Hacker News new | comments | ask | show | jobs | submit login
Mailinator launches Disposable SMS (mailinator.blogspot.com)
257 points by zinxq 10 months ago | hide | past | web | favorite | 72 comments

The problem is phone number reuse, if you try to open an anonymous Google, Twitter, etc account they immediately realize that phone number was already used.

A lot of services that use SMS for new account verification also block numbers from non-mobile providers, even ones that haven't been used before. I tried using a Twilio number as a Google-Voice-like service where it would forward texts to my actual number, but many services refused to accept the Twilio number.

Yep. We’re able to figure out VoIP numbers pretty easily thanks to services like Twilio Lookup. Helped out anti fraud out so much.

But blocked legit users who ported their real phone numbers to VoIP, like I did. Google won't verify an account against my home phone line anymore.

How can we continue to reduce fraud while still serving folks who are using the system legitimately?

>But blocked legit users who ported their real phone numbers to VoIP, like I did. Google won't verify an account against my home phone line anymore.

weird. i use a voip phone service, but twilio identifies it as a landline. maybe you're not using a fixed location voip service?

I use Google Fi as my mobile carrier. It is blocked from virtually everything even though it is a legitimate Sprint+T-Mobile sim.

Really? It should identify as a T-Mobile number. Have you tried contacting Fi support?

Yeah. I was one of the earlier users, the number identifies as GV-Grandcentral, formerly Bandwidth

It's basically rejected from every messenger, I can't use it with paypal or banking, etc.

Same problem but with normal google voice numbers. Really frustrating.

I want to use virtual numbers to avoid the spammers. There have been plenty of companies that had pseudo dodgy signup (win a chance for a dream trip to somewhere) where you had to give up your phone number (supposedly so they could call you). Lots of time I get spam calls that claim I gave permission for them to call me. So a temporary forwarding number hides me. I use my google voice number for this and it does a good job of noticing lots of spammers (but not all).

The google fi number isn’t your T-Mobile phone number. There is actually a way to find the actual t-mobile phone number that Fi forwards to, perhaps you can get that and use it instead.

Google Fi is Google Voice routed through T-mobiles network

I'm using voip.ms with an E911 registered location. We've used the number for years with traditional carriers. The service has been great for a good price otherwise.

We offer users an easy way to contact us to request manual whitelisting. It's painless, fast, and we find that not much abuse gets through when they have to write in messages to get in.

Who are "we"?

You have commented twice saying "We." And it is not clear who the "we" is. Do you work for mailinator, Twilio, Google?

Sorry, I was commenting from the perspective of a company that uses phone verification for account signups to help with fraud. I am not affiliated with any of the listed company.

Only from those providers that explicitly disclose this fact; I provide API-driven phone numbers (from a carrier partner) and those show up as the carrier's numbers on every lookup tool, with no way to distinguish them from numbers allocated to SIMs directly. I actually really like this fact and will make sure it stays that way.

What's your service called?

Nextgrid, though at the moment it's still a work in progress (building an entire telco core network from scratch by yourself takes a looooong time), but in the meantime you can get the numbers from my carrier partner directly: https://aa.net.uk/telecoms.html

Those are UK mobile numbers, with SIP for voice and webhooks for texts, and all lookup tools I've found recognise their numbers as "Three" (a mobile carrier in the UK) mobile numbers.

I am not actually sure how those guys interconnect to Three, it could even be literally a bunch of GSM modems with real SIMs in it. My long-term plan is to get rid of the middleman and become a carrier myself (get a number range allocated by OFCOM, UK's telco regulator) and offer both SIMs and API-driven numbers (with no way of distinguishing which is which from the outside).

Definitely cool service - do these numbers support MMS?

Not at the moment no. I might look into it before launch but to be honest nowadays there is very little business case for MMS so I’m not sure it’s worth the investment.

Just out of curiosity, what do you use MMS for?

I can't find your website through Google. Do you mind linking it?

Do you have any partners in the US?

Is there any non-VoIP telephony left?

"VoIP" is a generic term in this case as they mean numbers that can be rented online by a customer directly, with little to no identity checks - sadly those are often used for fraud, though outright denying service on this basis alone is a dick move IMO.

