios, to provide a solid understanding of the most common fraud / spam activities that we see in our systems at Sinch. This information can be used to help prevent other types of fraud in your apps. We don’t want to scare you, but there’s always people out there trying to break and steal your stuff!

Premium Rate Traffic Pumping

This is the most common scenario we see at Sinch, regardless of whether you’re building an app to phone solution or on-boarding with Voice or Flash Calls.
Here is how it works:

A fraudster generates calls to a shared revenue destination. For every call, the fraudster gets a piece of rate and we get charged. This kind of fraud is intense, with huge spikes of traffic and can usually be spotted by looking for patterns such as the same, or similar number series in very quick succession.

Attack points for this:

  1. A security problem in your API
  2. Request replay
  3. UI testing frameworks

Ways to Prevent Traffic Pumping

Blacklist

Sinch maintains blacklists containing thousands of different premium number lists. We block all shared revenue and premium rates that we know of. Even if Sinch block these numbers, it’s still good practice to have your own logic to keep the fraudsters at bay. We also keep a close eye on strange traffic patterns, but nobody will have a better understanding of your traffic patterns than you.

Only allow access to the countries you have a market in. If you know you don’t have any users or services certain countries, block them.

Below are the most common fraudulent traffic countries:

  1. Latvia
  2. Lithuania
  3. Serbia
  4. Estonia
  5. Somalia
  6. Congo
  7. Pacific / Caribbean Islands

These countries provide low cost access to premium numbers.

Rate limiting

Often attacks come from just a few IP addresses, so make sure you rate limiting in:

  1. Your APIs calls - sign up flows based on IP or other unique identifiers like Serial number on a device etc.
  2. Country and SIM card country - compare country location to SIM card country. If you see many attempts, someone is trying to figure your system out.

HLR lookups

As an add on service Sinch can provide HLR-lookups to provide insightful information such as Operator, type of number etc. You can use information gained from an HLR Lookup to block GVoice numbers, certain carriers etc.

Velocity checks

Another scenario for fraudsters is to attack phone verification, fail the verification on purpose and try again. The best way to protect against this kind of fraud is to have control logic built into verification callbacks which don’t allow more than three attempts to verify.

Number validation

Use either the Sinch phone number validator or Googles libphonenumber –this is the one we use in the Sinch verification API to make it easier for you. A common tactic fraudsters use is to add extra numbers to the end of a phone number to generate calls to a premium number. By verifying that a number is correctly formatted, fraud attempts can be stopped before they even hit your server.

Reputation

A common way to prevent fraud in e-commerce and other services is to limit accounts until you trust the user. A few tactics are:

  1. Do not let the user make calls until they have verified the phone number.
  2. Do not let the user make calls until they have made one successful payment and limit the amount of payments until the user has a solid track record.

For OTT calling apps, this last point is one of the most important. Fraudsters will attempt to buy minutes with stolen credits cards – unless you know the banks, don’t take risks!

Usage triggers

Build your own system and apply rules for your specific traffic patterns in callbacks. If the rules trigger, why not send yourself an SMS using Sinch to check the system. If everything is working as it should, maybe your app is on the front-page of TechCrunch and its real users, but more often than not, it will be someone trying to break your system.

Always use callbacks for both calling and verification

By far the most important thing you can do to protect yourself against fraud is to use Sinch’s Voice and Verification Callbacks to enable control of call and verification flows.

Verification Callbacks – /docs/verification/rest#verificationcallbackapi
Voice Callbacks – /docs/voice/rest/#callbackapi