4

We run online contests and want to eradicate cheating (yeah right), or at least mitigate it. I've asked the question regarding user experience here: https://ux.stackexchange.com/questions/15980/ways-to-avoid-online-contest-voting-fraud-is-sms-account-verification-too-much/15991#15991.

Now I want to know about the viability of my original premise: people typically only have access to one phone number that can receive SMS messages; they cannot create numerous viable numbers on the fly. Is this true?

Background: I understand that Google Voice and Gmail both allow users to send/receive text messages through numbers Google assigns. In the case of Gmail, you cannot receive texts from a number you have not previously sent to; the outside sender just gets an error. And Google in general does not currently recognize short codes as valid, so you simply can't send to them at all. So, "viability" of a number to us means that it can be used with our short code system.

Taj Moore
  • 2
    Using SMS entails alienating international users (or maybe you are ready to pay for international SMS?). The Web is worldwide! – Thomas Pornin Jan 11 '12 at 20:35
  • 3
    Anyone can cheat if they're willing to invest enough money into it. Approximately how much should someone have to pay to cheat? $1? $100? $1,000,000? – Gilles 'SO- stop being evil' Jan 11 '12 at 21:17
  • Our contests are U.S. only. Prizes are hundreds to low thousands of dollars. I'm not too worried about "burner" phones, but I hadn't considered them, before, either. – Taj Moore Jan 11 '12 at 23:07
  • 1
    A $0.01 charge on a credit card to take part is another option, you may even be able to verify that the mobile phone number belongs to the card holder. – Ian Ringrose Jun 30 '16 at 10:48

4 Answers

6

Think about the fact that you can buy "throw-away" mobiles including SIM cards. Buying 100 phones and therewith 100 numbers would not really be a problem. In fact, it started to become one of the annoying things in Germany since last year: spammers buy hundreds of mobiles and (ab)use these to send spam SMS.

Looking at your question, you need to know that SMS verification is somewhat like email verification. The only thing that makes SMS verifications "a bit more useful" than regular email verifications is that - as you stated yourself - it's easier to create a dozen emails "on the fly". Yet, if it's interesting enough to do so, you can bet people will start trying to cheat by simply organizing themselves a truckload of mobiles with individual SIM cards and phone numbers.

So, to wrap it up in a simple answer:

It's true no one (except phone-providing companies themselves) can create phone numbers "on the fly". But it is easily possible to buy several (throw-away/one-time/whatever-they-call-it-in-your-country) mobile phones and use/abuse those phone numbers.

In the end, you have to think like "them" and decide if it would be worth the effort to invest money for mobiles and SIMS just to get past SMS verification. In most cases, it's not... but in some cases, it is.

As long as you don't expect too much from an SMS verification and as long as you're only aiming for "something better than email verification", you'll be more than fine with SMS verification.

  • 2
    Actually the number is usually bound to the SIM card not the IMEI - so you don't need to buy a new phone, just a new sim card – symcbean Jan 13 '12 at 13:13
  • @symcbean : "some countries" (like Germany) restrict users buying more than 7 sim-cards; no matter which provider. They even restrict it if you try to buy 8 sim cards, each from a different provider. The only way around that is buying phones that come with sim cards and as the price only differs about 1 Euro from buying the SIMs alone, that's what many SMS spammers do. But you're correct, some countries don't have such restrictions and it's easier to cause havoc. But: it's questionable if someone will invest that amount of money to bypass a simple verification when there's no cash to gain. ;) –  Jan 16 '12 at 03:43
3

I mean...it depends on what you mean by verify "unique identity". It's pretty easy to pick up a Tracfone et al. and a few SIM cards and have plenty of identities which is really no different from if Google Voice were a viable solution.

But even if not there are other free web based SMS solutions that may not have the same restrictions in place as Google.

doyler
  • I've looked into some free SMS services, but I haven't found one that lets me create a unique number and receive a text from a short-code sender. Can you point me in the right direction to find something like that? – Taj Moore Jan 11 '12 at 23:04
  • 1
    @tajmo I'm sorry to be the one breaking the news to you, but what you're looking for is not available for free. –  Jan 16 '12 at 03:45
3

As per elsewhere, the number relates to the sim card - not the phone - so it's not expensive to acquire multiple phone numbers - indeed, many operators will actually give away sim cards on a pre-pay basis - and if your model is based on an MT text, an attacker does not even have to put the account in credit - just activate the SIM.

A further way to subvert your methodology is that routing to the mobile only relies on the first N digits of a phone number (which varies by country and depending on the dialling prefix) so if the user has a phone number of (using UK format) 07012345678 they (depending on the routing between origin and termination) may receive messages sent to 070123456781, 070123456782, 070123456783...

OTOH it's rather difficult to fake the subscriber number on a MO SMS (i.e. sent FROM rather than TO the phone). So if your customers vote by SMS, it's a lot more difficult to compromise and adds additional overheads for anyone trying to subvert the system since there is a cost to them for each SIM / subscriber number.

symcbean
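
An added example (not part of symcbean's answer or of any real system): a registration check that rejects over-length numbers and flags those whose leading digits match an already-verified number, the trailing-digit case described in the answer above. The `NumberRegistry` class and the fixed national length of 11 digits (matching the UK-format number in the answer) are assumptions.

```python
import re


def digits_only(raw):
    """Strip common separators; reject anything that is not ASCII digits."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    if not re.fullmatch(r"[0-9]+", cleaned):
        raise ValueError(f"not a plain national number: {raw!r}")
    return cleaned


class NumberRegistry:
    """Tracks numbers already used for verification (hypothetical helper)."""

    def __init__(self, national_len):
        self.national_len = national_len  # assumption: fixed-length numbering plan
        self.seen = set()

    def check(self, raw):
        """Return 'ok', 'duplicate', 'alias' or 'bad-length'; register only 'ok'."""
        num = digits_only(raw)
        if len(num) > self.national_len:
            # Extra trailing digits may be ignored by routing, so compare the
            # significant prefix with numbers that were already accepted.
            if num[: self.national_len] in self.seen:
                return "alias"  # worth logging: same handset, padded number
            return "bad-length"
        if len(num) < self.national_len:
            return "bad-length"
        if num in self.seen:
            return "duplicate"
        self.seen.add(num)
        return "ok"


def classify(submissions, national_len=11):
    """Run submissions through a fresh registry in order."""
    reg = NumberRegistry(national_len)
    return [(s, reg.check(s)) for s in submissions]


# Constructed sample input, built around the UK-format number from the answer.
SAMPLE = ["07012345678", "070123456781", "0701 234 5678",
          "070123456", "079999999991"]

if __name__ == "__main__":
    for number, verdict in classify(SAMPLE):
        print(f"{number:<15} {verdict}")
```

Only exact-length numbers are ever registered, so a padded variant can never become a second identity; the separate `alias` verdict exists so that repeated attempts against one verified number can be logged.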
2

Depends on what you're trying to protect whether mobile numbers are strong enough. If it's some kind of poll or game with no financial gain, SMS would be enough I would say. However, if an attacker has more to gain, I would say SMS is not enough. Unfortunately, in such a case solving it and keeping it usable is quite a challenge.

In such a case, you have to start working with credit cards, social security numbers and other things where people ought to have only one. But again, if you're up against criminals, even with that you're going to have a tough time.

schroeder
Henri
  • 1
    I have multiple credit cards. Any website that requested my social security number wouldn't get my real social security number (outside of specific national and state government-run websites). – Ramhound Jan 25 '12 at 18:53