Defeating SMS Pumping and IRSF: Securing OTP Flows with IP Intelligence
The Economics of SMS Pumping
International Revenue Share Fraud (IRSF), often manifested as SMS pumping, is a sophisticated attack where bad actors utilize premium rate numbers to generate illicit revenue. Attackers script bots to trigger One-Time Passwords (OTP) or 2FA flows against your application, directing SMS traffic to numbers they control. You pay the carrier; the carrier shares revenue with the attacker.
Rate limiting based on phone numbers is insufficient, because attackers rotate numbers. Rate limiting based on device ID is unreliable, because device identifiers are trivially forged. The most effective signal available before the billable event, and the hardest for a bot to change cheaply, is the source IP address.
The Security Architecture
To secure an OTP flow, you must validate the request source before invoking your SMS provider's API (e.g., Twilio, Vonage, SNS). The validation logic should sit at your API gateway or authentication service layer.
The logic pipeline follows this sequence:
- Request Ingestion: User submits phone number.
- IP Analysis: Query IPASIS to enrich the request metadata.
- Risk Assessment: Evaluate connection type, privacy thresholds, and geolocation.
- Decision: Block, Challenge (CAPTCHA), or Allow.
Implementation Strategy
We focus on three primary signals to detect bot traffic involved in SMS pumping:
- Hosting/Datacenter IPs: legitimate users rarely register for services via AWS, DigitalOcean, or Hetzner IPs.
- Anonymizers: Tor exit nodes and commercial VPNs are standard tools for bypassing basic rate limits.
- Geo-Velocity/Mismatch: An IP in Vietnam requesting an OTP for a +44 (UK) number is a high-risk anomaly.
Code Example: Python & Flask Middleware
The following snippet demonstrates a pre-flight check that queries the IPASIS API and returns a (is_risky, reason) pair before the SMS trigger is allowed to proceed.
```python
import logging

import requests
from flask import Flask, request, jsonify

app = Flask(__name__)
IPASIS_API_KEY = 'your_api_key'
log = logging.getLogger(__name__)


def check_ip_risk(ip_address):
    """
    Returns (is_risky, reason): (True, reason) if the IP is high risk,
    (False, None) otherwise.
    """
    try:
        response = requests.get(
            f"https://api.ipasis.com/v2/ip/{ip_address}",
            headers={"X-Api-Key": IPASIS_API_KEY},
            timeout=0.5  # Fail open or closed based on risk appetite
        )
        # An error response (4xx/5xx) carries no risk fields; treat it as a
        # lookup failure rather than silently allowing the request.
        response.raise_for_status()
        data = response.json()
        # 1. Block Hosting/Datacenter traffic (Bots)
        if data.get('connection', {}).get('type') == 'hosting':
            return True, "Datacenter traffic rejected"
        # 2. Block Tor and High-Risk Proxy
        security = data.get('security', {})
        if security.get('is_tor') or security.get('is_proxy'):
            return True, "Anonymizer detected"
        # 3. Check Risk Score (0-100)
        if security.get('risk_score', 0) > 75:
            return True, "High risk score"
        return False, None
    except Exception as e:
        log.warning("IP risk lookup failed for %s: %s", ip_address, e)
        return False, None  # Default to allow in failure scenario


@app.route('/request-otp', methods=['POST'])
def request_otp():
    # Behind a load balancer or CDN, remote_addr is the proxy's address; wrap
    # the app with werkzeug's ProxyFix (trusting only your own proxies) so the
    # real client IP is the one evaluated here.
    client_ip = request.remote_addr
    # Pre-flight check
    is_risky, reason = check_ip_risk(client_ip)
    if is_risky:
        # Return 403 but do NOT tell the bot exactly why to prevent evasion
        return jsonify({"error": "Request denied", "code": "risk_policy"}), 403
    # Proceed to expensive SMS API call
    # send_sms_provider(request.json['phone'])
    return jsonify({"status": "sent"})
```
Handling False Positives
While blocking datacenter traffic is generally safe, blocking residential proxies or VPNs can affect legitimate privacy-conscious users. Instead of a hard block, implement Step-Up Authentication.
If is_vpn is true but is_tor is false, return a response requiring the client to solve a heavy CAPTCHA or provide a proof-of-work token. Only once that token is validated should the SMS API be triggered.
FAQ
Q: Will this add latency to my login flow?
A: IPASIS is built on edge infrastructure with sub-50ms response times. The latency introduced is negligible compared to the 3-5 seconds required for SMS delivery.
Q: How do we handle legitimate users traveling abroad?
A: Do not block solely on Geo-Mismatch (e.g., US Phone, French IP). Use it as a weighted signal. If the IP is French but Residential (ISP) and Clean (Risk Score < 30), allow the request. If the IP is French and Datacenter, block it.
Q: Can we cache the IP intelligence data?
A: Yes, but keep TTL short (e.g., 5-10 minutes). Botnets rotate IPs rapidly; an IP that was clean 20 minutes ago may now be compromised.
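The pipeline above (ingest, enrich, assess, decide), the step-up rule from "Handling False Positives", the weighted geo-mismatch rule from the FAQ, and the short-TTL cache all fit in one small policy engine. The following is an added example, not IPASIS's own code or SDK: it takes an enrichment record in the shape the page's snippet already reads (connection.type, security.is_tor / is_proxy / is_vpn / risk_score) and produces allow / challenge / block. The location.country field, the dialling-prefix table, the constructed sample records, and the choice to degrade to a challenge rather than an allow when the lookup fails are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"

# Assumed: dialling prefix -> ISO country, used only for the mismatch signal.
PHONE_PREFIX_COUNTRY = {"+1": "US", "+44": "GB", "+33": "FR", "+84": "VN"}
CACHE_TTL_SECONDS = 300   # FAQ: keep the TTL short (5-10 minutes)
CLEAN_SCORE = 30          # FAQ: "Clean" means risk score below 30
BLOCK_SCORE = 75          # page snippet: block above 75


def phone_country(phone: str) -> Optional[str]:
    """Map an E.164 number to a country via its longest known dialling prefix."""
    for prefix in sorted(PHONE_PREFIX_COUNTRY, key=len, reverse=True):
        if phone.startswith(prefix):
            return PHONE_PREFIX_COUNTRY[prefix]
    return None


@dataclass
class Decision:
    action: str
    reason: Optional[str] = None


class IpRiskPolicy:
    """Enrich-then-decide pipeline with a short-TTL cache in front of the lookup."""

    def __init__(self, lookup: Callable[[str], dict],
                 clock: Callable[[], float] = time.monotonic,
                 ttl: float = CACHE_TTL_SECONDS) -> None:
        self._lookup = lookup   # e.g. a function wrapping the HTTP call
        self._clock = clock
        self._ttl = ttl
        self._cache: Dict[str, Tuple[float, dict]] = {}
        self.lookups = 0        # counts real (non-cached) lookups

    def enrich(self, ip: str) -> dict:
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        data = self._lookup(ip)
        self.lookups += 1
        self._cache[ip] = (now, data)
        return data

    def decide(self, ip: str, phone: str) -> Decision:
        try:
            data = self.enrich(ip)
        except Exception:
            # Design choice for this example: degrade to CHALLENGE, not ALLOW.
            # A CAPTCHA costs nothing; an SMS to a premium number is billable.
            return Decision(CHALLENGE, "enrichment unavailable")

        conn_type = data.get("connection", {}).get("type")
        sec = data.get("security", {})
        risk = sec.get("risk_score", 0)
        ip_country = data.get("location", {}).get("country")  # assumed field

        # Hard blocks: datacenter traffic, Tor, or a risk score above threshold.
        if conn_type == "hosting":
            return Decision(BLOCK, "datacenter traffic")
        if sec.get("is_tor"):
            return Decision(BLOCK, "tor exit node")
        if risk > BLOCK_SCORE:
            return Decision(BLOCK, "high risk score")

        # Step-up instead of a hard block for VPN / proxy users.
        if sec.get("is_vpn") or sec.get("is_proxy"):
            return Decision(CHALLENGE, "anonymizer")

        # Geo-mismatch is a weighted signal: residential (ISP) and clean passes,
        # any other connection type on a mismatch is challenged.
        expected = phone_country(phone)
        if expected and ip_country and expected != ip_country:
            if conn_type == "isp" and risk < CLEAN_SCORE:
                return Decision(ALLOW, "geo mismatch, residential and clean")
            return Decision(CHALLENGE, "geo mismatch")
        return Decision(ALLOW)


# Constructed enrichment records (not real API responses), keyed by documentation IPs.
SAMPLE_RECORDS = {
    "203.0.113.10": {"connection": {"type": "hosting"}, "security": {"risk_score": 5}, "location": {"country": "US"}},
    "198.51.100.7": {"connection": {"type": "isp"}, "security": {"is_tor": True}, "location": {"country": "DE"}},
    "198.51.100.8": {"connection": {"type": "isp"}, "security": {"is_vpn": True, "risk_score": 20}, "location": {"country": "GB"}},
    "198.51.100.9": {"connection": {"type": "isp"}, "security": {"risk_score": 12}, "location": {"country": "FR"}},
    "198.51.100.10": {"connection": {"type": "business"}, "security": {"risk_score": 40}, "location": {"country": "FR"}},
}


def sample_lookup(ip: str) -> dict:
    return SAMPLE_RECORDS[ip]  # KeyError stands in for a failed API call


def demo() -> Dict[str, str]:
    """Run the constructed cases through the policy; returns ip -> action."""
    policy = IpRiskPolicy(sample_lookup)
    cases = [
        ("203.0.113.10", "+15551234567"),   # datacenter -> block
        ("198.51.100.7", "+15551234567"),   # tor -> block
        ("198.51.100.8", "+447700900123"),  # vpn -> challenge
        ("198.51.100.9", "+15551234567"),   # US phone, clean French ISP -> allow
        ("198.51.100.10", "+15551234567"),  # US phone, French non-ISP -> challenge
        ("192.0.2.1", "+15551234567"),      # lookup failure -> challenge
    ]
    return {ip: policy.decide(ip, phone).action for ip, phone in cases}


if __name__ == "__main__":
    for ip, action in demo().items():
        print(f"{ip:15} {action}")
```

The ordering matters: hard blocks are evaluated first so a datacenter IP never reaches the softer geo rule, and the cache sits in front of the lookup so a burst of requests from one IP costs one API call per TTL window. Wire the real HTTP call in as the lookup callable and map CHALLENGE to whatever step-up mechanism you use (CAPTCHA, proof-of-work) before the SMS provider is ever invoked.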
Secure Your Budget
SMS pumping attacks can drain thousands of dollars in hours. Do not rely on reactive analysis of your carrier bill. Prevent the fraud at the network level.
Integrate IPASIS today to identify bots, datacenter traffic, and proxy networks before they hit your infrastructure.