> But perhaps we should not be surprised by the lack of interest in fraud exhibited by Twitter’s former management. The tech industry in general suffers from a cancerous disposition towards encouraging fake traffic, fake users, and fake online activity because it makes businesses appear to be more successful than they really are. Criminals are fed millions of dollars by executives who think that price is worth paying if it will mislead investors into believing inflated valuations. The presumption is that current losses are also worth sustaining because the business will turn today’s paper valuation into real value at some vaguely-defined point in the future.
That's it. If you can't figure out someone's intentions, look at their actions and infer the intentions.
At a previous job, we had a product that was attractive to criminals. We were seeing some elevated chargeback rates and refund rates, so I dug in and determined that at least 25% of our new account purchases were fraudulent (unreported stolen credit cards). I put in some rudimentary fraud analysis, and injected a hoop that suspected fraud users had to go through before their account would be billed, simply to prevent the credit card networks from blacklisting our merchant account. The fraud rates dropped considerably with a small false-positive rate, but the new-user metrics slowed with it.
A week after I left my role, the company disabled it. They were sure that the system was a significant cause of some major userbase declines. Within three months, one of their credit card processors threatened to lock them out for elevated fraud rates, and they spent the next six months getting it resolved. Growth never returned.
No one was trying to be dishonest, but no one wanted to look bad, either. The entirety of the metrics showed something was off, but the growth narrative was so important, it was easy to ignore the questionable parts.
This was not a VC-backed business, so the pressure to perform was entirely internal. Nothing was faked, but the success wasn't (entirely) real, either.
Still those bots probably helped make TikTok popular and probably helped boost stock prices, like we see with other social media platforms and even SuperStonk!
I have a harder time believing that 390 different telcos were all running the same fraud to the tune of $60 million per year and none of the previous Twitter administration thought to check into it.
This feels like another one of those claims that has a kernel of truth, but gets exaggerated for dramatic effect as a PR move. Like those drug busts that find a small amount of drugs, but then use the entire weight of the container it was found in multiplied by the highest possible street value they can imagine so they can claim a gigantic number in the headlines.
My brother, I encountered the 1800 free conference call guy and very specifically he said that the industry for both calls and texts like this is huge. At the time he was using that info to attempt to prevent a major merger that eventually went through - but his direct account of the mechanics makes Elon's claim more than probable and well beyond credible; basic fact without the individual logs.
Factoid: Every call makes money for the sender no matter if you pick it up or not. Every text the same; especially hiding in plain sight of SMS 2FA
The way I remember it, in the US there are rural telcos that can't afford to maintain infrastructure out of the revenue they pull on sparse populations, but the government believes it's critical that citizens have telephone access anyway.
So when a call is placed inbound to telcos of a certain class (size, revenue, I'm not sure), the destination telco receives a fee / subsidy (I think from the telco originating the call).
People figured out that they could run free conference call services hosted on rural telco phone numbers, bringing in oodles of calls, then collect a cut of the subsidy.
> Basically, there are telcos who are not being super honest out there, in other parts of the world, who were basically gaming the system and running, like, two-factor authentication SMS texts over and over again, and just creating a zillion bot accounts to literally run up the tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.
He’s very clearly accusing the telcos themselves of creating bot accounts.
I don't exactly see the issue with telcos being accused. Telcos still have done almost nothing to address scammers and fraudulent texts, and we all know it is because they benefit financially from their services being abused.
True, his messaging wasn't consistent. He is calling them fraudsters (and suggesting some of them are doing it directly). Some of the fraud may be indirect though:
> Listen, if you stop scamming us, then we will gladly pay you some amount of money for SMS texts but you can’t turn a blind eye to relentless bogus SMS texts
The suggestion here is that the telcos are complicit in the fraud, but "blind eye" suggests they may not be directly responsible.
Hmm, I interpreted the "you" to mean the general "you", not telcos; basically meaning that Twitter can't just turn a blind eye. Similar to how some might say: "I elected to go to the gym today; you can't just sit on the couch all day after all".
That would certainly be a bit awkward wording though, using "you" to refer to both the telcos and to Twitter/the general "you" in the same sentence.
It's unclear if "you" is telcos or Twitter in the last part.
Or it depends on whether the fees were SMS fees paid to the telco (!?) or fraudulent "pay-to-send-to SMS numbers" ("1-900" numbers), a massive scam that shouldn't exist at all.
Would you say that a telco is complicit in fraud if it offers a negative rate to customers who take their inbound calls/SMSes in the building where the telco receives the calls/SMSes from its peers/upstream?
Addressing the issue is sensible, and yet he found the least sensible way to do it. Putting the onus on the user to remove SMS two-factor and making worse security a paid feature is just absurd.
It's not clear to me if Twitter offers other types of 2FA like TOTP. I don't use it.
What do you think the solution is here though? If someone is using a company that's scamming Twitter, it's not their responsibility to continue being scammed so they can support SMS 2FA for that user.
A reasonable solution would be to disable the ability to add SMS 2FA to accounts and require either disabling 2FA or selecting a different 2FA method upon next login. If specific accounts with SMS 2FA manage to abuse it after that then ban those accounts, since you can't add SMS 2FA to a new account that removes their avenue for abuse.
Considering how many spam calls come to my phone on an hourly basis, I’m inclined to believe Elon when he says some telcos aren’t in it for the enjoyable user experience.
Given the IRSF attacks that I’ve seen, the number isn’t out of line with reality. Many of the attacks originate from countries that are perennially short of hard currency, and with sanctions and rising interest rates, dollars are hard to come by. As the head of a telco that needs hard cash to pay for equipment that is all imported, how closely are you going to look?
Yea this is my take as well, having worked in this space. You can and will lose millions without detection, but 60M seems extremely rich, even for a VC-funded growth stock giant like Twitter.
1) it makes the cost of acquiring users artificially high, since it's an expense that doesn't lead to a completed signup
2) you'd think the verification process would be monitored anyway, in case of deliverability issues or false negatives on checking the codes - even if not spiky because this was always happening, surely the high baseline 'code requested and never entered' would raise questions?
I am not sure if I believe the $60 million. The truth might be that banning 360 Telcos saved Twitter $60 million; however, that doesn't mean 100% of these costs are fraud.
Those 360 Telcos are likely in emerging markets that have far more potential to grow than the USA market. If you ban 2FA SMS you will also limit your growth in those markets.
And possibly limit the growth of mobile devices in those markets. They’re probably cross-subsidizing discounted fees with all that western int’l SMS revenue (one can dream anyway).
Assuming an average SMS rate of $0.04, they have sent 1.5 billion messages a year.
2022 stats indicate Twitter had 396.5 Million users. So for the full picture, it would be around 5 messages per user per year, which I don’t see as a large number. This might be why it went unnoticed.
With your numbers (not checking) this would be 1.5B supposed new users requesting to sign up (or existing ones verify a new number I suppose) and then bouncing, every year. Which is a lot if you have 0.4B completed-signup users, and shouldn't go unnoticed.
Those are not the only times when 2FA happens. It happens every time you log in after closing a session. This could be multiple times a day for some users.
Oh true. Still seems very high though. 5x every single day for every single user to log in having logged out since the last one and not 'trust[ed] this device'?
I remember someone did this on a smaller, individual scale. Billing a company for SMS messages... I think it was Starbucks or something. This was 4 years ago, it was shared here.
Wow that's so much more retarded than I expected. I thought it was the telcos setting up bots to get an increased amount of texts with standard fees. Simple, difficult to detect.
My private number can't send texts to premium numbers, that an automated 2FA system could is so ridiculous I would never even try it. I guess that's why they're better fraudsters than I can ever be, they expect this level of stupidity while I'm surprised.
The problem is, globally you cannot know beforehand whether this is a premium number or not for some random provider in some random country, so what happens is you send the SMS and then you are billed for the number.
If my provider can prevent me I'm sure the tech companies with millions in funding can figure it out. Block anything that doesn't comply. I figured this was solved, aren't there SaaS companies with deals all over the world for texts already? If not there's an opportunity. I'm sure it's cheaper than $60M to have full-time employees vet the numbers and new providers showing up.
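The monitoring suggested a few comments up (a high baseline of "code requested and never entered") and the vetting asked for here (block destinations that don't comply) can be driven from the same aggregation. The script below is an added example, not code from anyone in this thread or from Twitter: it parses constructed OTP send/verify log lines, groups them by destination prefix, and flags prefixes whose verification rate collapses or whose spend per completed verification explodes. The log format, the `otp_sent`/`otp_verified` event names, the per-message costs, the `+9990` prefix (an unassigned, made-up range) and all thresholds are assumptions.

```python
"""Flag SMS 2FA pumping from OTP request/verify logs (added example).

Log lines are "<event> <E.164 number> <cost_usd>"; this schema and every
number, price and threshold below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. +1415 behaves normally, +9990 (unassigned,
# made-up range) shows the pumping pattern: many sends, almost no verifies.
SAMPLE_LOG = """\
otp_sent +14155550101 0.0075
otp_verified +14155550101 0
otp_sent +14155550102 0.0075
otp_verified +14155550102 0
otp_sent +14155550103 0.0075
otp_verified +14155550103 0
otp_sent +14155550104 0.0075
otp_verified +14155550104 0
otp_sent +14155550105 0.0075
otp_verified +14155550105 0
otp_sent +14155550106 0.0075
otp_sent +99900000001 0.25
otp_sent +99900000002 0.25
otp_sent +99900000003 0.25
otp_sent +99900000004 0.25
otp_sent +99900000005 0.25
otp_sent +99900000006 0.25
otp_sent +99900000007 0.25
otp_sent +99900000008 0.25
otp_verified +99900000003 0
otp_sent +12125550199 0.0075
otp_sent +12125550198 0.0075
otp_verified +12125550198 0
"""


@dataclass
class PrefixStats:
    sent: int = 0
    verified: int = 0
    spend_usd: float = 0.0

    @property
    def verify_rate(self) -> float:
        return self.verified / self.sent if self.sent else 0.0

    @property
    def cost_per_verified(self) -> float:
        # Spend that never produced a completed verification is unbounded.
        return self.spend_usd / self.verified if self.verified else float("inf")


def parse_log(text: str, prefix_len: int = 4) -> dict[str, PrefixStats]:
    """Aggregate events by the first prefix_len digits of the destination."""
    stats: dict[str, PrefixStats] = defaultdict(PrefixStats)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        event, number, cost = line.split()
        if not number.startswith("+") or not number[1:].isdigit():
            raise ValueError(f"not an E.164 number: {number}")
        key = number[: prefix_len + 1]  # keep '+', then prefix_len digits
        if event == "otp_sent":
            stats[key].sent += 1
            stats[key].spend_usd += float(cost)
        elif event == "otp_verified":
            stats[key].verified += 1
        else:
            raise ValueError(f"unknown event: {event}")
    return dict(stats)


def classify(stats: dict[str, PrefixStats], min_sample: int = 5,
             min_verify_rate: float = 0.5,
             max_cost_per_verified: float = 0.50) -> dict[str, tuple[str, str]]:
    """Return prefix -> (decision, reason). Thresholds are assumptions."""
    decisions = {}
    for prefix, s in stats.items():
        if s.sent < min_sample:
            decisions[prefix] = ("allow", "insufficient sample")
        elif s.verify_rate < min_verify_rate:
            decisions[prefix] = ("block", f"verify rate {s.verify_rate:.2f}")
        elif s.cost_per_verified > max_cost_per_verified:
            decisions[prefix] = ("block", f"${s.cost_per_verified:.2f} per verified")
        else:
            decisions[prefix] = ("allow", "healthy")
    return decisions


if __name__ == "__main__":
    for prefix, (decision, reason) in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{prefix}: {decision} ({reason})")
```

The verify-rate check catches the baseline case the earlier comment describes (codes requested, never entered), while the cost-per-verified check catches a prefix that verifies occasionally but costs far more per real signup than the product can justify; in practice the same aggregation would be keyed on the route or carrier the SMS provider reports rather than on a raw digit prefix.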
I suppose that Twitter has to pay each time an SMS is sent (or at least, they pay according to the amount of SMS generated), so the bots pump that amount?
It very well could have been only targeted at poorly managed big companies, but I didn’t see this despite seeing quite a lot of scams. This was a smaller telco though. When I worked at one of the largest telcos I wasn’t involved in SMS.
Paying for incoming texts and calls is not common outside the US. When you call or text someone, you pay the fee listed in your contract (not theirs). That is to say, the sane system exists and most countries use it.
Preventing the fraud described in your edit is what I'm asking about. I'm wondering if anyone has set up lists to help avoid surprise prices for sending messages via SMS service APIs, not from texting someone from a phone.
Unfortunately this is a case and proof of the classic kickback scheme that occurs in many corporate companies. Also common in many bureaucratic companies and countries. If you don't think $60M/yr is real, you are in a hell of a seat when you see the billing/accounting that goes on in corporations and governments.
For those who doubt the old Twitter management could be so incompetent: These are the same people who never noticed they were showing me ads in a language I couldn't understand whenever I went on vacation.
If someone made a fortune at Twitter by running it “poorly”, would it not be reasonable to try it again next time? Just chill at a sunny beach and let someone else figure it out.
Twitter growth, revenue and eventual sale is the absolute dream of so many companies that it's kinda funny reading people here calling it the worst thing ever because of this.