by ksajadi 1899 days ago
Sorry to hear. Twilio has changed since its early days. Last month, our bill went from $20 per month to $16,000. The reason: fraudsters use Twilio to set up premium numbers, then use Twilio customers (like us) to send OTPs to those numbers using bots. The result is us out of pocket, fraudsters and Twilio making money.

Twilio is also the only Pay as you Go SaaS vendor that doesn’t have spend limits on accounts and advises customers to implement any fraud measures themselves.

While this was going on, we got an email from their sales rep, congratulating us for increasing our spend by more than 8000% and wanting to have a chat. So I guess they do have the systems to monitor unusual patterns, they just turn a blind eye.

You’d never know, someone in Twilio might even be selling customer lists on the black market to the fraudsters so they know who to target.

8 comments

> While this was going on, we got an email from their sales rep, congratulating us for increasing our spend by more than 8000% and wanting to have a chat. So I guess they do have the systems to monitor unusual patterns, they just turn a blind eye.

At this point we're entering criminal territory. Enriching yourself when you should reasonably know something criminal is occurring (like someone being defrauded), and helping the perpetrator by providing your service anyways, can make you a criminal yourself very fast.

As far as judges will be concerned, you're now a perp yourself.

In the United States I don’t think there are many jurisdictions where an automated marketing email will get anyone put on the most-wanted list.

I have a very hard time seeing the criminality of this. Can any lawyers provide more insight?

It only takes one.

One young prosecutor seeking to make a splash in a jurisdiction with a twilio customer.

Twilio might win in court, but they’d lose in the big picture.

Interesting. Have you ever seen this happen in your practice as a lawyer?

> we got an email from their sales rep

That doesn't sound automated.

I think sales emails can be automated.

Isn’t this a major selling feature of pretty much every CRM?

You could try AWS SNS SMS. This is also PAYG. A wrapper like https://sendwithses.com might make your work easier.

EDIT: With AWS SNS SMS you can set a spending limit and your bill will never go over that.

AWS SNS SMS seems best suited for internal communications (we use it for alerts); it does not seem suitable for commercial use where you require targeted sends, you'd have to create a topic for each customer.

Source: use it and twilio.

Clearly not.

Looks like we'd need https://docs.aws.amazon.com/pinpoint/latest/userguide/channe...

Which isn't bad, but is much more limited than what Twilio provides.

I thought AWS SNS SMS was a wrapper around twilio? I recall a big song and dance on the Twilio side about them providing AWS with a service... Could be wrong.
FWIW: you can turn off automatic recharge and ask for a different reminder limit. Not ideal, but at least it prevents crazy bills.

We didn't have automatic charge. We now have an invoice to pay.

A Twilio invoice or a lawyer’s invoice?

They still bill you no matter what, and if the bill is big enough they will sic collections on you.

This surprises me. I thought they would disable the service when the balance goes negative. I need to add some more monitoring and a failsafe rate limit...

They also continue to bill for recurring services even if your account balance goes to zero, watch out.

That's painful for you, but a good thing to know as a community. Is it possible to prevent sending to premium numbers?

Yes, but it adds insult to injury. One of the suggestions by Twilio is to use their service to check the number and send only to mobile numbers. The issue? Twilio charges per call for that service! So you pay them to "possibly" stop you paying them more and fraudsters. The whole thing stinks.

Is there some kind of regex for premium rate vs standard numbers?

In some countries.

For example, all UK mobile phone numbers begin 07 (i.e. +44 7), fixed/special rate 08, and premium rate 09.

But SMS also has "short codes", which is probably what's being abused here. 5 or 6 digit numbers, usually used for things like "Text 12345 to donate €2 to this charity" or "Send 'CXM' to 12345 and receive a message telling you when the next bus comes to this stop, costs 10¢".

https://en.wikipedia.org/wiki/Telephone_numbers_in_the_Unite...

https://en.wikipedia.org/wiki/Short_code

Might libphonenumber be of some help?
How do the fraudsters make money? Not familiar with the concept of premium numbers. EDIT: Oh, premium numbers charge the sender.

The fraudsters set up premium numbers with some other telephony provider, possibly in another country. Then they use those numbers to receive 2FA (two factor auth) passwords (either SMS or read aloud in calls). Because the defrauded party's servers called those premium numbers through Twilio, the defrauded party has to pay Twilio.

AFAIK there's no easy way to always, securely detect premium numbers. The fraudster can set up a forward from a normal number to a premium one anyway. So checking number prefix is useless. One could listen for the "After the beep, this call will be billed at X c/min" recording that premium numbers in honest countries have. The fraudsters manage to find less honest premium number providers that skip these.

This is a well enough known issue that Twilio has a page about it: https://www.twilio.com/learn/voice-and-video/toll-fraud

The real fraud here seems to be the telephony industry's concept of a premium number. That there isn't an enforced standardized way to tell that a phone number will incur extra fees to contact is a failure of the industry. This shouldn't be a hard problem.

There is such a system, countries are supposed to report all premium number ranges to the ITU. The problem is that some countries/carriers don't actually do that and then still charge the high amount.

If Twilio wanted to stand up for their customers they would refuse to pay for any premium number that's not in an ITU registered premium range. It will cause a few lawsuits with telecom carriers, but then probably ends this problem once and for all.

Twilio claims this isn't possible, but most mobile operators offer an option to disable calling premium numbers. So either the providers are very customer friendly and eat the cost (unlikely, it would open them up for huge amounts of fraud) or the mobile operators figured out how to block it or push the cost back to the upstream provider.

Couldn't you not support SMS 2FA for noncompliant countries, and then check that it's not in an ITU registered premium range?

Wow. That's a lot of words for Twilio to say "we won't help you mitigate toll fraud".

> the fraudsters can set up a forward from a normal number to a premium number

Doesn't this mean that your call from Twilio to the normal number would be charged at your usual rate, and the fraudster would pick up the cost for the forwarding?

> The fraudster can setup a forward from a normal number to a premium one anyway. So checking number prefix is useless.

Would the forwarding party not have to pay the premium rate part in this case?

Yes, in all telco systems I know the one that sets up call forwarding pays for the part from forwarder to destination.

I think most consumer telephony companies let you block calling premium numbers, so presumably Twilio could just ask their telephony provider to do so.

Sucks. But then again, anything that puts a nail in the coffin of SMS/Voice call 2FA, probably for the best. I feel bad for the genuine uses of phone tech that are targeted though.

I've only briefly played with Twilio, but would it be possible for your app/TwiML to intercept the request to send a text to those numbers, and detect a volume of X messages being sent to the same number (highly unlikely) and abort?

That's one of their recommendations. So the idea of Twilio is just drop a library and we take care of telephony for you, but then they suggest you implement cooldown periods, exponential backoffs, use their other services (paid) to check if the number is a mobile etc. And they tell you this, after you get the nasty bill.
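One way to implement the per-number volume check and the cooldown/exponential-backoff advice from the two comments above, combined with the UK prefix rule and short-code observation earlier in the thread, as an added Python example (not code from the thread or from Twilio). The cooldown values, daily cap, regexes and the in-memory state store are assumptions; a real deployment would persist the counters and, as the thread notes, treat prefix checks as a weak first filter because forwarding defeats them.

```python
import re
import time

# Constructed patterns (assumptions): UK premium rate is 09 (+44 9) per the
# thread, and 5-6 digit short codes are refused outright as OTP destinations.
UK_PREMIUM = re.compile(r"^\+449\d{8,9}$")
SHORT_CODE = re.compile(r"^\d{5,6}$")


class OtpSendGuard:
    """Decide whether an OTP may be sent to a destination number.

    Per-destination cooldown doubles after every send (exponential backoff),
    a hard daily cap bounds the worst case, and obviously premium or
    short-code destinations are refused. The rate limits are the real
    control; the prefix check only catches the lazy cases.
    """

    def __init__(self, base_cooldown=60, daily_cap=5, clock=time.time):
        self.base_cooldown = base_cooldown
        self.daily_cap = daily_cap
        self.clock = clock          # injectable for testing
        self.state = {}             # number -> (count, next_allowed_at, day_start)

    def check(self, number):
        """Return (allowed, reason); records the send when allowed."""
        if SHORT_CODE.match(number) or UK_PREMIUM.match(number):
            return False, "premium or short-code destination refused"
        now = self.clock()
        count, next_ok, day_start = self.state.get(number, (0, 0.0, now))
        if now - day_start >= 86400:            # new day: reset the counter
            count, next_ok, day_start = 0, 0.0, now
        if count >= self.daily_cap:
            return False, "daily cap reached for this number"
        if now < next_ok:
            return False, f"cooldown: retry in {int(next_ok - now)}s"
        count += 1
        # backoff doubles with each send to the same number: 60s, 120s, 240s ...
        next_ok = now + self.base_cooldown * (2 ** (count - 1))
        self.state[number] = (count, next_ok, day_start)
        return True, "ok"
```

Call `check()` before every send and refuse the request when it returns `False`; a burst of OTP requests for one number then costs at most `daily_cap` messages instead of thousands.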
We had this issue as well. Out tens of thousands of dollars. For a tiny startup, this almost killed us.

We’re tiny too and now worried. We only offer 2FA with SMS. Did they abuse your SMS OTP?

Twilio's base prices are way higher than their competitors so I don't know why you would use them in the first place.