At Bonanza.com, we've been using Twilio since 2011 to perform automated phone verification on our new sellers. For the past 8 years, our relationship with them has been blissfully uneventful, as we've averaged about $30/month in fees, $250/month at our peak.


That changed quickly on July 18th.


On that day, in about 3.5 hours starting at 4pm, we incurred $4,500 worth of charges 💸 via Twilio as the result of a type of attack called Toll Fraud. Any current customer of Twilio's voice verification product is vulnerable to this attack vector unless they've taken specific steps to prevent it. With 65k current customers claimed by Twilio, there's plenty of fraud to go around.


The basic idea of Toll Fraud is that an attacker finds a site that offers voice verification through a vulnerable provider like Twilio. The attacker determines which POST request initiates the verification call, then spams that endpoint with HTTP requests as quickly as the servers can process them, each request supplying a premium-rate number as the number to be "verified." If your servers spin up more resources under higher load, that works against you. The result is a flood of calls to toll numbers (think 1-900-PORN), where even a single minute of phone call can cost ~$5.
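The attack only works because the verification endpoint will dial any number the request hands it, as many times as it is asked. The following is an added example, not Bonanza's or Twilio's code, of the pre-dispatch guard a customer is left to write for themselves: it refuses destinations outside the countries the site serves, refuses premium-rate prefixes, throttles verification calls per requester, and trips a spend cap so a flood cannot run up an open-ended bill. The country allowlist, the premium-prefix list (a small illustrative subset: US 1-900 and UK 09), the per-call cost and the cap are all assumptions for the example, not figures from the post.

```python
"""Guard that runs before an outbound verification call is handed to the
telephony provider. Added example; the constants below are assumptions."""
import re
import time
from collections import defaultdict, deque

# E.164: a leading + and 7 to 15 digits, no separators.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Country calling codes this hypothetical marketplace actually serves.
# Refusing everything else is the cheapest and broadest control.
ALLOWED_COUNTRY_PREFIXES = ("+1", "+44")

# Premium-rate prefixes. Illustrative subset only (US 1-900 numbers, UK 09
# numbers); a real deployment would load the full list from the provider's rate deck.
PREMIUM_PREFIXES = ("+1900", "+449")

MAX_CALLS_PER_KEY = 3          # verification calls allowed per requester per window
WINDOW_SECONDS = 3600
COST_PER_CALL_CENTS = 5        # assumed worst-case price of one permitted call
DAILY_SPEND_CAP_CENTS = 5000   # $50/day: far above normal spend, far below one attack


class VerificationGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.history = defaultdict(deque)   # requester key -> recent call timestamps
        self.spent_today_cents = 0
        self.tripped = False                # spend circuit breaker

    def check(self, number, key):
        """Return (allowed, reason). `key` identifies the requester (account id,
        session, source IP); pick one the attacker cannot churn for free."""
        if self.tripped:
            return False, "spend cap reached; voice verification paused"
        if not E164.match(number):
            return False, "not E.164"
        if not number.startswith(ALLOWED_COUNTRY_PREFIXES):
            return False, "destination country not served"
        if number.startswith(PREMIUM_PREFIXES):
            return False, "premium-rate destination"

        now = self.clock()
        recent = self.history[key]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop calls that fell out of the window
        if len(recent) >= MAX_CALLS_PER_KEY:
            return False, "rate limit"
        recent.append(now)

        # Count the spend before dispatch, so the cap trips on the call that
        # reaches it rather than after the bill arrives.
        self.spent_today_cents += COST_PER_CALL_CENTS
        if self.spent_today_cents >= DAILY_SPEND_CAP_CENTS:
            self.tripped = True
        return True, "ok"


def simulate_flood(guard, number, key, attempts):
    """Replay `attempts` identical verification requests and return how many
    would actually reach the carrier."""
    return sum(1 for _ in range(attempts) if guard.check(number, key)[0])


if __name__ == "__main__":
    g = VerificationGuard()
    print(g.check("+12065550100", "seller-1"))     # constructed, non-premium US number
    print(g.check("+19005550100", "seller-1"))     # constructed 1-900 number
    print(simulate_flood(g, "+12065550100", "attacker", 1000))
```

The per-key limit stops a single source from doing more than a handful of calls; the spend cap is the backstop for an attacker who rotates accounts or IPs, since the post's own numbers show a bill can grow by thousands of dollars in a few hours. Pausing verification for a day is cheap next to that.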


Had it not been for a few lucky breaks, like our DDoS protection system, the charges against us could have been much greater. If you are currently using Twilio, it's worth knowing that the company you are purchasing services from has strong incentives to allow attacks against you, just as they were allowed against us. These attacks can easily cost an unsuspecting business $10k or more in one unlucky night.


The problem of conflicting incentives

After we received the fallout from our Toll Fraud attack -- a $4,500 bill -- we began a conversation with Twilio about how much we should owe for the fraud perpetrated against us via their platform. Here was their first email to us (with names deleted):


The last question was the one that stuck with me: "what measures have you taken to stop the activity and avoid it in the future?"


Why would Twilio expect an online marketplace like Bonanza to implement its own anti-fraud system to guard against a specific type of phone hacking? Do they really believe that the best response to an attack on their system is to require every customer to implement their own home-baked solution to a phone platform fraud vector? Why can't they just add a simple checkbox like "disable calling toll numbers"?


It didn't make sense that Twilio wouldn't just fix this themselves, given the impact of a single attack and the long history of such attacks. But that's when our CTO reminded me of the incentives at play in these attacks.


In this attack of roughly three and a half hours, we "spent" 10x more on Twilio than we had in the past year. Whenever a Twilio customer is defrauded in this manner, revenue for Twilio increases. It's not a good look to be the direct beneficiary of the fraud that plagues your customers. The fact that $1,500 of our $4,500 bill accumulated after we disabled billing on Twilio is another cruel twist that underscores the futility of Twilio's current approach to mitigating these attacks.


Who should protect Twilio's customers?

Through a series of emails that followed the above, the Twilio Powers That Be eventually decided that we would pay $2,261 for the Toll Fraud attack we endured. Should we turn voice verification with Twilio back on (fat chance), we will need to implement a custom system to deter Toll Fraud attacks against it. Just like any Twilio customer should if they want to avoid a surprise $5-10k fraud charge.


I disagree with Twilio expecting each of its customers to implement a set of anti-phone-fraud measures. Authy, a property of Twilio, has already recognized and fixed Toll Fraud. Twilio could absolutely fix this themselves.


I believe that if these attacks took money from their bank account, instead of depositing money into it, they would have already fixed it.


Until Twilio decides to take responsibility for the safety of their customers, I would strongly recommend that developers and businesses choose a different VoIP provider for phone verification. If Twilio clarifies or improves upon their current policies, I will post an update.