
Show HN: Phone verification at no cost - natsu90
https://github.com/natsu90/dial2verify-twilio
======
patcheudor
I may get down voted for this and so be it, this must be said. This is a prime
example of creating what was intended to be a security feature without
understanding the threat landscape. I just tested it, and it's 100% vulnerable
to caller ID spoofing. In 2016, caller ID spoofing is as simple as downloading
an iPhone app and spending $30 for a bunch of minutes.

The problem is, a lot of people will find this cool and will also not evaluate
the threat landscape. In fact, it's even worse. They will assume the threat
landscape has already been evaluated. The code is out there, so it must be
good. They will then implement this into some "super duper secure" service
which should require far more security for user authentication. It will then
take me 15 minutes of pulling my hair out in a security review to explain to
whomever implemented it that it offers no security. The team will walk away
from our meeting wondering if I was just trolling them and ask how their
entire team could have made this mistake. They will then come to the
conclusion they are smart and I must be wrong. They'll then call me back to
explain again, at which point I'll take them through a full video
demonstration with their VP of operations on the call. This time they will
actually "get it" because they saw it exploited on video. Their VP of
operations will then fire the project manager and lead developer and I'll feel
like shit for being responsible for the termination of two careers.

~~~
bpchaps
Not to mention that it's _incredibly_ inconvenient if you don't carry a phone,
or if you lost it. I tried to signup for airbnb this weekend while traveling,
but wasn't even able to go through the verification process without a physical
phone. Zero alternatives for verification and even trying google voice (my
main 'phone' provider) wasn't good enough. Sure, I could've borrowed someone's
phone for a second, but isn't that the sort of thing these systems are
supposed to guard against? I don't get it.

Another example - you can't use uber on a desktop without going to m.uber.com
last I checked. There's no way to order transportation without that m. (why!)

Another - gmail. You either need another email or a phone, and at the time,
neither were possible. (why!!)

For tons of reasons, I just don't like having a phone in my pocket 24/7/365.
Mostly, I just enjoy the peace of mind of being unreachable. I've been oncall
for years, but that oncall vibe is extending more and more into social
situations, for the worse. I hate it. Devs - PLEASE account for those like me!
I'm really tired of people telling me (accurately :(.) "You wouldn't have
these issues if you had a phone." on account of your laziness or lack of
awareness for sensible security.

~~~
patcheudor
I have a shocking number of burner phones driven by the need to register for
stuff which requires phone-call validation of identity. Of course every one of
those phones was purchased in cash while wearing a hoodie and sunglasses,
after parking in a nearby neighborhood and walking to the store.

Note, I'm not a criminal, I just play one in my day job.

~~~
bpchaps
I might go that route, honestly. I've done a few security disclosures recently
as myself and doing so has been giving me a vibe that I'm not a fan of. Same
with a lot of the FOIA calls I need to make. Having a burner phone might help,
as much as I'd hate to use it.

------
gst
It's relatively easy to change/fake the caller ID of phone calls so
unfortunately this approach isn't really secure. That's why phone number
verification usually places an outgoing call, to verify that you're actually
able to receive calls on that number.
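
As an added example (not code from dial2verify-twilio and not anything either commenter posted), the two designs discussed above side by side: a dial-in check that marks a number verified when an inbound call's caller ID matches a pending claim, and an outbound one-time-code check that only succeeds for whoever actually receives on the number. The `From`, `To` and `CallSid` keys are Twilio's documented inbound-voice webhook parameters; the classes, the `place_call` transport hook, the placeholder DID and the attacker's "spoofed webhook" dictionary are hypothetical constructions for illustration. The victim number is the one used later in this thread.

```python
# Added example: a dial-in verifier that trusts caller ID, beside an
# outbound one-time-code verifier.  Only the webhook field names are
# Twilio's; everything else here is a hypothetical construction.
import hmac
import secrets


class DialInVerifier:
    """Dial-to-verify: the user types a number, then calls our DID.
    We mark the number verified if an inbound call arrives whose From
    matches an unexpired pending claim."""

    def __init__(self, our_did):
        self.our_did = our_did
        self.pending = {}  # claimed number -> expiry (epoch seconds)

    def start(self, claimed_number, now, ttl=90):
        self.pending[claimed_number] = now + ttl

    def on_inbound_call(self, params, now):
        """params is the form body Twilio posts for an inbound call."""
        if params.get("To") != self.our_did:
            return False
        caller = params.get("From")
        expiry = self.pending.get(caller)
        if expiry is None or now > expiry:
            return False
        del self.pending[caller]
        return True  # trusts From, which a SIP trunk can set to anything


class OutboundCodeVerifier:
    """Verify possession: we call (or text) the claimed number with a
    random code; only someone receiving on that number can echo it back.
    place_call(number, code) is an injected hypothetical transport so
    the example runs offline."""

    def __init__(self, place_call):
        self.place_call = place_call
        self.pending = {}  # number -> [code, expiry, attempts_left]

    def start(self, number, now, ttl=300, attempts=3):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = [code, now + ttl, attempts]
        self.place_call(number, code)

    def check(self, number, submitted, now):
        entry = self.pending.get(number)
        if entry is None or now > entry[1]:
            self.pending.pop(number, None)
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0], submitted)  # constant-time compare
        if ok or entry[2] <= 0:
            del self.pending[number]  # single use, bounded guesses
        return ok


def demo():
    """An attacker claims the victim's number under both designs."""
    victim = "+12024561414"   # number used later in this thread
    our_did = "+15555550100"  # constructed placeholder DID
    results = {}

    # Design 1: the attacker's SIP trunk sends From = victim's number,
    # so Twilio's webhook carries that value and the check passes.
    d = DialInVerifier(our_did)
    d.start(victim, now=1000)
    spoofed = {"CallSid": "CAexample", "From": victim, "To": our_did}
    results["dial_in_spoofed"] = d.on_inbound_call(spoofed, now=1030)

    # Design 2: the code lands on the victim's handset; the attacker
    # can only guess, and guesses are bounded.
    delivered = {}
    o = OutboundCodeVerifier(lambda number, code: delivered.__setitem__(number, code))
    o.start(victim, now=1000)
    real = delivered[victim]
    wrong = f"{(int(real) + 1) % 10**6:06d}"  # deterministic miss
    results["outbound_wrong"] = o.check(victim, wrong, now=1010)
    o.check(victim, wrong, now=1011)
    o.check(victim, wrong, now=1012)  # third miss exhausts the attempts
    results["outbound_after_lockout"] = o.check(victim, real, now=1013)

    # The real handset, with a fresh code, succeeds; an expired code fails.
    o.start(victim, now=2000)
    results["outbound_legit"] = o.check(victim, delivered[victim], now=2020)
    o.start(victim, now=3000)
    results["outbound_expired"] = o.check(victim, delivered[victim], now=3400)
    return results
```

Two caveats worth keeping in mind when reading the dial-in half: validating Twilio's X-Twilio-Signature on the webhook proves the request came from Twilio, not that the PSTN caller ID Twilio relayed is genuine, so it does not close the hole; and with a single inbound DID, two users verifying at the same time can only be told apart by `From`, which is exactly the field that cannot be trusted.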

~~~
wfunction
At the risk of sounding like I'm actually going to abuse this capability... if
it's done "relatively easily", how is this done?

~~~
finnn
My SIP provider passes whatever number I send, for most of the numbers. No
talking to them required. Particularly fun for Android phones that do Google
Maps lookups for caller ID, so calling from 2024561414 shows up as "The White
House".

Just for fun i went ahead and verified 2024561414 with the demo of this thing.
It gave me a nice little check mark showing that I was definitely the White
House.

~~~
wfunction
Sorry, what's an SIP provider? I've looked it up and still don't understand
what it is. Is it a residential service? Can anyone get it? Is it some form of
VoIP? Or a classical phone line? I've seen it in multiple places but don't
understand what it is or which companies it relates to.

~~~
Symbiote
It's the open standard for VoIP.

It's used in many places, but mostly offices. An office might have an exchange
system, with features like voicemail and routing different types of call over
different networks.

I have a personal account which gives cheap international calls, which I added
to my android phone. I can receive calls at my SIP address, from anyone on any
provider. When I make a call, I'm given the option of using the mobile network
directly, or SIP.

Naturally, neither the phone networks nor the big tech companies want you to
use SIP. They'd rather you used normal calls, or their proprietary system.

~~~
StavrosK
Can you recommend one that works well? I want one that hopefully provides a
Greek DID, I want to be able to make calls from my Android to landlines over
my home Internet connection, as you describe, but I haven't managed to find a
good (read: cheapish) provider.

~~~
lstamour
I use voip.ms but many others exist. Anveo, Twilio, Vonage, etc. Cheapest
might be a service that uses Google, but only for as long as Google offers
free calls.

~~~
allannienhuis
+1 for voip.ms. I've been using them for years - they're inexpensive, lots of
features, and service has been great.

------
kevindeasis
Hi, there's a free phone verification using facebook. It's account kit.

[https://developers.facebook.com/docs/accountkit/overview](https://developers.facebook.com/docs/accountkit/overview)

What do you guys think?

~~~
chambo622
Similar to Twitter's Digits, which has been around for a while and seems quite
popular. [https://get.digits.com](https://get.digits.com)

~~~
everfree
Why is it free?

~~~
kevindeasis
Twitter built fabric and it's free because they say "they want more developers
using their platform" to help them with building apps

------
Matt3o12_
Are you willing to make international users pay up to 80¢ per verification? If
someone cancels a call, I still have to pay for one minute (it's only free if
I cancel the call). So if I were to call any American number that hung up on
me, I have to pay 80¢ (USD dollar cents of course).

Just pay the 0.02¢ or whatever phone services charge these days. If your
business is actually big enough to have to worry about phone verification, do
it right. Users don't like to call your number since they don't know the costs
associated with it (especially international users). Furthermore, it makes
number spoofing much harder.

------
neil_s
Haha, this is the digital version of the Indian phenomenon of 'missed calls',
used as 1-bit 0-cost notification mechanism. It's become such a cultural
artifact, that big companies are now advertising numbers you can 'missed call'
and get a callback from.

[https://gigaom.com/2011/12/13/indias-missed-call-mobile-ecosystem-2/](https://gigaom.com/2011/12/13/indias-missed-call-mobile-ecosystem-2/)

~~~
koolba
It's not Indian specific either. I've seen it in a number of places throughout
the world. It works anywhere that does not charge to receive calls (i.e. any
sane place outside of the U.S.A.) as long as the caller doesn't get billed for
cancelling.

You can get more than 1-bit of information as well if you sync the clock on
your phone with the recipient. That gives you approximately 3.3 bits of
information if you use the minute modulo 10. This only works if you previously
agree upon a meaning for values (Mod 0: Yes, Mod 5: No, etc).

------
ntauthority
Would 'rejecting' the call result in the calling user's operator billing
_them_, though? This is a major concern with international usage, given phone
providers' tendency to... overcharge for what's technically VoIP usage.

The classical text message verification schemes barely have this issue in most
of the world as the _recipient_ pays nothing, but of course the sender gets
billed instead.

------
DDickson
So you can only verify, at best, one user every 90 seconds?

Also, I have to assume Twilio would look at this as a form of abuse.

~~~
ntauthority
This doesn't reserve the incoming number for _just_ that user (given that one
has to enter their phone number beforehand), but while the user is using the
line, other users most likely wouldn't be able to call either (though it might
be Twilio handles this as well and sends a status message anyway - as even
cell carriers seem able to notify users of incoming calls while being in a
call already).

------
therealidiot
Can people just stop with this whole verify-by-phone thing?

~~~
beefhash
Can people just stop with this whole spam-every-website-to-death thing?

They can't, that's why there's an ever-increasing amount of verification.

------
faizmokhtar
This is a pretty cool hack. Great job OP!

------
jldugger
So... Twilio adjusts their pricing in 3... 2... 1...

~~~
rizwank
Twilio likely makes revenue on inbound, or enough breakage on the $1 to not
have it be an issue. This is a perfectly legit usage of the number.

------
cia48621793
However isn't it considered a kind of exploit? Twilio never intended users to
waste their VoIP traffic.

Could we also do phone verification at no cost, however instead by outbound
call? Is there any free/paid host providing such service?

------
subinsebastien
Again, nothing new. I have already implemented this on my app here :
[https://play.google.com/store/apps/details?id=in.xtel.quitq....](https://play.google.com/store/apps/details?id=in.xtel.quitq.app)
using Twilio alone. But, twilio is not completely free.

~~~
OJFord
Well done. But you didn't blog about it, or release that part of your app as a
standalone library. You also didn't (couldn't) patent it - it doesn't need to
be new to be interesting and valuable to HN readers.

