
Scammers signed up, scammed us of $870 in 15 minutes - kaushikt
https://dev.to/spike/scammers-signed-up-scammed-us-of-870-in-15-minutes-4gjf
======
chitrakukreja
For the curious - this is toll fraud: [https://www.twilio.com/learn/voice-and-video/toll-fraud](https://www.twilio.com/learn/voice-and-video/toll-fraud)

Scammers make money from receiving phone calls. Apparently, it is super
difficult to tackle this problem - right from Twilio to phone network carriers.

~~~
tinus_hn
Regulators simply need to either forbid paying out the tolls or forbid
collecting fraudulent tolls from users. These are scams.

The carriers try to hide behind old agreements that state all calls,
fraudulent or not must be paid. If they want to keep these agreements they can
just pay for them themselves. If not, they should change them. The end users
aren’t in a position to enforce this so regulatory pressure is clearly
required.

------
giorgioz
We got scammed out of $200 on www.mailgun.com. Someone managed to get access to
our Mailgun account and/or Mailgun access key and sent $200 worth of emails in
Ukrainian about a crypto IPO (likely a scam).

~~~
kaushikt
Damn. We are being super careful with the tokens.

In our case, we were making phone calls to verify phone numbers. That was a
crucial mistake.

Did they get access via tokens or email/password?

------
Nextgrid
I'm curious, why did you have a phone verification feature to begin with; what
would've been the impact of unused accounts being created? To me it seems like
the verification feature did more harm than good in this case.

~~~
kaushikt
Phone verification is NOT mandatory. However, Spike.sh is a simpler
alternative to PagerDuty which means we make calls when there are important
incidents. Not calling might have serious consequences.

Knowing that the phone call is important, we needed to verify it. However,
making a phone call to verify is NOT a good idea.

We should have sent an SMS, but getting an alphanumeric sender ID took some
time and we wanted to ship quickly.
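As an added illustration of the point above (not code from the original post or from Spike.sh): a guard an application can apply before it places any verification call, so that mass sign-ups cannot be turned into a stream of paid calls to attacker-controlled numbers. The limits, the blocked prefix and the per-call cost figures are constructed placeholders, not values from the thread.

```python
# Guard applied before every outbound phone-verification call. Added example,
# not from the original post; all limits and prefixes are constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CallGuard:
    per_number_limit: int = 2        # verification calls to one destination number
    per_account_limit: int = 3       # distinct numbers one account may verify
    per_ip_limit: int = 5            # calls that sign-ups from one IP may trigger
    spend_cap_cents: int = 2000      # hard ceiling on telephony spend in the window
    blocked_prefixes: tuple = ()     # E.164 prefixes you never dial (constructed)
    spent_cents: int = 0
    _numbers: dict = field(default_factory=lambda: defaultdict(int))
    _accounts: dict = field(default_factory=lambda: defaultdict(set))
    _ips: dict = field(default_factory=lambda: defaultdict(int))

    def allow(self, account: str, ip: str, e164: str, est_cost_cents: int):
        """Return (allowed, reason). Counters only advance on an allowed call."""
        if not (e164.startswith("+") and e164[1:].isdigit() and 8 <= len(e164) <= 16):
            return False, "malformed number"
        if any(e164.startswith(p) for p in self.blocked_prefixes):
            return False, "blocked prefix"
        # Spend cap is checked first: it bounds the total loss even when every
        # per-entity limit is evaded with fresh accounts, IPs and numbers.
        if self.spent_cents + est_cost_cents > self.spend_cap_cents:
            return False, "spend cap"
        if self._numbers[e164] >= self.per_number_limit:
            return False, "number limit"
        known = self._accounts[account]
        if e164 not in known and len(known) >= self.per_account_limit:
            return False, "account limit"
        if self._ips[ip] >= self.per_ip_limit:
            return False, "ip limit"
        self.spent_cents += est_cost_cents
        self._numbers[e164] += 1
        known.add(e164)
        self._ips[ip] += 1
        return True, "ok"
```

A refused call is the signal to alert on: a burst of "spend cap" or "ip limit" refusals shortly after a wave of sign-ups is the pattern described in the original post.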

------
varlogix
Crazy stuff! And I really like the blow-by-blow account.

------
sansnomme
How did you find out about needle.sh? They do not have any form of
advertising. Is this cross marketing?

~~~
kaushikt
I discovered it on the demo day at this founders' community I am part of -
[https://www.superfounderhub.com](https://www.superfounderhub.com). We are
part of the same community. Not cross-marketing :)

The attack happened and since I had spoken with their team once I decided to
integrate quickly.

------
nikhilbagadia
Good read.

Why not use hCaptcha?

~~~
kaushikt
I only went with what is popular. At the time of doing this, getting captcha
up and running was the top priority.

Having used Google reCaptcha before I immediately set it up.

Would you recommend hCaptcha over reCaptcha?

~~~
the_jeremy
Yes, HN generally seems against reCaptcha, mainly because of (understandable)
Google paranoia and the fact that reCaptcha is significantly worse UX if you
have privacy-centric extensions or browsers (overrepresented in HN compared to
the average).

~~~
kaushikt
During my quick research, I remember stumbling upon comparisons. The only
thing hCaptcha wins over reCaptcha is the fact that it's not owned by Google.

~~~
the_jeremy
It's also better UX for Firefox. I have to go through multiple questions in
reCaptcha every time I get the "not a robot" button. hCaptcha, from what I've
seen, hasn't needed multiple sets of image solves to allow me through.

