Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SMS pumping and OTP abuse: what should IAM teams change now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: SMS pumping turns verification traffic into a billing attack by abusing OTP send flows rather than stealing accounts, and industry estimates put global losses in the billions while successful verifications remain flat, according to Authsignal. The control problem is not stronger codes, but deciding when SMS should be sent at all, and when another channel should replace it.

NHIMG editorial — based on content published by Authsignal: How to mitigate SMS pumping without breaking signup

By the numbers:

  • Juniper Research put global enterprise losses to artificial inflated traffic at a peak of $2.1 billion in 2023.
  • X said in 2023 that it was losing about $60 million a year to fake 2FA traffic routed through roughly 390 telecom operators.

Questions worth separating out

Q: How should security teams reduce SMS pumping without hurting signup conversion?

A: Start by moving channel selection into runtime rules so SMS is only used when risk and coverage justify it.

Q: Why do SMS OTP flows attract fraud even when accounts are not under attack?

A: Because the delivery event itself creates value.

Q: What breaks when teams rely on SMS as the default authentication channel?

A: The model breaks when every phone-number submission becomes an expensive, abuseable event.

Practitioner guidance

  • Move SMS send decisions into orchestration rules Make the channel choice depend on country code, user state, device reputation, and enrolled authenticators before any SMS is sent.
  • Track verification conversion by prefix and country Measure the gap between codes sent and successful verifications by phone prefix, destination country, and device pattern.
  • Add hard limits on repeated sends Cap sends per phone number, prefix, IP, and device, then lower thresholds for markets with low legitimate volume or known abusive routing.

What's in the full article

Authsignal's full blog post covers the operational detail this post intentionally leaves for the source:

  • Exact routing logic for sending high-risk countries to WhatsApp OTP or email instead of SMS
  • Examples of prefix-level, country-level, and device-level rate limiting rules used to blunt pumping
  • Implementation guidance for silent network authentication and passkey fallback paths
  • Provider-side control checklist covering fraud detection, geo-permissions, and spend caps

👉 Read Authsignal's analysis of how to mitigate SMS pumping without breaking signup →

SMS pumping and OTP abuse: what should IAM teams change now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

SMS pumping is a verification governance failure, not a messaging problem. The article shows that OTP flows become profitable targets the moment the application sends before it knows whether the requester is legitimate. That is exactly where consumer IAM programmes over-trust delivery mechanics and under-govern send authorisation. Practitioners should treat the send step as a policy decision, not a utility call.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who should own SMS pumping risk in an organisation?

A: Ownership should sit across identity engineering, fraud operations, and the business team paying the telecom bill. IAM controls decide whether SMS is sent, fraud teams watch for abusive patterns, and finance needs the spend caps and alerting that expose abnormal traffic before the cost becomes material.

👉 Read our full editorial: SMS pumping exposes the trust gap in phone verification flows



   
ReplyQuote
Share: