Your Code is 0000: An Analysis of the Disposable Phone Numbers Ecosystem

TL;DR

This study provides a comprehensive analysis of the disposable phone number ecosystem, revealing its widespread use for fraud and account creation across major internet services, based on large-scale data collection and classification methods.

Contribution

It offers the first large-scale, longitudinal analysis of the DPN ecosystem, including a framework for message classification and attribution to over 200 services.

Findings

DPNs are used globally for fraudulent account activities.

The ecosystem affects all major internet platforms.

Over 70 million messages analyzed over 12 months.

Abstract

Short Message Service (SMS) is a popular channel for online service providers to verify accounts and authenticate users registered to a particular service. Specialized applications, called Public SMS Gateways (PSGs), offer free Disposable Phone Numbers (DPNs) that can be used to receive SMS messages. DPNs allow users to protect their privacy when creating online accounts. However, they can also be abused for fraudulent activities and to bypass security mechanisms like Two-Factor Authentication (2FA). In this paper, we perform a large-scale and longitudinal study of the DPN ecosystem by monitoring 17,141 unique DPNs in 29 PSGs over the course of 12 months. Using a dataset of over 70M messages, we provide an overview of the ecosystem and study the different services that offer DPNs and their relationships. Next, we build a framework that (i) identifies and classifies the purpose of an SMS; and (ii) accurately attributes every message to more than 200 popular Internet services that require SMS for creating registered accounts. Our results indicate that the DPN ecosystem is globally used to support fraudulent account creation and access, and that this issue is ubiquitous and affects all major Internet platforms and specialized online services.