Submitted by BasedSweet t3_10opq9o in technology
Comments
Enxer t1_j6gqxye wrote
We get ceo spoof texts all the time how did you perform the trace?
despitegirls t1_j6guslm wrote
I forget which service I used but it was a free reverse lookup that listed the provider as Twilio.
Edit: This site is a lookup for 800 numbers that I've used: https://www.800forall.com/SearchWhoOwns.aspx
crank1000 t1_j6h9bhv wrote
I don’t understand. How did looking up your ceo’s phone number result in linking it to twilio?
Ancient_Hat_6335 t1_j6h9gi4 wrote
Hey don’t ask the logic. It’s difficult when making up a story.
Greggers42 t1_j6hqlf6 wrote
Our company has 800 employees and half can be fooled by spoof attempts were the email being spoofed is “<corporate persons first initial and last name>@gmail.com” where our domain email is completely missing and replaced with a gmail account. When we explain what phishing is, we get replies like, “but they said they were this person. Here, I’ll forward you the email so you can read it!” 🤦🏼♂️
Spoofing doesn’t have to be good, it just has to work.
okvrdz t1_j6i0ivw wrote
Granted that the email spoof is true, crank100 was asking about the tracing of the CEO’s number. Which is what the previous user mentioned as tracing it back to Twilio. That question remains unanswered AFAIK.
Greggers42 t1_j6i6ew5 wrote
Most companies don’t hand out CEO’s cellphone. So a late night text that ID’s itself as your boss and ask for info is not hard and doesn’t require the amount of suggested work earlier post have given regarding changing the caller ID, etc. Not saying that’s what happened, but having seen this done as well, and amaze me people fell for it, I can see this being an option.
okvrdz t1_j6i7m8b wrote
Yes those are all clues on how to detect a possible spoof text. Yet, what some of us want to know is how tracing back a spoofed number that displays a valid existing number, results in determining that the text originated from Twilo. How does it make that distinction?
Greggers42 t1_j6i8o3b wrote
The poster has corrected it to say there were two numbers. Which seems more sus to me but I’ll give the benefit. Personally, I’ve heard the term spoofed number to apply to any number being used in a spoof attempt. Not necessarily the actual number, so that was where I was going with the forgiveness of the explanation.
WhatTheZuck420 t1_j6hxfkc wrote
>Spoofing doesn’t have to be good, it just has to work.
correct. spoofing is what they are doing
being spoofed is what your employees are doing
typing t1_j6hydh9 wrote
I thought just the CEO was being spoofed, or the real/fake employee. The target employees are being phished.
[deleted] t1_j6hjarf wrote
Spoofing can involve setting up a phone (or email) to look as if it came from someone you know. It's not always stealing their exact phone number or email address.
The number/email itself would be different, but the name and location will show up on the caller ID or in the address book as the person whose identity is being used.
despitegirls t1_j6i0vks wrote
Read my correction above. I traced the non-spoofed number.
Which-Adeptness6908 t1_j6h3wut wrote
What they can do is not allow a number to be used without proof of ownership.
Source; owned a niche Telco.
drawkbox t1_j6hj59v wrote
Worked on a bunch of SMS apps including a big one for samples/notifications and it was insane how the approval process was for the short code and all the support you need around it.
I am always amazed that scammers get around all of that. A weak platform could do that if they were allowed or essentially white listed then play plausible deniability about moderating these.
SMS was built off of the network diagnostic codes/network and so they regulate it heavily. The only way these scams are working is due to piggy backing on something that has the ability to spin up new shortcodes without much oversight.
Intelligent_Series95 t1_j6hj5c5 wrote
Yeah not sure because if I tell my PBX to send an unverified from header my calls through twilio fail. I have to verify any number I use.
frygod t1_j6i8fx5 wrote
I've written appointment reminder software that leverages one of Twilio's competitors (Signalwire) for delivery and they seem to do just fine in things like this. In testing use cases, I have to prove ownership of both sending and receiving phone number. They also require all SMS messaging campaigns to be registered as per FCC requirements. I know they filter it too, because when the FCC rule went into effect I hadn't received notification yet, and my first clue was everything suddenly showing up in the logs as being blocked.
