
To prevent fraud, we require the users to link their account to a mobile phone number. We send a code by SMS.

Fraudsters use hacked social networks to convince "friends" to send them the code they will receive.

Even if the message clearly says not to give this message to another person, they still do:

Verification code mysite.com: 12345 Never communicate this code to someone else!

How do you lower the rate of this issue? Or fight it?

EDIT: We run a classified ad website. We only allow national mobile numbers for account verification. We aggressively block virtual (shared) numbers. So fraudsters use this technique to be able to validate their account with a legit national number. They use elite proxies, so it is not possible to geolocate them precisely.

Toto

  • You cannot do much besides share stories and teach people all the scary things that can happen if you give keys like that away. I also agree with the answer below. You could set a timer, but that can also be worked around. A 15-30 sec timer is usually an average time span to still allow verification. For some lower security applications, 1 min could be acceptable. – love2phish Feb 13 '21 at 17:24
  • I would suggest you check out 3-factor authentication. 3-factor authentication is not really present in today's society, but I have a feeling it will grow in popularity in the near future. It uses a password and text/message as 2-factor authentication uses, but it also requires a biometrics key. It is not used commonly because of the verification types it demands, but it may be worth it if one is trying to have even a small amount of faith in their security system. – love2phish Feb 13 '21 at 17:28
  • It is a classified ad website, so 3FA will not be possible. :( – Toto Feb 13 '21 at 17:43
  • That's sad to hear... Sorry I couldn't be much more help. – love2phish Feb 13 '21 at 20:34
  • So are they logging into an employee or admin account by taking the SMS text? Are they stealing information from the user? We may be able to think of a way to stop the fraudsters. – love2phish Feb 13 '21 at 20:42
  • Could you set up some security question system or something? You could also try to recognize IP addresses. I know Google does this when people log into Google. If your web site sees that the user usually logs in on one IP and then they are logging in from another, you could send them a confirmation email with the location where the fraudster's IP is located. It might freak out the user enough to not let the fraudster in. Check this IP geolocator out as an example of the data you can get from an IP address: https://tools.keycdn.com/geo – love2phish Feb 13 '21 at 20:49
  • I added some details to better understand the use case. – Toto Feb 13 '21 at 21:16
  • I see.... Well, I would really like to hear about it if you find a solution, because I'm stumped. I am sure there is a way to fix your problem; I just have to look harder, and it might take a while. – love2phish Feb 13 '21 at 21:22

1 Answer

I'm not sure you can prevent this using your current mechanics.

One solution has a timer on the code, but this is also easily thwarted depending on the bounty ($$) of that code.

Verification code mysite.com: 12345 Valid for 15 seconds.

  • We tried and it failed in our case because the fraudster stays online with the victim by Instant Messaging (FB, Whatsapp, etc). :( These fraudsters are clever... – Toto Feb 13 '21 at 17:45
  • I don't doubt - you will need to assess "at risk" users - and implement stronger security - you can spot check them by a physical phone call. – Keith Kouzmanoff Feb 16 '21 at 20:12
  • 123456 is your XXXXXX OTP. Do not share it with anyone. (If this is you? I might suggest something.) – Keith Kouzmanoff Feb 17 '21 at 18:46
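The answer's "valid for 15 seconds" message, and the comments about spotting at-risk users, both come down to how the code is issued and checked on the server. Below is an added example (not code from the question, the answerer, or the asker's site) of a verification-code service that enforces a short validity window, accepts each code at most once, burns a code after a few wrong guesses, and caps how many codes one phone number can receive per day so that a number being reused to verify many accounts can be flagged. The 6-digit format, the attempt and per-number caps, and the phone number used in the demo are constructed assumptions; the 15-second TTL and the message wording follow the answer's sample text.

```python
"""Short-lived, single-use SMS verification codes with per-number velocity limits.

Added example; in-memory store only. A real deployment would keep the pending
codes and issue log in a shared cache so every web node sees the same state.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15             # validity window, as in the answer's sample message
MAX_ATTEMPTS_PER_CODE = 3         # wrong guesses before the code is burned (assumption)
MAX_ISSUES_PER_NUMBER = 3         # codes one number may receive per window (assumption)
ISSUE_WINDOW_SECONDS = 24 * 3600  # velocity window for the cap above (assumption)


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, clock=time.time, ttl=CODE_TTL_SECONDS):
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self.ttl = ttl
        self.pending = {}       # phone -> IssuedCode (one live code per number)
        self.issue_log = {}     # phone -> timestamps of codes issued to it

    def _recent_issues(self, phone):
        """Drop issue timestamps older than the velocity window and return the rest."""
        cutoff = self.clock() - ISSUE_WINDOW_SECONDS
        stamps = [t for t in self.issue_log.get(phone, []) if t >= cutoff]
        self.issue_log[phone] = stamps
        return stamps

    def issue(self, phone):
        """Return the SMS text to send, or None if the number hit the velocity cap.

        A None result is the signal to route this number to manual review: a
        legitimate user rarely needs more than a couple of codes per day.
        """
        if len(self._recent_issues(phone)) >= MAX_ISSUES_PER_NUMBER:
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG, zero-padded
        self.pending[phone] = IssuedCode(code=code, issued_at=self.clock())
        self.issue_log[phone].append(self.clock())
        return (f"Verification code mysite.com: {code} Valid for {int(self.ttl)} seconds. "
                f"Never communicate this code to someone else!")

    def verify(self, phone, submitted):
        """Return (ok, reason). A code is accepted once, inside its TTL, within few tries."""
        entry = self.pending.get(phone)
        if entry is None:
            return False, "no_pending_code"
        if entry.used:
            return False, "already_used"
        if self.clock() - entry.issued_at > self.ttl:
            del self.pending[phone]
            return False, "expired"
        entry.attempts += 1
        if not hmac.compare_digest(entry.code, submitted):   # constant-time comparison
            if entry.attempts >= MAX_ATTEMPTS_PER_CODE:
                del self.pending[phone]                      # burn the code, force a re-issue
                return False, "too_many_attempts"
            return False, "wrong_code"
        entry.used = True
        return True, "ok"


def demo():
    """Walk the code lifecycle with a fake clock; returns the sequence of outcomes."""
    now = [1_700_000_000.0]
    svc = OtpService(clock=lambda: now[0])
    phone = "+33600000000"                                   # constructed sample number
    outcomes = []
    svc.issue(phone)
    code = svc.pending[phone].code
    wrong = "000000" if code != "000000" else "111111"
    outcomes.append(svc.verify(phone, wrong)[1])             # wrong guess
    outcomes.append(svc.verify(phone, code)[1])              # right code inside TTL
    outcomes.append(svc.verify(phone, code)[1])              # replay of a consumed code
    svc.issue(phone)                                         # second code today
    now[0] += CODE_TTL_SECONDS + 1                           # let it age past the window
    outcomes.append(svc.verify(phone, svc.pending[phone].code)[1])
    svc.issue(phone)                                         # third code today
    outcomes.append("capped" if svc.issue(phone) is None else "issued")  # fourth
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Note that none of this stops a victim from relaying a still-valid code within the 15-second window, which is exactly the failure the asker describes; what the short TTL, single use and per-number cap buy is that a relayed code is worth one verification at most, and a number that is used to verify several accounts in a day becomes visible in the issue log for the "at risk" review the comments suggest.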