by CaveTech 1261 days ago
We've been hit by this exact issue, especially over the last month.

We tried to mitigate as cleanly as possible for our users, adding one-time nonces to signup requests, adding rate-limiting rules, locking down regions, but we still faced an onslaught of tens of thousands of fraudulent signups per day. On our tier we don't have the ability to set block rules ourselves - it requires a support request that takes 2-3 days to get a response on. Our choices are to eat thousands of dollars per day in toll fraud, or disable sign-ups until we can add more fraud prevention on top of what Twilio enables. The problem is the fraudsters are using real browsers across thousands of IPs located in dozens of different countries.

Similar to the OP, Twilio tries to say this is our fault and leaves it up to us to both pay for the issue and to try and fix it.

2 comments

If you told Twilio to text a number and they text it, I don't see how Twilio is at fault.

It would be valuable if they let you avoid texting premium numbers, but that's just a feature on top of the service they provide.

They should be better equipped to detect and prevent the abuse. It's an order of magnitude higher request volume for phone #s located in remote regions of the world. Twilio knows full well where those numbers go, and can see them being abused simultaneously across many customers. I don't possess the same ability to know this... unless I use Twilio to run a reverse-lookup, which would of course still incur a cost.
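The two signals discussed in this thread (per-IP rate limiting from CaveTech's first post, and the "order of magnitude higher request volume" to remote dial-code regions from the comment above) side by side, as an added example that is not part of the thread and is not Twilio's or anyone's production code. It runs a small detector over constructed signup-OTP log lines. The log format (`timestamp ip=... to=+E164`), the five-entry dial-code table, the baseline country shares and all thresholds are assumptions made for the example; a real deployment would use a full E.164 prefix list and its own traffic baseline.

```python
"""Detect SMS OTP toll fraud in signup logs: per-IP bursts and destination-country surges.

Added example; not from the thread or from any provider. All inputs are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical dial-code table (constructed; a real system uses a full E.164 prefix list).
DIAL_CODES = {"1": "US", "44": "GB", "7": "RU", "93": "AF", "225": "CI"}

# Assumed share of normal traffic per destination country; "other" covers the long tail.
BASELINE_SHARE = {"US": 0.80, "GB": 0.15, "other": 0.01}

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) to=(?P<to>\+\d+)$")


def country_of(e164: str) -> str:
    """Longest-prefix match of the dial code against the (hypothetical) table."""
    digits = e164.lstrip("+")
    for length in (3, 2, 1):
        cc = DIAL_CODES.get(digits[:length])
        if cc:
            return cc
    return "??"


def parse_line(line: str):
    """Parse one assumed-format log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "to": m["to"], "country": country_of(m["to"])}


def analyze(records, window=timedelta(minutes=10), max_per_ip=5,
            baseline=None, surge_factor=10.0, min_count=20):
    """Return IPs exceeding a sliding-window rate limit and countries whose share of
    OTP destinations exceeds surge_factor times their baseline share."""
    baseline = baseline or BASELINE_SHARE
    records = sorted(records, key=lambda r: r["ts"])
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    blocked_ips = set()
    for r in records:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_per_ip:
            blocked_ips.add(r["ip"])
    total = len(records)
    by_country = Counter(r["country"] for r in records)
    surging = {}
    for cc, n in by_country.items():
        expected = baseline.get(cc, baseline["other"])
        share = n / total
        if n >= min_count and share > surge_factor * expected:
            surging[cc] = {"count": n, "share": round(share, 3), "expected": expected}
    return {"blocked_ips": blocked_ips, "surging_countries": surging}


def build_sample_log():
    """Constructed traffic: an hour of normal signups, then a pumping burst spread over
    many IPs (two requests each, so per-IP limits never fire) plus one noisy single IP."""
    t0 = datetime(2022, 12, 25, 3, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset_s, ip, number):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ip={ip} to={number}")

    for i in range(100):                                   # 80 US, 15 GB, 5 RU
        cc = "+1" if i < 80 else ("+44" if i < 95 else "+7")
        add(i * 36, f"192.0.2.{i + 1}", f"{cc}{2025550000 + i}")
    for i in range(30):                                    # 60 requests to AF numbers
        for k in range(2):
            add(3600 + i * 4 + k, f"203.0.113.{i + 1}", f"+9370{1000000 + i * 2 + k}")
    for k in range(8):                                     # 8 requests in ~2 min, one IP
        add(3700 + k * 15, "198.51.100.9", f"+225{700000000 + k}")
    return lines


def run():
    records = [r for r in map(parse_line, build_sample_log()) if r]
    return analyze(records)


if __name__ == "__main__":
    print(run())
```

On the constructed data only the single noisy IP trips the per-IP limit, while the distributed burst is invisible to it and is caught only by the destination-country surge check; that is the gap the thread is describing, and a country-share baseline is something an individual customer can compute from its own logs without a reverse lookup.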
Yes, it would be helpful if they helped fight abuse, but that is not necessary of them. Having the capability is a competitive advantage so it would be in their interest to invest in it.
Just curious because you didn't mention it - have you considered putting a captcha in front of your OTP flow? Are the fraudsters also defeating that?
We were trying to avoid the use of a captcha; originally believing that our API infrastructure was the target. A captcha did end up being the solution, but is not particularly user friendly, and I was also trying to avoid pulling developers out of bed on Christmas to implement - but we're protected now!