RoboNyaa t1_j6hanpn wrote
Sounds like Twilio takes it seriously then. Meanwhile, Onvoy (Inteliquent) continues selling services to scammers and criminals with virtually no repercussions.
If you report an abusive number, they'll put your number on an "opt out" list. Thus, the scammers continue receiving service while the list of potential victims narrows down to people who don't know it's a scam.
If anyone should be disconnected and prosecuted, it's Onvoy.
nbeaster t1_j6hlrxj wrote
There’s still a lot of carriers out there not complying with stir/shaken but have certified they are. There’s going to be a reckoning, its just coming at a snails pace.
icenoid t1_j6idq6k wrote
At my last job, the CEOs phone number got spoofed. When he texted some of us to tell us we were being laid off, we thought it was another prank. Yeah, it wasn’t.
P0RTILLA t1_j6hwgnk wrote
Holy Shit! We got this too but it was sent to my personal number not my work number which I thought was strange but it’s the number listed in our HR system.
0ogaBooga t1_j6i5hne wrote
>Not sure what they can do since they're just the provider of telephony and messaging services,
They due diligence with kyc regulations in the US?
It's not hard to spot when a customer is making illegal calls. You have lots of every number they've dialed for billing purposes, cross check that against the national DNC list and if there is anything that overlaps it's the customers job to provide proof that the person they dialed agreed.
See? Easy.
Black_Moons t1_j6in7lz wrote
Or just call the number they entered as 'calling from' and if the person who picks up doesn't belong to that business, cancel the spammers service.
Its not rocket science, its just telephone companies make money from scammers and not from stopping them.
SeaweedSorcerer t1_j6k4bp0 wrote
Twilio already requires you to authenticate ownership (or have purchased it directly via twilio) of any caller Id numbers.
rabbit994 t1_j6ifsym wrote
In general with all these companies is how they just let anyone sign up without doing serious amount of checking. FCC should enforce serious Know Your Customer regulations and hand out big fines for failing to do these checks.
YnotBbrave t1_j6hf2cr wrote
They can block outgoing texts with callerid not verified to be owned by the god for their business? Maybe not. Security ruins many use cases. But if they don’t, they are responding
SeaweedSorcerer t1_j6k4f69 wrote
They already do that
grumpymosob t1_j6gt5ql wrote
our work phones are non stop robocalls. Fuck anyone who enables this shit. sending their crap straight to my voicemail so I have to dig through their garbage advertising to get messages from the vendors I need to deal with. google twilio all of them they should have to pay damages for lost revenue and lose their right to phone and internet connections. The cost in productivity to small business in this country is huge easily in the billions and these assholes never stop. All they are doing is hoping for that one senile old person they can take advantage of and the fcc does nothing.
Badtrainwreck t1_j6gwhou wrote
So when they were debating outlawing spoofing phone numbers they said that it’s protecting prank calls to allow people to change their number, obviously we know it’s the donors who operate the robocalls that politicians wanted to save, but my answer to this is simple.
You shouldn’t be able to spoof your number without paying a 1$ tax. That way prank calls can continue and robocalls are forced away from this. Then use that $1 tax for funding emergency service dispatchers because their funds are drying up from changes to the cellphone industry.
DirkBabypunch t1_j6h1swb wrote
Why are we worried about protecting prank calls? I don't see anything wrong with them getting caught in the crossfire.
EelTeamNine t1_j6hfjmo wrote
For real? That can't be a real argument
RudeMorgue t1_j6ih30v wrote
Seriously. F them.
SeniorJuniorDev t1_j6j3w0n wrote
Radio DJs sweating
d-givens t1_j6iqhl1 wrote
I use Twilio for SIP trunking. You can’t spoof numbers with them. You’re required to use a caller ID that matches a number on your account.
