I think I have a pretty good idea what happened with the SMS decision yesterday.
Some people are mentioning Elon talked about fraud creating high costs for SMS 2FA. (Account security via login codes sent to your phone.) This is known as Toll Fraud and is nothing new.
1/14
Some people are mentioning Elon talked about fraud creating high costs for SMS 2FA. (Account security via login codes sent to your phone.) This is known as Toll Fraud and is nothing new.
1/14
How toll fraud works is, someone in a position to collect fees for delivering messages (a phone company) creates a bunch of traffic or pays a bounty to someone else who will do that for them. This happens more intentionally as there are fewer laws and they can charge more.
2/14
2/14
So Unscrupulous Telco, Inc. is in a country where they can charge 5¢ per text delivered to one of their customers. They tell Mr. Hacker they'll give him 1¢ of that for every text sent to his dead number. But how to send a bunch of texts that someone else will pay for?
3/14
3/14
Mr. Hacker writes a bot that just clicks a website's "forgot password" and "I didn't get the code, please send again" over and over. If you can send just one text per second at 1¢ per text, that's $26k/mo. Not bad, right?
4/14
4/14
We've known about this kind of fraud for a long long time. So websites have safeguards such as rate limiting (only ten attempts per day or so), blocking certain countries outright, and blocking certain abusive carriers.
5/14
5/14
But fraudsters are smart. A lot of times probably even smarter than the people tasked to stop them. This leads to a continual game of cat and mouse closing vulnerabilities as fast as they come up. New carriers emerge, new areas of your website allow texts, etc..
6/14
6/14
And here is where we get to Elon and Twitter and the recent panic of SMS 2FA costs. Account security teams have a lot of people. Most of them aren't programmers. Those non-programmers include data scientists, product managers, middle managers, etc..
7/14
7/14
Some of those people specifically have roles to request data, look at data, find new issues, research them, formulate a plan to plug it up, and dish out the work. These are the people who "don't do anything useful" because their name isn't in GitHub.
8/14
8/14
And by now you know where I'm going with this. Someone's job probably included looking at Twilio reports daily and finding new carriers to block. They were laid off and nobody took on this work in the chaos. Then Elon gets a huge Twilio bill and freaks the fuck out.
9/14
9/14
And in typical Elon fashion he doesn't ask WHY this exists in the first place. (Again, it doesn't protect YOU, it protects the people who read your tweets.) He doesn't want to hire someone to mitigate it. He wants to profit off of the problem he created.
10/14
10/14
However, if you've read this far you already know how this will play out. Fraudsters can make a lot of money and have access to a lot of illegal tools. They will gladly pay the $8. Even if a single account is rate limited, they'll use fake or stolen credit cards.
11/14
11/14
You can buy stolen cards off the internet. Fraudsters already don't care how much money Twitter spends to give them a penny. They certainly don't care how many times they'll sign up some rando for Blue with their stolen card. It's just an extra step for their bot.
12/14
12/14
So legitimate users who use SMS to keep their account protected get kicked to the curb. Fraudsters find a way. In a month Twitter's SMS spend is right back where it is now but randos get charged. Twitter spends even more money dealing with chargebacks and CS issues.
13/14
13/14
And the end benefit to you? It's now easier for scammers to use your account to hock crypto scams to your friends. It's now easier for scammers to take over people you follow and shove a bunch of fake charities at you. Enjoy!
fin
fin
There's QRTs taking this as absolute, so I want to be clear. I've never worked at Twitter and this is only my best guess.
However I work on exactly the same kind of team for another large website and this is 💯 what would happen if someone laid off 80% of us at random.
However I work on exactly the same kind of team for another large website and this is 💯 what would happen if someone laid off 80% of us at random.
Balancing security and costs are difficult and unfortunately fraudsters and scammers will take advantage of both ends. Toll fraud is something we, and EVERY site with SMS 2FA deal with constantly. You don't just fix it once and forget about it. We choose to deal with it anyway.
I'm a reply guy and never had an original post pop off like this. I think I'm supposed to drop my SoundCloud? You'll need to hit the yellow button in the top right to activate. 🐕
pets.wilco.org
pets.wilco.org
• • •
Missing some Tweet in this thread? You can try to
force a refresh
