20.12.2022 - Last week, the NCSC received roughly the same number of reports as in the previous week, with 635 in total. One case in particular stood out: attackers attempted to obtain money from app registrations by using "SMS traffic pumping" and foreign phone numbers.
Attacks on apps that use registration via phone numbers
Registration via phone number is a method widely used by smartphone apps to uniquely identify an account. After the user has registered, the app provider sends a text message with a verification code. The app can be used only after this verification code has been entered. This simple registration without a password or email address is user-friendly and relatively secure, because registrations with invalid phone numbers can be detected quickly.
Once again, the NCSC received reports about the abuse of this registration by text message for one app provider. The attackers performed several hundred thousand automated registrations using foreign phone numbers. The text message with the verification code was then sent to phone numbers in various countries, specifically to numbers that charge for sending text messages (roaming or interworking charges). As network usage increases, so do the costs. The app providers are obliged to pay for the data traffic generated by the registration text messages, even if they are fraudulent. The attackers receive a proportion of the charges generated in this way.
If they do not take appropriate measures, app providers can find themselves facing significant costs from such attacks. Artificially inflating network traffic is known as "traffic pumping" or "SMS traffic pumping".
Recommendations for app providers:
- Always set limits for sending text messages – how many messages can be sent in quick succession, for example.
- Limit phone registration to only those phone numbers that would be usual for your app – phone numbers with Swiss prefixes, for instance.
- Ask your provider to block the sending of premium rate text messages.
- Agree cost ceilings with your text message provider, so that the sending of text messages is blocked once the limit is reached.
- Set up a monitoring arrangement to keep track of the dispatch of these text messages.
Current statistics
Last week's reports by category:
Last modification 20.12.2022