CondescendingShitbag t1_j6l0g8c wrote
This is supposed to be a mandatory requirement for all VoIP providers thanks to the FCC's STIR/SHAKEN policy of 2019. Remains to be seen how effective the policy will actually be in practice.
AmHoomon t1_j6ks805 wrote
Sooooo how are they abusing our lines then?
drawkbox t1_j6lsn93 wrote
These scammers must be either swapping out the numbers regularly, using one time verified numbers or they have some holes in twilio that are getting around this.
Would seem that most patterns for detecting this would be pretty obvious, twilio is just letting it slide probably for that revenue. Now that they got an FCC hit, revenue is threatened, and they will have to close the hole or stop allowing these patterns.
There might be a reason to constantly swap out numbers, but not many... Those should be highly looked at like when you make an app and have background geolocation services on, Apple really prods you to make sure you aren't abusing that. Twilio just seems to let this slide.
The fact that they have these plausible deniability policies that are letting scammers slide, probably due to more political spam demand, is another reason to not trust them for SMS/Authenticator authentication codes over Twilio SMS or Authy app.
There was a big Authy hack not too long ago.
Twilio and Authy also hacked recently. This also affected Okta/Auth0 and companies that rely on those dependencies like DoorDash.
Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec. Twilio has always been sketch. This breach is damaging.
> U.S. messaging giant Twilio has confirmed hackers also compromised the accounts of some Authy users as part of a wider breach of Twilio’s systems. Authy is Twilio’s two-factor authentication (2FA) app it acquired in 2015.
> Twilio’s breach earlier this month, which saw malicious actors accessing the data of more than 100 Twilio customers after successfully phishing multiple employees, keeps growing in scale. Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations since March.
> Now, Twilio has confirmed that Authy users were also impacted by the breach.
> In an update to its incident report on August 24, Twilio said that the hackers gained access to the accounts of 93 individual Authy users and registered additional devices, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.
> The company said it has “since identified and removed unauthorized devices from these Authy accounts” and is advising affected Authy users, which it has contacted, to review linked accounts for suspicious activity. It’s also recommending that users review all devices tied to their Authy accounts and disable “allow Multi-device” in the Authy application to prevent new device additions.
Okta breached as a result of the Twilio/Authy breach
> Identity giant Okta on Thursday also confirmed it was compromised as a result of the Twilio breach. The company said in a blog post that the hackers — which it refers to as “Scatter Swine” — spoofed Okta login pages to target organizations that rely on the company’s single sign-on service. Okta said that when the hackers gained access to Twilio’s internal console, they obtained a “small number” of Okta customer phone numbers and SMS messages that contained one-time passwords. This marks the second time Okta has reported a security incident this year.
> In its analysis of the phishing campaign, Okta said that Scatter Swine hackers likely harvested mobile phone numbers from data aggregation services that link phone numbers to employees at specific organizations. At least one of the hackers called targeted employees impersonating IT support, noting that the hacker’s accent “appears to be North American.” This may align with this week’s Group-IB investigation, which suggested one of the hackers involved in the campaign may reside in North Carolina.
DoorDash also caught up in it
> DoorDash also confirmed this week that it was compromised by the same hacking group. The food delivery giant told TechCrunch that malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools. The company declined to name the third-party, but confirmed the vendor was not Twilio.
The_Yogurtcloset t1_j6ijnrf wrote
Just a note, malware can be a source of robocalls. Make sure your work computers are clean!
[deleted] t1_j6i6q7k wrote
[removed]
drawkbox t1_j6ls1h4 wrote
Yeah they target work phones because people have to answer more frequently. A message or call that is sent to a work phone that goes opened/unanswered then it looks like someone is slacking.
Most personal phones people just let go to message or just delete (without opening to evade image based tracking) unknown numbers, with business or work most numbers are new or unknown.
Sucks how they target them. Any phone number or text recipient they send to that answers/views will get more and more and more spam.
