Protect your GatewayAPI account against scammers


SMS fraud is a major problem worldwide, with many either being harassed or scammed via SMS.

Increasingly, the scammers have also started to target companies that send A2P SMS traffic, where the scammers use the companies’ accounts as part of various scams.

At GatewayAPI, we take security very seriously and have introduced a number of security measures, including requirements for URL whitelisting and 2FA when logging in, as well as providing tools that can help protect your account from abuse. In addition, we continuously monitor traffic and intervene if there is something that differs from the normal patterns. 

With that said, we cannot catch everything, and we therefore also encourage our customers to review the security of their GatewayAPI account as well as review the security of the systems connected to our APIs to ensure that there are no vulnerabilities.

Below we will go over the different types of attacks taking place today, and then we will detail what you can do to protect yourself against them.


Examples of SMS scams

There are many different types of SMS scams and the aim of the attacks is usually to enrich the scammers via various ingenious methods.

To give you an understanding of what fraudsters can gain by accessing your account or exploiting your signup flow, we have included some of the most common SMS scams:

  • SMS phishing messages (also called Smishing) that contain a link where the aim is to extract information from the user or get the user to download malware.
  • SMS spam that promotes, for example, payday loan services and pages with adult content, or that contains political messages.
  • SMS traffic pumping, also known as SMS toll fraud, SMS 2FA Premium Rate Fraud or Artificially Inflated Traffic, where one-time passwords (OTPs) are used for signup flows. Here, a bot is used to request thousands of verification codes, which are sent to numbers where the scammers receive a share of the revenue generated.

Below you can read more about what you can do to help ensure that your account is not involved in one of the above scams.


IP whitelisting

In your GatewayAPI dashboard, you have the option of setting up IP whitelisting, which dictates that only approved IP addresses can send SMS messages from your GatewayAPI account.

This security measure ensures that even if your API keys or systems have been compromised, other parties will not be able to use your account to send SMS messages. It is thus a fast and efficient method to greatly improve the SMS security of your GatewayAPI account.

Read more about how to set up IP whitelisting on the GatewayAPI platform here.

Increase the security of systems connected to APIs

We often see that hackers gain access to systems that have been connected to our APIs. This way, fraudsters are able to send SMS traffic through GatewayAPI, even though the security of the GatewayAPI platform has not in fact been compromised.

We have therefore collected a number of the most important security-related focus areas, which you can review and assess the relevance of in relation to your system and your setup. Often, a combination of these security measures will cause hackers and bots to move on to easier targets, unless of course you have been specifically singled out.


Set up extra protection on login flows

Protect your login flow against brute-force attacks, where a bot tries to guess the password by running through thousands of combinations. This is easily countered by limiting how many times a user can enter an incorrect password before a time-out is imposed on further login attempts, for example three attempts before a time-out of one minute.

In addition, you can encourage or require two-factor authentication when users create an account and afterwards log in to your system. Here it is also important that you use several of the other security mechanisms, so that you are not vulnerable to traffic pumping, which was described above.

You can also consider implementing reCAPTCHA or hCAPTCHA to counter attacks from bots.
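As an added illustration of the lockout described above (this is example code, not GatewayAPI's own), the following Python class counts failed logins per user and refuses all further attempts, including a correct guess, until the time-out has passed. The limits (three attempts, 60 seconds) follow the text; the in-memory dictionaries are an assumption, and a real deployment would keep this state in a shared store so that every application node enforces the same lock.

```python
import time
from dataclasses import dataclass, field

# Example values (assumed): three wrong passwords lock the account for a minute.
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 60


@dataclass
class LoginGuard:
    failures: dict = field(default_factory=dict)      # username -> consecutive failed attempts
    locked_until: dict = field(default_factory=dict)  # username -> unix time when the lock expires

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it so the user gets a fresh set of attempts.
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def attempt(self, username, password_ok, now=None):
        """Returns 'locked', 'ok' or 'rejected'.

        A correct password during a lockout is still answered with 'locked';
        otherwise a bot would simply ignore the rejections and keep guessing.
        """
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        if password_ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
        return "rejected"


def count_evaluated(guard, username, guesses, correct, start=0.0):
    """Replay a list of guesses one per second and return how many were actually
    checked against the password (the rest were turned away by the lock)."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = guard.attempt(username, guess == correct, now=start + i)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    # Constructed scenario: a bot fires 100 wrong guesses at one account.
    checked = count_evaluated(LoginGuard(), "alice", ["wrong"] * 100, "correct-horse")
    print(f"{checked} of 100 guesses were actually evaluated")
```

With one guess per second, only six of the hundred guesses reach the password check; the lockout absorbs the rest. Combined with the rate limiting and CAPTCHA measures discussed in this post, this turns a cheap bulk attack into a slow one.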


Insert a rate limit

Set up protection so that the same message cannot be sent thousands of times within a short period. This is achieved by setting a rate limit on the number of SMS messages that can be sent per second, minute or hour by a single user, or collectively from your account, so that you can halt a broadcast in time. It is particularly relevant if, for example, you offer software solutions with integrated SMS communication that your end users can trigger.
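The sliding-window limiter below is an added example (not code from GatewayAPI) of the two-level rate limit just described: one limit per user per minute and one for the whole account per hour. When the account-wide limit is hit, sending is halted until an operator clears it, which is the "halt the broadcast in due time" step. The limit values and the in-memory deques are assumptions chosen for the illustration.

```python
import time
from collections import deque

# Assumed limits for the example; tune these to your own traffic profile.
PER_USER_PER_MINUTE = 10
ACCOUNT_PER_HOUR = 500


class SmsRateLimiter:
    def __init__(self, per_user=PER_USER_PER_MINUTE, per_account=ACCOUNT_PER_HOUR):
        self.per_user = per_user
        self.per_account = per_account
        self.user_sends = {}          # user id -> deque of send timestamps (last 60 s)
        self.account_sends = deque()  # timestamps of every send from the account (last hour)
        self.halted = False           # latched when the account-wide limit is reached

    @staticmethod
    def _prune(window, now, horizon):
        # Drop timestamps that have fallen out of the sliding window.
        while window and window[0] <= now - horizon:
            window.popleft()

    def allow(self, user_id, now=None):
        """Return (allowed, reason). The send is recorded only when allowed."""
        now = time.time() if now is None else now
        if self.halted:
            return False, "account halted"
        self._prune(self.account_sends, now, 3600)
        if len(self.account_sends) >= self.per_account:
            # Account-level limit: stop everything until someone looks at it.
            self.halted = True
            return False, "account limit"
        window = self.user_sends.setdefault(user_id, deque())
        self._prune(window, now, 60)
        if len(window) >= self.per_user:
            # Only this user is throttled; other users keep sending.
            return False, "user limit"
        window.append(now)
        self.account_sends.append(now)
        return True, "ok"

    def resume(self):
        """Operator clears the halt after investigating the burst."""
        self.halted = False


if __name__ == "__main__":
    # Constructed scenario: one user sends in a tight loop.
    limiter = SmsRateLimiter(per_user=3, per_account=5)
    for second in range(5):
        print(second, limiter.allow("user-1", now=second))
```

A user hitting their own limit only gets a "user limit" refusal, which is the normal case for a noisy but legitimate customer. The account-wide halt is deliberately sticky: a burst that large is the signature of traffic pumping, and the cost of a short outage is far lower than the cost of a few thousand premium-rate OTPs.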


Set up geographic boundaries

With this security measure, you simply select the countries to which SMS messages may be sent and block all others.

This can be done by blocking all countries as a starting point, and then manually selecting which countries you allow traffic to be sent to. It can also be done the other way around, where you have to manually select which countries you want to block. That method may be relevant if it is not obvious which countries traffic will be sent to.

We do not currently offer this feature in the GatewayAPI platform, so you have to set it up in your own system.
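Since this has to live in your own system, here is an added example (not GatewayAPI code) of a country gate that works in either of the two modes described: allow-listed countries with everything else blocked, or block-listed countries with everything else allowed. It classifies E.164 destination numbers by longest matching country calling code. The code table is a small sample with a handful of real ITU calling codes; a complete table is assumed in production, and a number whose code is not in the table is never allowed, since an unknown destination is exactly the case the measure is meant to stop.

```python
import re

# Sample of real country calling codes (incomplete on purpose; assume a full
# ITU table in production). Keys are the calling codes, values are labels.
COUNTRY_CODES = {
    "1": "US/CA", "7": "RU/KZ", "44": "GB", "45": "DK", "46": "SE",
    "47": "NO", "49": "DE", "63": "PH", "234": "NG", "880": "BD",
}


def country_of(number):
    """Return the calling code of an E.164 number, or None if it is unknown."""
    digits = re.sub(r"\D", "", number)  # strip '+', spaces and dashes
    if not digits or len(digits) > 15:  # E.164 allows at most 15 digits
        raise ValueError(f"not an E.164 number: {number!r}")
    for length in (3, 2, 1):            # longest prefix wins (e.g. 880 before 88 or 8)
        code = digits[:length]
        if code in COUNTRY_CODES:
            return code
    return None


class CountryGate:
    def __init__(self, mode, codes):
        if mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")
        self.mode = mode
        self.codes = set(codes)

    def permits(self, number):
        code = country_of(number)
        if code is None:
            return False  # unknown destinations are refused in both modes
        if self.mode == "allow":
            return code in self.codes
        return code not in self.codes

    def split_batch(self, numbers):
        """Partition a send list into (permitted, refused) for logging and review."""
        permitted, refused = [], []
        for n in numbers:
            (permitted if self.permits(n) else refused).append(n)
        return permitted, refused


if __name__ == "__main__":
    # Constructed batch: a Nordic-only service receives a mixed list of recipients.
    gate = CountryGate("allow", {"45", "46", "47"})
    ok, dropped = gate.split_batch(
        ["+45 12 34 56 78", "+4612345678", "+447700900123", "+99912345"]
    )
    print("send:", ok)
    print("refuse and review:", dropped)
```

Starting from "block everything" and opening individual countries is the safer default; if you do not yet know where legitimate traffic goes, run the gate in block mode first and log what it would have refused before turning allow mode on.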


Limitations on API Endpoints

It can also be beneficial to keep track of all API endpoints. Even if an API endpoint is only in a testing phase, there should be a limit on how many messages can be sent through it.


Best practices

To conclude this blog post, we have listed a number of best practices when it comes to IT security:

  • Choose a strong password for your GatewayAPI account and the systems connected to the APIs belonging to GatewayAPI.
  • Update your passwords regularly.
  • Ensure that the right people have access to GatewayAPI and systems connected to GatewayAPI and that their access level matches their use.
  • Make sure that login information or credentials are not shared with third parties or via channels that are not safe. If they are, create a new password or generate new API keys.

Thank you for reading this post! We hope that it has given you a clearer picture of the additional security measures you can implement to keep your GatewayAPI account from being involved in an SMS scam.