Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security Cellphones Privacy The Internet

The Virtual Phone Farms Scammers Use To Set Up Fake Accounts (vice.com) 22

Posted by BeauHD from the bypassing-SMS-verification dept.
An anonymous reader quotes a report from Motherboard: When a scammer wants to set up an account on Amazon, Discord, or a spread of other online services, sometimes a thing that stands in their way is SMS verification. The site will require them to enter a phone number to receive a text message which they'll then need to input back into the site. Sites often do this to prevent people from making fraudulent accounts in bulk. But fraudsters can turn to large scale, automated services to lease them phone numbers for less than a cent. One of those is 5SIM, a website that members of the video game cheating community mention as a way to fulfill the request for SMS verification.

Various YouTube videos uploaded by the company explain how people can use its service explicitly for getting through the SMS verification stage of various sites. The videos include instructions specifically on PayPal, Instagram, Facebook, Telegram, and dating site Plenty of Fish. Instagram told Motherboard it is concerned by sites that suggest people can use services to bypass Instagram's measures to then abuse the platform. Instagram said it uses SMS verification to prevent the creation of fake accounts and to make account recovery possible. "We have many measures in place to protect against scripted account creation and block millions of fake accounts at registration every day," an Instagram spokesperson said.

Some online services don't allow users to perform SMS verification with VoIP numbers, presumably in an effort to mitigate against fraud. 5SIM's numbers, however, are just like ordinary phone numbers, the site claims. When people buy 5SIM's services, they must only use it for receiving texts related to an online account. "Different SMS will [be] rejected," the website adds. 5SIM also offers an API to automate parts of the service. 5SIM's rules say that customers are "Forbidden to use the service for any illegal purposes as well as not to take actions that harm the service and (or) third parties." The website also includes a denylist of words that its service may block. In an email to Motherboard, 5SIM said: "5sim service is prohibited to use for illegal purposes. In cases, where fraudulent operations with registered accounts are detected, restrictions may be imposed on the 5sim account until the circumstances are clarified. 5sim is used by those who want to get a discount or bonus, webmasters, SMM specialists, owners of business for advertising and increasing business loyalty."
This discussion has been archived. No new comments can be posted.

The Virtual Phone Farms Scammers Use To Set Up Fake Accounts More

The Virtual Phone Farms Scammers Use To Set Up Fake Accounts

Comments Filter:

  • SMS verification prevents aliases (Score:5, Insightful)

    by Okian Warrior ( 537106 ) on Tuesday November 30, 2021 @08:23PM (#62035031) Homepage Journal

    SMS verification doesn't make you more secure, it just makes it impossible to have aliases online. (It passes your phone number around to multiple companies, which then get hacked, and the hackers can cite your phone number verbally to convince tech support they're you and the phone was stolen.)

    If the providers can link all the aliases you use to a single phone number, then using aliases no longer affords you a level of privacy.

    I have a perfectly useable YouTube account that's several years old that I can't get into now because Google changed their TOS and I refuse to give them my phone number. AFAICT, there's no way around it. Maybe I'll try 5sim from the OP.

    I have a perfectly useable online banking page from TD bank that I could use (I don't mind giving them my phone number), but it wants me to verify by SMS Every. Single. Time. It's too annoying to use, so I don't use it.

    SMS is the wrong solution to a perceived problem. It lets the companies *say* they're protecting your account, but in reality it lets them better target you for advertising while making you less secure.

    • Re:SMS verification prevents aliases (Score:5, Informative)

      by markdavis ( 642305 ) on Tuesday November 30, 2021 @08:57PM (#62035091)

      >"SMS is the wrong solution to a perceived problem. It lets the companies *say* they're protecting your account, but in reality it lets them better target you for advertising while making you less secure."

      Indeed.

      If you need a really secure 2FA, then it should be done through an open-source app that has no access to anything else on your device, no ties to the site/company you want to use, no "cloud storage", no server-side connection, is based on actual open standards, and has no need for a phone number. Something like FreeOTP is a good example.

      https://en.wikipedia.org/wiki/... [wikipedia.org]
      https://freeotp.github.io/ [github.io]
      https://play.google.com/store/... [google.com]

      If you don't need that level of security, then just freaking allow the use of an Email address.

    • Same here. I almost lost access to my G accounts for the same reason. I figured out a way around it somehow for current accounts. I had to finally give it when creating a new business related account.

      Perhaps I should look into a paid email service that also provides temp accounts. I looked into an app once that provides temp phone numbers, but there was too much rigamarole involved to be able to get my SO to use it, who of course is the one who really needs it.

      I remember waybackwhen my bank started SMS veri

      • Same gmail problem. How to get around it for current account?

        • It may depend on when it was created. When they upgraded their systems to use SMS authentication, the few accounts that I had were probably grandfathered in. I don't know how to get around it with newly created accounts.

          • Re: (Score:2)

            by Agripa ( 139780 )

            It may depend on when it was created. When they upgraded their systems to use SMS authentication, the few accounts that I had were probably grandfathered in. I don't know how to get around it with newly created accounts.