WeAreProbsFucked t1_j6g6td4 wrote
Twilio is actually a godsend for our small family business, sucks if they end up blowing it
jackzander t1_j6gvweg wrote
Twilio is actually a godsend for our small family Twilio PR Team, sucks if they end up blowing it
WeAreProbsFucked t1_j6gwzea wrote
It's actually just a drycleaner lol
Black_Moons t1_j6inc45 wrote
You'll prob be stuck paying checks notes $25/month for a cellphone like me instead.
qwe304 t1_j6gx09b wrote
What if the primary cell carriers offered an option to block incoming calls from twillo numbers
[deleted] t1_j6g9evc wrote
[removed]
[deleted] t1_j6gtdqo wrote
[removed]
9-11GaveMe5G t1_j6g8orh wrote
If your "godsend" is a company performing illegal marketing, you need better partners
abk111 t1_j6g94az wrote
Based on the article it sounds like it’s not twilio doing that but customers using their infrastructure?
xinco64 t1_j6gt1s1 wrote
“industry insiders should notice how the FCC blamed Twilio for having inadequate know your customer (KYC) procedures.”
This is actually a pretty big deal. The onus is on Twilio for preventing this.
They aren’t like Reddit or an ISP. The are a telecommunications provider and have much more restrictions (as they should). You have control over your ISP or what posts you look at on Reddit. You don’t have control over what spam calls you get.
JuiceColdman t1_j6gvzzr wrote
It’s just the tip of the iceberg. I was selling software for a competitor in the same space and did a little opposition research on Twilio. The number of CAN-SPAM compliance issues I saw was overwhelming
chanelwescoast t1_j6gvcl7 wrote
It's on Twilio to make sure their platform isn't getting abused
reversiblehash t1_j6gei7n wrote
Twilio provides a saas product that enables developers to interface with communications services like sms texts and phone calls for things like automated directories, 2FA, and appointment reminders. The issue is that there isn't ample detection for customers using their tech for illegal means.
This in part because there are a bunch of local and federal laws regarding telecommunication. Twilio can't listen in on it's customer's calls or read their texts to determine if the communications are legit appointment reminders or the illegal robo calls.
So you really can't blame twilio after all, they've been trying to reach you concerning your vehicle's extended warranty. You should've received a notice in the mail about your car's extended warranty eligibility. Since we've not gotten response, we're giving you a final courtesy call before we close out your file. Press 2 to be removed and placed on our do-not-call list. To speak to someone about possibly extending or reinstating your vehicle's warranty, press 1 to speak with a warranty specialist.
9-11GaveMe5G t1_j6gm4lm wrote
God. Damnit.
JuiceColdman t1_j6gwaip wrote
Thought there was gonna be a hell in a cell, crashing into a table reference, from all the way back in 1998
reversiblehash t1_j6icwh2 wrote
I knew I needed a common robo message and to embed it in an otherwise innocuous reply. Landed with a we've been trying to reach you....
Philip_Marlowe t1_j6gwb5s wrote
That cracked me up. Well done.
reversiblehash t1_j6id5kx wrote
I was hoping to get more of y'all. It's a shame my msg auto collapsed under the heavily downed patent comment.
[deleted] t1_j6gvc8a wrote
[removed]
Fast_Championship_R t1_j6gaab1 wrote
This would be a pretty big problem if this gets enforced. I know quite a few systems that utilize Twilio on a regular basis.
KittyBizkit t1_j6gs1cn wrote
Sounds like those systems need to migrate away ASAP. Or at least have a plan, because it is a very real possibility at this point.
PM_ME_FIREFLY_QUOTES t1_j6gsz9k wrote
If you think an 11 billion dollar company is going to just roll over, rather than react and adapt...
KittyBizkit t1_j6gu3jo wrote
Well they need to do something to fix the robocall problem. They can’t just allow them to continue operating like it isn’t happening. If threatening them with annihilation is what it takes, then so be it.
To be clear, I sincerely hope that the existential threat is enough to get them to clamp down on the problem themselves. But if they refuse to do that, I have no sympathy for them or their shareholders.
WeAreProbsFucked t1_j6gxrw8 wrote
We just had it text people when their drycleaner order was ready early instead of an employee calling. Too busy to be waiting on phone calls
cannibal_man t1_j6i8h1u wrote
>FCC Threatens to Disconnect Twilio for Illegal Robocalls
Don't threaten them. Just fucking do it!
