Twilio has been complicit in this problem for years, and up until very recently put 0 effort behind tooling to allow customers to block it off from the top.
Instead the world toiled away on what is surely several hundred engineer lifetimes of hours building the same fraud guard solutions in front of Twilio.
Wonderful piece of propaganda that Twilio can put out to pretend to be a thought leader in the space while turning a blind eye to the tens of thousands of dollars of fraud passing over their wires on the daily.
Not only that, but they now have an "SMS Pumping Risk" API endpoint(1) that costs 3.5c per request(2). I guess the demand is there... but feels pretty exploitative at this point.
100%, my current company had to build fraud protection specifically for our Twilio SMS OTP flow. I’m sure essentially every Twilio customer that does SMS OTP flows with them has had to do the same. Took them forever to build their own feature for this, despite it being SUCH a common issue, and now they charge extra for it.
The most innocuous explanation is someone in management asking "if someone tells us (via API request) to send an SMS to a certain number, and we don't send that message because we're 99% sure they're being defrauded, how do we communicate that to the customer, and what about that 1% chance we're wrong?"
Although the most likely explanation is someone in management going "hold on, we have to spend money to build these safeguards, and we're going to make less money after we deploy them?"
Couldn't agree more. Twilio has been profiting from these scammers for years. We had several calls with our account manager and "fraud expert", and the answer was always the same - migrate to Twilio Authy. The problem is that with Twilio Authy you are basically paying the same amount, it's just that the cut or "protection fee" is not going directly to scammers, but to Twilio.
The last time we talked to them, they bragged about how good their algorithm to detect fraud is and that we should take advantage of it by onboarding to Authy. I asked them why they just don't offer it to all customers, since their platform is enabling scammers. And the manager said, I'm paraphrasing here, "well, we are a for-profit company".