            As far as I can tell, the only solution is to not use Google services.

      • Re: (Score:2)

        by AmiMoJo ( 196126 )

        Google periodically asks me to add a recovery phone number to my account, but I keep declining. It seems to me like it would be a security downgrade, because my cellular provider does little to protect my number from being hijacked.

        I have 2FA enabled with recovery codes stored safely. I'd rather give the SMS a miss, thanks.

      • Re: (Score:2)

        by Agripa ( 139780 )

        Same here. I almost lost access to my G accounts for the same reason. I figured out a way around it somehow for current accounts. I had to finally give it when creating a new business related account.

        I lost access to my Gmail account and everything that relied on it including Ebay and Paypal.

    • Yeah, it's not just "scammers" it's "normal people who want to not have their data mined". The real "scammers" here are the companies like facebook and google who can basically just lie and say they want your cell phone number for "security" but are just going to turn around and use it to match you into other people's contacts.

      • Absolutely! Add to this the banks that require a mobile phone number to open an account and real estate companies for any interaction what-so-ever. They all have excuses for the requirement, but, one of the real reasons is harvesting mobile numbers for marketing purposes (and, of course, to sell to their "business partners").

        Pure slime.

    • Glad it's not just me. Various services like Facebook, YouTube, and Instagram have all almost successfully lured me back in, only for me to give up when they demand a phone number. The free SMS services don't work and I'm not going to pay to sign up for a burner number so it's a very effective way to keep me off the evil platforms that want my data.

    • Re: (Score:2)

      by AmiMoJo ( 196126 )

      Just buy a pre-activated burner SIM on eBay for a quid, and use that. Once activated you can remove it from your YouTube account and throw it away.

    • Re: (Score:2)

      by kbahey ( 102895 )

      I have a perfectly useable online banking page from TD bank that I could use (I don't mind giving them my phone number), but it wants me to verify by SMS Every. Single. Time. It's too annoying to use, so I don't use it.

      They were doing the same for me for a while.
      I thought it was my browser's user agent saying Linux or something.

      So I called them and described the problem, and they fixed it.
      Only occasionally do they want verification now.

    • Re: (Score:2)

      by Agripa ( 139780 )

      SMS verification doesn't make you more secure, it just makes it impossible to have aliases online.

      I does not just prevent aliases; SMS verification also makes you less secure. I allows untrusted third parties, including the phone company and anybody they are beholden to, to steal your identity.

  • It's almost as if automation can be bad... (Score:3)

    by putnamca ( 5596549 ) on Tuesday November 30, 2021 @08:26PM (#62035037)
    ...ad absurdum. Ad infiinitum. Add whatever you want...

    • Absolutely, and a point that is useful to be made on occasion. [Ed: insert pithy Einstein quote here about infinity, the universe, and human stupidity]

      But, of course, with automation we also get ad astra, ad posterum, etc. I'm not sure if *any* tool can't be used for Evil(TM). It devolves to the human problem of how we wield our tools.

  • Make a list of these phone numbers ... (Score:3)

    by 140Mandak262Jamuna ( 970587 ) on Tuesday November 30, 2021 @08:46PM (#62035059) Journal
    A big company like Google with its data collection farms, it should be able to find the list of all the phone numbers bought and sub leased by these companies. And this will allow big companies to be even more evil and offer services to authenticate using real phone numbers and not the farm numbers.

    To be truly evil the big companies themselves can set up these free to use SMS time share and deny revenue to these farms. And they have their own list of numbers they use for farmed out numbers and their clients will get real phone authentication. Competition will be swamped by fake accounts!

    Do I really have the evil twisted mind to be a vulture capitalist? Or these ideas are just babe-in-wood things and don't even come close to be a true vulture?

  • >"Sites often do this to prevent people from making fraudulent accounts in bulk."

    More often than not, sites do this for mostly for the purpose of just HAVING YOUR FREAKING MOBILE PHONE NUMBER under the GUISE of security. So they can then spam the s*** out of you later and sell it to their "partners", too.

    It is becoming increasingly frustrating for those, like me, who believe sites/companies have no right to expect access to my phone number, and especially not my mobile number. I try not give that numbe

  • We're allowing fraud and abuse (Score:3)

    by Virtucon ( 127420 ) on Tuesday November 30, 2021 @08:49PM (#62035065)

    Translation

    We're allowing fraud and abuse but say clearly in our TOS that it's against their policy to do so. I'm sorry, these kinds of services are allowing telemarketers to scam us on a wholesale level. There are quite a few of these line houses and the classic "your car warranty has expired scam" and others leverage them for pennies.

    To protect yourself you now have to buy other subscription services, i.e., nomorerobo et al. to keep your phone life sane.

    • Their service does get abused, but it's a net positive if you consider what the large-scale crooks (Facebook, etc) use your phone number for.

  • Finally, a post that may be relevant to your interests!

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close