Fucking parasites...
Unfadable1 t1_j6inq90 wrote
Your personal emotions aside, this is easier said than done since plenty of non-robo call businesses rely on Twillio for their back-end. IT security is man-made, and therefore there is no silver bullet when it comes to stopping workarounds.
Not sure why you support all the jobs and small businesses this move would actually crush…
Hookstomped t1_j6ipmle wrote
That’s not actually how this works. It’s not like Twilio’s network is being used without them knowing. By allowing Developers to build instantly without checking their backgrounds or company information, They are actively opening their APIs to thousands of unknown companies without enough due diligence. Hence they can fire up 1000’s of numbers and spam the heck out of everyone. Others in the space have a far more rigorous approach to ensuring this doesn’t happen. I worked in Cloud Telephony for 10 years and was responsible for $150M of Twilios connectivity. They are absolutely a problem.
Unfadable1 t1_j6j0qz3 wrote
Anyone can get around the checks through simple botting. You’re asking to resolve an unsolvable problem by burning the building down.
IMO your personal experience works more as a hindrance than a boon in this exact scenario. Objectively, you’re probably too close to it, tbh.
Hookstomped t1_j6juj93 wrote
Listen Telephony isn’t new, offering it to the world through an open API with free credits to enable developers causes this problem within the ecosystem. Twilio is an abstraction layer on top of actual telecom infrastructure. There are 100’s of companies that operate in this space with far less TCPA complaints/violations.
To your misguided and uniformed metaphor, this is more similar to putting a sign up in your front yard that you’re not home and leaving the back door to your house open, and then wondering why dirty mike and the boys turned it into a fuck shack.
ontopofyourmom t1_j6kfa0k wrote
fucken' dirty mike
psynautic t1_j6kgqah wrote
my whole company would rapidly collapse if this happened lol
cannibal_man t1_j6ixr6t wrote
> Not sure why you support all the jobs and small businesses this move would actually crush…
Lol, well now that's a first. 😄
Not sure why you're defending a bunch of spammers who consistently defy FCC rules & regulations.
They made their bed. Now let 'em lie on it.
Unfadable1 t1_j6j06kf wrote
I’m not supporting anything, because I’m not taking a biased/jaded/obtuse perspective on the matter, no matter how I feel personally about robocalls.
See the difference?
cannibal_man t1_j6j0v1w wrote
Nope. No sympathy for any of them. None, whatsoever.
If anything, their CEOs belong in jail. And they wouldn't be the first.
Unfadable1 t1_j6j12uy wrote
You simply don’t understand the issue beyond what you’ve read, so technically your opinion is literally moot, although I hate to say that because obviously arguing opinion at all is mostly a fools errand.
This isn’t a black-and-white issue, but headlines and blogs won’t teach you that, because that’s not engaging, and clicks rule.
Your suggestion is like banning alcohol manufacturers because kids get access through back-channels and drive drunk. Nice making your acquaintance, nonetheless.
FWIW: I don’t use twillio, but know plenty of non-robo-call companies (that have hundreds of thousands of customers who also are) relying heavily on it. It’s as simple as that. 🤷🏿♂️
Velgus t1_j6jex6s wrote
People in this thread are just raging at things that their only understanding of comes from a single article combined with their hatred for robocalls. They seem to think that Twilio exclusively works with/for these spam robocall farms - your prohibition analogy is a good one.
There are plenty of legitimate things Twilio is used for. A company a friend of mine works for, for example, uses Twilio to remind patients of their upcoming appointments/procedures, and vitally, if they have to take drugs, or fast, or such, before coming in.
618smartguy t1_j6ju9t0 wrote
>They seem to think that Twilio exclusively works with/for these spam robocall farms - your prohibition analogy is a good one.