Pretty much all telephony is VoIP for at least parts of the call chain, though there are still even analog circuits in place; here are some numbers that lead to analog switching gear: http://www.binrev.com/forums/index.php?/topic/48166-ukrainia...

Which brings the question, when will 'ipv6' for phone numbers come out?

There's a proposal for 12-digit phone numbers in the NANP (US and Canada), but the current 10-digit numbering plan isn't expected to run out of numbers until 2044.


I don't think we need a system of phone numbers at all - IPv6 by itself can already do that.

The biggest roadblock there is that the scammy telco industry's entire business model is based on charging through the ass for what is essentially a 8kbps voice channel. Doing calls via IP would cut that revenue stream and would put a lot of irrelevant people out of a job so it'll be very hard to succeed, though I fully support the idea - it's complete heresy that I can download a 1GB file across the Atlantic for pretty much free but a 12 hour call that would total maybe 40MB would cost a ton.

I get your point but the phone companies wouldn't be able to survive, and when I talk to people on wifi it's never as good as a phone call. They must be using dedicated routing or something, even though I think we are past the world of direct circuits.

> I get your point but the phone companies wouldn't be able to survive

Do we need them to survive? They can and should go the way of the dodo and leave place for ISPs instead.

> and when I talk to people on wifi it's never as good as a phone call

That's a side-effect of crap Wi-Fi gear, but can be resolved by placing the call over LTE and using stuff like MPTCP to combine both the Wi-Fi and LTE connection. In fact, VoLTE is essentially SIP (which is IP-based) over LTE, so there's a good chance you're already using an IP system and not realising it, which I guess proves the point that it's good enough if not better than legacy circuit-switched calls.

It's not on the level of never having to reuse a number, but arguably we've already seen something similar to IPv4->IPv6 (restructuring/numbering to add capacity) in the UK through PhONEday/Big Number Change. Expanding that out to never having to reuse a number, especially now that most people don't have to remember phone numbers (or at least far fewer), doesn't seem that difficult (at least on the numbering end; I don't know about the engineering side of that).

https://en.wikipedia.org/wiki/PhONEday / https://en.wikipedia.org/wiki/Big_Number_Change

Why would it need to...? We aren’t running out of phone numbers.

Phone numbers are regularly cycled. The nice thing about something like ipv6 is that you could build a system where reuse isn't any more convenient.

And with your own personal block of /64, you could give out unique numbers to anyone you want ^_^

I keep getting calls for the previous owner. I would love if i could get something unique.

We need to think about it before running out of phone numbers.

just like we did for ipv6. think about it for years, people argue and we kind of solve all problems but too late.

We will, if this trend continues...

Phone numbers do get recycled in a lot of countries though.

Which is really annoying. Still getting calls, two+ years in, for the previous owner of my number. Including from medical providers.

A CVS half a continent away from has been calling me thinking that I am the previous owner of this phone number for the last six months or so. First they were leaving voicemails that I need to pick up a prescription and that they will return it in a day and stop calling me. But they have been calling every few days or so ever since.

I had this phone number for over 4 years.

That's always been the case. The problem is that, especially over the last couple of decades, people have built lots of systems with a central assumption being that phone numbers are uniquely tied to individuals.

So, instead of fixing those systems, I guess the idea is to adapt phone numbers to the faulty assumptions made about them.

Are there countries where it's not necessary to recycle them?

Good! SMS should have never been a 2fa technology, hopefully this causes a splash and services start actually pushing people to TOTP and U2F!

You can't really intercept SMS with this, you know that, right? You can't just write any existing number and start to receive messages sent to that number. You can only use this to receive messages sent to phone numbers assigned to Mailinator, and frankly, if you're using their numbers as a 2nd auth factor, you kinda deserve what you get. It's no different than signing up for any service with a Mailinator email address.

The only bad scenario was if they somehow got hold of real mobile numbers that real people were actually using before but that were lapsed and got recycled, without those people removing the numbers from, say, their Gmail accounts.

