Last week, we posted an article on our research into companies with two-factor authentication (2FA) processes that are often bypassed using open SMS websites.
First, it’s important to know whether people are able to bypass your security process, and even more important to understand how they are doing so. Once you know how your security system is being breached, you need to find and implement effective solutions to eliminate those breaches.
One very effective solution that we use here at RingCaptcha is a blacklist. A blacklist is, essentially, a list of phone numbers that are not allowed to receive one-time passwords (OTP) or phone verification codes through RingCaptcha. Every RingCaptcha customer has their own unique blacklist, which is generated as follows:
- Customer adding phone numbers to the blacklist:
RingCaptcha customers can log in to their RingCaptcha dashboard and add phone numbers to their blacklist.
- RingCaptcha adding phone numbers to its customers’ blacklists:
RingCaptcha adds phone numbers from two different sources to each of their customers’ blacklists.
(i) Open SMS Sites
We periodically scrape websites that offer open SMS phone numbers, which any user can use to bypass phone verification, and add those numbers to our blacklist to keep it up to date. Phone numbers from these open SMS sites are applied to all customers’ blacklists.
(ii) Fraud Analytics & Heuristics
We also have algorithms that check for phone number abuse. They look for suspicious phone number ‘behavior’. Phone numbers flagged by these algorithms are only applied to the blacklist of the customer on whose site or app the OTP was requested. Some examples of suspicious phone behavior that prompt our algorithms to add a phone number to the blacklist:
- Requesting OTPs excessively but never going on to successfully verify the phone number with the OTP that was sent
- Requesting an OTP only once, but always together with a similar set of other phone numbers.
Note that this blacklist undergoes some tweaking to produce our Effective Blacklist (described next). This is where the nuances of blacklisting are handled, such as a blacklisted phone number being recycled into the hands of a new and genuine user, or a phone number being blacklisted because of misuse by attackers who don’t own it.
Incorrectly putting a phone number into a blacklist means a genuine user cannot verify their phone number, whether during signup, login, or elsewhere. This is a situation we want to avoid. To help ensure we don’t block genuine phone numbers, we store additional information about each phone number when possible and with our customers’ consent. For example:
- User’s location (IP) at time of request
- Time and date of OTP request
- Type of device the request was made on
- Whether the phone number was denied service at that time
This additional information helps us to make more accurate decisions, and handle the nuances of whether a phone number should be in our Effective Blacklist at any given time. The Effective Blacklist is dynamic and is generated periodically to enable our system to quickly determine whether a phone number should be blocked from receiving an OTP.
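The two heuristics above and the Effective Blacklist release step, as an added Python example that is not RingCaptcha’s code: it runs both checks over a constructed OTP event log. The thresholds, the reading of the second heuristic as “single-request numbers arriving from the same client IP within ten seconds”, and the release rule (a flagged number that is later verified from a client not involved in the flagged activity is treated as recycled) are assumptions, not RingCaptcha’s actual rules.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample OTP log (not RingCaptcha data): (timestamp, phone, event, client_ip).
DAY1 = [
    ("2019-05-01 10:00:00", "+15550001", "request", "198.51.100.7"),
    ("2019-05-01 10:00:05", "+15550001", "verified", "198.51.100.7"),
    ("2019-05-01 10:01:00", "+15550002", "request", "203.0.113.9"),
    ("2019-05-01 10:02:00", "+15550002", "request", "203.0.113.9"),
    ("2019-05-01 10:03:00", "+15550002", "request", "203.0.113.9"),
    ("2019-05-01 10:04:00", "+15550002", "request", "203.0.113.9"),
    ("2019-05-01 11:00:00", "+15550003", "request", "203.0.113.9"),
    ("2019-05-01 11:00:02", "+15550004", "request", "203.0.113.9"),
    ("2019-05-01 11:00:04", "+15550005", "request", "203.0.113.9"),
]
# Later activity: +15550003 is verified by a new client, i.e. a recycled number.
DAY2 = [
    ("2019-05-02 09:00:00", "+15550003", "request", "192.0.2.44"),
    ("2019-05-02 09:00:30", "+15550003", "verified", "192.0.2.44"),
]

def parse(rows):
    return [(datetime.fromisoformat(t), p, e, ip) for t, p, e, ip in rows]

def suspicious_numbers(events, max_unverified=4, burst_size=3, burst_seconds=10):
    """Heuristic 1: >= max_unverified requests and never a verification.
    Heuristic 2: single-request numbers arriving together from one client IP."""
    requests = Counter(p for _, p, e, _ in events if e == "request")
    verified = {p for _, p, e, _ in events if e == "verified"}
    flagged = {p for p, n in requests.items() if n >= max_unverified and p not in verified}
    by_ip = defaultdict(list)  # client IP -> [(timestamp, phone)] for one-off requests
    for ts, phone, event, ip in events:
        if event == "request" and requests[phone] == 1 and phone not in verified:
            by_ip[ip].append((ts, phone))
    for reqs in by_ip.values():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            group = [p for ts, p in reqs[i:] if ts - start <= timedelta(seconds=burst_seconds)]
            if len(group) >= burst_size:
                flagged.update(group)
    return flagged

def effective_blacklist(flagged, flag_events, later_events):
    """Assumed release rule: drop a flagged number once a client IP not involved in the flagged activity verifies it."""
    bad_ips = {ip for _, p, e, ip in flag_events if p in flagged and e == "request"}
    released = {p for _, p, e, ip in later_events if e == "verified" and ip not in bad_ips}
    return flagged - released

if __name__ == "__main__":
    print(sorted(effective_blacklist(suspicious_numbers(parse(DAY1)), parse(DAY1), parse(DAY2))))
```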
Our blacklist has proven very valuable to our customers in helping them combat fraud on their websites and apps. Below is some data about our blacklist and the value it provides.
RingCaptcha Effective Blacklist Breakdown by Source:
- 79% of numbers are from suspicious behavior and activity.
- 19% of numbers are from free open SMS sites.
- 2% of numbers are from customers adding these numbers to their blacklists.
RingCaptcha Effective Blacklist Performance:
Monthly average percent of OTP requests blocked: 1.7%.
Taking a RingCaptcha customer in the e-commerce industry as an example: by keeping these fraudulent users and their negative impact away, RingCaptcha effectively rebates all the credit card fees the customer would otherwise have to pay because of them.
The blacklist is just one of the many tools that make up our fraud analytics and monitoring suite. Have further questions about our blacklist, or would you like to learn more about how else we help prevent fraudulent users on your site? Just drop us a line – firstname.lastname@example.org 🙂