What's giving you this impression? I have no problem thinking a business should be shut down if they are massively profiting off unethical behavior, regardless of what else they are doing. Who cares if they are doing good too? Seems to me like their good deeds are actually bad deeds if ultimately they are allowed to continue operating based on the argument you are presenting.
Velgus t1_j6kihjt wrote
Your basic argument is again, just like their prohibition analogy.
Twilio isn't performing good or bad deeds in this context - they're offering a service. The service is being taken advantage of by good and bad actors. By the logic you're presenting, we might as well shut down all telecommunications entirely, or any form of electronic communication that could be used by bad actors. Who cares if good stuff is being done with it if bad actors are being supported as well?(/s)
Sure, I'm fine with penalizing Twilio for not making sufficient efforts to block bad actors. In fact they SHOULD be made to provide information and proof on the efforts they take to mitigate bad actors, and penalized if those efforts are not sufficient. But bad actors will always find loopholes and ways to get through - it's not a one-time-fix scenario.
Any penalties should be financial however, not just outright shutting down the company. And it's totally fine if penalties are steep - I'm in the camp that believes corporate fines should be a % of revenue, instead of a flat amount, so they can't be written off as a "cost of doing business".
Shutting them down entirely for simply being a telecommunication service/API doesn't address the root of the problem in any case, since bad actors would just move to various other platforms (MessageBird, Plivo, etc.), which would debatably have even less capacity/capability for detecting bad actors, due to being smaller and having less potential resources to put towards doing so.
ontopofyourmom t1_j6kffm7 wrote
The innocent third parties who depend on them need time to switch to other platforms
DTHCND t1_j6lpk2a wrote
> Your suggestion is like banning alcohol manufacturers because kids get access through back-channels and drive drunk.
Or better yet, it's like banning cars because some people drive drunk. Like cars, Twilio is a critical utility for a lot of legitimate businesses and individuals.
cannibal_man t1_j6j2k1d wrote
You protest too much. Lol, you sound like a Twilio employee being disingenuous here.
When it comes to spam, they gotta play hardball. Not like the old days playing cozy with Ajit Pai.
It's a new FCC now....
Unfadable1 t1_j6ja1s8 wrote
Totally get it. I don’t expect you to believe we’re on the same side. ;)
You’ve shown your bias/emotion drives your decisions in this regard, and I’ve shown that mine doesn’t.
Nice meeting you, and good luck in the rest of your day!
cannibal_man t1_j6jdw10 wrote
Oh I get it too, bruh. Some people like to be contrarian for the sake of being contrarian, and when the mood strikes me, I like to do that too.
But in this particular case, you are desperately defending the indefensible. Pick better battles to fight, next time.
And have a nice day to you too.
Unfadable1 t1_j6jhd1u wrote
What exactly are you fooling yourself into thinking I’m defending?
cannibal_man t1_j6jhnxd wrote
Well, since I've gotten totally bored with you, I'll leave you to ponder that.
[deleted] t1_j6gv9yk wrote
[deleted]
davesnot_hereman t1_j6i4am9 wrote
Anyone old enough to remember the days when you used to be able to leave your ringer on and answer your phone? Regardless of FCC threats, I don’t see them coming back.
_gen_sec_sucks t1_j6gvzku wrote
Telnyx has very very similar offerings, better support, better pricing and better APIs.
ttluvya t1_j6h529c wrote
I used to be part of one states Covid-19 contact tracing and vaccination campaign and we used twilio to make our calls lol
notliam t1_j6huqsu wrote
Twilio is a very legit business, but any business offering phone numbers that can be automated is going to be at risk of this sort of activity and it's up to twilio to deal with that. However if the FCC can really block twilio from operating in just a 48 hour window that will have absolutely massive impact on businesses of all sizes that rely on it. Not that those companies couldn't find alternative solutions, but imagine just not being able to contact e.g. your banks phone support because the bank has no time to make that change.