The point I was trying to make is one SMS number does not equal a phone with a paid, credit checked, account behind it. Making it easy to create SMS numbers will help expose the weaknesses of using them for 2fa.

Many people have access to your SMSs. One bad actor at your phone provider, the sms gateway, spoofing your sim, a bad app, or someone casually observing your lock screen are a couple I can think off have, but I'm sure the security experts know many more ways than I do.

Not disagreeing with your overall point, but note that you can configure iOS to hide message contents from lock screen notifications.

iPhone X does this by default and only shows the message contents once Face ID verifies you.

Not with this, but intercepting sms's do exist. https://en.wikipedia.org/wiki/Stingray_phone_tracker#Interce...

Intercepting SMS is incredibly easy. Not with this tool, but via other methods. SMS is broken and should never be used for any type of sensitive communication, be it 2fa or pics you don't want to see online.

what other methods?

Asking the host carrier nicely via SS7.

> Hey I'm one of your roaming partners and this phone here is roaming on my network, can you send me their calls & texts?

> Sure mate, here they are, enjoy!

>"Asking the host carrier nicely via SS7."

Can you elaborate? SS7 is signaling. You can't request a Telecom provider to just start send you all someones calls and texts via SS7.

The SMSC routes an SMS to the IMEI of the phone.

> Can you elaborate? SS7 is signaling. You can't request a Telecom provider to just start send you all someones calls and texts via SS7.

I was simplifying, but how roaming works is that on every call a mobile number from the visited network is assigned to the SIM, and the host network is instructed to send the call there; in the case of an attacker I expect them to be able to use this mechanism to send calls anywhere they want.

They could also most likely fake USSD which is I believe used behind the "Call forwarding" toggle in your phone's settings.

There are plenty of SS7-related demos & presentations posted here on HN, I suggest you use the search and find them, the people making those have much more experience than me in the field and you're better off with then rather than my half-assed explanations, but the point is, call and text interception is possible, among other nasty things (silently tracking a phone' approximate location, DoS, etc).

I recall reading long ago that SMS messages were a hack built on top of the unencrypted "paging" channel in the protocol. They're received and "ignored" by all phones near the intended recipient.

IIRC, the paging channel is a broadcast channel that was originally used to send short message to a handset to advise them of an incoming call and to request a private channel to receive it. It had lots of excess capacity so someone had the idea of pushing short text messages over it.

While that was originally true, I doubt it's true for 3G and 4G. Would appreciate it if someone who knew for a fact would comment.

Would have been a dastardly April Fools if they just told you to make up any phone number and then try to check its SMS messages on mailinator.com.

It's only one number? (I can't imagine other possibility.) In that case it's even less private than the normal (public) email box of mailinator.

Do they sell a similar service with a private box?

According to the linked article, they have a list of public phone numbers. I guess they can cycle through fresh ones every few days.

Of course, if they simply provision a list of phone numbers and then give them up and get new ones, the new holders of the numbers won't be happy....

So perhaps we should fix the problem at the root, rather than needing disposable email address or phone number services.

I'm almost ready to run updated version of https://tempophone.com. You will be able to buy numbers and send/receive text messages in private mode.

These are going to get blacklisted quickly

They already are.

Doesn't work for anything notable with a sole exception of Steam, which will probably blacklist it in an hour.

Unless someone comes up with a single-use-only phone number, this idea is not going to work.

Is there a list of phone numbers available for SMS? Or a a way to generate a different number? Or do you have to go with the one number linked in the blogpost?

By the way, looks like you can see the sender's phone number for incoming SMSs by choosing "JSON" as the format.

> You can find the Public SMS numbers on the left navigation of Mailinator's "email" page (which we should probably think about renaming, huh?) or follow the link below.

But I can't find the list they are talking about

I think it's just the one-item list on that page

1 number is more than useless

I don't get it, only 1 number?

If one sends an email to <number>@... they treat that as an SMS?

Does this get delivered as an SMS to said number? How's the deletion happening on the phone? Do they delete the sms from the phone's SQL lite db that holds sms-es?

What? No. They're not launching an SMS interception/hijacking service, they just have a few numbers that you can use.

It is confusing. That's how they describe it then they show one number.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact