On the exploitation of online SMS receiving services to forge ID verification

Communication service providers (e.g., Whatsapp) enable users to connect with people around the world. These services have been widely adopted and used by millions of users, and such services have emerged as a replacement of the transitional calling and messaging. Unfortunately, these communication services have also been used to commit illegal activities and serious crimes. Therefore, service providers ask for user’s phone/mobile number to verify the user’s identity and to prevent misuses. The Internet is full of freebie services. Short Message Service (SMS) receiving services/websites are one of them. These message receiving websites provide users with real phone numbers and allow them to receive messages. In this paper, we investigate whether these message receiving website have been used as a tool to forge identity verification - typically done using One Time Passwords (OTP) - required for account creation. In our initial investigation, we created and successfully verified accounts for several messaging/calling apps as well as for social networking sites/apps using these message receiving services. Motivated from these findings, we collected and analyzed over 900K unique SMS messages received (upon request of other users) on 18 SMS receiving websites. Our analysis of these messages shows that 82.34% received messages included an OTP. This situation is very alarming that demonstrates the tendency of people to evade identity verification to create online accounts. We also found that the majority (52.47%) of verification code were six-characters long while nine-characters long verification codes were the least used.