Siollear t1_j6i2kg4 wrote
I have worked with Twilio for years on various projects, their team is awesome, I am sure they will rectify this.
mrisrael t1_j6iai1z wrote
Don't threaten, just do. They're gonna keep doing the same shit, they're just going to try to get better at hiding it.
p00ponmyb00p t1_j6iibcg wrote
It’s not twilio, it’s abusive customers. I’m not sure how twilio is supposed to even do anything about it. How do they know the numbers being called are random robocall spam
mrisrael t1_j6ijq6h wrote
Lets all set up spam bots on twilio and have them robocall twilio call centers and execs. I bet they would figure something out right quick.
Black_Moons t1_j6innd9 wrote
Heres an idea: If your calls originate with 100's of different spoofed numbers, you should prob be dropped as a customer.
If when twilio calls those numbers a call is suppose to be originating from, it doesn't belong to the company who signed up, dropped as a customer.
In fact, how about just the standard "We sent number XYZ a text message, please enter the message to confirm you own number XYZ" before allowing to call anywhere using that number as your 'spoof'?
SeaweedSorcerer t1_j6k62km wrote
Twilio already does those verifications. Next idea?
slinkwc2k t1_j6jurew wrote
Threats without action are just empty words…DO IT…
[deleted] t1_j6gr8p5 wrote
[removed]
[deleted] t1_j6gubyc wrote
[removed]
[deleted] t1_j6gxi8e wrote
[removed]
[deleted] t1_j6i3o7z wrote
[deleted]
H__Dresden t1_j6jeukd wrote
Ban anything due to illegal robocalls or texts.
elzissou710 t1_j6jrdv6 wrote
Just cut them off already. Good lord I’m starting to think US lawmakers have a stake in these companies.
JC2535 t1_j6k8g3a wrote
Put humans in prison. Fines and warnings are ineffective.
[deleted] t1_j6ktn3j wrote
[removed]
theflimsysorcery29 t1_j6i39t0 wrote
little they can accomplish given that they are merely a provider of telephone and message services; yet, kudos for their promptness.
MugShots t1_j6igy1v wrote
Seems like the should go after the ones abusing the service.
drawkbox t1_j6hf1o7 wrote
Twilio and Authy are sketch and you don't really want that when login codes (SMS and authy authenticator) are present. This is besides all the spam. Good luck to those using them.
Twilio and Authy also hacked recently. This also affected Okta/Auth0 and companies that rely on those dependencies like DoorDash.
Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec. Twilio has always been sketch. This breach is damaging.
> U.S. messaging giant Twilio has confirmed hackers also compromised the accounts of some Authy users as part of a wider breach of Twilio’s systems. Authy is Twilio’s two-factor authentication (2FA) app it acquired in 2015.
> Twilio’s breach earlier this month, which saw malicious actors accessing the data of more than 100 Twilio customers after successfully phishing multiple employees, keeps growing in scale. Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations since March.
> Now, Twilio has confirmed that Authy users were also impacted by the breach.
> In an update to its incident report on August 24, Twilio said that the hackers gained access to the accounts of 93 individual Authy users and registered additional devices, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.
> The company said it has “since identified and removed unauthorized devices from these Authy accounts” and is advising affected Authy users, which it has contacted, to review linked accounts for suspicious activity. It’s also recommending that users review all devices tied to their Authy accounts and disable “allow Multi-device” in the Authy application to prevent new device additions.
Okta breached as a result of the Twilio/Authy breach
> Identity giant Okta on Thursday also confirmed it was compromised as a result of the Twilio breach. The company said in a blog post that the hackers — which it refers to as “Scatter Swine” — spoofed Okta login pages to target organizations that rely on the company’s single sign-on service. Okta said that when the hackers gained access to Twilio’s internal console, they obtained a “small number” of Okta customer phone numbers and SMS messages that contained one-time passwords. This marks the second time Okta has reported a security incident this year.
> In its analysis of the phishing campaign, Okta said that Scatter Swine hackers likely harvested mobile phone numbers from data aggregation services that link phone numbers to employees at specific organizations. At least one of the hackers called targeted employees impersonating IT support, noting that the hacker’s accent “appears to be North American.” This may align with this week’s Group-IB investigation, which suggested one of the hackers involved in the campaign may reside in North Carolina.
DoorDash also caught up in it
> DoorDash also confirmed this week that it was compromised by the same hacking group. The food delivery giant told TechCrunch that malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools. The company declined to name the third-party, but confirmed the vendor was not Twilio.
Oscarcharliezulu t1_j6go6a3 wrote
Time for twilio to get approval from its customers to opt into an A.I. that scans messages.
[deleted] t1_j6gkbgo wrote
[deleted]
soberirishman t1_j6gljgl wrote
Because most technology companies use a twilio service of some kind.
[deleted] t1_j6gm0il wrote
[deleted]
soberirishman t1_j6gmahm wrote
You will when you can’t log into any service with SMS MFA because almost all of them are built on twilio. This would impact you as a consumer they’re that big of a deal..
Modest_Ubermensch t1_j6gso1u wrote
Dude is probably 14 and doesn’t really understand how this tech can be used for both good and bad purposes.
jackzander t1_j6gw1ov wrote
Sounds like a Too Big to Fail scenario.
My vote in such scenarios is: Fail.
Philip_Marlowe t1_j6gwyfw wrote
That's a shortsighted way to look at it though. If Twilio goes bust, there will be a mad scramble to replace thousands of MFAs and automated SMS messages for just about every software platform and PPI-protecting app and website on the planet.
We're not only talking corporate software outages, which would grind our economy to a screeching halt, but also major impacts on consumer life when email, online banking, utility billing, chain restaurants, e-retailers, Venmo, Uber/Lyft, eBay, etc. all need to reauthenticate every user all at once.
I'm not as familiar with the space Twilio is in as I would like to be, but I know they're a market leader and they have thousands of enterprise customers. Shutting them down would have a massive ripple effect.
jackzander t1_j6hy66t wrote
Yes, basically the same argument made to defend the existence of any monopoly in history.
If it's an essential service, it surely should not hinge so critically on one for-profit institution.
Philip_Marlowe t1_j6i1cq2 wrote
Absolutely, which is why I think Twilio needs to be regulated instead of shut down. That in itself is also pretty tricky though, because they're legally prohibited from knowing what their customers use their service for.
chingy1337 t1_j6gmne6 wrote
They will if a ton of existing infrastructure randomly stops working.
[deleted] t1_j6gml72 wrote
[deleted]
KittyBizkit t1_j6gs72b wrote
Are there any other viable options for you if Twilio gets the ax? Do any other companies provide a similar service?
_gen_sec_sucks t1_j6gvw50 wrote
Yes! Telnyx for example.
Philip_Marlowe t1_j6gx345 wrote
Found the Telnyx account executive!
_gen_sec_sucks t1_j6ifgld wrote
Just an honestly happy customer :)
Philip_Marlowe t1_j6ighgg wrote
Awesome! As a SaaS account exec in a different industry, it would make me pleased as punch to see a client speak so highly of our product!
[deleted] t1_j6hyi64 wrote
[deleted]
shorterthanrich t1_j6gs5hd wrote
Your comments are an exhibition in why it’s important that people making decisions understand what they’re making decisions about.
Modest_Ubermensch t1_j6gsrz0 wrote
Lol unlike congress critters who are too damn lazy to google a topic before they vote on it
shorterthanrich t1_j6gsz7w wrote
That is is often unfortunately the case, but at least some of them have trusted advisors who’s advice they’ll listen to. Sometimes. I hope.
despitegirls t1_j6gpxcq wrote
Someone spoofed our CEO's number and sent out phishing texts to corporate officers and VIPs. I traced the number back to Twilio, got on the phone with their support, and the texts stopped within 90 minutes. Not sure what they can do since they're just the provider of telephony and messaging services, but good on them for a quick response.
Edit: Correction here. Around this time there were two groups of texts that were going around, one from our CEO's spoofed number, and another from another number. The content of the text messages was the same. I traced the number that was not spoofed and called Twilio on that number and the texts stopped for both. Last year we had a lot of these phishing emails sent to VIPs in our company. We've since hired a security consultant and expanded our internal security team.